Every dependency you add is a supply chain attack waiting to happen (opens in new tab)

Yes, keep your dependencies low in numbers. No, don't turn off dependabot. Wait two weeks before updating. IIRC, there's a built-in feature for that.