> It could still be an open platform, of course. Someone just needs to be able to do it better than Github. As Dependabot shows, that's absolutely possible.
That's actually exactly my point. Dependabot did Github security alerts so much better than Github did, that Github gave up on trying to compete entirely.
Which is to say that it's incontrovertibly possible to beat Github at their own game and on their own platform. To the point where even Github agrees they've been beat.
Awkward, this literally happened today: https://dependabot.com/blog/hello-github/
(I agree with the thrust of your comment; I just think the timing here is funny.)