Secure Dependencies with GitHub and Dependabot
Published: 6.2.2019
Updating and confirming the security of dependencies from open source projects just became a lot easier: GitHub announced Dependabot, which now makes updating dependencies easier and more secure.
Dependabot taps into the GitHub Security Advisory API to automate the process and create pull requests to fix vulnerabilities as they’re found.
https://twitter.com/github/status/1091031455390679040
The problem with dependencies
A lot of applications rely on open source dependencies, and when these dependencies aren't up to date, that obviously causes a lot of security problems. Manually checking for updates and updating these dependencies can be stressful.
Just bringing in 30 JavaScript dependencies indirectly brings in 712 other dependencies!
Exactly how does Dependabot solve this?
GitHub's Security Alerts already notify you of security threats caused by out-of-date dependencies. Dependabot solves an extra problem: it taps into the GitHub Security Advisory API to automate the monitoring process, checks dependency files against security advisories, and creates pull requests to fix vulnerabilities as they're found. Dependabot doesn't only create pull requests for security vulnerabilities by default; it creates a pull request whenever an update is available. Isn't this cool?
Every day Dependabot pulls down your dependency files, parses them, and checks for any out-of-date or insecure dependencies. If it finds any, it creates a pull request on GitHub, isolating the specific dependency that needs updating, with details of what has changed.
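To make that daily check concrete, here is an added example (not Dependabot's own code, and not from the original post) of the same three steps: parse a dependency manifest, compare each declared version against an advisory feed and a registry snapshot, and emit one proposed update per dependency. The package.json, the advisory entries (ids `EXAMPLE-ADV-0001`/`-0002`) and the registry versions are all constructed for the example; the real Dependabot pulls this data from the GitHub Security Advisory API and the package registries.

```python
"""Added example: a minimal version of the check Dependabot runs each day
over a dependency manifest. It parses a (constructed) package.json,
compares each declared version against a (constructed) advisory list and
a (constructed) registry snapshot, and emits one proposed update per
dependency, the way Dependabot isolates one dependency per pull request.
None of the package names, versions or advisory ids here are real."""
import json
import operator
import re

# Constructed manifest; packages and versions are illustrative only.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "left-pad-ish": "^1.1.0",
    "json-parse-ish": "~2.0.3",
    "tiny-logger": "0.9.4",
    "up-to-date-lib": "3.1.0"
  }
}"""

# Constructed advisory feed (stand-in for the GitHub Security Advisory API).
# "vulnerable" is a list of comparator constraints that must all hold.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "json-parse-ish",
     "vulnerable": [">=2.0.0", "<2.0.5"], "patched": "2.0.5"},
    {"id": "EXAMPLE-ADV-0002", "package": "tiny-logger",
     "vulnerable": ["<1.0.0"], "patched": "1.0.0"},
]

# Constructed registry snapshot: newest published version of each package.
REGISTRY_LATEST = {
    "left-pad-ish": "1.3.0",
    "json-parse-ish": "2.0.5",
    "tiny-logger": "1.0.2",
    "up-to-date-lib": "3.1.0",
}

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}


def parse_version(text):
    """Turn '1.2.3' (optionally prefixed with ^, ~ or v) into a comparable tuple."""
    match = re.fullmatch(r"[\^~]?v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError("unsupported version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def satisfies(version, constraint):
    """True if `version` meets a single comparator such as '<2.0.5'."""
    match = re.fullmatch(r"(>=|<=|>|<|=)\s*(\d+\.\d+\.\d+)", constraint.strip())
    if not match:
        raise ValueError("unsupported constraint: %r" % constraint)
    op, bound = match.groups()
    return _OPS[op](version, parse_version(bound))


def is_vulnerable(version, constraints):
    """A version is affected only if every constraint of the range holds."""
    return all(satisfies(version, c) for c in constraints)


def scan_manifest(package_json_text, advisories, registry_latest):
    """Return one finding per dependency that is insecure or out of date."""
    manifest = json.loads(package_json_text)
    findings = []
    for name, declared in manifest.get("dependencies", {}).items():
        current = parse_version(declared)
        latest = parse_version(registry_latest[name])
        hits = [a["id"] for a in advisories
                if a["package"] == name and is_vulnerable(current, a["vulnerable"])]
        # Up-to-date, unaffected packages produce no finding at all.
        if hits or latest > current:
            findings.append({
                "package": name,
                "current": ".".join(map(str, current)),
                "target": ".".join(map(str, latest)),
                "security": bool(hits),
                "advisories": hits,
            })
    return findings


def pr_title(finding):
    """One pull request per dependency, flagged when an advisory applies."""
    kind = "[security] " if finding["security"] else ""
    return "%sBump %s from %s to %s" % (
        kind, finding["package"], finding["current"], finding["target"])


if __name__ == "__main__":
    for f in scan_manifest(PACKAGE_JSON, ADVISORIES, REGISTRY_LATEST):
        print(pr_title(f), f["advisories"])
```

Running it prints three proposed bumps: a plain version update for `left-pad-ish`, and security-flagged updates for `json-parse-ish` and `tiny-logger`; `up-to-date-lib` is silent because it is current and unaffected. Only exact three-part versions are handled, which is enough to show the logic; a real implementation needs full semver range parsing and should read the lockfile's resolved versions rather than the manifest's declared ranges.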
Conclusion
To help ensure those newly created pull requests are easy to merge, Dependabot shares the Confidence interval pass rate (%) for all projects performing the same update, using a badge on the pull request. With this information, you can merge with more confidence. Check it out on the GitHub Marketplace.