Updating open source dependencies and confirming they are free of known vulnerabilities just became a lot easier: GitHub has announced Dependabot, which makes keeping dependencies current both simpler and more secure.
Dependabot taps into the GitHub Security Advisory API to automate the process and create pull requests to fix vulnerabilities as they’re found.
Keeping your open-source project secure can be a daunting task.

January 31, 2019
Most applications rely on open source dependencies, and when those dependencies fall behind, the project inherits every vulnerability that has since been fixed upstream. Checking for updates and applying them by hand, across every package in every lockfile, is tedious and easy to neglect.
GitHub's Security Alerts already notify you when one of your dependencies has a known vulnerability. Dependabot goes a step further: it taps into the GitHub Security Advisory API to automate the monitoring, checks your dependency files against published advisories, and opens pull requests to fix vulnerabilities as they are found. It is not limited to security fixes either: by default Dependabot also opens a pull request whenever a newer version of a dependency is available.
Every day Dependabot pulls down your dependency files, parses them, and checks for any out-of-date or insecure dependencies. If it finds any, it opens a pull request on GitHub for each one, isolating the specific dependency that needs updating and including details of what has changed between the two versions.
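To make the daily check concrete, here is an added example (not Dependabot's own code or algorithm) of the three steps described above: parse a pinned dependency file, compare each pin against a list of advisories and latest releases, and produce one proposed update per dependency. The package names, versions, advisory identifiers and the requirements file are all constructed for the example; the choice to target the first patched version for a security update and the latest release for an ordinary version update is this example's simplification, not a statement of Dependabot's policy.

```python
"""Minimal model of a daily dependency check (added illustration, not
Dependabot's code). Parses a pinned requirements.txt, flags pins that are
vulnerable or out of date, and emits one isolated update per package."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    affected_below: str   # every version strictly below this is affected
    patched: str          # first version that carries the fix
    advisory_id: str      # constructed identifier, not a real advisory


# Constructed sample data: fictional packages, advisories and releases.
ADVISORIES = [
    Advisory("acme-http", "2.4.0", "2.4.0", "EXAMPLE-2019-0001"),
    Advisory("acme-yaml", "5.1.0", "5.1.0", "EXAMPLE-2019-0002"),
]
LATEST_RELEASE = {
    "acme-http": "2.5.1",
    "acme-yaml": "5.1.0",
    "acme-log": "1.3.0",
    "acme-cli": "0.9.0",
}

# Constructed requirements.txt as it might be checked in to a repository.
SAMPLE_REQUIREMENTS = """\
# application dependencies (constructed sample)
acme-http==2.3.7
acme-yaml==5.1.0
acme-log==1.2.0   # pinned below latest, but no advisory
acme-cli==0.9.0
"""


def parse_version(version):
    """Turn '2.3.7' into (2, 3, 7) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def parse_requirements(text):
    """Return {package: pinned_version} for every 'name==version' line,
    ignoring blank lines and comments. Only exact pins are supported."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement not supported: {line!r}")
        name, version = (part.strip() for part in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def find_advisory(package, version):
    """Return the first advisory that covers this package at this version."""
    for adv in ADVISORIES:
        if adv.package == package and parse_version(version) < parse_version(adv.affected_below):
            return adv
    return None


def plan_updates(requirements_text):
    """One update record per dependency that needs attention. Security
    updates target the patched version; ordinary updates target latest."""
    updates = []
    for package, pinned in parse_requirements(requirements_text).items():
        adv = find_advisory(package, pinned)
        latest = LATEST_RELEASE.get(package)
        if adv is not None:
            updates.append({"package": package, "from": pinned, "to": adv.patched,
                            "reason": "security", "advisory": adv.advisory_id})
        elif latest is not None and parse_version(latest) > parse_version(pinned):
            updates.append({"package": package, "from": pinned, "to": latest,
                            "reason": "version"})
    return updates


def pull_request_title(update):
    """Title for the isolated pull request that would carry this update."""
    return f"Bump {update['package']} from {update['from']} to {update['to']}"


if __name__ == "__main__":
    for update in plan_updates(SAMPLE_REQUIREMENTS):
        print(f"{pull_request_title(update)}  [{update['reason']}]")
```

Run on the sample file, the planner proposes two separate updates: a security bump for acme-http and a plain version bump for acme-log, while the already-current packages produce nothing. Keeping each update isolated is what lets a reviewer reason about one changelog at a time.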
To make those pull requests easier to merge, Dependabot adds a badge to each one showing the CI pass rate (%) across other projects that performed the same update. That figure is an aggregate over other people's test suites, so treat it as a hint rather than a guarantee and still run your own CI on the pull request before merging. Dependabot is available on the GitHub Marketplace.