GitHub has enabled automatic security updates for known vulnerable open source dependencies in user repositories, a feature warmly welcomed by users.
The move comes just a week after the Microsoft-owned company bought Dependabot, which powers the functionality: integration has been rapid.
The automated fixes are available in repos that use the dependency graph.
When permissioned to do so, GitHub automatically creates a pull request in a user’s repository. Users can instead choose to create the pull requests manually, upgrading dependencies only when they decide to, in case a fix would break code elsewhere.
(WhiteSource is a New York-based open source software security specialist).
The releases come amid growing concern about open source security, including malicious open source library “trust attacks” involving the intentional contribution of malicious code into widely used but not robustly maintained libraries.
Seriously, just TURN IT ON NOW. If a merged green PR breaks something, there was a gap in your automated tests (and you should fill that gap ASAP, not turn off the auto bumps).
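The advice above only works if every pull request, including the automated dependency bumps, actually runs the project's test suite, so that "green" means something. As an added example (not from the article, GitHub or Dependabot), here is a minimal GitHub Actions workflow that runs tests on every pull request; it assumes a Node.js project whose tests run with `npm test`, and the workflow name and file path are illustrative.

```yaml
# .github/workflows/ci.yml (assumed path; added example, not from the original page)
# Runs the test suite on every pull request, so an automated dependency
# bump that breaks something turns the PR red instead of being merged green.
name: CI

on:
  pull_request:        # includes PRs opened by the dependency-update bot
  push:
    branches: [main]   # assumed default branch name

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'        # assumed runtime version for this project
      - run: npm ci                 # install exactly what the lockfile says
      - run: npm test               # the gap the comment talks about lives here
```

With a required status check configured on the default branch, a dependency PR whose tests fail cannot be merged, which is the check that makes automatic bumps safe to leave switched on.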