GitHub has enabled automatic security updates for known vulnerable open source dependencies in user repositories; a feature warmly welcomed by users.
The move comes just a week after the Microsoft-owned company bought Dependabot, which powers the functionality: integration has been rapid.
The automated fixes are available in repos that use the dependency graph.
When permissioned to do so, GitHub automatically creates a pull request in a users’ repository. Users can also manually create pull requests to upgrade dependencies only when they choose to, in case a fix is going to break code elsewhere.
The fixes are opened by the Dependabot GitHub App, which is automatically installed on every repository where automated security fixes are enabled.
Pro tip: you can now enable automatic security updates for known-vulnerable open source dependencies on your GitHub repos. Just go to the Security tab on your repo to turn it on. https://t.co/k3NWinTPpS pic.twitter.com/YeLBeebnLr
— Nat Friedman (@natfriedman) May 29, 2019
The GitHub automatic security updates come as week after the company also added WhiteSource data to its security vulnerability alerts system.
GitHub now uses MITRE’s Common Vulnerabilities and Exposures (CVE) List, code maintainer security advisories, a combination of machine learning and human review and data from WhiteSource to raise security alerts.
(WhiteSource is a New York-based open source software security specialist).
The releases come amid growing concern about open source security, including malicious open source library “trust attacks” involving the intentional contribution of malicious code into widely used but not robustly maintained libraries.
Seriously, just TURN IT ON NOW. If a merged green PR breaks something, there was a gap in your automated tests (and you should fill that gap ASAP, not turn off the auto bumps).
— Dino A. Dai Zovi (@dinodaizovi) May 29, 2019