Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Automated dependency alerts and updates with Dependabot #134

Open
rliberoff opened this issue Aug 21, 2024 · 0 comments
Open

Automated dependency alerts and updates with Dependabot #134

rliberoff opened this issue Aug 21, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@rliberoff
Copy link
Member

It can be overwhelming to stay on top of the latest security considerations for every dependency ENMARCHA has.

To reduce this overhead, GitHub provides Dependabot alerts that watch dependecy grpahs for us. It then cross-references target versions with versions on known vulnerability lists. When a risk is discovered, the project is alerted. Input for the analysis comes from GitHub Security Advisories.

A dependency alert can lead to a project contributor bumping the offending package reference to the recommended version and creating a pull request for validation. However this could be automates with Dependabot, which scans for dependency alerts and creates pull requests so that a contributor can validate the update and merge the request.

More information here: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

@rliberoff rliberoff added the enhancement New feature or request label Aug 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

1 participant