The following is a guest post written by Dependabot’s co-founder, @greystiel.
Modern software often relies on hundreds of open source components, all of which need to be kept secure. Staying on top of security vulnerabilities in those dependencies requires constant vigilance, and the results of neglecting them can be catastrophic. Dependabot taps into the GitHub Security Advisory API to automate the process and create pull requests to fix vulnerabilities as they’re found.
|Source: Applications monitored by Dependabot
With so many dependencies it’s inevitable that security vulnerabilities creep in, and any one of them could be critical. Thankfully, GitHub’s Security Alerts help automate the process of monitoring your dependencies for vulnerabilities. With Security Alerts in place, GitHub sent over 10 million alerts to projects, related to over 1,000 vulnerabilities in 2018.
Along with automating your monitoring process, we introduced the Dependabot app to help check for security advisories in dependency files. Dependabot automatically creates pull requests in response to security advisories. Every day it pulls down your dependency files, parses them, and checks for any out-of-date or insecure dependencies. If it finds any it creates a pull request on GitHub, isolating the specific dependency that needs updating, with details of what has changed.
Dependabot doesn’t just create pull requests for security vulnerabilities—by default, it will create pull requests whenever an update is available. This brings an iterative approach to dependency management.
To help ensure those newly created pull requests are easy to merge, Dependabot shares the CI pass rate for all projects performing the same update using a badge on the pull request. For example, in a pull request updating Rails from 5.2.1 to 126.96.36.199 Dependabot reports that the update was passing CI on 97% of projects. With this information, you can merge with more confidence, and also see how other (open source) projects are dealing with any breaking changes.
Wondering how much work it is to stay up-to-date? A typical ruby project (with 38 top-level dependencies) normally receives two dependency updates a week. Of those updates, 94% are non-breaking, which means that on average you’ll only need to write any code in response to a dependency update once every two months. The rest of the time you can just click “merge” and work with secure, up-to-date dependencies.