In this post, I'll exploit CVE-2023-3420, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
In 2022, Dependabot automatically generated more than 75 million pull requests, which developers used to keep their dependencies up-to-date and to address millions of specific vulnerabilities. Moving forward, Dependabot is getting a little smarter—and, a little quieter—by reducing bot-based noise from repositories based on your interaction with Dependabot.
We’ve been listening to your feedback and making Dependabot more focused on the repositories you care about. In addition to a recent ship to ensure Dependabot version updates are off-by-default for forks, as of today, Dependabot will now automatically cease creating pull requests on inactive repositories.
If Dependabot pull requests have been opened and rebased over time, but none of these pull requests have been merged, closed, or otherwise interacted with for 90 days, Dependabot will cease automated pull request activity and let you know.
This change does not affect Dependabot alerts and their subsequent notifications. There’s also no change to manually requested Dependabot pull requests, which can still be generated from a Dependabot alert’s details page.
This change only applies to repositories where Dependabot pull requests exist but remain untouched. In other words, Dependabot will continue to automatically open and update pull requests until all the following criteria are true for at least 90 days:
- Has not had a Dependabot PR merged
- Has not had changes made to the Dependabot config file
- Has not had any @dependabot comment-ops performed
- Has not had any Dependabot PRs closed by the user
- Has received at least one Dependabot PR before the 90 day window
- Has at least one Dependabot PR open at the end of the 90 day window
- Has had Dependabot enabled for this entire period
Dependabot will also stop automatically rebasing pull requests after 30 days.
Dependabot will add a notice to the body of all open Dependabot pull requests and add a
dependabot-paused label to them. Dependabot will also add a banner notice in the UI of your repository settings page (under “Dependabot”), as well as your Dependabot alerts page (if Dependabot security updates are affected).
Once you (so, not Dependabot) perform any of the following actions while Dependabot is paused, it will unpause itself:
- Merge a Dependabot pull request
- Close a Dependabot pull request
- Make a change to the Dependabot config file
- Manually trigger a security update
- Manually trigger a version update
- Enable security updates
- Use @dependabot commands on pull requests
This change will start to roll out today, expanding through January 2023 to include all repositories owned by individuals and by organizations with free and Team plans.
Shortly thereafter, it will roll out to GitHub Enterprise Cloud and GitHub Enterprise Server customers, where this improvement has the added benefit of enhanced efficiency with your self-hosted GitHub Actions runners.
Moving forward, we will continue to work on making every Dependabot alert and pull request more relevant (with some larger undertakings currently underway, based on your feedback). Please continue to share your feedback on Dependabot–we’re listening!