
GitHub Action for dependency review enforcement

A new GitHub Action enforces dependency review on pull requests: it scans the PR for dependency changes and flags any newly added dependency that has known security vulnerabilities, so the review can be made a required check. The action is backed by a new API endpoint that returns the dependency diff between any two revisions of a repository.

The dependency review action is available for use in public repositories. The action is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
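The gate the action applies can be reproduced offline from the diff the compare endpoint returns. The following is an added example written for this page, not the code of GitHub's dependency review action: it takes a constructed diff (one record per added or removed dependency, each carrying its advisories; the field names and the placeholder GHSA IDs are assumptions for the example) and reports which added dependencies would block the pull request at a chosen severity threshold. Removed dependencies are ignored even when they carry advisories, and an unrecognised severity string fails closed rather than being waved through.

```python
"""Evaluate a dependency diff the way a dependency-review gate would.

Added example; this is not GitHub's dependency review action. SAMPLE_DIFF is
a constructed diff modelled on the per-dependency records the compare endpoint
returns; its field names and GHSA IDs are assumptions for this example.
"""
from typing import Dict, List, Tuple

# Lower index = less severe. Anything not in this table is "unknown", and
# unknown is treated as more severe than everything listed (fail closed).
SEVERITY_RANK: Dict[str, int] = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed sample: one added package with a high-severity advisory, one
# added package with only a low-severity advisory, and one removed package
# whose (critical) advisory must not block the PR because it is going away.
SAMPLE_DIFF: List[dict] = [
    {
        "change_type": "added", "manifest": "package-lock.json", "ecosystem": "npm",
        "name": "example-parser", "version": "1.2.3",
        "vulnerabilities": [
            {"severity": "high", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxxx",
             "advisory_summary": "constructed advisory for the example"},
        ],
    },
    {
        "change_type": "added", "manifest": "package-lock.json", "ecosystem": "npm",
        "name": "example-logger", "version": "4.0.0",
        "vulnerabilities": [
            {"severity": "low", "advisory_ghsa_id": "GHSA-yyyy-yyyy-yyyy",
             "advisory_summary": "constructed low-severity advisory"},
        ],
    },
    {
        "change_type": "removed", "manifest": "package-lock.json", "ecosystem": "npm",
        "name": "example-old", "version": "0.9.0",
        "vulnerabilities": [
            {"severity": "critical", "advisory_ghsa_id": "GHSA-zzzz-zzzz-zzzz",
             "advisory_summary": "removed package; must not block the PR"},
        ],
    },
]

Finding = Tuple[str, str, str, str]  # (name, version, severity, advisory id)


def blocking_findings(diff: List[dict], fail_on_severity: str = "moderate") -> List[Finding]:
    """Return the added dependencies whose advisories meet the threshold."""
    if fail_on_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {fail_on_severity!r}")
    threshold = SEVERITY_RANK[fail_on_severity]
    unknown_rank = max(SEVERITY_RANK.values()) + 1
    findings: List[Finding] = []
    for change in diff:
        # Only dependencies the PR adds can introduce new exposure.
        if change.get("change_type") != "added":
            continue
        for vuln in change.get("vulnerabilities", []):
            severity = str(vuln.get("severity", "")).lower()
            # Fail closed: a severity we do not recognise is not a pass.
            rank = SEVERITY_RANK.get(severity, unknown_rank)
            if rank >= threshold:
                findings.append((change["name"], change["version"],
                                 severity, vuln.get("advisory_ghsa_id", "")))
    return findings


def review(diff: List[dict], fail_on_severity: str = "moderate") -> dict:
    """Gate decision: pass only when nothing added meets the threshold."""
    findings = blocking_findings(diff, fail_on_severity)
    return {"pass": not findings, "findings": findings}


if __name__ == "__main__":
    result = review(SAMPLE_DIFF)
    for name, version, severity, ghsa in result["findings"]:
        print(f"BLOCK {name}@{version}: {severity} ({ghsa})")
    raise SystemExit(0 if result["pass"] else 1)
```

Run as a script it exits non-zero when anything blocks, which is the behaviour a required status check needs; in a real workflow the diff would come from the compare endpoint for the PR's base and head commits rather than from the constructed sample.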


GitHub Advanced Security customers using secret scanning can now opt to receive a webhook each time a secret is detected in a new location. The secret_scanning_alert_location webhook event includes location details, like the commit SHA, and the associated alert for the detection. A location is created for every new file path containing the detected secret.
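A receiver for this event should check the delivery's HMAC signature before acting on anything in the body, since the payload names a commit and a file path that a downstream process will go and inspect. The following is an added example for this page, not GitHub's code: it verifies the X-Hub-Signature-256 header (HMAC-SHA256 of the raw request body under the webhook secret, compared in constant time), checks the event name and action, and extracts the commit SHA, path and alert number of the new location. The payload is constructed; its field layout follows the secret_scanning_alert_location event, but the specific values, the secret and the repository name are assumptions.

```python
"""Receive and validate a secret_scanning_alert_location webhook delivery.

Added example, not GitHub's code. The payload, secret and repository below
are constructed for this example; the field layout follows the
secret_scanning_alert_location event but should be treated as an assumption.
"""
import hashlib
import hmac
import json
from typing import Optional

WEBHOOK_SECRET = b"constructed-example-secret"  # the secret configured on the hook

# Constructed delivery body: a new location (a commit) for alert number 42.
SAMPLE_PAYLOAD = {
    "action": "created",
    "alert": {
        "number": 42,
        "secret_type": "example_token",
        "html_url": "https://github.com/example-org/example-repo/security/secret-scanning/42",
    },
    "location": {
        "type": "commit",
        "details": {
            "path": "config/settings.py",
            "start_line": 12, "end_line": 12, "start_column": 9, "end_column": 49,
            "blob_sha": "89abcdef0123456789abcdef0123456789abcdef",
            "commit_sha": "0123456789abcdef0123456789abcdef01234567",
        },
    },
    "repository": {"full_name": "example-org/example-repo"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256 for this body and secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check; a missing or malformed header is a failure."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def handle_event(headers: dict, body: bytes, secret: bytes) -> dict:
    """Return a record of the new secret location, or why it was rejected."""
    # Verify over the raw bytes, before parsing anything.
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return {"accepted": False, "reason": "bad signature"}
    if headers.get("X-GitHub-Event") != "secret_scanning_alert_location":
        return {"accepted": False, "reason": "unexpected event"}
    payload = json.loads(body)
    if payload.get("action") != "created":
        return {"accepted": False, "reason": "not a new location"}
    location = payload["location"]
    details = location.get("details", {})
    return {
        "accepted": True,
        "repository": payload["repository"]["full_name"],
        "alert_number": payload["alert"]["number"],
        "secret_type": payload["alert"]["secret_type"],
        "location_type": location["type"],
        "commit_sha": details.get("commit_sha"),
        "path": details.get("path"),
        "line": details.get("start_line"),
    }


if __name__ == "__main__":
    headers = {
        "X-GitHub-Event": "secret_scanning_alert_location",
        "X-Hub-Signature-256": sign(WEBHOOK_SECRET, SAMPLE_BODY),
    }
    print(handle_event(headers, SAMPLE_BODY, WEBHOOK_SECRET))
```

The signature is computed over the exact bytes received, so the handler must not re-serialise the JSON before verifying; any change to the body, including a one-word edit to the action, invalidates the signature and the delivery is dropped.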


Users of Dependabot version updates can now proactively update the dependencies of Flutter and Dart projects that use the pub package manager.

To test version updates on your own Dart or Flutter repo, add the following configuration file in .github/dependabot.yaml:

version: 2
enable-beta-ecosystems: true
updates:
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"

Note the package-ecosystem: "pub" and enable-beta-ecosystems: true flags.

Limitations

Support for pub is in beta and has known limitations. For example, security updates are not supported in this release; they will be added in a future release.

Other known limitations:

  • No support for updating git dependencies
  • If the newest version found is ignored by the Dependabot configuration, no update happens at all, even when an earlier, non-ignored version could have been used
  • No support for private package repositories

We want your feedback! Please open or vote on a comment in this discussion. You can get help troubleshooting by opening an issue on dependabot-core.

Special thanks to the Dart team for collaborating with us to make this happen.
