The GitHub Advisory Database now includes curated security advisories on Erlang [Hex], Elixir, and more. This brings the Advisory Database to nine supported ecosystems, including: Composer, Go, Maven, npm, NuGet, pip, RubyGems and Rust.
Support for this ecosystem in the dependency graph and Dependabot alerts will be available in the future.
GitHub's Advisory Database now supports listing malware advisories. You can see them by searching "type:malware" on https://github.com/advisories.
If you have enabled Dependabot alerts on your repositories, GitHub will send Dependabot alerts for malware automatically. Note that Dependabot does not send update pull requests for malware as the only resolution is to delete the package and find an alternative.
When you visit the GitHub Advisory Database, you can now search for any historical advisory recognized by the National Vulnerability Database.
Previously, we only displayed advisories from our supported ecosystems. We then expanded to have an Unreviewed category for advisories that do not belong to those ecosystems, and we've been auto-publishing new advisories to this category since.
We've now backfilled our database to include all historical advisories from prior years, so you can find any advsiory you may be searching for regardless of publication date. This brings us to over 160 thousand advisories, and counting! You can browse them by clicking the "All unreviewed" button or by searching "type:unreviewed" in the search bar.
In February 2022, we launched a new feature called community contributions to security advisories.
We have made a handful of changes to the UX based on your feedback:
