Dependabot relieves alert fatigue from npm devDependencies

A new alert rules engine for Dependabot leverages alert metadata to identify and auto-dismiss up to 15% of alerts as false positives.

|
| 2 minutes

Over the past few months, we’ve made a number of improvements that make Dependabot smarter, quieter, and easier to work with, from pausing pull requests on inactive repositories to making alerts visible to more developers. Today, we’re addressing the alert fatigue problem with a new allow auto-dismissal function in Dependabot that safely reduces the volume of false positive alerts that can overwhelm developers and distract from legitimate vulnerabilities.

In this context, we’ve defined a false positive alert as one that is unlikely to be exploitable and may only have limited effects, such as long-running builds or tests. But what’s the most responsible way to identify a false positive? Senior Product Manager, Erin Havens, explains GitHub’s unique approach:

“Rather than over-index on one criterion like reachability or dependency scope, we’ve designed an alert rules engine that uses a rich set of complex, contextual alert metadata. This way, Dependabot can relieve alert fatigue while remaining vigilant about alerts that might put your software at risk.”

Today’s public beta release targets a commonly-cited source of false positives: npm devDependencies. Dependabot now assesses incoming alerts against a set of GitHub-curated rules that take into account how you’re using an npm devDependency, and the level of risk it may pose to your repository. “In ecosystems with lots of dependencies like npm, false positives can cascade through a project, burdening developers with needless noise,” explains Harry Marr, Senior Director of Software Engineering for GitHub supply chain security.

“By detecting and auto-dismissing false positives, today’s release will reduce the volume of npm alerts by approximately 15%, and marks the beginning of a series of ships that improve the relevance of alerts and relieve alert fatigue.”

How it works

Dependabot’s auto dismissal function is enabled by default for public repositories and can be enabled by administrators of private repositories on the Code Security page. When enabled, Dependabot will automatically dismiss false positive alerts and let you know via a special timeline event, supported in the audit log, webhook, REST, GraphQL, and alert-centric views. You can review auto-dismissed alerts with the resolution:auto-dismissed filter:

Allow auto-dismissal and review dismissed alerts on the Code Security page

What’s next?

This first application of alert rules for Dependabot addresses a common pain point for npm developers, with support for additional ecosystems coming soon. Please join us in the GitHub Community to share your feedback and ideas on how Dependabot can work better for you and other developers.

Learn more about alert rules

Written by

Related posts