GitHub Rolls Out Automatic Security Updates for Vulnerable Open Source Code


Welcomed new function comes a week after Dependabot acquisition


GitHub has enabled automatic security updates for known vulnerable open source dependencies in user repositories, a feature warmly welcomed by users.


The move comes just a week after the Microsoft-owned company bought Dependabot, which powers the functionality: integration has been rapid.


The automated fixes are available in repos that use the dependency graph.


When permitted to do so, GitHub automatically creates a pull request in a user’s repository. Users can also choose to create pull requests manually, upgrading dependencies only when they decide to, in case a fix would break code elsewhere.


The fixes are opened by the Dependabot GitHub App, which is automatically installed on every repository where automated security fixes are enabled.



Pro tip: you can now enable automatic security updates for known-vulnerable open source dependencies on your GitHub repos. Just go to the Security tab on your repo to turn it on. https://t.co/k3NWinTPpS pic.twitter.com/YeLBeebnLr


— Nat Friedman (@natfriedman) May 29, 2019


The GitHub automatic security updates come a week after the company also added WhiteSource data to its security vulnerability alerts system.


GitHub now uses MITRE’s Common Vulnerabilities and Exposures (CVE) List, code maintainer security advisories, a combination of machine learning and human rev ..