danguera / security-strategy-essentials

https://lab.github.com/githubtraining/security-strategy-essentials
MIT License

Add Dependabot to your repository #4

Closed. github-learning-lab[bot] closed this issue 2 years ago.

github-learning-lab[bot] commented 2 years ago

Automated dependency updates with Dependabot

Manually going through your dependencies for alerts and outdated versions is tedious work. Let's automate this process!

Meet Dependabot


Dependabot alerts you and creates pull requests to keep your dependencies secure and up-to-date!

How does Dependabot work?

Dependabot is the actor for GitHub's automated security updates.

  1. GitHub uses the dependency graph and security alerts to scan your repository and notify you of potential dependency updates
  2. If any dependencies are out-of-date, Dependabot opens a pull request to update each one
  3. If tests pass, and the updated version looks good, you simply merge the pull request

Configuring Dependabot security updates

You can enable automated security updates for any repository that uses security alerts and the dependency graph. You can disable automated security updates for an individual repository or for all repositories owned by your user account or organization. GitHub will automatically enable automated security updates in every repository that uses security alerts and the dependency graph.

[Screenshot: a Dependabot alert for the debug dependency]

Here, we have a security alert on the debug dependency. Clicking on debug will show you the pull request created by Dependabot to update the dependency. We just updated to 2.6.9 but Dependabot noticed we are still outdated.

If you navigate to your closed pull requests, you'll notice Dependabot has done its job and is trying to bump, or update, the version of debug.

Close this issue when done.

I'll respond below when you close the issue.
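A worked Dependabot configuration, added here as an example; it is not part of the course repository or of the bot comment above. The security updates the comment describes are switched on in the repository's settings, not in a file. A `.github/dependabot.yml` like the one below configures the other half of Dependabot, version updates, which open pull requests for outdated dependencies on a schedule whether or not a security alert exists. The npm ecosystem is assumed from the `debug` package named above; the PR limit, label, commit prefix and ignore rule are illustrative settings, not values taken from the course.

```yaml
# .github/dependabot.yml (added example; not from the course repository)
version: 2
updates:
  # npm is assumed because the course's example dependency, debug, is an npm package
  - package-ecosystem: "npm"
    # directory holding package.json, relative to the repository root
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of open Dependabot PRs so a large tree does not flood the repo
    open-pull-requests-limit: 5
    # Only update dependencies declared in package.json, not every transitive lockfile entry
    allow:
      - dependency-type: "direct"
    # Illustrative: leave major version bumps for a manual review
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    # Illustrative label and commit prefix so Dependabot PRs are easy to filter in the PR list
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
```

Commit the file to the default branch; Dependabot reads it from there and starts opening pull requests on the next scheduled run. A pull request that fails CI is the signal to look at the changelog before merging rather than to merge and see.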

github-learning-lab[bot] commented 2 years ago

Nice job getting to know Dependabot.


Let's learn about adding a SECURITY.md policy to your repository. Navigate to your next issue.