April 16, 2021 06:46 am GMT

Fix Open Source Vulnerabilities AUTOMATICALLY with Dependabot

Keeping your dependencies updated is one of the easiest ways to keep the software you build secure. Unfortunately, it is also one of the most overlooked.

Luckily for us, GitHub Dependabot can help with this, by updating your dependencies automatically, so you can spend less time updating dependencies and more time building.

How does Dependabot work?

Let's quickly see how Dependabot works and then we'll see how to enable and use it.

First, Dependabot pulls down your dependency files and looks for any outdated or insecure requirements.

Then, if any of your dependencies are out-of-date, Dependabot opens individual pull requests to update each of them.

Finally, you can check that your tests pass, scan the included changelog and release notes, and if everything looks ok, merge the changes back to your code.

How to Enable Dependabot?

Enabling Dependabot is really easy.

Enable Dependabot

First, go to the Security tab of your repository, then click on the Enable Dependabot Alerts button.

At this point another screen will appear:

Second step

The first button you have to click on to enable Dependabot on your repository is the one I've highlighted in red. Technically, this is all you need to have Dependabot enabled and looking for vulnerabilities.

However, we want to take this a step further.

If you click on the other button, the one highlighted in green, Dependabot will be able to automatically create pull requests for you to fix your vulnerable dependencies!

That's what we want, isn't it?
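The two buttons above cover alerts and security updates. Dependabot can also keep dependencies current before an advisory is published, which is configured with a `.github/dependabot.yml` file checked into the repository. The following is an added example, not from the original post, and assumes an npm project at the repository root plus GitHub Actions workflows under `.github/workflows`:

```yaml
# .github/dependabot.yml (added example, not from the original post)
# Assumes an npm project at the repository root and GitHub Actions workflows.
version: 2
updates:
  # Keep npm dependencies current; one pull request per outdated package.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap concurrent open PRs so the review queue stays manageable.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"

  # Actions used in CI are dependencies too; pin and update them the same way.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"
```

Each resulting pull request should still be checked the way the post describes: tests pass, changelog and release notes reviewed, then merge.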

Video

Alright, enough talking... let's see this in practice.

Link to the video: https://youtu.be/ijPoIfQWypQ

Conclusions

Let me know in the comment section below if you want to see more about Dependabot or if you have any questions about it.

Also you may want to check out this video here, where I talk about GitHub Code Scanning (which complements Dependabot in many ways).



Original Link: https://dev.to/n3wt0n/fix-open-source-vulnerability-automatically-with-dependabot-4igm
