There is a security issue, and here is how to fix it!

Today I received an alert mail from GitHub Dependabot. One of my demo projects on GitHub has a dependency on bootstrap. Here is what the mail looks like:

It seems my project has a dependency on a version of bootstrap that has a known security vulnerability that allows a XSS attack. But not only does GitHub inform you, if you use a dependency in your open source project – it also provides you with a solution. Dependabot automatically creates a Pull-Request that fixes the issue!

With one click on Merge pull request I can fix the issue.

I could also get Dependabot to do certain things by commenting on the PR. For example:

@dependabot rebase

Dependabot will then rebase the changes on master

@dependabot merge
@dependabot squash and merge

Will merge this PR after your CI passes on it

@dependabot close
@dependabot reopen

Will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually. Reopen the PR with the reopen command.

@dependabot use these [labels|reviewers|assignees|milestone]

Tells Dependabot to use the current [labels|reviewers|assignees|milestone] as a default for future PRs.

Isn’t that awesome? I’m really impressed. That`s the experience I want to have. Tell me there is a security issue AND provide me a fix!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s