Today I received an alert mail from GitHub Dependabot. One of my demo projects on GitHub has a dependency on bootstrap. Here is what the mail looks like:
It seems my project depends on a version of bootstrap with a known security vulnerability that allows an XSS attack. But GitHub not only informs you when a dependency in your open source project is affected; it also provides you with a solution. Dependabot automatically creates a pull request that fixes the issue!
With one click on Merge pull request I can fix the issue.
I could also get Dependabot to do certain things by commenting on the PR. For example:
Dependabot will then rebase the changes on master
@dependabot merge
@dependabot squash and merge
Will merge this PR after your CI passes on it
@dependabot close
@dependabot reopen
Will close this PR and stop Dependabot from recreating it. You can achieve the same result by closing it manually. Reopen the PR with the reopen command.
@dependabot use these [labels|reviewers|assignees|milestone]
Tells Dependabot to use the current [labels|reviewers|assignees|milestone] as a default for future PRs.
Isn't that awesome? I'm really impressed. That's the experience I want to have: tell me there is a security issue AND provide me with a fix!