There is a security issue, and here is how to fix it!

Today I received an alert mail from GitHub Dependabot. One of my demo projects on GitHub has a dependency on bootstrap. Here is what the mail looks like:

It seems my project depends on a version of bootstrap that has a known security vulnerability allowing an XSS attack. But GitHub does not merely inform you when your open source project uses a vulnerable dependency – it also provides you with a solution. Dependabot automatically creates a pull request that fixes the issue!

With one click on Merge pull request I can fix the issue.
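To make the two halves of that experience concrete (the alert and the fix), here is an added example, not code from the original post or from Dependabot itself. It performs the check an alert is based on: each pinned dependency in a package.json is compared against an advisory's affected version range, and a fixed manifest is produced the way a Dependabot pull request would bump the version. The package.json contents, the advisory entry and its version range are constructed placeholders; they are not the real bootstrap advisory.

```python
"""
Added example (not from the original post): a minimal version of the check
behind a Dependabot alert, plus the manifest change a fix PR would make.
All advisory data below is CONSTRUCTED for illustration; the version range
and patched version are placeholders, not the actual bootstrap advisory.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed package.json (stands in for the demo project's manifest).
PACKAGE_JSON = """
{
  "name": "demo-project",
  "dependencies": {
    "bootstrap": "3.3.7",
    "jquery": "3.5.1"
  }
}
"""

# Constructed advisory list. Real advisories come from the GitHub Advisory
# Database; the range and fix version here are placeholders only.
ADVISORIES = [
    {
        "package": "bootstrap",
        "summary": "PLACEHOLDER: cross-site scripting (XSS)",
        "vulnerable": ">=3.0.0 <3.4.0",   # placeholder affected range
        "patched": "3.4.0",                # placeholder fix version
    },
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a plain numeric version such as '3.3.7' (optionally prefixed with
    ^, ~, = or v) into a tuple that compares element by element.
    Pre-release suffixes are deliberately not handled in this example."""
    v = v.lstrip("^~=v ")
    return tuple(int(p) for p in v.split(".")[:3])


def in_range(version: str, spec: str) -> bool:
    """Evaluate a space-separated list of comparators, e.g. '>=3.0.0 <3.4.0'.
    All clauses must hold (they are ANDed), as in npm range syntax."""
    ver = parse_version(version)
    ops = {
        ">=": lambda a, b: a >= b,
        "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b,
        "<": lambda a, b: a < b,
        "=": lambda a, b: a == b,
    }
    for clause in spec.split():
        m = re.match(r"(>=|<=|>|<|=)(.+)", clause)
        if not m:
            raise ValueError(f"bad comparator: {clause}")
        op, bound = m.groups()
        if not ops[op](ver, parse_version(bound)):
            return False
    return True


def find_vulnerable(package_json: str, advisories: List[dict]) -> List[Dict[str, str]]:
    """Return one finding per dependency whose pinned version is inside an
    advisory's affected range. This is the alert half of the workflow."""
    deps = json.loads(package_json).get("dependencies", {})
    findings = []
    for adv in advisories:
        pinned = deps.get(adv["package"])
        if pinned and in_range(pinned, adv["vulnerable"]):
            findings.append({
                "package": adv["package"],
                "installed": pinned,
                "patched": adv["patched"],
                "summary": adv["summary"],
            })
    return findings


def bump_dependency(package_json: str, package: str, new_version: str) -> str:
    """Produce the manifest a fix PR would contain: same file, one version bumped.
    This is the fix half of the workflow."""
    data = json.loads(package_json)
    data["dependencies"][package] = new_version
    return json.dumps(data, indent=2)


if __name__ == "__main__":
    for f in find_vulnerable(PACKAGE_JSON, ADVISORIES):
        print(f"{f['package']} {f['installed']} is affected: {f['summary']}"
              f" -> upgrade to {f['patched']}")
    print(bump_dependency(PACKAGE_JSON, "bootstrap", ADVISORIES[0]["patched"]))
```

Running the script reports the constructed bootstrap pin as affected and prints the bumped manifest; running find_vulnerable again over that bumped manifest yields no findings, which is exactly the state merging the Dependabot pull request leaves the project in.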

I could also get Dependabot to do certain things by commenting on the PR. For example:

@dependabot rebase

Dependabot will then rebase the changes on master.

@dependabot merge
@dependabot squash and merge

Either will merge this PR once your CI passes on it.

@dependabot close
@dependabot reopen

Will close this PR and stop Dependabot from recreating it. You can achieve the same result by closing it manually. Reopen the PR with the reopen command.

@dependabot use these [labels|reviewers|assignees|milestone]

Tells Dependabot to use the current [labels|reviewers|assignees|milestone] as a default for future PRs.

Isn't that awesome? I'm really impressed. That's the experience I want to have: tell me there is a security issue AND provide me a fix!
