GitHub — Automated security updates that automatically resolve vulnerabilities
Introduction
If you push source code to GitHub, GitHub sends you an alert email when the repository contains vulnerable packages. That is never welcome, and for a repository you are no longer actively developing it can be tedious to find the affected code and update the package. In that situation you can use automated security updates to have GitHub do the work up to opening a pull request, and respond simply by merging it on the GitHub screen.
What are automated security updates?
“Easily update vulnerable dependencies with automatic or manual pull requests.”
Some cases are not handled
There are some things Dependabot cannot handle, for example when another package depends on the vulnerable package. In that case you need to update manually.
Checking that the update works is at your own risk
Naturally, nothing verifies that the project still works after the update. If you maintain the source code, you need to make sure the master branch works. So in the end you still need to clone the repository into your own environment, but I think it is still easier.
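As an added example (not part of the original post), a minimal GitHub Actions workflow that runs the project's test suite on every pull request, including the ones Dependabot opens for security updates, so the master branch is checked before you merge; it assumes a Node project with a package-lock.json and an `npm test` script.

```yaml
name: CI

# Run on every pull request, which includes the PRs Dependabot opens
# for automated security updates, and on pushes to master.
on:
  pull_request:
  push:
    branches: [master]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Assumption: the repository is a Node project with a package-lock.json
      # and an "npm test" script; adapt these two commands to your ecosystem.
      - run: npm ci
      - run: npm test
```

If you also mark this check as required in the repository's branch protection rules, a Dependabot pull request whose tests fail cannot be merged from the GitHub screen.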
Conclusion
Whether to rely this heavily on a single service is up to each developer's judgement; for my part, I want to leave to GitHub what GitHub can do.