
OMFG... Dependabot is free now. Close your security vulnerabilities faster than ever!

Cubicle Buddha
TypeScript nut + head writer at CubicleBuddha.com (other loves are cats, my wife, comic books, and VGs)
・2 min read

If you want to be a productive programmer you likely want to take advantage of libraries, plugins, and frameworks that other people have made. Why not stand on the shoulders of giants, right? Libraries like lodash and redux have been pounded on for years, so it generally makes sense to take advantage of quality that’s been built up over years of commits. Unfortunately there’s a dark side effect of all of this sharing... security vulnerabilities.

It’s not as common as haters of NodeJS/NPM would like you to believe, but vulnerabilities do crop up in popular libraries. Thanks to the bounty prizes that NPM makes available, customers of NPM Enterprise find out about exploits sooner than the general public. But you say, “wait— I don’t pay for NPM Enterprise... so what about me?” That’s where Dependabot comes in.

Dependabot will automatically open a pull request against your GitHub repository and attempt to merge that PR if the unit tests pass. That means that as soon as a fix for a vulnerability is published... your code is going to get the fix.

I’m all about living in the present but still protecting the future. In fact, that’s one of the core topics at CubicleBuddha.com. So that’s why I use Dependabot to help me do the minimum amount of work to stay vigilant. I’ve heard it said that the best programmers are the laziest ones— because those are the programmers who will find a creative way to do less work. Jokes aside: time is precious, so why not spend more of it creating features that help your users?

Other reasons you should care to use Dependabot:

  • your favorite UI widget library fixes an accessibility issue and you get that improvement out to your users quickly, for free
  • you work at a big company and you want to make sure all of your teams stay on a consistent version of a private library. Dependabot can save you tons of meetings and governance

So now that Dependabot is free (thanks GitHub and Microsoft!), go integrate it into your repo and enjoy getting back to your life. :)
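To make the "integrate it into your repo" step concrete, here is a configuration file I have added as an example; it is not from the original post or from Dependabot's own documentation. It assumes the GitHub-native Dependabot that shipped after the acquisition, which reads `.github/dependabot.yml` (the service the post describes used an older, separate config format), and it assumes an npm project whose `package.json` sits at the repository root.

```yaml
# .github/dependabot.yml  (added example, not part of the original post)
version: 2
updates:
  # Check npm dependencies in the repo root every day so a patched
  # release is picked up soon after it is published.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    # Cap the number of open Dependabot PRs so the CI queue stays manageable.
    open-pull-requests-limit: 5
    # Label the PRs so branch-protection rules or a merge workflow can
    # recognise them.
    labels:
      - "dependencies"
    # Major version bumps are the ones most likely to break the build or
    # change behaviour; keep them out of the automatic stream so they get
    # a human review. Patch and minor bumps still flow through.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Two things this file does not do, and which you configure elsewhere: the vulnerability-driven updates the post is about are switched on per repository under the Security settings ("Dependabot security updates"), and the "merge if tests pass" behaviour is enforced by branch protection that requires your CI status checks before merging, rather than by a key in this file. That matters for the threat the post is defending against: a compromised upstream release would arrive through exactly this channel, so the tests gating the merge are the last check before foreign code lands in your default branch.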

Discussion (6)

Corey Alexander

I can't say enough good things about Dependabot! It's a great service and every time I've reached out with an issue they've got it fixed super quickly!

Just this weekend I was having an issue with automerging and the founder responded to my GitHub comment within a few hours and we had the situation sorted! And that's probably the 5th time I've had almost identical interactions!

Congrats so much to them for the acquisition!

Cubicle Buddha Author

That’s so wonderful to hear! :)

Comment deleted
Cubicle Buddha Author

I’m not sure I understand what you mean?

Burdette Lamar

Hi CB. Check this: en.wiktionary.org/wiki/OMFG

intrnl

It's a sign of shock, nothing's wrong with that?