The latest articles on DEV Community by Oleksandr Prokhorenko (@djminikin). https://dev.to/djminikin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3881987%2Fa850c659-e354-43bd-94cc-1883bb2c36e5.jpg https://dev.to/djminikin en Oleksandr Prokhorenko Thu, 16 Apr 2026 08:39:31 +0000 https://dev.to/djminikin/the-dependency-vulnerability-gap-that-cicd-cant-fix-hhn https://dev.to/djminikin/the-dependency-vulnerability-gap-that-cicd-cant-fix-hhn <p>Every project I’ve worked on has the same setup: osv-scanner or Dependabot wired into CI, which fails the build if a known CVE is found. It feels complete. It isn't.</p> <p>Here’s the gap: CI runs at push time. CVEs are published continuously.</p> <p>If a vulnerability is disclosed in express, serde, or requests the day after your last commit, your CI pipeline won't catch it until your next push. For a team that deploys once a week, that's up to seven days of running known-vulnerable software in production with no alert, no PR, no indication that anything is wrong.</p> <p><strong>Why Dependabot doesn’t fully solve this</strong><br> Dependabot is genuinely useful, and I’m not dismissing it. But it has real constraints:</p> <p>It only works on GitHub-hosted repositories</p> <p>It supports around 10 ecosystems</p> <p>It watches only the default branch (main/master)</p> <p>It opens PRs, which is great for planned maintenance, but not for “you’re vulnerable right now, act fast.”</p> <p>If you’re on GitLab, self-hosted Gitea, or running a polyglot monorepo with a mix of Rust, Python, and Go, you’re largely on your own.</p> <p><strong>The AI coding tools problem makes this worse</strong></p> <p>AI coding assistants: Claude. Copilot and Cursor introduce dependencies faster than most developers can review them. That’s not a criticism; it’s just the nature of the tooling. But these assistants have a training cutoff. They are unaware of CVEs published after that date.</p> <p>Concretely, an AI agent suggests <a href="mailto:somepackage@2.1.0">somepackage@2.1.0</a>. At the time, it was suggested that no known vulnerabilities existed. Three weeks later, a CRITICAL CVE is published. Your CI pipeline has no reason to re-run. Nobody gets a notification. You find out when a user files a report.</p> <p>The problem isn’t that the AI made a bad suggestion. The problem is that there’s no continuous monitoring layer watching for changes after the fact.</p> <p>The right mental model isn’t “scan at push time.” It’s “watch continuously and alert when the threat landscape changes.”</p> <p><strong>The gap, summarised</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6p6liduogiyt26qgpt90.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6p6liduogiyt26qgpt90.png" alt=" " width="800" height="160"></a></p> <p><strong>What we built</strong></p> <p>We built <a href="https://oppsy.dev/" rel="noopener noreferrer">Oppsy</a> specifically to fill this gap. You upload a lock file, configure a notification channel, and we recheck your dependencies whenever the OSV database is updated. New CVE at 3 am? You’ll know by morning.</p> <p><a href="https://oppsy.dev/" rel="noopener noreferrer">It’s launching in summer 2026. The waitlist is open now — it’s free to join.</a></p> <p>If this resonates, I’d be curious whether the notification channel matters to you. Is Slack the obvious choice, or does your team live somewhere else?</p> automation cicd devops security