For GitHub there's Dependabot, which has now been acquired by GitHub and hence is absolutely free for GitHub users and doesn't need an external dashboard. Dependabot submits PRs when a new version of a package is available and raises alarms if there's a security issue.
I tried Snyk and it seemed annoying because some issues it found weren't exactly issues, had no fix and no way to ignore them (maybe there is and I just couldn't find it). Anyway, Dependabot is much quieter in this sense :-)
I've used Dependabot but I don't think it's enough. Yes, it submits PRs, but if the fix is not something in your dependencies directly, then it doesn't help much. Plus, there are some issues that Dependabot doesn't catch for some reason.
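For readers who want to see what the Dependabot setup the thread is talking about looks like, here is an added example of a `.github/dependabot.yml` that turns on version-update PRs, limits noise with an ignore rule, and explicitly asks for transitive (indirect) dependencies to be covered as well. It is illustrative, not configuration taken from any of the commenters' repositories; the `npm` ecosystem, the `/` directory and the `lodash` package name are assumptions chosen for the example.

```yaml
# .github/dependabot.yml -- added example, not from the comment thread.
# Ecosystem, directory and package names below are assumptions for illustration.
version: 2
updates:
  - package-ecosystem: "npm"      # assumed: a Node project with package-lock.json
    directory: "/"                # assumed: manifest lives at the repo root
    schedule:
      interval: "weekly"          # one batch of version-update PRs per week
    open-pull-requests-limit: 5   # cap concurrent PRs to keep the queue manageable
    allow:
      - dependency-type: "all"    # include indirect (transitive) deps, not only direct ones
    ignore:
      # Suppress major-version bumps for one assumed package without muting
      # its security alerts; Dependabot security updates are configured
      # separately in the repository's security settings.
      - dependency-name: "lodash"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"
```

The `allow` block with `dependency-type: "all"` is the knob to reach for when, as in the last comment above, the vulnerable package is not one you depend on directly; whether Dependabot can actually bump it still depends on the ecosystem having a lockfile it can rewrite.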