
Github bot @dependabot fixes security vulnerabilities

wolfiton on March 17, 2020

Hi everyone, today I want to write about @dependabot, Github's automatic dependency bot updater that will keep your project dependencies up to dat...
Jan Küster

I like this automation of version bumps but I'd really like to have it update the top-level dependant. In most cases the vulnerable packages are not the ones in the top level but x-levels deep. However, at the time the fixes are available through the bots, they are often fixed in the top level dependencies so ultimately I will update them anyway next time. Has anyone experience with configuring a bot to behave in this way?

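Jan's point above is that the vulnerable package usually sits several levels down, so the actionable question for a maintainer is which direct dependency pulls it in and therefore needs the bump. The script below is an added example, not code from the post or from @dependabot; it walks a constructed lockfile-style dependency graph (all package names are made up) and reports, for a given vulnerable package, each direct dependency whose tree contains it, together with the chain through which it is reached.

```python
"""Find which top-level (direct) dependencies pull in a vulnerable
transitive package.

Added example, not from the post: the graph below is a constructed,
lockfile-like map of package -> dependencies. In a real project it would
be parsed from package-lock.json, Gemfile.lock or similar.
"""
from collections import deque

# Constructed dependency graph (hypothetical package names).
LOCK_GRAPH = {
    "web-framework": ["template-engine", "http-parser"],
    "template-engine": ["string-utils"],
    "http-parser": [],
    "test-runner": ["string-utils", "cli-colors"],
    "string-utils": ["tiny-escape"],
    "tiny-escape": [],
    "cli-colors": [],
    "build-tool": [],
}

# Direct dependencies declared in the project's manifest (constructed).
TOP_LEVEL = ["web-framework", "test-runner", "build-tool"]


def dependency_path(graph, root, target):
    """Return the shortest chain root -> ... -> target as a list of package
    names, or None if target is not reachable from root.

    Breadth-first search; the visited set guards against cycles, which
    real lockfiles can contain (peer and optional dependencies)."""
    queue = deque([[root]])
    visited = {root}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            return path
        for child in graph.get(node, []):
            if child not in visited:
                visited.add(child)
                queue.append(path + [child])
    return None


def affected_top_level(graph, top_level, vulnerable):
    """Map each direct dependency that transitively depends on `vulnerable`
    to the chain through which it is pulled in. Direct dependencies whose
    tree does not contain the package are left out."""
    result = {}
    for dep in top_level:
        path = dependency_path(graph, dep, vulnerable)
        if path is not None:
            result[dep] = path
    return result


if __name__ == "__main__":
    # Which direct dependencies need a bump to get rid of "tiny-escape"?
    for direct, chain in affected_top_level(LOCK_GRAPH, TOP_LEVEL, "tiny-escape").items():
        print(f"{direct}: {' -> '.join(chain)}")
```

The output lists only the direct dependencies that matter (here `web-framework` and `test-runner`, while `build-tool` is untouched), which is the list a maintainer would check for a newer release that already pulls in the fixed transitive version. The graph walk is tool-agnostic, so the same function works whatever bot or lockfile format produced the data.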
Jan Küster

Okay, I just realized that's actually exactly what Greenkeeper or david-dm do :-)

Sharad Raj (He/Him)

I had a similar experience with my Jekyll theme with gem versions.

wolfiton • Edited

Thanks @ryanwestlund for sharing your opinion on @dependabot. What has impressed you the most regarding @dependabot?

The automation? The multi-language support?

wolfiton • Edited

Interesting @rob, I haven't pushed the PR yet.

Thanks for the explanation and your experience with @dependabot.