Dependency update with Dependabot  #5740

Open
@naveensrinivasan

Description

Background

Dependabot provides automated dependency updates for go, docker, and GitHub actions.

Security updates

Dependabot security updates make it easier for you to fix vulnerable dependencies in the repository. If this feature is enabled, when a Dependabot alert is raised for a vulnerable dependency in the dependency graph in the repository, Dependabot automatically tries to fix it.
https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates

Don't want the dependencies to be upgraded automatically

Dependabot opens a PR to the repository, which gives the team an opportunity to review the commit diffs between the version changes and decide whether to merge those changes or not.

Without this, it is hard to keep track of dependencies and their security posture and upgrades.

Here is an example of changes that Dependabot recommends:
https://github.com/naveensrinivasan/lnd/pulls

The recent fix for DNS #5738 is tracked and could have been compared much more easily with something like this: naveensrinivasan#5
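An added example of the `.github/dependabot.yml` that would enable the three update streams the issue mentions (go, docker, GitHub actions); this is not part of the issue or the lnd repository, and it assumes `go.mod` and the `Dockerfile` live at the repository root and workflows under `.github/workflows`.

```yaml
# Added example dependabot.yml (not from the issue or the lnd repository).
# Assumes go.mod and a Dockerfile at the repository root and workflow files
# under .github/workflows, which is where Dependabot looks for GitHub Actions.
version: 2
updates:
  # Go modules: one PR per bumped module, so the team can review the upstream
  # diff between the two versions before deciding whether to merge.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap concurrent PRs so a weekly batch stays reviewable.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    commit-message:
      prefix: "build(deps)"

  # Base images referenced by FROM lines in the root Dockerfile.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # Actions referenced by `uses:` in .github/workflows/*.yml.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

This file drives scheduled version updates only; Dependabot security updates (PRs opened in response to a Dependabot alert) are switched on separately in the repository's security settings and are not tied to the schedule above.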

Metadata

    Labels

    enhancement (Improvements to existing features / behaviour), github actions, security (General label for issues/PRs related to the security of the software)
