Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

GitHub Helps Developers Keep Dependencies Secure via Dependabot

Microsoft-owned GitHub informed developers on Thursday that they can easily ensure that the dependencies used by their applications are always secure and up to date through an integration of its Security Advisory API with Dependabot.

Microsoft-owned GitHub informed developers on Thursday that they can easily ensure that the dependencies used by their applications are always secure and up to date through an integration of its Security Advisory API with Dependabot.

Created by London-based developer Grey Baker, Dependabot is a management tool that helps GitHub users keep their dependencies up to date. The tool checks a user’s dependency files every day and creates pull requests in case an update is available. Users can manually review the requests and merge them, or they can configure Dependabot for automatic merger based on certain criteria.

Dependabot now also integrates with GitHub’s Security Advisory API, which gives users access to its “carefully curated” database of vulnerabilities. According to GitHub, the Security Advisory service was used last year to send out over 10 million alerts related to more than 1,000 flaws.

By tapping into the Security Advisory API, Dependabot can check if a project’s dependencies are affected by any known vulnerabilities and create pull requests for updates. Dependabot includes support for Ruby, JavaScript, PHP, Java, Python, .NET, Rust and Elixir security advisories.

Ensuring that dependencies are always updated is not an easy task if an automated system is not used. For example, Baker pointed out that JavaScript has 30 direct dependencies and 712 indirect dependencies. Ruby has a total of 125 dependencies, Rust has 98, PHP has 73, and Python has 68.

“Dependabot automatically creates pull requests in response to security advisories. Every day it pulls down your dependency files, parses them, and checks for any out-of-date or insecure dependencies. If it finds any it creates a pull request on GitHub, isolating the specific dependency that needs updating, with details of what has changed,” Baker explained.

In order to make it easier for developers to decide if they want to merge a pull request, information is provided on the continuous integration (CI) pass rate for all projects performing a certain update. If the pass rate is high, developers can be more confident in their decision to merge.

“A typical ruby project (with 38 top-level dependencies) normally receives two dependency updates a week. Of those updates, 94% are non-breaking, which means that on average you’ll only need to write any code in response to a dependency update once every two months. The rest of the time you can just click “merge” and work with secure, up-to-date dependencies,” Baker said.

Dependabot is free for open source and personal projects, and companies have to pay between $15 and $100 per month to ensure that their dependencies are always up to date.

Related: GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries

Related: GitHub to Warn Users on Compromised Passwords

Related: Support for Python Packages Added to GitHub Security Alerts

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...