A bit of Googling showed that GitHub has started to automatically scan repositories for outdated dependencies with known security vulnerabilities. Clicking on the alert shows which packages are affected.
GitHub also helpfully shows exactly what the vulnerabilities are.
Automated Security Fix
What's even better is the automated security fix feature. You will need to turn it on for your repository, though. If you choose not to enable automated fixes, you can still trigger a fix manually using the "Create automated security fix" function.
A pull request will then be generated automatically.
While it is nice that GitHub generates security fixes, we should not depend on third parties for our project's security. Use a tool such as yarn audit to keep your project constantly up to date and secure.
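As an added example (not part of the original post), here is a hypothetical CI gate around yarn audit. It assumes yarn v1, whose exit status is a bitmask of the severities it found (1 = info, 2 = low, 4 = moderate, 8 = high, 16 = critical), and it decodes that mask itself so the build fails only at or above a chosen severity.

```shell
#!/bin/sh
# Hypothetical CI gate around `yarn audit` (yarn v1); example code, not from the post.
# Assumption: yarn audit exits with a bitmask of the severities it found
# (1 = info, 2 = low, 4 = moderate, 8 = high, 16 = critical), so the gate
# decodes the mask and fails the build only at or above a threshold.

# Map a severity name to its bit in the yarn audit exit mask.
severity_bit() {
  case "$1" in
    info)     echo 1 ;;
    low)      echo 2 ;;
    moderate) echo 4 ;;
    high)     echo 8 ;;
    critical) echo 16 ;;
    *) echo "unknown severity: $1" >&2; return 1 ;;
  esac
}

# List the severity names encoded in an exit mask, lowest first.
describe_mask() {
  mask=$1; out=""
  for name in info low moderate high critical; do
    bit=$(severity_bit "$name")
    if [ $(( (mask / bit) % 2 )) -eq 1 ]; then out="$out $name"; fi
  done
  echo "${out# }"
}

# Return 0 (fail the build) when the mask has any bit at or above the threshold.
#   $1: exit status from `yarn audit`   $2: threshold (info|low|moderate|high|critical)
audit_should_fail() {
  min=$(severity_bit "$2") || return 2
  # Bits are powers of two, so ($1 % min) holds exactly the bits below the threshold.
  [ $(( $1 - ($1 % min) )) -ne 0 ]
}

# Run the real audit and apply the gate (only when AUDIT_GATE_RUN=1 is set).
run_audit_gate() {
  threshold=${1:-high}
  status=0
  yarn audit --level "$threshold" || status=$?
  if [ "$status" -gt 31 ]; then
    echo "yarn audit itself failed (exit $status), not a severity mask" >&2; return 1
  fi
  if audit_should_fail "$status" "$threshold"; then
    echo "blocking: vulnerabilities found at [$(describe_mask "$status")]" >&2; return 1
  fi
  echo "ok: nothing at or above '$threshold' (found: $(describe_mask "$status"))"
}

if [ "${AUDIT_GATE_RUN:-0}" = "1" ]; then run_audit_gate "$@"; fi
```

Run it in CI as `AUDIT_GATE_RUN=1 sh audit-gate.sh high` so that moderate findings are reported but only high and critical ones block the merge.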