Dependabot now creates pull requests immediately in response to security advisories for Node packages. 🕵️♀️
Here's how it works:
- Dependabot polls The Node Security Working Group's database, looking for new advisories
- If it finds any, Dependabot kicks off update runs to update that specific dependency immediately for any users who have it
- Dependabot prefixes the titles of the created PRs with [Security] and includes details of the vulnerabilities fixed in the PR message
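As an added illustration of the matching step above (example code written for this post, not Dependabot's own implementation): it checks a lockfile's resolved versions against one advisory record and builds the `[Security]`-prefixed PR title. The advisory and lockfile are constructed samples; the field names `module_name`, `vulnerable_versions` and `patched_versions` are assumed to follow the Node Security Working Group's JSON records, and only a subset of semver ranges (comparators ANDed by spaces, clauses ORed by `||`) is handled.

```javascript
// Constructed advisory, assumed to follow the Node Security WG field names.
const advisory = {
  module_name: "example-pkg",
  title: "Prototype pollution",
  vulnerable_versions: "<1.2.3 || >=2.0.0 <2.4.1",
  patched_versions: ">=1.2.3 <2.0.0 || >=2.4.1",
};
// Constructed lockfile excerpt: package name -> resolved version.
const lockfile = { "example-pkg": "2.3.0", "other-pkg": "0.9.0" };

function compare(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Range subset: "||" separates OR clauses; whitespace within a clause means AND.
function satisfies(version, range) {
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compare(version, m[2]);
      return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c === 0 }[m[1] || "="];
    })
  );
}

// Heuristic: the lowest range boundary above the installed version that is itself
// inside the patched range. A real resolver would consult the registry's version list.
function lowestPatched(installed, patched) {
  return [...patched.matchAll(/\d+\.\d+\.\d+/g)].map((m) => m[0])
    .filter((v) => compare(v, installed) > 0 && satisfies(v, patched))
    .sort(compare)[0] || null;
}

// Returns null when the dependency is absent or not in the vulnerable range,
// otherwise the PR title and a body carrying the advisory details.
function securityUpdate(adv, lock) {
  const installed = lock[adv.module_name];
  if (!installed || !satisfies(installed, adv.vulnerable_versions)) return null;
  const target = lowestPatched(installed, adv.patched_versions);
  return {
    title: `[Security] Bump ${adv.module_name} from ${installed} to ${target}`,
    body: `Fixes: ${adv.title}\nVulnerable: ${adv.vulnerable_versions}\nPatched: ${adv.patched_versions}`,
  };
}

console.log(securityUpdate(advisory, lockfile));
```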
If you want to automatically merge security updates, there's an option for that:
And if you only want to receive pull requests from Dependabot that are security related, there's an option for that, too:
We're hugely grateful to the Node Security Working Group team for creating the database, and have already proposed some small contributions to it. We're looking forward to doing more, and to supporting their work however we can.
Stay safe out there!
PS: Using another language? We announced the same functionality for Ruby, PHP, Elixir and Rust last week.