Securing JavaScript transitive dependencies

Dependabot can now update both Yarn and npm transitive dependencies in response to security advisories for Node packages.

This massively decreases the surface area for security vulnerabilities. The average JavaScript project added to Dependabot has 533 transitive dependencies vs. 26 top-level dependencies.

Previously, Dependabot would only keep your top-level dependencies secure and up-to-date.

Here's how it works:

  • Dependabot polls The Node Security Working Group's database and GitHub Security Advisory API, looking for new advisories
  • If it finds any, Dependabot tries to update that specific dependency to the latest version allowed by its parents, creating a lockfile-only change
  • Dependabot creates individual PRs for each insecure sub dependency. Each PR will include details of the vulnerabilities fixed

Stay safe 🚇

Dependabot helps keep your dependencies up-to-date. It's free for personal accounts and open source, and always will be.

Find out moreTake me to the app