Dependabot can now update both Yarn and npm transitive dependencies in response to security advisories for Node packages.
Previously, Dependabot would only keep your top-level dependencies secure and up-to-date.
Here's how it works:
- Dependabot polls the Node Security Working Group's database and the GitHub Security Advisory API, looking for new advisories
- If it finds any, Dependabot tries to update the affected dependency to the newest version that all of its parents' version ranges allow, so the fix is a lockfile-only change
- Dependabot creates an individual PR for each insecure sub-dependency. Each PR includes details of the vulnerabilities fixed
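The version-selection step above, as an added example (not Dependabot's own code): given the range each parent declares for one transitive dependency and the advisory's affected range, pick the highest published version every parent accepts that the advisory does not cover, which is exactly when a lockfile-only change suffices. Package names, versions and ranges are constructed sample data, and only exact, `^`, `~` and `<` ranges are handled.

```javascript
// Added example, not Dependabot's code. Supports a subset of npm ranges:
// exact "x.y.z", "^x.y.z", "~x.y.z" and "<x.y.z". No prerelease handling.

function parse(v) { return v.split('.').map(Number); }

function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Returns [lowInclusive, highExclusive]; high is null for an exact pin.
function bounds(range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const [M, m, p] = parse(base);
    // caret: first non-zero component may not change
    const high = M > 0 ? `${M + 1}.0.0` : m > 0 ? `0.${m + 1}.0` : `0.0.${p + 1}`;
    return [base, high];
  }
  if (range.startsWith('~')) {
    const base = range.slice(1);
    const [M, m] = parse(base);
    return [base, `${M}.${m + 1}.0`]; // tilde: patch level may change
  }
  if (range.startsWith('<')) return ['0.0.0', range.slice(1)];
  return [range, null]; // exact pin
}

function satisfies(version, range) {
  const [low, high] = bounds(range);
  if (high === null) return cmp(version, low) === 0;
  return cmp(version, low) >= 0 && cmp(version, high) < 0;
}

// published:    every version of the dependency on the registry (sample data)
// parentRanges: the range each parent package declares for it
// vulnerable:   the advisory's affected range
// Returns the highest version all parents allow that is not affected, or
// null when no lockfile-only fix exists and a parent's own range must move.
function pickSecureVersion(published, parentRanges, vulnerable) {
  const ok = published.filter(v =>
    parentRanges.every(r => satisfies(v, r)) && !satisfies(v, vulnerable));
  if (ok.length === 0) return null;
  return ok.sort(cmp).pop();
}
```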
Stay safe 🚇