Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adding dependency-review #30

Merged
merged 2 commits into from
Aug 2, 2023
Merged

adding dependency-review #30

merged 2 commits into from
Aug 2, 2023

Conversation

tuckerweibell
Copy link
Contributor

What is Dependency Review?

Dependency review is a public and advanced security feature that helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request. Dependency review informs you of:

  • Which dependencies were added, removed, or updated, along with the release dates.
  • How many projects use these components.
  • Vulnerability data for these dependencies.

If a pull request targets your repository's default branch and contains changes to package manifests or lock files, you can display a dependency review to see what has changed. The dependency review includes details of changes to indirect dependencies in lock files, and it tells you if any of the added or updated dependencies contain known vulnerabilities.

Sometimes you might just want to update the version of one dependency in a manifest and generate a pull request. However, if the updated version of this direct dependency also has updated dependencies, your pull request may have more changes than you expected. The dependency review for each manifest and lock file provides an easy way to see what has changed, and whether any of the new dependency versions contain known vulnerabilities.

By checking the dependency reviews in a pull request, and changing any dependencies that are flagged as vulnerable, you can avoid vulnerabilities being added to your project. For more information about how dependency review works, see "Reviewing dependency changes in a pull request."

What will this do?

Dependency review will add an additional check to your repository that will alert for an newly introduced dependencies that have high or critical vulnerabilities (as specified in the dependency-review.yml file).

image

Although for now you may decide to merge the vulnerable dependencies, it is recommended you reach out to the security team for assistance resolving the vulnerable dependencies before merging them to your default branch.

Questions

Please reach out in the #dependency-review-questions slack channel if you have any questions or concerns.

@tuckerweibell tuckerweibell requested a review from a team as a code owner August 2, 2023 18:30
@tuckerweibell tuckerweibell changed the title Tw/dependency review tw/dependency review Aug 2, 2023
@tuckerweibell tuckerweibell changed the title tw/dependency review adding dependency-review Aug 2, 2023
Copy link
Collaborator

@capnsolo capnsolo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tuckerweibell tuckerweibell merged commit a8af7ea into master Aug 2, 2023
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants