Introduction
This is going to be a short article showing you how I deal with security vulnerabilities. If you've struggled in the past with updating dependencies that have security vulnerabilities, or you just want to see my approach, this article is for you.
As far as I know, no one likes to deal with alerts such as the one above. Instead, we would like to write some new features or cover more of the code with tests, but this work still has to be done. OK, no more introductions. Let’s dive in.
Goal
Our goal should be to resolve all security vulnerabilities, or at least those with the highest severity. There are four severity levels:
- Critical
- High
- Moderate
- Low
You can always start by sorting them by severity level. Basically, a good approach is to look into the Dependabot alerts once in a while so that you don't end up with a situation like the one in the image above (48 potential vulnerabilities).
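A small triage helper for the sorting step above, added here as an example and not code from the original article: it reads the JSON produced by `npm audit --json`, orders the findings critical first and direct dependencies first within a level, and notes whether a fix is available. The report shape (a `vulnerabilities` object keyed by package with `severity`, `isDirect`, `range` and `fixAvailable` fields, as in npm's report version 2) is an assumption to check against your npm version, and the sample report is constructed.

```python
import json
from collections import Counter

# Triage order: highest severity first, matching the four levels listed above.
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

# Constructed sample of `npm audit --json` output (npm report version 2 shape,
# assumed here; verify the field names against your own npm version).
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": True,
                   "range": "<4.17.21", "fixAvailable": True},
        "minimist": {"name": "minimist", "severity": "critical", "isDirect": False,
                     "range": "<1.2.6",
                     "fixAvailable": {"name": "mkdirp", "version": "1.0.4",
                                      "isSemVerMajor": True}},
        "ws": {"name": "ws", "severity": "moderate", "isDirect": True,
               "range": "<7.4.6", "fixAvailable": False},
        "semver": {"name": "semver", "severity": "low", "isDirect": False,
                   "range": "<5.7.2", "fixAvailable": True},
    },
})


def triage(audit_json: str) -> list:
    """Return findings sorted critical -> low; within a level, direct deps first."""
    report = json.loads(audit_json)
    findings = []
    for name, v in report.get("vulnerabilities", {}).items():
        fix = v.get("fixAvailable", False)
        # fixAvailable is True (plain update), False (no fix) or an object
        # describing the package to bump, possibly across a major version.
        if fix is False:
            fix_kind = "none"
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            fix_kind = "breaking"
        else:
            fix_kind = "patch"
        findings.append({"name": name, "severity": v.get("severity", "low"),
                         "direct": bool(v.get("isDirect")),
                         "range": v.get("range", ""), "fix": fix_kind})
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99),
                                 not f["direct"], f["name"]))
    return findings


def summary(findings: list) -> dict:
    """Count findings per severity level, like the Dependabot alert overview."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f"{f['severity']:<9} {f['name']:<10} direct={f['direct']!s:<5} "
              f"fix={f['fix']} ({f['range']})")
    print(summary(triage(SAMPLE_AUDIT)))
```

Pipe a real report in with `npm audit --json | python3 triage.py` after replacing `SAMPLE_AUDIT` with `sys.stdin.read()`.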
Dependabot
First, if you have the possibility to add Dependabot Preview from the GitHub marketplace, do it. It's completely free.
The "Security advisories handled automatically" option will be especially helpful in your case. To handle them, Dependabot creates pull requests with dependency updates.
If you have Dependabot configured, you can go to the pull requests page and try to merge the PRs created by Dependabot, which often solves the problem with security vulnerabilities.
Workflow
Investigate
If you can't resolve all issues with Dependabot, or you don't have Dependabot configured at all, you can switch to the terminal and try to list all the security vulnerabilities with the audit command: