This is going to be a short article showing how I deal with security vulnerabilities reported against a project's dependencies. If you have struggled with outdated dependencies that carry known security vulnerabilities, or you just want to see my approach, this article is for you.
As far as I know, no one likes to deal with alerts such as the one above. Instead, we would like to write some new features or cover more of the code with tests, but this work still has to be done. OK, no more introductions. Let’s dive in.
Our goal should be to resolve all security vulnerabilities, or at least those with the highest severity. GitHub distinguishes four severity levels: low, moderate, high and critical.
Start by sorting the alerts by severity and work from the top. More generally, check the Dependabot alerts page regularly, so that you do not end up with a backlog like the one in the image above (48 open alerts).
First, if you can add Dependabot Preview from the GitHub Marketplace, do it; it is completely free. (Dependabot Preview has since been folded into GitHub's built-in Dependabot, so on current GitHub you enable it under the repository's security settings instead of installing it from the Marketplace.)
The “Security advisories handled automatically” option is the one that matters here: when a published advisory affects one of your dependencies, Dependabot opens a pull request that bumps that dependency to a patched version.
Once Dependabot is configured, go to the repository's pull requests page and work through the PRs it has opened; merging them usually resolves the corresponding alerts. Before merging, check that CI passes and skim the changelog for the version jump: a security bump that crosses a major version can break your build, and a green PR is not proof that the application still behaves correctly.
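To show what the configuration behind those pull requests looks like, here is an example `.github/dependabot.yml` added for this article; it is not the author's file. It assumes a single npm project at the repository root, a weekly schedule and a `dependencies` label; change those for your own ecosystem and layout.

```yaml
# .github/dependabot.yml
# Example configuration added for this article (not the author's own file).
version: 2
updates:
  # Assumption: one npm project whose package.json lives at the repository root.
  - package-ecosystem: "npm"
    directory: "/"
    # How often Dependabot checks for new versions of your dependencies.
    schedule:
      interval: "weekly"
    # Cap the number of open version-update PRs so the backlog stays reviewable.
    open-pull-requests-limit: 10
    # Label the PRs so they are easy to filter on the pull requests page.
    labels:
      - "dependencies"
```

Note the division of labour: this file drives scheduled version updates, while security updates (the “Security advisories handled automatically” behaviour) are switched on separately in the repository's security settings; once both are in place, the options in this file, such as the labels, also apply to the PRs Dependabot opens for security advisories.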
If you can’t resolve all issues with Dependabot or you don’t have Dependabot configured at all, you can switch to the terminal and try to list all the security vulnerabilities with the