Dependabot relieves alert fatigue from npm devDependencies

source link: https://github.blog/2023-05-02-dependabot-relieves-alert-fatigue-from-npm-devdependencies/

A new alert rules engine for Dependabot leverages alert metadata to identify and auto-dismiss up to 15% of alerts as false positives.

May 2, 2023

Over the past few months, we’ve made a number of improvements that make Dependabot smarter, quieter, and easier to work with, from pausing pull requests on inactive repositories to making alerts visible to more developers. Today, we’re addressing the alert fatigue problem with a new auto-dismissal function in Dependabot (the “allow auto-dismissal” setting) that safely reduces the volume of false positive alerts that can overwhelm developers and distract from legitimate vulnerabilities.

In this context, we’ve defined a false positive alert as one that is unlikely to be exploitable and may only have limited effects, such as long-running builds or tests. But what’s the most responsible way to identify a false positive? Senior Product Manager Erin Havens explains GitHub’s approach:

“Rather than over-index on one criterion like reachability or dependency scope, we’ve designed an alert rules engine that uses a rich set of complex, contextual alert metadata. This way, Dependabot can relieve alert fatigue while remaining vigilant about alerts that might put your software at risk.”

Today’s public beta release targets a commonly cited source of false positives: npm devDependencies. Dependabot now assesses incoming alerts against a set of GitHub-curated rules that take into account how you’re using an npm devDependency and the level of risk it may pose to your repository. “In ecosystems with lots of dependencies like npm, false positives can cascade through a project, burdening developers with needless noise,” explains Harry Marr, Senior Director of Software Engineering for GitHub supply chain security.

“By detecting and auto-dismissing false positives, today’s release will reduce the volume of npm alerts by approximately 15%, and marks the beginning of a series of ships that improve the relevance of alerts and relieve alert fatigue.”

How it works

Dependabot’s auto-dismissal function is enabled by default for public repositories and can be enabled by administrators of private repositories on the Code Security page. When enabled, Dependabot automatically dismisses false positive alerts and records each dismissal as a special timeline event, which is also surfaced in the audit log, webhooks, the REST and GraphQL APIs, and alert-centric views. You can review auto-dismissed alerts with the resolution:auto-dismissed filter:

Allow auto-dismissal and review dismissed alerts on the Code Security page
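Because auto-dismissals are surfaced through the REST API and webhooks, a team can periodically audit them instead of trusting them blindly. The following is an added example, not code from the article or from GitHub: it takes a constructed list of alerts in the shape of the Dependabot alerts API payload (field names state, dependency.scope and security_advisory.severity are assumed to match the public API; the alert contents are made up) and flags any auto-dismissed alert that is not a devDependency or carries high/critical severity, a local review policy chosen for this example.

```python
"""Audit Dependabot auto-dismissed alerts against a local review policy."""
import json

# Constructed sample payload; mirrors the Dependabot alerts API shape (assumption).
SAMPLE_ALERTS = json.loads("""[
  {"number": 1, "state": "auto_dismissed",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-a"},
                  "manifest_path": "package-lock.json", "scope": "development"},
   "security_advisory": {"severity": "medium", "summary": "ReDoS in test helper"}},
  {"number": 2, "state": "auto_dismissed",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-b"},
                  "manifest_path": "package-lock.json", "scope": "runtime"},
   "security_advisory": {"severity": "high", "summary": "Prototype pollution"}},
  {"number": 3, "state": "open",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-c"},
                  "manifest_path": "package-lock.json", "scope": "runtime"},
   "security_advisory": {"severity": "critical", "summary": "Remote code execution"}}
]""")

# Local policy (example choice): auto-dismissals of these severities get a human look.
REVIEW_SEVERITIES = {"high", "critical"}


def needs_human_review(alert):
    """Return a reason string when an auto-dismissed alert should be re-examined, else None."""
    if alert["state"] != "auto_dismissed":
        return None  # only auto-dismissals are in scope for this audit
    scope = alert["dependency"].get("scope")
    severity = alert["security_advisory"]["severity"]
    if scope != "development":
        return f"scope is {scope}, not a devDependency"
    if severity in REVIEW_SEVERITIES:
        return f"{severity} severity"
    return None


def audit(alerts):
    """Split auto-dismissed alerts into (accepted, flagged) lists of (number, package, reason)."""
    accepted, flagged = [], []
    for alert in alerts:
        if alert["state"] != "auto_dismissed":
            continue
        entry = (alert["number"], alert["dependency"]["package"]["name"], needs_human_review(alert))
        (flagged if entry[2] else accepted).append(entry)
    return accepted, flagged


if __name__ == "__main__":
    accepted, flagged = audit(SAMPLE_ALERTS)
    print("accepted:", accepted)
    print("flagged for review:", flagged)
```

In practice the alert list would come from the repository's Dependabot alerts endpoint filtered to the auto-dismissed state, or from the webhook events the article mentions.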

What’s next?

This first application of alert rules for Dependabot addresses a common pain point for npm developers, with support for additional ecosystems coming soon. Please join us in the GitHub Community to share your feedback and ideas on how Dependabot can work better for you and other developers.

Learn more about alert rules
