The big takeaway:
- GitHub can notify developers of security issues in dependencies and suggest remediation steps.
"As more developers draw from existing code libraries to build new tools, tracking changes in dependencies like security vulnerabilities has become more difficult," GitHub stated in a blog entry, adding that in the majority of cases newer versions of dependencies that address security issues already exist.
Developers who use RubyGems or npm on GitHub should be sure to enable security alerts, and those who use Python should keep an eye out—the alerts will be added to Python dependencies later this year.
With over 75% of GitHub projects using shared dependencies, there's a good possibility that at least one of the projects you're involved in could benefit from security alerts. They aren't enabled by default, however, so you'll need to toggle a few settings to turn them on.
Enable dependency graphs
Public dependency users won't need to do anything to get security alerts, but if you use private dependencies you'll need to do one of two things: Either opt in to security alerts in repository settings or allow access in the Dependency Graph section of the Repository Insights tab.
Choose your notification preferences
Alerts aren't much good if you aren't being notified. Enabling dependency graphs, and therefore security alerts, will notify project administrators but not anyone else, so be sure to add essential individuals in the Dependency Graph settings.
If you want to change how notifications are delivered (UI, web, email, etc.) you can do so by following these steps.
Make changes to address security issues
GitHub will automatically suggest steps for resolving dependency security issues, including linking to known secure alternatives and recommending other measures based on machine learning and community input.
It's up to developers to implement those changes, however, so be sure your team is taking security recommendations to heart.
With more than 500,000 libraries vulnerable to upwards of four million issues, there's a good chance code you're involved with is affected, and GitHub is making it easy to fix the problem.
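To make the mechanism concrete, here is an added example (not GitHub's code, and not from the original article) that models what a dependency alert does: it reads a constructed manifest, matches each dependency against a constructed advisory list, and reports the patched version the developer should move to. Package names, versions and advisory IDs are all placeholders.

```python
"""Toy model of dependency security alerts (added example, not GitHub's code)."""
import json
import re

# Constructed sample manifest; package names are fictional placeholders.
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "sample-parser": "^2.3.1",
        "sample-router": "4.16.0",
        "sample-logger": "1.0.9",
    },
})

# Constructed advisories: versions below 'vulnerable_below' are affected,
# and 'patched' is the first version that fixes the issue.
ADVISORIES = [
    {"package": "sample-parser", "vulnerable_below": "2.4.0", "patched": "2.4.0",
     "summary": "PLACEHOLDER-ADVISORY-001"},
    {"package": "sample-router", "vulnerable_below": "4.15.0", "patched": "4.15.0",
     "summary": "PLACEHOLDER-ADVISORY-002"},
]


def parse_version(spec: str) -> tuple:
    """Turn '4.17.4' (optionally prefixed with ^, ~ or v) into a comparable tuple.

    A caret/tilde range is treated as its lower bound, i.e. the version a
    lockfile would pin if nothing newer had been resolved.
    """
    m = re.fullmatch(r"[\^~]?v?(\d+)\.(\d+)\.(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    return tuple(int(part) for part in m.groups())


def dependency_alerts(manifest_json: str, advisories: list) -> list:
    """Return one alert per vulnerable dependency, each with a remediation step."""
    deps = json.loads(manifest_json).get("dependencies", {})
    alerts = []
    for name, spec in deps.items():
        installed = parse_version(spec)
        for adv in advisories:
            if adv["package"] == name and installed < parse_version(adv["vulnerable_below"]):
                alerts.append({
                    "package": name,
                    "installed": spec,
                    "summary": adv["summary"],
                    "remediation": f"upgrade {name} to >= {adv['patched']}",
                })
    return alerts


if __name__ == "__main__":
    for alert in dependency_alerts(PACKAGE_JSON, ADVISORIES):
        print(alert)
```

A real check would read the lockfile rather than the manifest, since the manifest's range may resolve to a version newer than its lower bound.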
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.