Security

GitHub dependency security alerts notified developers of 4M code vulnerabilities

Developers who use GitHub have been alerted to security issues in over 500,000 JavaScript and Ruby dependencies, lowering the time it takes to issue fixes and get to market.


Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • GitHub can notify developers of security issues in dependencies, as well as suggesting remediation steps.
  • Since implementing dependency security notifications in November 2017, over four million vulnerabilities have been discovered in 500,000 Ruby and JavaScript dependencies.

GitHub dependency alerts, which the repository site implemented in November 2017, have notified developers of over four million security vulnerabilities in more than 500,000 Ruby and JavaScript dependencies in the four months since.

The alerts, which show up on all RubyGems and JavaScript npm dependencies used by a project, are an essential part of app development security, GitHub said.

"As more developers draw from existing code libraries to build new tools, tracking changes in dependencies like security vulnerabilities has become more difficult," GitHub stated in a blog entry, adding that in the majority of cases newer versions of dependencies that address security issues already exist.

Developers who use RubyGems or npm on GitHub should be sure to enable security alerts, and those who use Python should keep an eye out—the alerts will be added to Python dependencies later this year.

With over 75% of GitHub projects using shared dependencies, there's a good possibility that at least one of the projects you're involved in could benefit from security alerts. They aren't enabled by default, however, so you'll need to toggle a few settings to turn them on.

Enable dependency graphs

Public repositories get security alerts without any action on your part, but for private repositories you'll need to do one of two things: either opt in to security alerts in the repository settings, or allow access in the Dependency Graph section of the repository's Insights tab.

Choose your notification preferences

Alerts aren't much good if you aren't being notified. Enabling dependency graphs, and therefore security alerts, will notify project administrators but not anyone else, so be sure to add essential individuals in the Dependency Graph settings.


If you want to change how notifications are delivered (UI, web, email, etc.) you can do so by following these steps.

Make changes to address security issues

GitHub will automatically suggest steps to resolve dependency security issues, including linking to known secure alternatives and recommending other measures based on machine learning and community input.

It's up to developers to implement those changes, however, so be sure your team is taking security recommendations to heart.
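The three steps above are carried out in GitHub's web interface, so there is nothing to type. To make concrete what an alert actually decides, here is an added example (my own code, not GitHub's) that does the same job locally: it flattens a package-lock.json and a Gemfile.lock into pinned (package, version) pairs, compares each against an advisory's affected version range, and reports the fixed version. The advisory entries, package names and lockfile contents are constructed for illustration; the advisory ids are placeholders, not real identifiers.

```python
"""Lockfile-vs-advisory check mirroring what a dependency security alert does.

Added example, not GitHub's code. ADVISORIES, PACKAGE_LOCK and GEMFILE_LOCK
are CONSTRUCTED sample data with placeholder package names and ids; a real
check would read the lockfiles from disk and pull advisories from a curated
database.
"""
import json
import re
from dataclasses import dataclass

# --- version handling -------------------------------------------------------
def parse_version(v: str) -> tuple:
    """'1.2.3' or 'v1.2' -> (1, 2, 3); pre-release suffixes are ignored."""
    core = re.match(r"\d+(?:\.\d+)*", v.strip().lstrip("v")).group(0)
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

def version_in_range(version: str, spec: str) -> bool:
    """spec is a space-separated list of comparators such as '>=1.0.0 <1.4.2';
    the version is affected only if every comparator holds."""
    v = parse_version(version)
    for clause in spec.split():
        op, bound = re.match(r"(>=|<=|>|<|=)(.+)", clause).groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

# --- lockfile readers ---------------------------------------------------------
def npm_lock_deps(text: str) -> list:
    """Flatten a package-lock.json (lockfileVersion 1 layout) into
    (name, version) pairs, nested dependency trees included."""
    found = []
    def walk(deps):
        for name, info in deps.items():
            found.append((name, info["version"]))
            walk(info.get("dependencies", {}))
    walk(json.loads(text).get("dependencies", {}))
    return found

def gemfile_lock_deps(text: str) -> list:
    """Read the resolved specs of a Gemfile.lock: lines indented by exactly
    four spaces of the form 'name (x.y.z)'. Six-space lines are the gem's own
    requirements, not pinned versions, and are skipped."""
    return [(m.group(1), m.group(2))
            for line in text.splitlines()
            if (m := re.match(r"^    (\S+) \((\d[^)]*)\)$", line))]

# --- matching ---------------------------------------------------------------
@dataclass(frozen=True)
class Finding:
    ecosystem: str
    package: str
    installed: str
    advisory_id: str
    fixed_in: str

def check(deps: list, ecosystem: str, advisories: list) -> list:
    """Return one Finding per (dependency, advisory) pair whose pinned version
    falls inside the advisory's affected range."""
    return [Finding(ecosystem, name, ver, a["id"], a["fixed_in"])
            for name, ver in deps
            for a in advisories
            if a["ecosystem"] == ecosystem and a["package"] == name
            and version_in_range(ver, a["affected"])]

# --- constructed sample data (placeholders, not real advisories) -----------------
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "npm", "package": "example-parser",
     "affected": ">=1.0.0 <1.4.2", "fixed_in": "1.4.2"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "rubygems", "package": "example-templating",
     "affected": "<2.3.1", "fixed_in": "2.3.1"},
]

PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "example-parser": {"version": "1.3.0"},                       # affected
        "some-cli": {"version": "4.0.1",
                     "dependencies": {"example-parser": {"version": "1.4.2"}}},  # nested, fixed
    },
})

GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    example-templating (2.2.0)
      example-http (>= 1.0)
    example-http (1.0.0)

PLATFORMS
  ruby

DEPENDENCIES
  example-templating
"""

def run_check() -> list:
    """Run both lockfiles against the advisory list; used by main() and tests."""
    findings = check(npm_lock_deps(PACKAGE_LOCK), "npm", ADVISORIES)
    findings += check(gemfile_lock_deps(GEMFILE_LOCK), "rubygems", ADVISORIES)
    return findings

if __name__ == "__main__":
    for f in run_check():
        print(f"[{f.ecosystem}] {f.package} {f.installed} is affected by "
              f"{f.advisory_id}; upgrade to {f.fixed_in}")
```

Two details are worth noticing. The nested copy of example-parser at 1.4.2 is not reported even though the top-level copy at 1.3.0 is, which is why flattening the whole tree matters before matching. And the check only ever says "upgrade to the fixed version"; as the article notes, applying that upgrade is still the developer's job.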

With more than 500,000 libraries vulnerable to upwards of four million issues, there's a good chance code you're involved with is affected, and GitHub is making it easy to fix the problem.


About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.
