Skip to content
This repository has been archived by the owner on Oct 25, 2023. It is now read-only.

adding dependency-review #114

Merged
merged 1 commit into from
Aug 14, 2023
Merged

adding dependency-review #114

merged 1 commit into from
Aug 14, 2023

Conversation

tuckerweibell
Copy link
Contributor

What is Dependency Review?

Dependency review is a public and advanced security feature that helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request. Dependency review informs you of:

  • Which dependencies were added, removed, or updated, along with the release dates.
  • How many projects use these components.
  • Vulnerability data for these dependencies.

If a pull request targets your repository's default branch and contains changes to package manifests or lock files, you can display a dependency review to see what has changed. The dependency review includes details of changes to indirect dependencies in lock files, and it tells you if any of the added or updated dependencies contain known vulnerabilities.

Sometimes you might just want to update the version of one dependency in a manifest and generate a pull request. However, if the updated version of this direct dependency also has updated dependencies, your pull request may have more changes than you expected. The dependency review for each manifest and lock file provides an easy way to see what has changed, and whether any of the new dependency versions contain known vulnerabilities.

By checking the dependency reviews in a pull request, and changing any dependencies that are flagged as vulnerable, you can avoid vulnerabilities being added to your project. For more information about how dependency review works, see "Reviewing dependency changes in a pull request."

What will this do?

Dependency review will add an additional check to your repository that will alert for an newly introduced dependencies that have high or critical vulnerabilities (as specified in the dependency-review.yml file).

image

Although for now you may decide to merge the vulnerable dependencies, it is recommended you reach out to the security team for assistance resolving the vulnerable dependencies before merging them to your default branch.

Questions

Please reach out in the #dependency-review-questions slack channel if you have any questions or concerns.

@tuckerweibell tuckerweibell requested a review from a team as a code owner August 14, 2023 20:09
@noranda noranda merged commit 1dcaa17 into main Aug 14, 2023
@noranda noranda deleted the tw/dependency-review branch August 14, 2023 20:32
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants