Introducing "Automated Security Updates" #15
We are really excited to announce a new feature for deppbot today:
Automated Security Updates - Fixes your security vulnerabilities automagically.
The idea behind it is simple if you already know how to Secure Your Ruby App with bundler-audit.
Let's go through how it works, using
First, deppbot uses bundler-audit to find out
We can see that
deppbot will fix this in one commit (just like one would):
But there is more than that! deppbot also provides the information you need to know in the Pull Request:
Gems with security vulnerabilities that are fixed are listed at the very top in the Pull Request description, along with the corresponding CVE / OSVDB links to http://rubysec.com.
What about the "With these gem updates" section
Let me explain...
If you take the updated
Oh no, an incompatible error.
However, deppbot is smart enough to figure out how to resolve it.
When would you receive a Security Update Pull Request? Once deppbot detects vulnerable Ruby gems (and there are no open Pull Requests from deppbot), deppbot will issue a Security Update Pull Request regardless of your frequency setting. In this case, we prioritise the security of your app above everything else and ignore the frequency setting in order to help you secure your app in the quickest time possible.
Let us know what you think about this new feature!
One more thing,