Will dependabot try to update a dependency to the latest version if it has an open CVE? #77570
Replies: 3 comments
For regularly scheduled version updates from Dependabot, Dependabot will attempt to update to the latest version as long as it exists on the registry. So, as long as the malicious package hasn't been yanked, Dependabot will propose updates to it 😬 If a new version is published that resolves it, Dependabot security updates would propose the fix ~immediately.
I am afraid so. I have dependabot configured to create PRs as soon as possible on my repos, and that means it creates a PR for each and every upgrade available. I am pretty sure some of the PRs I have received had some unresolved CVEs. If there is a setting to only take upgrades that don't have any CVEs (or none above a certain CVSS threshold), I don't see it mentioned in the doc. I understand and share your concern. On the one hand, I like that with my current setup I get fixes immediately for existing CVEs, but supply chain attacks are a growing concern. For now I still think that on balance, patching ASAP is better, but my GitHub projects are not work-related nor do I have continuous delivery in place, so I can afford to roll back a PR manually if I get a security advisory on one of my repos after the fact.
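A pre-merge check of the kind the reply above says it cannot find as a Dependabot setting, added here as an example and not part of this discussion or of Dependabot itself: it evaluates a proposed version bump against advisories in the OSV schema (the format GHSA and OSV advisories are published in). The advisory records, the package name `example-lib` and the `GHSA-EXAMPLE-*` ids are constructed placeholders; a real check would fetch advisories for the package from the OSV API and fail the CI job when the target version matches one.

```python
# Added example: does the version a Dependabot PR proposes fall inside an
# advisory's affected range? Advisories below are CONSTRUCTED for this example.
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (assumption: no pre-release suffixes)."""
    return tuple(int(part) for part in v.split("."))


def version_in_range(version: str, events: List[Dict[str, str]]) -> bool:
    """OSV range events: 'introduced' opens an interval, 'fixed' closes it
    exclusively, 'last_affected' closes it inclusively; '0' means 'from the start'."""
    v = parse_version(version)
    start = None
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
        elif start is not None:
            lo_ok = start == "0" or v >= parse_version(start)
            if "fixed" in event and lo_ok and v < parse_version(event["fixed"]):
                return True
            if "last_affected" in event and lo_ok and v <= parse_version(event["last_affected"]):
                return True
            start = None
    # An interval with no closing event is open-ended: every later version is affected.
    return start is not None and (start == "0" or v >= parse_version(start))


def matching_advisories(ecosystem: str, package: str, version: str,
                        advisories: List[dict]) -> List[str]:
    """Return ids of advisories whose 'affected' entries cover this exact version."""
    hits = []
    for adv in advisories:
        for affected in adv.get("affected", []):
            pkg = affected.get("package", {})
            if pkg.get("ecosystem") != ecosystem or pkg.get("name") != package:
                continue
            ranges = [r for r in affected.get("ranges", []) if r.get("type") in ("SEMVER", "ECOSYSTEM")]
            if version in affected.get("versions", []) or \
               any(version_in_range(version, r.get("events", [])) for r in ranges):
                hits.append(adv["id"])
                break
    return hits


# Constructed sample: 0001 is the hijacked-maintainer scenario from the question
# (only the freshly published 2.4.0 is malicious); 0002 is an ordinary, fixed bug.
SAMPLE_ADVISORIES = [
    {"id": "GHSA-EXAMPLE-0001", "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
     "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.4.0"}, {"last_affected": "2.4.0"}]}]}]},
    {"id": "GHSA-EXAMPLE-0002", "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
     "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.0"}]}]}]},
]
```

Run `matching_advisories("npm", "example-lib", "2.4.0", SAMPLE_ADVISORIES)` on the bump a PR proposes; a non-empty result is the signal to hold the PR rather than merge it.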
Topic area: Question
Body:
Let's say I have dependabot installed with a monthly schedule, so I receive my dependabot PR on the 1st of each month.
One of my dependencies releases a new version on the 28th and is soon found to have a malicious security vulnerability (the maintainer's account was hijacked, for example) on the 29th. The project's real maintainer is unable to access their repo or account in the package index to revert the malicious version, but manages to publish a CVE/GHSA/OSV for the malicious version on the 30th.
When dependabot runs on my project on the 1st, will I receive a PR updating me to the malicious version or does dependabot first confirm that the version is "safe"?