GitHub is getting better at hunting down your dangerous code

GitHub is making one of its most important tools more useful with a major update.

A company blog post explains that GitHub has been working behind the scenes to improve Dependabot, an automated alerting service that flags potential vulnerabilities in code.

While this might sound great in theory – and has probably saved a lot of heartache further down the line – in practice the bot can be quite noisy, something developers on GitHub have been complaining about for some time.

A change of tack

GitHub’s latest update changes how Dependabot alerts: it now indicates whether a project’s own code actually calls the vulnerable code paths in a dependency, which should improve the signal-to-noise ratio.

Since its acquisition by GitHub in 2019, nearly three million developers have used Dependabot, which is a testament to the usefulness of automated tools for the often laborious task of coding apps and services.

As GitHub points out, the service currently keeps data about vulnerable packages in a centralized advisory database. Going forward, GitHub will include data on affected functions for each source library, powered by Stack Graphs.

And that’s not all. GitHub also plans to roll out additional changes over the next few months to improve Dependabot alerts, including reporting development dependencies and transitive dependency paths.
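To show the distinction the update draws between a dependency merely being present and its vulnerable code path actually being called, here is an added example that is not GitHub’s or Dependabot’s code (Stack Graphs does this across languages and far more robustly): a small Python call-site check against a constructed advisory record that lists affected functions. The package `examplelib`, its functions and the advisory data are hypothetical.

```python
import ast

# Constructed advisory record: a vulnerable package together with the
# functions that are actually affected (hypothetical names and data).
ADVISORY = {
    "package": "examplelib",
    "affected_functions": {"examplelib.parse_untrusted", "examplelib.codec.decode"},
}

def _resolve_imports(tree):
    """Map local names (including aliases) to the dotted name they import."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                names[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return names

def _qualified_name(node, names):
    """Turn a call target such as `c.decode` into its fully qualified name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # dynamic call target; cannot resolve statically
    root = names.get(node.id, node.id)
    return ".".join([root] + list(reversed(parts)))

def reachable_vulnerable_calls(source, advisory=ADVISORY):
    """Return the advisory's affected functions that `source` directly calls.

    An empty set means the package is a dependency but the vulnerable code
    path is never invoked, so the alert is noise rather than a finding.
    """
    tree = ast.parse(source)
    names = _resolve_imports(tree)
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            qname = _qualified_name(node.func, names)
            if qname in advisory["affected_functions"]:
                hits.add(qname)
    return hits

# Constructed project snippets: one only calls a safe function of the
# package, the other reaches an affected function through an import alias.
SAFE_PROJECT = "import examplelib\nexamplelib.parse_trusted(data)\n"
AFFECTED_PROJECT = "from examplelib import codec as c\nc.decode(payload)\n"
```

The check only follows direct call sites in one file; the real feature also has to account for transitive dependency paths, which the article notes GitHub plans to report as well.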

Microsoft to the rescue

Microsoft acquired GitHub in 2018 for $7.5 billion, cementing its position as one of the leading service providers for anyone using a computer. There were a lot of initial fears that Microsoft would ruin the service, which is loved by developers.


But those fears have mostly been dispelled, apart from a few hiccups along the way, including the introduction of an algorithmic feed.

The service remains extremely popular for everyone at all stages of the coding process.
