Leveraging the GitHub Security Advisory API, the Dependabot commercial service aims to help developers track their dependencies, monitor the security of their programs, and make sure any potential vulnerabilities are removed as easily as possible by automatically creating PRs to resolve them.
According to Dependabot co-founder Grey Baker, Ruby applications can easily pull in over 100 dependencies. At over 700 dependencies, that figure is even higher for JavaScript. To make the matter more complex, only a small fraction of those 700 dependencies, less than five percent, appear to be direct dependencies, i.e. dependencies that the developer consciously decided to use.
The majority of those dependencies are "transitive," meaning they’re pulled in by other dependencies without a direct link between them and the application using them.
There is surely a relationship between the number of transitive dependencies an application pulls in and the philosophy behind the package registry that each language uses. It is well known, in fact, that NPM is by far the largest repository, mostly due to it favouring the creation of small packages that accomplish minimalist functions and are relied upon by many other packages. This fact went under the spotlight a couple of years ago when a tiny package used for left-padding strings was removed from NPM and broke over 200 million other packages and apps. The Python ecosystem, as a counter-example, looks much healthier in this respect, with the number of transitive dependencies being, on average, on a par with that of direct dependencies.
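The direct-versus-transitive split described above is something you can measure on your own lockfile. The script below is an added example, not code from the article or from Dependabot: it walks a constructed, minimal `package-lock.json` in the lockfileVersion 3 layout (root project under the `""` key, every installed package under a `node_modules/` path), classifies each package as direct or transitive, records how deep each one sits in the graph, and reports which direct dependencies are responsible for pulling each transitive package in. All package names and versions in it are made up, and the name lookup assumes a flat `node_modules` tree rather than npm's nested resolution.

```python
"""Classify the packages in an npm lockfile as direct or transitive.

Added example (not from the article or from Dependabot). SAMPLE_LOCKFILE is a
constructed, minimal package-lock.json (lockfileVersion 3): the "" entry is the
root project, every other key is an installed path under node_modules/.
"""
import json
from collections import deque

# Constructed sample lockfile: three direct dependencies that pull in a deeper tree.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^1.0.0", "logger": "^2.0.0"},
             "devDependencies": {"test-runner": "^5.0.0"}},
        "node_modules/web-framework": {"version": "1.4.0",
                                       "dependencies": {"http-parser": "^3.0.0",
                                                        "cookie-util": "^0.5.0"}},
        "node_modules/http-parser": {"version": "3.2.1", "dependencies": {"byte-buffer": "^1.0.0"}},
        "node_modules/byte-buffer": {"version": "1.1.0", "dependencies": {"tiny-pad": "^1.0.0"}},
        "node_modules/tiny-pad": {"version": "1.0.0"},
        "node_modules/cookie-util": {"version": "0.5.2"},
        "node_modules/logger": {"version": "2.1.0", "dependencies": {"byte-buffer": "^1.0.0"}},
        "node_modules/test-runner": {"version": "5.3.0", "dependencies": {"glob-match": "^2.0.0"}},
        "node_modules/glob-match": {"version": "2.0.4"},
    },
})


def package_name(path):
    """'node_modules/a/node_modules/b' -> 'b' (the last node_modules segment)."""
    return path.rsplit("node_modules/", 1)[-1]


def reachable(start, by_name):
    """Every package reachable from `start` by following dependency edges (cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(by_name.get(name, {}).get("dependencies", {}))
    return seen


def classify(lockfile_text):
    lock = json.loads(lockfile_text)
    packages = lock["packages"]
    root = packages[""]
    # Direct dependencies are the ones the project itself declares (prod and dev).
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    # Simplified lookup: assumes a flat node_modules tree (one entry per package name).
    by_name = {package_name(p): entry for p, entry in packages.items() if p}
    transitive = {name for name in by_name if name not in direct}

    # Shortest path length from the root: a breadth-first walk starting at the direct deps.
    depth = {name: 1 for name in direct}
    queue = deque(direct)
    while queue:
        name = queue.popleft()
        for child in by_name.get(name, {}).get("dependencies", {}):
            if child not in depth:
                depth[child] = depth[name] + 1
                queue.append(child)

    # For each installed package, which direct dependencies bring it in.
    reach = {d: reachable(d, by_name) for d in direct}
    introduced_by = {name: sorted(d for d in direct if name in reach[d]) for name in by_name}

    return {
        "direct": sorted(direct),
        "transitive": sorted(transitive),
        "direct_share": len(direct) / len(by_name),
        "max_depth": max(depth.values()),
        "introduced_by": introduced_by,
    }


if __name__ == "__main__":
    report = classify(SAMPLE_LOCKFILE)
    print(f"direct: {len(report['direct'])}, transitive: {len(report['transitive'])}, "
          f"direct share: {report['direct_share']:.0%}, deepest level: {report['max_depth']}")
    for name in report["transitive"]:
        print(f"  {name} <- {', '.join(report['introduced_by'][name])}")
```

On the constructed lockfile the direct share comes out at 37.5% (3 of 8 packages), well above the sub-five-percent figure the article quotes for real JavaScript projects; the point of the `introduced_by` map is that a vulnerable transitive package can only be upgraded by way of the direct dependencies listed against it.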
With dependencies in the order of dozens or hundreds, keeping them up to date so as to bring in security fixes is a critical task. That is the reason why GitHub introduced its Security Alerts, which notify repository admins when library vulnerabilities from the Common Vulnerabilities and Exposures (CVEs) list are detected in their repositories. This gives administrators a precious "heads up" to react promptly and fix the vulnerability by upgrading to a secure version. Unfortunately, it still leaves them with the burden of identifying a version that fixes the vulnerability and creating a PR to manage the change.
Here is where Dependabot comes into the picture, by automatically creating a PR on GitHub that isolates the dependency that needs updating. This makes it possible to integrate the process of monitoring and resolving potential vulnerabilities with a continuous integration (CI) workflow that ensures the application is not broken by that PR. For projects that do not have a continuous integration pipeline in place, Dependabot makes publicly available the CI pass rate for a given update. This is calculated over all projects that performed the same update, so you know, for example, that the update failed the CI tests for only 3% of them.
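The step the article says is left to administrators, matching installed versions against advisory ranges and choosing a version that actually clears them, can be made concrete. The script below is an added example and is not Dependabot's code or GitHub's API: it uses a constructed set of installed packages and constructed advisory records whose `vulnerable_version_range` and `first_patched_version` fields are modelled loosely on the shape of GitHub advisory data (advisory ids such as `EXAMPLE-ADV-001` are placeholders, not real identifiers). Versions are compared as plain dotted integers; pre-release tags and registry availability of the target version are not handled, which is one reason a real tool also has to consult the package registry before opening a PR.

```python
"""Match installed packages against advisory version ranges and pick a fixing version.

Added example, not Dependabot's or GitHub's code. Advisory records are constructed;
their field names follow the general shape of GitHub advisory data but nothing here
queries a real service. Range syntax: comma-separated comparators, e.g. ">= 4.0.0, < 4.2.0".
"""
import operator
import re

# Constructed installed set, as a lockfile scan would produce it (name -> pinned version).
INSTALLED = {"serialize-lib": "4.1.0", "http-parser": "3.2.1", "tiny-pad": "1.0.0"}

# Constructed advisories with placeholder ids. ADV-005 deliberately covers a later
# version window so that the naive "jump to the first patched version" choice is insufficient.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "serialize-lib",
     "vulnerable_version_range": "< 4.1.3", "first_patched_version": "4.1.3"},
    {"id": "EXAMPLE-ADV-002", "package": "serialize-lib",
     "vulnerable_version_range": ">= 4.0.0, < 4.2.0", "first_patched_version": "4.2.0"},
    {"id": "EXAMPLE-ADV-003", "package": "http-parser",
     "vulnerable_version_range": "< 3.0.0", "first_patched_version": "3.0.0"},
    {"id": "EXAMPLE-ADV-004", "package": "tiny-pad",
     "vulnerable_version_range": "<= 1.0.0", "first_patched_version": "1.0.1"},
    {"id": "EXAMPLE-ADV-005", "package": "serialize-lib",
     "vulnerable_version_range": ">= 4.2.0, < 4.2.2", "first_patched_version": "4.2.2"},
]

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "=": operator.eq}
CLAUSE = re.compile(r"^(<=|>=|<|>|=)\s*([0-9.]+)$")


def parse_version(text):
    """'4.17' -> (4, 17, 0): dotted integers, zero-padded to three components."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def in_range(version, range_text):
    """True when `version` satisfies every comparator clause of the range."""
    v = parse_version(version)
    for clause in range_text.split(","):
        m = CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def pick_fixed_version(current, package_advisories):
    """Return (target, matching_ids, resolved) for one package.

    Start from the largest first_patched_version among the advisories that match the
    installed version, then keep raising the target while any advisory for the package
    still covers it (a later regression window must not be jumped into)."""
    matching = [a for a in package_advisories if in_range(current, a["vulnerable_version_range"])]
    if not matching:
        return None, [], True
    target = max((a["first_patched_version"] for a in matching), key=parse_version)
    for _ in range(len(package_advisories) + 1):
        catching = [a for a in package_advisories if in_range(target, a["vulnerable_version_range"])]
        if not catching:
            return target, [a["id"] for a in matching], True
        target = max((a["first_patched_version"] for a in catching), key=parse_version)
    # Bounded loop exhausted: advisory data is inconsistent (a patched version inside a range).
    return target, [a["id"] for a in matching], False


def plan_updates(installed, advisories):
    """Map each affected package to the update a PR would carry."""
    plan = {}
    for name, version in installed.items():
        own = [a for a in advisories if a["package"] == name]
        target, ids, resolved = pick_fixed_version(version, own)
        if target is not None:
            plan[name] = {"current": version, "target": target,
                          "advisories": ids, "resolved": resolved}
    return plan


if __name__ == "__main__":
    for name, update in plan_updates(INSTALLED, ADVISORIES).items():
        print(f"{name}: {update['current']} -> {update['target']} "
              f"(fixes {', '.join(update['advisories'])}; resolved={update['resolved']})")
```

For `serialize-lib` the two advisories matching 4.1.0 would suggest 4.2.0, but that version falls inside the constructed ADV-005 window, so the plan moves to 4.2.2 instead; a PR opened per package, as Dependabot does, then lets CI confirm that the bump does not break the build.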
Dependabot is available on GitHub Marketplace. Prices range from $0 per month for personal or open source GitHub accounts, to $100 per month for unlimited private projects on an organization account.