Introduction

GitHub dependency management tools help you handle the security risks and maintenance requirements of incorporating third-party software into your project.

Imagine you're responsible for a GitHub project. This project is built on several other pieces of software, also known as dependencies. These dependencies provide necessary functionality, but they also require proper management. You want to keep your dependencies up to date, and also put processes in place to address any security risks or vulnerabilities that are introduced because you rely on software that's maintained outside of your project. You also want to automate this process and avoid delays in responding to important issues.

Luckily, GitHub provides dependency management tools that help you manage your dependencies and any vulnerabilities they might introduce. In this module, you'll learn about these tools.

Learning objectives

By the end of this module, you'll be able to:

  • Describe the available tools for managing vulnerable dependencies on GitHub.
  • Enable and configure Dependabot alerts.
  • Identify the permissions and roles required to view and enable Dependabot alerts.
  • Enable and configure Dependabot security updates.
  • Identify, review, and address vulnerable dependencies.
  • Explain how to use the GraphQL API to retrieve vulnerability information.
  • Explain how to configure notifications for vulnerable dependencies.

Prerequisites

  • A GitHub account
  • Administrative access to a repository
  • Familiarity with managing GitHub administrative settings
  • Working knowledge of the GitHub pull request workflow