This article is more than 1 year old

Git your patches here! GitHub offers to brew automatic pull requests loaded with vuln fixes

Your repo's dependencies need updating to close a hole? We're way ahead of you, pal

GitHub can now automagically offer security patches for projects' third-party dependencies.

The Microsoft-owned source-code management site announced on Wednesday the new beta-grade feature: when enabled, developers will receive automatically generated pull requests that, when accepted, will apply security fixes to a project's dependencies.

For example, Lindsey is a programmer who maintains a project that makes use of three other packages from outside developers, and opts into this new feature. When one of those packages needs a patch for a security vulnerability, Lindsey gets an automatically generated pull request that, when accepted, will merge the fixed package into the project.

These automatic updates will, for now anyway, be limited to dependencies written in Ruby, Python, Java, .NET, and JavaScript. The feature will also require the project have a dependency graph enabled, and will be gradually rolled out over the next few months to coders.

GitHub CEO Nat Friedman

Microsoft? Oh it's just another partnership, insists GitHub CEO


Prior to merging in a patched dependency, a developer will be given a compatibility score to gauge whether the update will break their code. The security fix may change API functionality, or similar, which will cause subsequent builds to fail.

Ideally, programmers should apply the security patch to their code in a separate branch, or locally, then test it, and accept the fix if it all works, and push out an updated build for users to download and install. If the compatibility score is high, and the fix is an emergency, you may want to accept the pull right away.

"Automated security requests contain everything you need to quickly and safely review and merge a proposed fix into your project, including information about the vulnerability like release notes, changelog entries, and commit details," GitHub said in announcing the new feature.

The automatic updates will make use of Dependabot, the automated update tool GitHub acquired just seven days ago. Earlier this week, GitHub boss Nat Friedman bigged up the tool as "Roomba for your code", referring to the automated home vacuum bot.

The Dependabot acquisition was part of a larger effort by GitHub to add new management and administrator options for both its free and premium service customers along with a new funding push for open-source projects. ®

More about


Send us news

Other stories you might like