More generally, when you delegate any kind of decision-making to an automated process, ask yourself how it could be exploited by an adversary. Humans can adapt on the fly when an attack attempt occurs, but bots cannot. Having humans in the loop can be a powerful security feature.
I assume it only bumps dependency versions, given the name (dependabot).
And seemingly only minor versions for vulnerabilities. Seems great IMO, better than having unpatched dependencies being packaged up because maintainers are on holiday/at a conference. https://help.github.com/en/articles/configuring-automated-security-fixes
FWIW only security patches sent by GitHub get merged
I agree, this should not happen usually.
We tried such a practice on a large project. While you are updating packages to fix one critical issue, you get packages with a hundred new lower-priority vulnerabilities. I still think that we should review the vulnerability's reproducibility instead of blindly updating the packages.