In case someone is wondering about the timing, the PR was stuck for a few days due to an issue with our CI. Once we fixed the CI, the bot rebased the PR (of course).
oh well, I don’t have a Soundcloud but we’re hiring *human* developers at @buildoHQ - full time, in Milan - must speak Italian - must like bots https://buildo.io/careers
does "a bot found a vulnerability in a dependency" involve creating a CVE, or how did this trigger a GitHub security alert?
This is the “Automated security fixes” feature by GitHub. Whenever a fix for a known CVE is available, it automatically sends you a PR. See https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/
Dependabot can automerge if CI is green out of the box
yes, but GitHub's dependabot integration for security patches can't. Or did I miss something @natfriedman?
Could this be used to inject new vulnerabilities?
absolutely.
Hmm, wondering how this works. Does it checkout the git repo and parse all the package.json files?
I don't know the technical details, but I assume you can implement this via the GitHub API
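The mechanism the thread is guessing at, as an added example (not Dependabot's or GitHub's code): parse a package.json, match each dependency's version against an advisory list, and produce the exact bump the bot would put in a PR. It also shows the check a maintainer wants before automerging such a PR, given the "could this inject new vulnerabilities" question above: the diff must touch only the advised package and move it to the patched version. The package.json, the advisory entries and their GHSA-style identifiers are constructed placeholders; the advisory shape (package, vulnerable range, first patched version) is an assumption modelled on how the GitHub Advisory Database presents entries.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample manifest; not taken from any real project.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "lodash": "^4.17.10",
    "express": "4.17.1",
    "left-pad": "~1.3.0"
  }
}"""

# Constructed advisories with placeholder IDs; the field layout is an assumption.
ADVISORIES = [
    {"id": "GHSA-xxxx-placeholder-1", "package": "lodash",
     "vulnerable_version_range": "< 4.17.12", "patched_version": "4.17.12"},
    {"id": "GHSA-xxxx-placeholder-2", "package": "express",
     "vulnerable_version_range": ">= 5.0.0, < 5.0.3", "patched_version": "5.0.3"},
]

Version = Tuple[int, ...]


def parse_version(spec: str) -> Version:
    """Strip npm range sigils (^, ~, =, v) and return the numeric tuple.
    Only the base version matters here, which is what a lockfile pins anyway."""
    core = re.sub(r"^[\^~=v\s]+", "", spec).split("-")[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version: Version, range_spec: str) -> bool:
    """Evaluate a comma-separated list of comparators; every clause must hold."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "=": lambda a, b: a == b}
    for clause in range_spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not ops[m.group(1)](version, parse_version(m.group(2))):
            return False
    return True


def find_fixes(package_json: str, advisories: List[dict]) -> List[dict]:
    """Return the bumps an automated-fix bot would propose, one per affected dependency."""
    deps = json.loads(package_json).get("dependencies", {})
    fixes = []
    for adv in advisories:
        spec = deps.get(adv["package"])
        if spec is None:
            continue
        current = parse_version(spec)
        if not in_range(current, adv["vulnerable_version_range"]):
            continue
        patched = parse_version(adv["patched_version"])
        # A proposed "fix" that is still inside the vulnerable range, or that
        # moves backwards, is a malformed advisory and must not become a PR.
        if in_range(patched, adv["vulnerable_version_range"]) or patched <= current:
            raise ValueError(f"advisory {adv['id']} does not name a valid patched version")
        fixes.append({"package": adv["package"], "from": spec,
                      "to": adv["patched_version"], "advisory": adv["id"]})
    return fixes


def apply_fixes(package_json: str, fixes: List[dict]) -> str:
    """Produce the manifest the PR would contain: the patched version, pinned exactly."""
    data = json.loads(package_json)
    for fix in fixes:
        data["dependencies"][fix["package"]] = fix["to"]
    return json.dumps(data, indent=2)


def review_bump(before_json: str, after_json: str, fixes: List[dict]) -> bool:
    """Pre-automerge check: the PR may change only the advised packages, and each
    only to its patched version. Any other added, removed or altered dependency
    (the way a rogue PR could slip in a bad version) fails the review."""
    before: Dict[str, str] = json.loads(before_json).get("dependencies", {})
    after: Dict[str, str] = json.loads(after_json).get("dependencies", {})
    changed = {name: after.get(name) for name in set(before) | set(after)
               if before.get(name) != after.get(name)}
    allowed = {fix["package"]: fix["to"] for fix in fixes}
    return changed == allowed


if __name__ == "__main__":
    proposed = find_fixes(PACKAGE_JSON, ADVISORIES)
    updated = apply_fixes(PACKAGE_JSON, proposed)
    print(proposed)
    print("review passes:", review_bump(PACKAGE_JSON, updated, proposed))
```

With the constructed input only lodash is affected: `^4.17.10` falls in `< 4.17.12`, express 4.17.1 is outside the 5.x range, and left-pad has no advisory. The review step is the part worth wiring into a CI job before enabling automerge: it rejects a diff that bumps anything other than the advised package, which is the cheapest defence against the scenario raised in the thread.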