Well aware of the need to manage the ever-increasing complexity of project dependencies, as well as keep code safer within the interconnected open source ecosystem, GitHub’s data and analytics team has stepped up with two new features targeted at increasing security and creating transparency in the murky waters of project dependencies.
Public repos will automatically have security alerts enabled via their dependency graphs, but private repos need to opt in. By default, admins will be the first responders for security alerts, but anyone with repo access, from individuals to entire teams, can be added as alert recipients under repo settings.
When an alert is triggered for a potential vulnerability, the notification highlights every dependency that is affected. The most advanced feature of the new security alert system uses machine learning to add a recommendation, where a known safe version exists in the GitHub community, to replace the affected dependency with that version.
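The mechanism the article describes, in miniature, as an added example that is not GitHub's code or the article's: a dependency manifest is parsed, each pinned version is checked against an advisory list, and every affected dependency is reported together with the first fixed version as the recommended replacement, or with no recommendation when no safe version has been published yet. The package names, versions, manifest and advisory format are all constructed for the example; a real system would read the repo's dependency graph and a maintained advisory database instead.

```python
"""Toy dependency-alert matcher (constructed example; not GitHub's implementation)."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed advisory feed with hypothetical package names.
# Each entry: (first vulnerable version, first fixed version, or None if no fix exists yet).
ADVISORIES: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "example-lib": [("1.0.0", "1.2.4")],
    "other-pkg": [("2.0.0", None)],  # vulnerable, no safe version published
    "safe-pkg": [("1.0.0", "2.0.0")],
}

# Constructed package.json-style manifest with exact pinned versions.
MANIFEST = json.dumps({
    "dependencies": {
        "example-lib": "1.2.0",   # inside the vulnerable range, fix available
        "other-pkg": "2.0.5",     # inside the vulnerable range, no fix available
        "safe-pkg": "3.1.0",      # already past the fixed version
        "unlisted-pkg": "0.9.0",  # no advisory at all
    }
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a tuple that compares numerically."""
    return tuple(int(part) for part in version.split("."))


def load_dependencies(manifest_json: str) -> Dict[str, str]:
    """Return name -> pinned version (assumes exact pins, not semver ranges)."""
    return dict(json.loads(manifest_json).get("dependencies", {}))


def is_affected(installed: str, vulnerable_from: str, fixed_in: Optional[str]) -> bool:
    """True when installed is in [vulnerable_from, fixed_in), or >= vulnerable_from if unfixed."""
    current = parse_version(installed)
    if current < parse_version(vulnerable_from):
        return False
    return fixed_in is None or current < parse_version(fixed_in)


def find_alerts(
    deps: Dict[str, str], advisories: Dict[str, List[Tuple[str, Optional[str]]]]
) -> List[Dict[str, Optional[str]]]:
    """Match every dependency against the advisory feed and collect alerts."""
    alerts: List[Dict[str, Optional[str]]] = []
    for name, installed in sorted(deps.items()):
        for vulnerable_from, fixed_in in advisories.get(name, []):
            if is_affected(installed, vulnerable_from, fixed_in):
                alerts.append({"package": name, "installed": installed, "recommended": fixed_in})
    return alerts


def format_alert(alert: Dict[str, Optional[str]]) -> str:
    """Render one alert the way a notification would: affected package plus recommendation."""
    if alert["recommended"] is None:
        return f"{alert['package']} {alert['installed']}: vulnerable, no safe version known yet"
    return f"{alert['package']} {alert['installed']}: vulnerable, upgrade to {alert['recommended']}"


if __name__ == "__main__":
    for alert in find_alerts(load_dependencies(MANIFEST), ADVISORIES):
        print(format_alert(alert))
```

Running the block reports `example-lib` with an upgrade recommendation and `other-pkg` without one, while `safe-pkg` and `unlisted-pkg` stay silent; the `None` recommendation is the case the article's "if any exist" refers to, and a notification pipeline should still raise it rather than drop it.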
https://thenewstack.io/github-applies-machine-learning-alert-project-dependencies/