Dependabot relieves alert fatigue from npm devDependencies
A new alert rules engine for Dependabot leverages alert metadata to identify and auto-dismiss up to 15% of alerts as false positives.
Over the past few months, we’ve made a number of improvements that make Dependabot smarter, quieter, and easier to work with, from pausing pull requests on inactive repositories to making alerts visible to more developers. Today, we’re addressing the alert fatigue problem with a new allow auto-dismissal function in Dependabot that safely reduces the volume of false positive alerts that can overwhelm developers and distract from legitimate vulnerabilities.
In this context, we’ve defined a false positive alert as one that is unlikely to be exploitable and may only have limited effects, such as long-running builds or tests. But what’s the most responsible way to identify a false positive? Senior Product Manager, Erin Havens, explains GitHub’s unique approach:
“Rather than over-index on one criterion like reachability or dependency scope, we’ve designed an alert rules engine that uses a rich set of complex, contextual alert metadata. This way, Dependabot can relieve alert fatigue while remaining vigilant about alerts that might put your software at risk.”
Today’s public beta release targets a commonly-cited source of false positives: npm devDependencies. Dependabot now assesses incoming alerts against a set of GitHub-curated rules that take into account how you’re using an npm devDependency, and the level of risk it may pose to your repository. “In ecosystems with lots of dependencies like npm, false positives can cascade through a project, burdening developers with needless noise,” explains Harry Marr, Senior Director of Software Engineering for GitHub supply chain security.
“By detecting and auto-dismissing false positives, today’s release will reduce the volume of npm alerts by approximately 15%, and marks the beginning of a series of ships that improve the relevance of alerts and relieve alert fatigue.”
How it works
Dependabot’s auto dismissal function is enabled by default for public repositories and can be enabled by administrators of private repositories on the Code Security page. When enabled, Dependabot will automatically dismiss false positive alerts and let you know via a special timeline event, supported in the audit log, webhook, REST, GraphQL, and alert-centric views. You can review auto-dismissed alerts with the resolution:auto-dismissed filter:
What’s next?
This first application of alert rules for Dependabot addresses a common pain point for npm developers, with support for additional ecosystems coming soon. Please join us in the GitHub Community to share your feedback and ideas on how Dependabot can work better for you and other developers.
Learn more about alert rules
Tags:
Written by
Related posts
Attacking browser extensions
Learn about browser extension security and secure your extensions with the help of CodeQL.
Cybersecurity spotlight on bug bounty researcher @adrianoapj
As we wrap up Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program—@adrianoapj!
Securing the open source supply chain: The essential role of CVEs
Vulnerability data has grown in volume and complexity over the past decade, but open source and programs like the Github Security Lab have helped supply chain security keep pace.