GitHub, the online code repository, is launching a new security feature that will warn developers about insecure dependencies. The company wants to reduce the number of vulnerable projects hosted on and distributed through its platform.
The new feature is known as the Dependency Graph, which gives developers a simple way to view all the other packages and applications their own code uses. The feature checks these dependencies against the standard vulnerability databases and warns developers if any of them are vulnerable. It will also send email notifications whenever a project is updated to use a vulnerable dependency (library) or GitHub updates its database with newly disclosed vulnerabilities.
GitHub's Director of Product said that the engineers will start by using the CVE vulnerability classification system to keep track of known security issues, but they will also send warnings for well-known issues that do not have a CVE ID.
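As an added illustration (not GitHub's own implementation, which the announcement does not describe beyond this outline), the following Python sketch performs the core step behind such alerts: parse the pinned dependency versions out of a manifest and match each one against advisory version ranges. The manifest, package names and advisory identifiers are constructed placeholders; a real system would use a full semver implementation and a live advisory feed.

```python
import json
import re

# Constructed sample manifest with pinned versions (package names are fictional).
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "example-logger": "4.17.4",
    "example-http": "1.8.0",
    "example-dates": "2.19.3"
  }
}"""

# Constructed advisory list; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "example-logger",
     "vulnerable": ">=4.0.0 <4.17.5", "fixed_in": "4.17.5"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "example-dates",
     "vulnerable": "<2.19.3", "fixed_in": "2.19.3"},
]

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def parse_version(text):
    """Turn '4.17.4' (optionally prefixed with ^, ~, = or v) into a comparable tuple."""
    return tuple(int(part) for part in text.strip().lstrip("^~=v").split("."))

def in_range(version, spec):
    """True when version satisfies every comparator in a spec such as '>=4.0.0 <4.17.5'."""
    ver = parse_version(version)
    for comparator in spec.split():
        match = re.fullmatch(r"(>=|<=|>|<|=)?([\d.]+)", comparator)
        op, bound = match.group(1) or "=", parse_version(match.group(2))
        if not OPS[op](ver, bound):
            return False
    return True

def find_vulnerable(manifest_text, advisories):
    """One alert per (dependency, advisory) pair whose pinned version falls in the vulnerable range."""
    deps = json.loads(manifest_text).get("dependencies", {})
    alerts = []
    for name, version in deps.items():
        for adv in advisories:
            if adv["package"] == name and in_range(version, adv["vulnerable"]):
                alerts.append({"package": name, "version": version,
                               "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return alerts
```

Running `find_vulnerable(PACKAGE_JSON, ADVISORIES)` flags only `example-logger@4.17.4`; `example-dates` is already at the fixed version, so the `<2.19.3` range does not match it.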
According to GitHub:
“we made it easier for you to keep track of the projects your code depends on with the dependency graph, currently supported in JavaScript and Ruby. Today, for the over 75 percent of GitHub projects that have dependencies, we’re helping you do more than see those important projects. With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.”