github vulnerable dependencies per branch

It seems to me that you can only see the vulnerable dependencies on the master branch. I fixed those mentioned in the alert on a separate branch and want to check if in fact the vulnerable dependencies are fixed, so what I really need is to be able to check the alert for the specific branch, can this be done?

thehme asked May 21 '18 14:05




1 Answer

The security alerts for vulnerable dependencies reported by GitHub might be valid only for the default branch (usually master, but you can change it).

If you are not ready to merge your fix to the default branch of your repo, one workaround would be to push that branch to the default (again, usually master) branch of a new dedicated (and temporary) repository, just to check if any new alerts are detected on that new repo.

Update Oct. 2020, 2+ years later: Michael Greisman points, in the comments, to this GitHub Community answer and to the documentation "About alerts for vulnerable dependencies".

It confirms that the scan is done against the default branch.

"Once the fix... is merged into the default branch... GitHub will schedule a new scan of your project’s dependencies".

VonC answered Sep 24 '22 20:09

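Because GitHub only scans the default branch, the one thing you can verify locally before merging (or before going through the temporary-repository workaround above) is whether the fix branch's lockfile still resolves the flagged package to a version below the fixed one. The script below is an added example, not code from the question, the answer or GitHub: it reads a branch's `package-lock.json` with `git show <branch>:package-lock.json` and compares every resolved copy of each flagged package against the first fixed version. The package name `example-pkg`, the versions, and the two embedded lockfiles are constructed sample data, not a real advisory.

```python
"""Check whether a branch's npm lockfile still resolves a flagged package to a
vulnerable version. Added example; not code from the original post or from GitHub."""
import json
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class Advisory:
    """One alert reduced to what the check needs: the package and its first fixed version."""
    package: str
    fixed_in: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric-only semver compare: '4.17.4' -> (4, 17, 4). Pre-release and build tags are
    dropped, which is enough for a pre-merge sanity check but is not full semver."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) for part in core.split(".")[:3])


def lockfile_packages(lock: Dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, resolved_version) for every package in a package-lock.json.

    lockfileVersion 2/3 keep a flat "packages" map keyed by install path
    ("node_modules/@scope/name", possibly nested); lockfileVersion 1 nests
    "dependencies" recursively. Both shapes are handled."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path or "version" not in meta:
                continue  # "" is the root project itself; link entries carry no version
            yield path.rsplit("node_modules/", 1)[-1], meta["version"]
        return

    def walk(deps: Dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def vulnerable_packages(lock: Dict, advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (name, resolved_version, fixed_in) for each resolved copy still below the
    fixed version. Every copy counts: npm may keep several versions of one package in
    nested node_modules, and an alert fires on any vulnerable copy, not just the top one."""
    fixed = {a.package: a.fixed_in for a in advisories}
    hits = []
    for name, version in lockfile_packages(lock):
        if name in fixed and parse_version(version) < parse_version(fixed[name]):
            hits.append((name, version, fixed[name]))
    return sorted(set(hits))


def lockfile_from_branch(branch: str, path: str = "package-lock.json") -> Dict:
    """Read the lockfile as committed on `branch` via `git show`, without checking it out."""
    blob = subprocess.run(["git", "show", f"{branch}:{path}"],
                          check=True, capture_output=True, text=True).stdout
    return json.loads(blob)


# Constructed sample data: hypothetical package and versions, not a real advisory.
ADVISORIES = [Advisory(package="example-pkg", fixed_in="2.0.1")]

# Default-branch lockfile, lockfileVersion 1 shape: a second copy nested under another package.
MASTER_LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "example-pkg": {"version": "2.0.0"},
        "some-tool": {"version": "1.4.0",
                      "dependencies": {"example-pkg": {"version": "1.9.3"}}},
    },
}

# Fix-branch lockfile, lockfileVersion 2 shape: top-level copy bumped, nested copy deduped away.
FIX_BRANCH_LOCK = {
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "my-app", "version": "0.1.0"},
        "node_modules/example-pkg": {"version": "2.0.1"},
        "node_modules/some-tool": {"version": "1.4.0"},
    },
}

if __name__ == "__main__":
    import sys
    # Usage: python check_lockfile.py <branch>   (reads that branch's lockfile via git show)
    lock = lockfile_from_branch(sys.argv[1]) if len(sys.argv) > 1 else FIX_BRANCH_LOCK
    for name, version, fixed_in in vulnerable_packages(lock, ADVISORIES):
        print(f"{name}@{version} is still below fixed version {fixed_in}")
```

Run it against both branches (`python check_lockfile.py master` and `python check_lockfile.py my-fix-branch`) and compare: the nested copy is the usual reason an alert survives a version bump in `package.json`, since `npm install` may leave an older duplicate under another dependency until you run `npm dedupe` or update that dependency too. A clean result here is a local pre-check only; GitHub will still not show the alert as resolved until the fix reaches the default branch and the scheduled rescan runs.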