I have a repository which uses ReactJS and has 39 vulnerabilities (all of them are in yarn.lock file) when I am on the master branch. Dev branch and a few other branches are many more commits ahead of this master and there are a ton more dependencies and most of them are outdated as of now. However, even when I switch the branch on GitHub (when I switch to Dev or something else), it still shows the same 39 vulnerabilities.
So, does that mean GitHub is showing the vulnerabilities for the entire project in all the branches? Do I have to set some setting to look at the alerts/vulnerabilities only for the current branch? Or does it mean that all of the branches have the same vulnerabilities?
Thanks in advance.
CodePudding user response:
Last I checked, Dependabot, by default, only checks the default branch for a repo for vulnerabilities and Dependency Review should help you prevent adding new vulnerabilities to other branches.
I'm not aware of a branch filter in the security panel in GitHub. The recommendation is to try and keep your vulnerability count at 0.
You can use the dependabot.yml config file to add additional pull-request target branches. If configured, Dependabot will also watch those branches and alert on them.
Given how many vulnerabilities are found nowadays, a strategy of fixing them in the development branch and waiting for the next release window to patch them is a very risky one. You'll want to hotfix your master branch and production environment regularly and keep the vulnerability count low.
Sample config:
update_configs:
  - package_manager: java
    target_branch: java8
  - package_manager: java
    target_branch: java11
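For the question's own setup (a Yarn lockfile, master as the default branch, active work on Dev), the same idea written in the current version 2 format of dependabot.yml. This is an added example, not the config from the answer above; it assumes the lockfile sits in the repository root and that the branch is named exactly "Dev".

```yaml
# Added example (not from the original answer): dependabot.yml for a
# Yarn/React repository whose default branch is master and whose day-to-day
# work happens on Dev. Assumptions: yarn.lock is in the repository root and
# the development branch is literally named "Dev".
version: 2
updates:
  # Entry without target-branch: applies to the default branch (master),
  # which is the branch the Security tab's alert count is computed from.
  - package-ecosystem: "npm"      # yarn.lock is covered by the npm ecosystem
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

  # Second entry for Dev: Dependabot reads Dev's own yarn.lock and opens its
  # version-update pull requests against Dev instead of master, so outdated
  # dependencies there no longer wait for the next merge into master.
  - package-ecosystem: "npm"
    directory: "/"
    target-branch: "Dev"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
```

Each additional branch you want watched gets its own entry with its own target-branch; the entry without target-branch must stay so the default branch keeps being checked.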