GitHub Vulnerability Alerts


Renovate now supports raising Pull Requests immediately for any JavaScript or Python package identified as having a vulnerable version by GitHub’s Vulnerability Alerts.

For example, if you have configured weekly or monthly schedules for some dependencies and one of them is revealed to be vulnerable, Renovate will raise a Pull Request for that upgrade immediately, overriding the configured schedule.

As you’d expect, much of this functionality is configurable via a new vulnerabilityAlerts config object. Its defaults are:

{
  groupName: null,
  schedule: [],
  commitMessageSuffix: '[SECURITY]',
}

i.e. for a vulnerable dependency Renovate will:

  • clear any schedule so that the PR is raised immediately
  • break it out of any group so that it is not bundled with other updates
  • add [SECURITY] as a suffix to the commit message (and therefore the PR title) to draw attention to it

You can customise this configuration object, e.g. to add custom labels or assignees too.
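The following renovate.json is an added example, not taken from this post or from the Renovate documentation, showing how the override interacts with an ordinary schedule. The base preset, the schedule string, the label name and the assignee are illustrative assumptions; only labels and assignees are settings this post explicitly mentions for vulnerabilityAlerts.

```json
{
  "extends": ["config:base"],
  "schedule": ["before 3am on Monday"],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "assignees": ["alice"],
    "commitMessageSuffix": "[SECURITY]"
  }
}
```

With this configuration, routine upgrades wait for the Monday window, while any package flagged by GitHub’s Vulnerability Alerts gets an immediate PR labelled "security", assigned to alice and suffixed with [SECURITY]. The defaults of groupName: null and schedule: [] are inherited, so they do not need repeating; note that putting a schedule inside vulnerabilityAlerts would reintroduce the delay that this feature is meant to remove.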

Because GitHub’s Vulnerability Alerts were introduced after the Renovate App was created, Renovate now needs to ask for an additional permission (read-only access to vulnerability alerts). Repository and Organization owners will need to grant this permission to Renovate before the functionality can work.

Also note that on a private repository GitHub does not enable Vulnerability Alerts by default, so you need to turn them on for the repository under its settings before Renovate can act on them.

This is the first of several planned vulnerability-related features, such as support for npm’s “audit” feature, which is built on the Node Security Project team and database that npm acquired.
