
I have a repository which uses ReactJS and has 39 vulnerabilities (all of them in the yarn.lock file) when I am on the master branch. The Dev branch and a few other branches are many commits ahead of master, have a ton more dependencies, and most of those are outdated as of now. However, even when I switch the branch on GitHub (to Dev or something else), it still shows the same 39 vulnerabilities.

So, does that mean GitHub is showing the vulnerabilities for the entire project across all branches? Is there a setting I have to change to look at the alerts/vulnerabilities only for the current branch? Or does it mean that all of the branches have the same vulnerabilities?

Thanks in advance.

torek
C Puneeth

2 Answers


Found the simplest way to deal with this situation: go to the "Settings" of the repository and change the default branch to the current branch. This will not affect anything unless you have some sort of trigger in place that deploys the current default branch.

Once you get that done, Dependabot should be able to scan for vulnerabilities and give you the results. You can flip it however many times you'd like.

C Puneeth


Last I checked, Dependabot, by default, only checks the default branch of a repo for vulnerabilities, and Dependency Review should help you prevent adding new vulnerabilities to other branches.

I'm not aware of a branch filter in the security panel in GitHub. The recommendation is to try and keep your vulnerability count at 0.

You can use the dependabot.yml config file to add additional pull-request target branches. If configured, Dependabot will also watch those branches and alert based on them.

Given how many vulnerabilities are found nowadays, a strategy of fixing them in the development branch and waiting for the next release window to patch them is a very risky one. You'll want to hotfix your master branch and production environment regularly and keep the vulnerability count low.

Sample config (legacy Dependabot v1 syntax, which lived in `.dependabot/config.yml`; the v1 format required `directory` and `update_schedule`, and the Java package manager had to name the build tool, e.g. `java:maven` or `java:gradle`):

```yaml
version: 1
update_configs:
  # One entry per branch Dependabot should also watch.
  - package_manager: "java:maven"
    directory: "/"
    update_schedule: "daily"
    target_branch: "java8"
  - package_manager: "java:maven"
    directory: "/"
    update_schedule: "daily"
    target_branch: "java11"
```
jessehouwing
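The same idea in the current Dependabot v2 syntax (`.github/dependabot.yml`), applied to the asker's yarn.lock, as an added example that is not part of either answer above. It assumes the long-lived branch is called `dev` and the React app lives at the repository root; yarn.lock is covered by the `npm` ecosystem.

```yaml
# .github/dependabot.yml  (Dependabot v2 syntax)
# Added example; assumes a branch named "dev" and the app at the repo root.
version: 2
updates:
  # yarn.lock and package.json are handled by the "npm" ecosystem.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Version-update PRs from this entry are opened against "dev"
    # instead of the default branch.
    target-branch: "dev"
    open-pull-requests-limit: 10

  # A second entry keeps the default branch (master) patched too.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
```

Caveat for practitioners: `target-branch` controls which branch Dependabot version-update pull requests are raised against; the alert count shown in the repository's Security tab is still computed from the manifest and lockfile on the default branch. To see the real exposure of a non-default branch without touching repository settings, check it out locally and run `yarn audit` (or `npm audit` for an npm lockfile) against that branch's lockfile.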