Finding and fixing your first dependency vulnerability

Learn how to keep your dependencies secure by enabling Dependabot and its features in a demo repository.

Using pre-written collections of code in your project, called libraries or packages, is common practice. These code modules save you a ton of time, letting you focus on the new, creative aspects of your work instead of coding large reusable components from scratch. When added to your project, they are called dependencies, since your work is dependent on the code they contain.

While using dependencies is perfectly normal, dependencies can contain code vulnerabilities, which would in turn make your project insecure. Luckily, tools like Dependabot can find dependency vulnerabilities, raise pull requests to fix them, and even prevent them from happening in the future. In this tutorial, you'll learn how to enable and use Dependabot and its features to keep your dependencies secure.

Setting up the demo repository

Let's get started by forking a demo project with some dependency vulnerabilities. Since we won't deploy the project, there is no security risk in this exercise.

  1. Navigate to the new2code/dependabot-demo repository.
  2. In the top right of the page, click Fork.
  3. On the page that appears, click Create fork.

Enabling dependency security features

Now that we've set up the project, let's configure Dependabot to find and create fixes for insecure dependencies.

  1. In the navigation bar for your repository, click Security.
  2. In the "Dependabot alerts" row, click Enable Dependabot alerts.
  3. In the "Dependabot" section, next to "Dependabot alerts", click Enable.
  4. In the pop-up that appears, read the statement about enabling the dependency graph, then click Enable.
  5. To allow Dependabot to automatically open pull requests fixing dependency vulnerabilities, next to "Dependabot security updates", click Enable.

Viewing your insecure dependencies

With Dependabot configured, let's find out which of our dependencies contain vulnerabilities.

  1. In the navigation bar for your repository, click Security.
  2. To see the Dependabot alerts for your repository, in the side navigation, click Dependabot.
  3. To see detailed information about an alert, click the alert title. For this exercise, click Command Injection in hot-formula-parser.

Understanding a Dependabot alert

Now that Dependabot has identified some vulnerabilities in our dependencies, let's break down the information provided in the "Command Injection in hot-formula-parser" alert.

Fix summary

Below the title of the alert, you can see a short summary of the fix for this vulnerability, including the number of alerts it will close and the location of the vulnerability. In our case, the alert tells us that upgrading the hot-formula-parser package to version 3.0.1 will fix one Dependabot alert identified in our javascript/package-lock.json file.

This section also tracks Dependabot's progress creating a pull request to fix the vulnerability. Once a fix is available, you'll see a button labeled "Review security update" linking to the pull request.

Screenshot of the fix summary section of a Dependabot alert.

Vulnerability details

Below the fix details, Dependabot provides more information about the vulnerability, including:

  • The name of the vulnerable package
  • The versions of the package that contain the vulnerability
  • The version of the package that fixes the vulnerability
  • Details on the type of vulnerability and how it can be exploited

Screenshot of the vulnerability details section of a Dependabot alert.

In this alert, we can see that the parse function in the hot-formula-parser package doesn't properly check that user input is safe before executing it, which allows attackers to run malicious commands.

Tip

If you don't fully understand the vulnerability details, try asking Copilot Chat to explain them.

Timeline

Finally, you can see the timeline of the alert at the bottom of the page. Our timeline currently contains the timestamp when Dependabot opened the alert, and will be updated automatically when we fix the vulnerability.

Screenshot of the timeline for a Dependabot alert.

Securing your dependencies

To secure our project quickly and easily, let's apply the fix Dependabot created.

  1. In the alert field with the fix summary, click Review security update.

  2. On the pull request page, click Files changed to see Dependabot's changes. After you review the changes, click Conversation to return to the pull request overview.

  3. To apply the fix, at the bottom of the page, click Merge pull request, then click Confirm merge.

    Once the pull request merges, the linked Dependabot alert will close automatically, and the fix time will be added to the timeline.

Preventing future dependency vulnerabilities

To help avoid insecure dependencies moving forward, let's allow Dependabot to automatically open pull requests updating your dependencies as new versions are released.

  1. In the navigation bar for your repository, click Settings.
  2. In the "Security" section of the sidebar, click Advanced Security.
  3. Next to "Dependabot version updates", click Enable.
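Version updates are driven by a `.github/dependabot.yml` file in the repository. As an added example (not the starter file the Enable button opens for you), here is a configuration for the demo's npm project, whose lock file the alert located at javascript/package-lock.json; the schedule, limit, label and grouping values are choices for illustration:

```yaml
# .github/dependabot.yml (added example; values below are illustrative choices)
version: 2
updates:
  # The demo's JavaScript project lives under javascript/, where the alert
  # found package-lock.json, so Dependabot reads the manifest from there.
  - package-ecosystem: "npm"
    directory: "/javascript"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap the number of open version-update pull requests to keep review manageable.
    open-pull-requests-limit: 5
    # Label the pull requests so they are easy to filter and route.
    labels:
      - "dependencies"
    # Bundle minor and patch bumps into a single pull request; major bumps
    # stay in their own pull requests so breaking changes get a closer look.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

Security updates (the fix you merged above) still arrive as their own pull requests regardless of this schedule; this file only controls routine version bumps.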

Next steps

Now that you've tried out Dependabot and its features on a demo repository, enable them on your own projects to easily find, fix, and prevent dependency vulnerabilities.