Dealing with GitHub security alerts
Open, Needs Triage · Public

Description

It seems GitHub are making "security alerts" on repos more visible to those with rights... https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/

These relate to Ruby gems and NPM packages.

We should look at some way of processing/dealing with these.

Reedy created this task. Nov 18 2017, 2:38 PM
Restricted Application added a subscriber: Aklapper. Nov 18 2017, 2:38 PM
Tgr added a subscriber: Tgr. Nov 18 2017, 9:59 PM
Reedy updated the task description. Nov 18 2017, 10:51 PM
Reedy added a comment. Nov 25 2017, 3:56 PM

https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/

You can choose to receive security alerts by email, in your web notifications, or in the GitHub user interface. The security alerts list the affected dependency and, in some cases, use machine learning to suggest a fix from the GitHub community.

Reedy added a comment. Nov 25 2017, 3:57 PM

Emailed for clarification...

Reedy added a comment. Nov 25 2017, 4:44 PM

https://help.github.com/articles/managing-alerts-for-vulnerable-dependencies-in-your-organization-s-repositories/

Organization owners and repository admins receive security alerts when GitHub detects a vulnerable dependency in an organization repository. You can specify additional organization members or teams to also receive security alerts for vulnerable dependencies.

This doesn't seem to be the case...