Earlier in mid-October, GitHub introduced a Dependency Graph section in a project's Insights tab that shows a tree-like structure of all the loaded libraries. The new feature is the next step in improving the overall experience of managing and running projects on GitHub.
As soon as a new vulnerability is detected, the user will get notified along with the known fixes to the issue.
This feature is a major step towards ensuring the security of code in projects hosted on GitHub. With GitHub now hosting nearly 67 million repositories, many of which rely on software libraries and packages that are not updated frequently, security is a major concern.
Developers can keep a check on the security alerts, which can be accessed under the Insights tab of any project. Users will also get email notifications whenever GitHub updates its database with information about a new vulnerability.
The security feature will be automatically enabled for public repositories, while for private repositories owners will need to opt in to security alerts in their repository settings, or simply allow access in the dependency graph section of their repository's Insights tab. Users will get suggestions on recommended updates and on moving to a safer version.
The vulnerabilities disclosed will be those that have CVE IDs, i.e. those disclosed publicly via the NVD (National Vulnerability Database). However, GitHub plans to improve the vulnerability identification process over time.
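To make the mechanism described above concrete, here is an added example (not GitHub's code, and not a description of how the Dependency Graph is implemented internally) of the core matching step: a pinned manifest is parsed, each dependency is checked against an advisory feed of affected version ranges, and an alert with the first fixed version is produced. The manifest, the advisory records and the CVE-style identifiers are all constructed for this example; unpinned dependencies are reported separately because a range specifier cannot be matched reliably against an advisory.

```python
"""Toy dependency-vulnerability matcher (added example, not GitHub's implementation)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    cve_id: str      # placeholder identifier, constructed for this example
    introduced: str  # first affected version (inclusive)
    fixed: str       # first version that is no longer affected (exclusive bound)
    summary: str


# Constructed advisory feed standing in for the NVD-derived database; not real CVEs.
ADVISORIES = [
    Advisory("examplelib", "CVE-0000-0001", "1.0.0", "1.4.2", "constructed: unsafe deserialization"),
    Advisory("otherlib", "CVE-0000-0002", "0.0.0", "3.1.0", "constructed: path traversal"),
]

# Constructed requirements.txt-style manifest.
REQUIREMENTS = """\
# constructed manifest for the example
examplelib==1.3.0
otherlib==3.1.0
thirdlib==2.0.0
fourthlib>=1.0
"""


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple, padded to three parts."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_requirements(text):
    """Return (exact pins, unresolved lines). Only '==' pins can be matched safely."""
    pinned = {}
    unresolved = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)$", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unresolved.append(line)
    return pinned, unresolved


def is_affected(version, adv):
    """Affected iff introduced <= version < fixed (half-open range)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_alerts(pinned):
    """Match pinned dependencies against the advisory feed and return alert records."""
    alerts = []
    for adv in ADVISORIES:
        version = pinned.get(adv.package)
        if version is not None and is_affected(version, adv):
            alerts.append({
                "package": adv.package,
                "installed": version,
                "cve": adv.cve_id,
                "fixed_in": adv.fixed,   # the "safer version" to recommend
                "summary": adv.summary,
            })
    return alerts


if __name__ == "__main__":
    deps, skipped = parse_requirements(REQUIREMENTS)
    for a in find_alerts(deps):
        print(f"{a['cve']}: {a['package']}=={a['installed']} is affected; "
              f"upgrade to {a['fixed_in']} ({a['summary']})")
    for line in skipped:
        print(f"could not match unpinned requirement: {line}")
```

Note the boundary case: otherlib is pinned at exactly the fixed version, so no alert is raised, while examplelib sits inside the affected range and is flagged with the version to move to.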