Do you know if all your repositories have up-to-date dependencies?(github.blog)
github.blog
Do you know if all your repositories have up-to-date dependencies?
https://github.blog/2024-01-25-do-you-know-if-all-your-repositories-have-up-to-date-dependencies/
2 comments
I've never found the main issue to be knowing which repositories have out of date/insecure dependencies, but rather actioning those notifications.
At a previous job, the main repository consistently had 100+ dependabot security notifications; it would essentially be a full time job to sift through alerts for all repositories and apply necessary updates.
For example, NPM dependencies get installed not only on the build server, but also on the laptops of developers. These laptops are connected to VPNs, so malware can get into corporate networks.
Also, they can rootkit dev and production servers, so your coworkers and users might be getting served malware as well.