Don’t Ignore Vulnerable Dependencies

Takeshi Kimoto
2 min read · Feb 14, 2020


It’s been nearly six months since I started using GitHub repositories heavily. However, I have been really ignorant about one thing. I knew I should have acted, but I always closed my eyes to it, as if I had never seen anything. That something is vulnerable dependency alert emails from GitHub! I have decided not to behave like this any more, as I have completed a tough coding bootcamp and hence think I should be professional enough.

When you receive an alert email from GitHub, first of all, don’t panic (I used to think I had done something very wrong and was scared reading the message in the alert email).

Second, click the Review button in the email. It opens the alert on the affected repository, where you can read the details of the vulnerable package and the version that fixes it.

In this case the alert concerns a Node dependency: react-dom needs to be upgraded to version 16.4.2 or later. First, let’s check which version of react-dom the app that triggered the alert actually has in its package.json.

package.json shows version 16.4.1, which is below the fixed version, hence the security alert from GitHub. Let’s fix this now.

Run npm install react-dom (with no version given, npm installs the latest published version and updates the entry in package.json), then check package.json again. As shown below, the version is now 16.12.0, which is above 16.4.2. npm also rewrites package-lock.json to the newly resolved version; GitHub reads the lockfile as well as package.json, so commit both files together.

Once you commit and push this change to the repository, GitHub sends another email saying that no further action is needed after the update. That is all there is to it.
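The whole procedure above, as an added example that is not part of the original post: a small Node script (standard library only) that takes an advisory’s package name and fixed-in version, looks up what is actually installed from package-lock.json rather than the range declared in package.json, and reports whether the project is still vulnerable. The package.json and package-lock.json contents are constructed to mirror the before and after states in the post; the third state, a hand-edited package.json with a stale lockfile, is an assumption added to show why the lockfile is the version that counts.

```javascript
// Added example, not code from the original post. Checks whether the
// resolved version of a dependency satisfies an advisory's "fixed in" floor.
// The package.json / package-lock.json objects below are constructed inline;
// in a real project you would JSON.parse them from disk with fs.readFileSync.

// Parse "MAJOR.MINOR.PATCH" into numbers, ignoring a leading ^ or ~ range sigil.
function parseSemver(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// What actually ends up in node_modules is the lockfile's resolved version,
// not the range in package.json. Handles lockfileVersion 1 ("dependencies")
// and lockfileVersion 2/3 ("packages" keyed by node_modules path).
function installedVersion(lock, name) {
  const byPath = lock.packages && lock.packages[`node_modules/${name}`];
  if (byPath && byPath.version) return byPath.version;
  const byName = lock.dependencies && lock.dependencies[name];
  if (byName && byName.version) return byName.version;
  return null;
}

// Evaluate one advisory ({ name, fixedIn }) against package.json + lockfile.
// Falls back to the declared range only when there is no lockfile entry.
function checkAdvisory(pkg, lock, advisory) {
  const declared = (pkg.dependencies || {})[advisory.name] || null;
  const resolved = installedVersion(lock, advisory.name);
  if (!declared && !resolved) return { status: 'not-used' };
  const effective = resolved || declared;
  const vulnerable = compareSemver(effective, advisory.fixedIn) < 0;
  return { status: vulnerable ? 'vulnerable' : 'fixed', declared, resolved, effective };
}

// The advisory from the post: react-dom fixed in 16.4.2.
const advisory = { name: 'react-dom', fixedIn: '16.4.2' };

// Constructed states mirroring the post, before and after `npm install react-dom`.
const before = {
  pkg: { dependencies: { react: '^16.4.1', 'react-dom': '^16.4.1' } },
  lock: { lockfileVersion: 1, dependencies: { 'react-dom': { version: '16.4.1' } } },
};
const after = {
  pkg: { dependencies: { react: '^16.4.1', 'react-dom': '^16.12.0' } },
  lock: { lockfileVersion: 2, packages: { 'node_modules/react-dom': { version: '16.12.0' } } },
};
// Assumed trap state: package.json bumped by hand, lockfile never regenerated,
// so the vulnerable build is still what gets installed and GitHub keeps alerting.
const rangeOnly = {
  pkg: { dependencies: { 'react-dom': '^16.12.0' } },
  lock: { lockfileVersion: 1, dependencies: { 'react-dom': { version: '16.4.1' } } },
};

for (const [label, state] of Object.entries({ before, after, rangeOnly })) {
  console.log(label, checkAdvisory(state.pkg, state.lock, advisory));
}
```

Real advisories describe an affected range rather than a single floor (a major version that never contained the bug is not affected at all); the script reduces that to the “fixed in” version the way the post does, which is enough for the upgrade-and-verify loop shown here. The rangeOnly case is the one to remember: editing package.json without re-running npm install leaves the old resolved version in package-lock.json, and the alert stays open.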

It is very simple and straightforward, so I will check alert emails from GitHub going forward!
