Some of my advanced git repositories have Github Dependabot alerts for vulnerabilities ranging from low priority to critical. Some have recommendations for remediation, and others can be remediated directly through Dependabot action in the repository. Is it advisable to allow Github remediation of vulnerabilities, or are there larger considerations that make such updates unadvisable?
This is an excellent question. I think it depends on where the vulnerabilities are. For example, if it’s in your own code (like not using a specific NPM package, or using a new version, or something like that), then it should be fine.
However, if it’s found a vulnerability in a part of the codebase that is not managed by you (i.e. that is native to the JourneyApps platform) then you should rather send that through to us on firstname.lastname@example.org.
I hope this makes sense.