by greysteil
2091 days ago
PM from GitHub here and author of Dependabot. It's different.

- Dependabot looks for vulnerabilities in your dependencies, and creates pull requests to update you to fixed versions.
- Code scanning looks for vulnerabilities in your own code. So, for example, if you have written code that takes user input and creates a database instruction from it without escaping it, it will flag that you are introducing an SQL injection vulnerability.

(As an aside, we could definitely improve Dependabot to treat devDependencies differently. You do need to care about vulnerabilities in your devDependencies in _some_ cases (code exfiltration is the obvious one) but not in many - we should get smarter about distinguishing between those cases.)
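
The SQL injection pattern described in the comment above, as an added example that is not part of the original post, GitHub's code scanning, or Dependabot. It shows the vulnerable shape a scanner flags (untrusted input flowing unsanitized into the SQL text passed to `execute`) beside the parameterized form that fixes it. The database, table, rows, and the attacker-controlled string are all constructed here for illustration; the function names `lookup_vulnerable`, `lookup_safe`, and `demo` are the example's own.

```python
import sqlite3


def make_db():
    # Constructed in-memory database for the example (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is interpolated straight into the SQL text.
    # This is the source-to-sink flow a code scanner reports as SQL
    # injection: user input reaches conn.execute() as part of the query.
    query = "SELECT name, secret FROM users WHERE name = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the driver binds the value separately from the
    # statement, so the input is never parsed as SQL. No manual escaping
    # is needed, and the scanner sees no tainted data in the query text.
    query = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed attacker-controlled input: closes the string literal and
    # appends a tautology so the WHERE clause matches every row.
    malicious = "' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_malicious": lookup_vulnerable(conn, malicious),
        "safe_benign": lookup_safe(conn, benign),
        "safe_malicious": lookup_safe(conn, malicious),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the malicious input, the vulnerable lookup returns every user's secret, while the parameterized lookup returns nothing because it searches for a user literally named `' OR '1'='1`. Parameterization is the fix to reach for rather than hand-rolled escaping, which is easy to get wrong per database dialect.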
Hey, totally off topic, sorry. Can you get someone to turn off pull requests for the unofficial mirrors that you guys created for some open source projects? Users are being misled into thinking opening PRs there is productive, but they're not monitored by our project and we don't own the repo anyway. https://github.com/wine-mirror/wine/pulls
I've tried contacting your support, but they just tell me that they don't own the repo, which is obviously false[1]. I don't know who to reach out to.
[1] https://github.community/t/how-is-the-mirrored-from-annotati...