From YouTube: Demo Days EMEA - Dependabot & dependency graph
Description
Lukas Pollmann, Senior Solutions Engineer, dives into software dependencies. More effective management of software vulnerabilities enables your organization to consume open source software more responsibly, saving you developer time and effort. Secure your open source supply chain.
Learn more about Security here: https://github.com/learn/security

Transcript
All right, hi everybody, so my name is Lukas. I'm really happy to have you all here this morning, or this evening, wherever your time zone is. Today the idea of this little stream will be to show you around how we can help you with your dependencies. Before we get started, I just want to introduce you to two friends I brought with me today. One you might all know, or I hope so: that is our Octocat, Mona Lisa.

I have her here as a plush and she will help me guide you through this process today. On the other side, because it will be about dependencies and how to fix them, I brought the other big helper at GitHub with me, and that is our little Hubot. So if you don't know Hubot, he is actually an open source project and we call him the hardest-working person at GitHub, so he actually sees quite a lot of us, as a chatbot who can interact with anything at GitHub.

Getting started with that, it would be interesting for me to know who of you is already a GitHub user and has a profile, as I'm showing here; feel free to use the chat for that. So I just want to get started with what is usually the starting place for any project at GitHub, and that is your own profile. What you can see here is my GitHub profile. If you know the old design, it has changed a little bit over the last months.

I see a lot of people, I mean, are using GitHub, so really nice to see you guys, and I think you all will have such a profile. So what you can see here are the contributions I did. To be honest, they are really high in my profile, because I do quite a lot with GitHub, not just with coding. So if you don't know that yet, GitHub is actually doing most of its stuff within GitHub, and we even force the legal people or the sales people to use GitHub.

So I think this is quite a cool thing, and it is just a repository. What I will do today is go through some projects with you and show a little bit how we can solve what I would call the dependency hell. So you all know dependencies, the software we build on, and the aim is really to get you through this process.

If you get stuck with something, or if you're interested in learning something more, just feel free to use the chat. I'm always happy to follow up with you, and otherwise this is really an interactive session. So the idea is just that we go through this process, learn something on the way, and in the end I would be happy if you try it out yourself.

So let's get started, maybe with something else I wanted to show you, and I think that is a nice thing about GitHub which you might not know yet: it's called the Octocat generator. So there is a project I have on GitHub, done with a good colleague of mine, and here is the source code. What it actually is is an app that allows you to create your own Mona Lisa, and there's a little bit of background, because we actually use it at conferences.

So this is the site, the octocat demo on github.io, for those who are interested. That is actually hosted on GitHub, and if you do not know, you can host a website from your GitHub repository.

So you just have to have a static website in the repository, go to settings, and then you can host it, so no need to buy additional web space for those projects. And if I get started here, you will see this little editor, and I want to do this interactively. So I need your ideas on how we could design the Octocat here. So let's get started with the color: the first one to give me a color, that will be the color I'm choosing.

I think it goes in this direction, maybe, and I will choose some darker hair for her, and then let's look for some nice accessories. So, props here, I mean, you see we have quite some props. You can give her a coffee mug, a notebook, and I think for this day, since we are on Twitch, we need a gamepad. And I just looked for something nice to wear, and I think she of course needs to get a GitHub t-shirt. So that's the Octocat created for the stream.

So let's get started with a little project I have here, and as with every project, this is just the starting point on GitHub: to go to the repository side. What you will see here is the source code. So in this section I have my code for this little project. It's done in Node.js, so if you are from the JavaScript community, it might be interesting for you. What I'm showing here could also be used with other languages like Java and C#, if you're into that, and this little project is really simple.

It's actually, as you can see here in the GIF, just a simple web server. So that's usually what you would do when starting a Node.js project: creating a little server, showing something and then testing this. What you can see here is that this server is using an endpoint from our API that creates a little animated Mona Lisa with the Zen of GitHub. So you will ask, what is the Zen of GitHub? It's quite funny, because the Zen of GitHub is actually a collection of ideas that we use to create GitHub, and you can use that endpoint.

Actually, it's really simple. It's linked here: it's api.github.com/octocat; we'll share it also in the chat. As it's used, you get this little ASCII art and always a sentence. In this case, "mind your words", a good idea if you're on Twitch, and if you hit it again, you can see here a different sentence. There is even a blog post about it, so the Zen of GitHub is one of the driving forces for our developers on how we create GitHub.

So how can we help you as a developer to manage it better? To get started, maybe let's have a look at where the dependencies of this project are. So if I look here, there is a file called package.json, and that file actually allows you to get an insight into what dependencies we have here. So a package.json file is a file that every Node.js project will create at some point, and it allows you to set up some things so that others can also install your project.

He is a colleague and friend of mine; we're also working together. And then here you see these commands like start or test, and they actually allow you to define what should happen if you hit npm start or npm test, so it's straightforward. And we at GitHub created something we call the dependency graph. Who of you has heard about the dependency graph so far?

Great, we have one here, yeah, two, really good. So the dependency graph is something that we build in GitHub based on this file, and it's hidden in your repository in this little section called Insights. So Insights is something I barely used before joining GitHub. I did not really know that this section was there, but it's quite interesting because it gives you this little pulse of what is happening in my repo.

So why is it helpful for you? Because we can use that information to do quite some interesting things. On the one side you get an understanding of how your project is actually built up, and I think that it's always important, because there have been occasions where people had a dependency in there that could cause trouble.

I get asked what other languages are supported, so I think Peter can add in the chat a list of the languages that we have, and the interesting thing here is that we can do this as long as a language actually has a certain package ecosystem. So, as you can see here in this little link from the documentation, which I will share with you as well.

So those are the languages where we say we support not just the language but also different formats of dependencies, and from that we can build this dependency graph. With this dependency graph, what is quite cool, you can then, for example, understand which version you're using and could, for example, look up if that version is secure, or if there is a dependency where you read in the news that somebody just took over this dependency and turned it into a cryptominer.

We have to configure it here. This is actually a little acquisition that we did at GitHub. So we don't only have Hubot here, which is our famous chatbot and employee at GitHub, but we now have a second bot called Dependabot, and Dependabot actually does two things. One thing is: it goes through this dependency graph and it's checking, hey, what is he using? What version is he using, and do I know something about it?

Now that's a good question about the license. I will get back to that in a minute. The first thing I want to show you is what you can enable here. So there are these Dependabot alerts you can set up. So the first thing is that I get information: hey, there is something wrong in my dependency. And then the second thing is helping you with the updates. I will now enable both, and in a minute we should get some information about this.

The GitHub repo, I can give you the GitHub repo if you're interested in that. Good question here, in general, with the license.

What we do so far is that, on the organizational level, we have a feature, organization insights, that lists not just the dependency graph but also the license we get from the project. Usually, like we know, this project has an MIT license, as it's for example listed in this package.json file, and then we can give you an overview where you could filter. Otherwise that information is partly available, but we do not yet show it here in the dependency graph. But what I can give you for the future is:

There are, of course, projects where we think: how can we improve that graph? And in a few months or so it could be that we also introduce more information on licenses, for example. So this is something we're working on, and I think the cool thing here with Dependabot is that it's really easy to set up. So if I go now back to this repository, we see this little yellow box here, and just to keep in mind: if you do it for your private repo, you can just turn it off.

You get these alerts, you might get some emails, but we also had some people who did this for the whole organization. So I know from a customer who turned this off for an organization with 10,000 developers, and at that point he had configured it in a way that there were 10,000 emails going out to everyone about vulnerabilities, which is great. We all want to inform the people that they should care about their code, but you know, some people don't like this much email, so just keep an eye on that.

So who wants to see the alerts? I think everybody. So let's jump into it, and here you see we have six alerts at the moment. What is interesting is I do not just get the information about the affected package; I also see how severe this is. And the idea here is, yes, it's also available for private repos.

A really good question here, Courageous, so the idea is really that everybody can use it, no matter if it's private, no matter if it's public.

What we do is also help you to sort a little bit through this mess. So we have six dependencies here that have issues; I think that's quite good to handle. But let's imagine you have like 200 dependencies you have to work on, which in big enterprise projects or bigger community projects can quite easily be the case, and for that reason we allow you to sort these. So you can see low severity, you can see high severity, I can sort this.

Let's do it for severity, and I can also see, which is interesting, the file where it was taken from, so the package.json or the package-lock.json. We have seen them before, and then we also have here this little pull request symbol, and that brings me to the other interesting aspect.

Yeah, that was good. So what I want to do first is: let's look at one of these, like here. We have this https-proxy-agent. If I click on this, you will get to this detailed page, and it actually does two things for you. It gives you some context on how I can fix this mess.

So that tells me you should update to this version at least, and the other thing is, it gives me information from WhiteSource data, so we always use vulnerability data from different sources, and there is this little link here which actually brings me to this information about: where did this occur? Where is this vulnerability? What is it about? And then it allows me to better understand why I should care about this.

The other thing it allows me to do is to dismiss this thing. So if you say, hi, I know about this, it's just an old school project, I don't want to fix this: hey, you can do that. We do not force you to do so, but I would always encourage you to, and these are things we can then, for example, decide on how to handle this.

If you don't want to care about it. And then, if I look here into this pull request, what you can see is that Dependabot already did some work for us, and the good thing is: it is not just updating my dependencies automatically, but it allows me to do this in an easier way. And how does it do it?

It did two things here: it actually created a new branch, and this branch has its commits, and this commit, if you look at it, is pretty simple. It just does one thing, and that is updating this package-lock.json. So I can see here it has updated the version. The hash was updated to have the integrity there. I can see when it did this commit, this little change, so this is quite nice.

I can also go back, and then Dependabot gives me some more context. And why is this important? Because we all know that when we have dependencies and they change between the versions, there can be bigger changes that can break something, and this is not nice if you depended on a certain function, for example, that is suddenly not available anymore. You just updated the dependency, your program breaks, and that's what we want to avoid, and that's why there are release notes, so you can go through them. You can see, okay, what has changed?

So before we get to this point, I got a really good question in the chat, and that was about how deep we actually go with this dependency analysis. So where are we? What we did so far was looking into a little Node.js project. I showed you how the dependencies look, how we visualize them, and then we showed you these alerts depending on these dependencies.

What we, of course, try to do is to show you not just the dependencies you have, but also all the programs that depend on them, and for the specific dependencies we give you alerts and feedback. Now you say, what if some dependency has a dependency it depends on? That is something we cannot always cover, of course, because at a certain level it would get too complex in the number of graphs we would have to build out, but what we try to do because of that is to constantly improve our dependency graph model.

To improve that further, because we also know products that do not just have one package manager in use, but maybe different package managers and language stacks at the same time. And then the third thing we are also doing is to give you some tools like CodeQL, and we will have another cool streaming session later this month with my colleague Sebas, that allow you to actually analyze your own code and the dependencies you have there, and data flows, and so get further protection. So it helps you at a certain level.

Yeah, and as Peter said, we also have in-depth analysis, but of course there are certain areas we still do not cover, or certain languages, but we're working on this now. The other thing, and there was a right comment here by a user cfclp, is the confidence level, and how we develop this confidence level is by looking into a project that has done the same change and seeing if there have been any issues after that change.

If yes, then it lowers this confidence level, and if no, or barely, then it's quite high. Of course, we can only give you that score if there have been people who did this change, and it's the same with these updates: they can only be done if somebody else has provided a newer version that fixes this problem.

So with the score, I know, okay, 93 looks quite good, so there shouldn't be too many problems. What you can see now here is that this is a full pull request. So what I could also do, I have not set it up here, but I could, for example, set up a build process, and for this you could use a CI system you have in place, or if you have not used a CI system, there is actually something on GitHub you can use, and that's GitHub Actions. Who has used GitHub Actions so far?

We can use other ecosystems, or what I really like is we can automate other steps. So, for example, what I could create, and these are things that we have done, would be a workflow that reacts every time somebody is starring my repo, and then once this is starred, for example, it could trigger a little script that would then post me a message on Slack. Or what I have also done is using Siri Shortcuts and then just telling Siri Shortcuts it should create a new issue.

Like, I go to the desk of my colleague Peter, I see it was bad code, so I can just say: hey Siri, create an issue, Peter has to fix this and that, and then it could just trigger a workflow like this in GitHub and post to an issue. So this is something that you could also set up easily. If you would like to do this, you would go to this Actions page. The cool thing is, it is free to use for every user on GitHub. You have a certain amount of minutes.

You can run it for free, but even for the free user it's like 2,000 minutes a month, and just to have a little test setup or to build your code regularly, it's enough. For open source projects, of course, we do not limit this, because we want them to automate their projects more easily. So that's one thing you could set up, and then, when we go back to this pull request here, you see we have more than the one we already looked at.

The other thing you can do is you can also give Dependabot certain commands, and I think that is really important, because when we use Dependabot, when we have a tool like this in place with bigger projects, with projects where we have a lot of people or specific ways we do branching and merging, you can configure Dependabot either with a command, a comment like this right in this pull request. You know, if you go to the conversation here, down there,

I can just do a command here. And the other thing is, for example, I can also use a Dependabot configuration file and then configure if Dependabot should only look at certain branches, or if Dependabot should only add certain reviewers, or if Dependabot should ignore certain versions, which is really helpful, and it gives you a lot of flexibility. It's not just a solution that works in one way. You can adjust it.

You can build on this, and this is why I really like Dependabot. And now, just to show you how we can merge it: it's really easy. I merge this operation here and then you can see I can delete the branch, and this vulnerability is fixed, in that case. In general, what I would always encourage you to do is two things: make sure you have a pipeline set up with a repository just to test, if you do a change, will the tests still run? Will the code still build?

But how do we actually get to these data that we're using here? So what you have seen is maybe these two links that we shared earlier in the chat, which have been from this advisory database, and I really like this advisory database, because it shows the power of a big ecosystem like we have on GitHub.

Data are constantly contributed by people, but also researched by researchers or white-hat hackers, and what these people usually want to do is get in touch easily with the project. That's what is really important for us: to allow that process to be easy, to be straightforward. That's why we created two things.

That's what I showed you already: these are vulnerabilities in my dependencies and I should care about them, and you see we only have five left because we fixed one with the pull request. What we can do on the other side is code scanning. This is something you will learn later in another session, and we have these new sections here: policy and advisory.

So the policy is straightforward. You could just set it up here, like click on this button, and then we give you some really nicely formatted text that you can then turn into your own policy. So this is Markdown. We use Markdown a lot at GitHub, and you can just grab this and publish it, so it's actually used by the project. So if I would look at a project like TensorFlow on GitHub, what you can see here is they have the security policy in use.

So if you don't know TensorFlow, it's one of these cool machine learning frameworks. I use it in my free time for some hobby projects with machine learning. It's one of the industry standards, and the cool thing is, it is done on GitHub. So you see there's a lot going on here, a lot of issues and pull requests; they have over, I think it is over 147k stars, so huge, they are rockstars on GitHub, and they use this policy. So if I go there, I can understand: how do I treat a vulnerability?

How do I report them? What is the best way to contact them? So I think this is really something that helps people to get started and to contact the people of a repository. And then the other thing you can do is draft advisories, and these advisories are drafted in a secret space that only the person who contacts the maintainers and the maintainers themselves see, and in this space they can draft the advisory on the text side, so stating: what is the issue? Why is it a big issue?

So I see there is something going on in the chat, yeah, so as Peter says in the chat, in general, what we do with these dependencies is that we give you a report once we find an alert, so once we find something that was reported either over GitHub, as I showed you, or if it was reported over one of the databases like the NVD. And on the other side we also open the pull request once there is a fix available. So the alert is as soon as we know there's a vulnerability.

The fix will then be done as soon as there is an update available for the dependency. If I look into something like a draft report, you can see what versions were affected, how they fixed it. They also linked the patch here for this, and it's actually how the raw form of this alert would look. So this is what happens: this user here from Google published this little advisory.

So there you can see the alerts, and I think this is really cool, because we have all these projects and you benefit from that. You do not just benefit from knowing about these alerts, but from getting the updates, and if these dependencies get more secure, in the best case your software gets more secure, and that's why this is a feature everybody can use on GitHub. It's really easy to do so.

And that is, for example, here the dependency graph, so it explains how the dependency graph works, what ecosystems are supported. It can also help explain to you how you can manage these vulnerabilities. You see, there's a lot of content going on, and the cool thing is, it also explains the other things around GitHub, so like:

If you want to understand how to make my repo itself more secure, or how I can use these Actions I briefly showed, it's all in docs.github.com. And another thing I want to talk with you about is the public roadmap; you might have heard about it. So GitHub has a public roadmap which is in a GitHub repo, so just have a look there.

And then we have this little project board for the GitHub public roadmap, and it's cool, because if you're interested or had questions about, okay, he showed me how I can fix my vulnerabilities, but what is next for that? What other things are you working on for making my repo more secure or helping me to automate stuff? You can just go to this little roadmap page here.

I will post it also in the chat, and this gives you this little project board, and it shows you what things we are working on, how confident we are to ship it in what time frame, and gives you some feedback there. So I think this is another cool thing: have a look at this roadmap. In general, I hope you enjoyed the session today. I want to just do a little summary of that, then I'm open for some questions, and then we're stopping this really nice stream today.

So let's get back to it. We talked about projects on GitHub and how to make them more secure. The easiest way to do so is with Dependabot. So we have this project here. We can see these alerts, and they tell me that in my dependencies, so the software I'm building on, there might be some issues. So let's jump into these alerts. I see these are alerts, these are vulnerabilities I'm affected by. I can see that Dependabot tells me which versions I should care about in my dependencies.

So I can go into this one and I can see: that is the version that is affected. There is a CVE behind that, and in this case Dependabot cannot update to the required version, and that's because there is not yet an update available, which is interesting. It can be because the maintainer did not work on it yet, because it was reported by somebody else and he did not have the time or was not willing to do so. But on the other side, if there is one available, he will create this little pull request.

I can see that there is a CI/CD pipeline also running, so in this case, what it tells me is there hasn't been a review, so somebody should check if this change here, recommended by Dependabot, is actually secure. I can see that there is a problem with this version building the Dockerfile. So if I go there, there is this run. It fails.

So this gives me a hint that I should maybe change more than just this dependency, and it also gives me the feedback by Dependabot, and that's usually why we would recommend you to not just merge them, but have something set up to go through this process. It's like if you would review the work of some of your colleagues on this project. And the other cool thing is:

Otherwise, this is Dependabot. You can set it up in your repo settings; it's really handy and I would just encourage everybody to try it out. It's free of charge for everyone, and the good thing is, it can really save you your job or some headaches, because I can tell you the story that the biggest threats that companies faced with IT security, like when they were fined big fines or had massive data breaches, usually arise from this phase.

If there is a certain dependency they used for years, nobody updated it because it's hard work to do. You have to find out what is affected if there is a vulnerability; they don't do it, and then suddenly there is a big hole in their IT security because of this bad vulnerability, and then they can be hacked.

For example, that's why I care about these things: use Dependabot, because it can take some heavy lifting away to make your project secure, and it's also interesting to understand what software I am actually building on, because if you, for example, are like me and go on GitHub, you look for some templates for a new project. The issue that can always arise is that somebody just copied from somebody else, you copied from somebody else, and then you always took just their dependencies with you.

To give you a heads up, what are we talking about next time? I want to show you another section in this repository, which is about code scanning. So this is another thing that GitHub allows projects to do in the future, and that is to scan your code itself, to really understand: is my code secure? And in this case, what you could do in the future is set up workflows within GitHub that allow you to scan your code, and how this is done will be explained by my colleague Sebas in the next session.

Just one interesting thing here in the chat, and this is just something I want to share with you: when we talk about Dependabot, it is not solely used for updating security vulnerabilities.

We can also update versions with Dependabot, and what we also plan is that Dependabot can be used for other parts in GitHub to update them. So actually, at the moment we work on updating Actions. So if you have an Actions workflow in GitHub and it uses a third-party action to deploy to AWS, then you could also configure Dependabot to keep that up to date, because these extensions of actions change, and then we can keep this up to date, and the same could be applied in the future.

All right folks, so thank you for your time. I hope you enjoyed this session. It was really fun for me to stream here, and actually my first time on Twitch. I hope you learned something, and with that, me and Mona say goodbye to you.
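The Dependabot configuration file the talk mentions (watching only certain branches, adding reviewers, ignoring certain versions), as an added example that is not from the stream or its demo repository: a `.github/dependabot.yml` for the npm project shown, plus a second entry for the workflow actions the talk says Dependabot was starting to cover. The branch name, reviewer team and ignored package are placeholders.

```yaml
# .github/dependabot.yml (added example; branch, team and package names are placeholders)
version: 2
updates:
  # Version updates for the package.json / package-lock.json shown in the stream.
  - package-ecosystem: "npm"
    directory: "/"                      # location of package.json in the repository
    schedule:
      interval: "weekly"
    target-branch: "develop"            # only raise version-update PRs against this branch
    reviewers:
      - "octocat-demo/maintainers"      # placeholder team handle; every PR gets a human review
    labels:
      - "dependencies"
    open-pull-requests-limit: 5         # keep the PR noise bounded, as the 10,000-email story warns
    ignore:
      - dependency-name: "example-lib"  # placeholder; a known-breaking major you are not ready for
        versions: ["2.x"]

  # Keep third-party actions referenced in .github/workflows pinned to current releases.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

This file governs scheduled version updates only; the alert-driven security updates shown in the stream are raised whenever a fix is available and target the default branch even when `target-branch` is set.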