GitHub will soon warn developers of insecure dependencies
GitHub, the online code repository, is hosting its annual user conference this week. Following long-standing tradition in the tech industry, the company used the event to announce a number of new features for its service. The announcements center around two topics: security and discoverability.
Given the number of hacks we’ve seen in recent years, it’s no surprise that GitHub, too, wants to do its part to ensure that the code its users work on is as a secure as possible. The basic idea here is that most projects these days rely on a wide variety of third-party libraries and other dependencies.
So in a first step, GitHub is launching the “dependency graph,” which gives developers an easy way to see all the other packages and applications their own code uses (this currently only works for Ruby and JavaScript, though, with support for Python coming soon). With this in place, the team can then also track these dependencies against the standard vulnerability databases and notify developers if any of their dependencies are vulnerable. GitHub lists these security alerts as “coming soon,” so it may still be a while before this goes live, but it’s definitely a step in the right direction.
The GitHub team tells me that more than 75 percent of projects on the service use dependencies and more than half of those that do have more than 10 dependencies, while projects that use more than 100 aren’t all that uncommon either.
As for discoverability, GitHub notes that it now hosts more than 25 million active repositories, but that it’s not easy for developers to find the ones they would be interested in. To improve this, it’s launching both a new news feed for getting recommendations based on who you follow, the repositories you star and what’s generally popular on GitHub, as well as a new hand-curated “Explore” section that showcases projects and other resources in areas like machine learning or game development.
In addition to these updates, GitHub also is launching a new Premium Support option (with a promised response time of 30 minutes) for its GitHub Enterprise service, as well as a new community forum, a trial of its Marketplace and a team discussion tool that allows teams to have their conversation right where they keep their code.
“We know that artificial intelligence isn’t going to revolutionize the work that people have to do on GitHub tomorrow,” GitHub engineering manager for data science Miju Han told me about the company’s slew of updates today. “Improving the fundamentals is core to the GitHub experience and in the long term, it provides us with the best quality data.”