Debugging Dependabot nonworking Security Updates

Julien Danjou

Running a project requires good security practices and management. Keeping software secure includes keeping its dependencies secure.

GitHub's answer to that has been to provide a service named Dependabot that sends security updates to your project. Dependabot can read a project's dependency list, analyze it, and send regular or security updates as necessary.

Dependabot works by creating pull requests with the needed update in your repository:

Pull requests created by Dependabot

In some instances, this service can become dysfunctional and stop working altogether. Keeping outdated dependencies is a security issue for your project, as you'll stop receiving the needed updates, and that can expose your production system to malicious attacks.

Unfortunately, GitHub does not automatically warn you if some of your security updates stop working, so be sure to monitor them yourself.

Dependency Conflict

One of the standard issues that can block updating your dependencies is a conflict between required versions. If package A depends on package B at a version lower than 1.5, and the security fix is only available in B 1.6 and later, there is no way for Dependabot to update package B, and therefore no way to patch that potential security hole.

If you enabled security updates, you should be able to go to the list of Dependabot alerts:

Dependabot security alerts

Clicking on any of those dependency alerts will bring you to a screen explaining why the package might not be updateable. If you see no reason on this screen, you can click on Create Dependabot security update. Wait a couple of minutes, refresh the page, and you should see the culprit error.

Now, depending on the issue, it's more than likely you'll have to fix it manually. That can mean updating the dependency blocking the update yourself, pinging the maintainer to update their package, or replacing the blocking package with an alternative.
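Before pinging a maintainer, it helps to know exactly which dependency is pinning the vulnerable package and whether any patched release fits the existing constraints at all. The following script is an added example, not code from the post or from Dependabot: it takes the version constraints that each package places on a dependency (the constructed sample reproduces the A needs B<1.5 scenario above), reports which constraint rejects a candidate fixed version, and finds the lowest patched version everyone accepts, if one exists. It supports only simple "name op version" specifiers, which is an assumption for the sake of brevity.

```python
import re

# Constructed sample (assumption, not from the post): constraints that other
# packages place on "B", as (requiring package, specifier). Package A pins B
# below 1.5 while the security fix only ships in B 1.6 and later.
CONSTRAINTS = [
    ("A", "B<1.5"),
    ("C", "B>=1.0"),
]

# Accepts e.g. "B<1.5", "requests >= 2.25.1". Ranges, extras and markers are
# deliberately out of scope here.
_SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text):
    """'1.5' -> (1, 5). Components are compared numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a, b):
    """Right-pad with zeros so that 1.5 and 1.5.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version, op, bound):
    """True if `version` satisfies the single constraint `op bound`."""
    v, b = _pad(parse_version(version), parse_version(bound))
    return {
        "==": v == b, "!=": v != b,
        "<": v < b, "<=": v <= b,
        ">": v > b, ">=": v >= b,
    }[op]


def parse_spec(spec):
    """Split 'B<1.5' into ('B', '<', '1.5'); reject syntax we do not handle."""
    match = _SPEC_RE.match(spec)
    if not match:
        raise ValueError(f"unsupported requirement syntax: {spec!r}")
    return match.group(1), match.group(2), match.group(3)


def blocking_constraints(package, candidate, constraints):
    """Return the (requirer, spec) pairs that reject `candidate` for `package`."""
    blockers = []
    for requirer, spec in constraints:
        name, op, bound = parse_spec(spec)
        if name.lower() != package.lower():
            continue
        if not satisfies(candidate, op, bound):
            blockers.append((requirer, spec))
    return blockers


def first_installable_fix(package, fixed_versions, constraints):
    """Lowest patched version that every constraint accepts, or None if blocked."""
    for version in sorted(fixed_versions, key=parse_version):
        if not blocking_constraints(package, version, constraints):
            return version
    return None


if __name__ == "__main__":
    fixed = ["1.6", "1.7.2"]
    print("blocked by:", blocking_constraints("B", "1.6", CONSTRAINTS))
    print("installable fix:", first_installable_fix("B", fixed, CONSTRAINTS))
```

When `first_installable_fix` returns None, the output of `blocking_constraints` names the package whose maintainer needs to relax the pin, or the package you need to replace.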

Update Job Issue

While Dependabot supports a wide range of languages and package managers, it sometimes falls short when parsing more advanced syntax.

Complex files can block Dependabot entirely and stop it from sending any updates at all. Fortunately, you can access the Dependabot logs to see what happens during its run.

Those logs are present in the Insights → Dependency graph → Dependabot tab of your GitHub project.

Clicking on the "Last checked N hours ago" link on the right side of the packaging file brings you to the update log.

Reading this log file can give you a hint about what is happening under the hood when GitHub tries to update your dependencies. If the file contains a syntax error, Dependabot will raise an exception and print the reason. The same applies if, for example, Dependabot is not able to access one of your package repositories.

In any case, it's then up to you to fix that file so that Dependabot can read and understand your dependency list.

If you need further assistance with Dependabot, GitHub documentation provides some hints on how to troubleshoot Dependabot issues.