Dependabot is an awesome Dependency Monitoring tool that helps keep dependencies up to date. In real-time, it checks dependency files for outdated requirements and opens individual pull requests (PRs) for any it finds. Then, users can review, merge, and get to work on the latest, most secure releases.
When users check in an insecure dependency, or a new vulnerability is discovered in an existing dependency, Dependabot will notify users with security alerts for vulnerable dependencies. Additionally, Dependabot Alerts and Dependabot Security Updates watch the National Vulnerability Database and other sources for vulnerabilities in open source packages. If Dependabot finds a vulnerability in a leveraged package, it sends an alert. If it can suggest a fix, it also sends a PR to update the dependency manifest with the closest non-vulnerable version.
Read more