Security: Automated Dependency Update Configuration (SEC-27)
Overview
This page documents the findings and recommended remediation for security control SEC-27, identified in release v0.1.142. The control concerns the absence of automated dependency update tooling in the repository.
Problem Statement
No .github/dependabot.yml or renovate.json configuration file was present in the repository. This means:
- Third-party npm dependencies are not automatically checked for updates.
- Security patches published by package maintainers will not automatically generate pull requests.
- The engineering team must manually monitor package registries, security advisories, and changelogs — a process that is error-prone and easy to delay.
In a compliance-sensitive platform such as a sanctions screening service, delayed security patches can introduce unacceptable risk to data integrity and regulatory standing.
Recommended Remediation
1. Add a Dependabot Configuration
Create .github/dependabot.yml in the repository root:
```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      non-major-dependencies:
        update-types:
          - "minor"
          - "patch"
```
Key configuration choices:
| Option | Value | Reason |
|---|---|---|
| package-ecosystem | npm | Covers all Node.js / JavaScript dependencies |
| interval | weekly | Balances update frequency with PR noise |
| groups (non-major) | minor + patch | Batches low-risk updates into a single PR per week |
2. Enable GitHub Security Advisories
For vulnerabilities listed in the GitHub Advisory Database, Dependabot can open a PR immediately — outside of the weekly schedule — when a security patch is published for a dependency you use. This is enabled by default once Dependabot is configured.
Ensure the following is active in your repository settings:
- Settings → Code security and analysis → Dependabot alerts — ON
- Settings → Code security and analysis → Dependabot security updates — ON
3. Handling Major Version Updates
Major version bumps are intentionally excluded from the grouped weekly PR. Each major update will appear as its own pull request, prompting the team to review breaking changes before merging.
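As an added example (not part of this page or the project's own tooling), the following Ruby audit reproduces the SEC-27 check against a repository checkout: it accepts renovate.json as the alternative the page names, parses .github/dependabot.yml, and flags every package.json directory that has no npm update entry with a schedule. The sample repository, including the second workspace under services/api, is constructed for the demo.

```ruby
require "yaml"
require "tmpdir"
require "fileutils"

# Audit one checkout for SEC-27; returns findings (empty = control satisfied).
def audit_sec27(repo_root)
  return [] if File.exist?(File.join(repo_root, "renovate.json"))
  path = File.join(repo_root, ".github", "dependabot.yml")
  return ["no .github/dependabot.yml or renovate.json present"] unless File.exist?(path)
  config = YAML.safe_load(File.read(path)) || {}
  findings = config["version"] == 2 ? [] : ["dependabot.yml must declare version: 2"]
  npm = Array(config["updates"]).select { |e| e["package-ecosystem"] == "npm" }
  # `directory` is the manifest location: every package.json outside node_modules
  # needs its own npm entry, a gap that is easy to miss in a monorepo.
  covered = npm.map { |e| d = e["directory"].to_s.chomp("/"); d.empty? ? "/" : d }
  Dir.glob(File.join(repo_root, "**", "package.json")).sort.each do |manifest|
    next if manifest.include?("/node_modules/")
    dir = "/" + File.dirname(manifest).delete_prefix(repo_root).delete_prefix("/")
    findings << "#{dir.chomp("/")}/package.json has no npm update entry" unless covered.include?(dir)
  end
  npm.each do |e|
    findings << "npm entry for #{e["directory"]} has no schedule.interval" unless e.dig("schedule", "interval")
  end
  findings
end

# The configuration this page recommends, embedded here as a constructed sample.
PAGE_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "npm"
      directory: "/"
      schedule:
        interval: "weekly"
      groups:
        non-major-dependencies:
          update-types:
            - "minor"
            - "patch"
YAML

# Constructed sample repo: a root package plus a workspace under services/api.
# Writes the given config text (nil = no config) and returns the audit findings.
def demo_repo(config_text)
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p([File.join(root, ".github"), File.join(root, "services", "api")])
    File.write(File.join(root, "package.json"), "{}")
    File.write(File.join(root, "services", "api", "package.json"), "{}")
    File.write(File.join(root, ".github", "dependabot.yml"), config_text) if config_text
    audit_sec27(root)
  end
end
```

Running `demo_repo(PAGE_CONFIG)` shows that the page's single-directory configuration leaves the services/api workspace uncovered; adding a second npm entry with `directory: "/services/api"` clears the finding.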
Risk Summary
| Risk | Without Dependabot | With Dependabot |
|---|---|---|
| Security patch lag | Days to weeks (manual) | Hours to days (automated PR) |
| Missed CVEs | High (no alerting) | Low (advisory integration) |
| PR noise | N/A | Managed via grouping |
| Review overhead | All manual | PR-per-group, automated context |
References
- GitHub Dependabot documentation
- Dependabot configuration options
- GitHub Advisory Database
- Security Control: SEC-27