
Turn Dependabot Off

Filippo Valsorda makes the case for switching Dependabot off, especially on Go projects, calling it a "noise machine" whose security alerts and update PRs cost more attention than they return. His alternative is Go's govulncheck, which reports a vulnerability only when the affected symbol is reachable from the project's code, plus a scheduled GitHub Actions job that tests against the latest dependency versions without merging them. The argument resonates with developers dealing with alert fatigue and looking for language-aware security tooling.

Hacker News stats: Score 91 | Comments 19 | Highest rank #2 | 23h on front page | First seen Feb 20, 10:00 PM | Last seen Feb 21, 8:00 PM
Rank over time: hourly rank chart, not reproduced here

The Lowdown

The article by Filippo Valsorda presents a strong argument against the blanket use of GitHub's Dependabot, particularly for Go projects, asserting that it creates significant "noise" and alert fatigue rather than genuinely improving security or developer workflow. Valsorda, drawing on his experience as former Go Security Team lead, advocates for a more nuanced and effective approach to dependency management and vulnerability scanning.

  • Valsorda highlights a real-world case where a minor Go security fix (filippo.io/edwards25519) led to thousands of unnecessary Dependabot pull requests, often with inaccurate CVSS scores and compatibility warnings, even for projects that didn't use the vulnerable component or package.
  • He details how Dependabot's lack of context, failing to filter based on package sub-paths or symbol reachability, leads to excessive false positives.
  • The core recommendation is to replace Dependabot's security alerts with govulncheck, a Go-specific tool. govulncheck builds a call graph of the module and reports a vulnerability only when a function it affects is reachable from the project's own code, so a vulnerable module the project never actually calls into produces no finding by default. That drastically reduces irrelevant alerts.
  • For general dependency updates, Valsorda suggests replacing Dependabot's automatic PRs with scheduled GitHub Actions that test against the latest dependency versions. This allows projects to discover breakage early without merging updates until it aligns with their own release cycles, also mitigating immediate supply chain attack risks.
  • He emphasizes that minimizing false positives is crucial for enabling teams to properly triage and respond to actual security vulnerabilities, which can require significant remediation beyond a simple dependency bump.
  • The article also touches on the negative impact of noisy scanners on open-source maintainers, who often receive unjustified requests to update dependencies.

Ultimately, Valsorda argues that a system like govulncheck combined with strategic, scheduled testing leads to a more secure, efficient, and less frustrating development process by focusing attention on truly actionable security concerns and allowing controlled dependency evolution.
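A workflow that wires both recommendations together, as an added example rather than configuration from the article: one job runs govulncheck against the committed go.mod, the other upgrades every dependency in a throwaway checkout and runs the tests without committing anything, so breakage shows up early while merging stays on the project's own schedule. The file name, cron cadence and action versions are assumptions.

```yaml
# .github/workflows/deps.yml (added example; file name and cadence are assumptions)
name: dependency checks

on:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC (assumed cadence)
  workflow_dispatch:

permissions:
  contents: read

jobs:
  govulncheck:
    # Symbol-level scan of the committed dependency graph: a finding means a
    # vulnerable function is reachable from this module, and the step fails
    # only in that case (govulncheck exits non-zero on called vulnerabilities).
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...

  latest-deps:
    # Upgrade all direct and test dependencies in this checkout only and run
    # the build and tests. Nothing is committed or pushed: a red run is an
    # early warning that an upcoming bump will break the project.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go get -u -t ./...
      - run: go mod tidy
      - run: go build ./... && go test ./...
      # Informational: show which modules moved, so the log says what changed.
      - run: git diff -- go.mod go.sum
```

The govulncheck job scans what is actually checked in; to also see vulnerabilities in modules the code never reaches, run it with `-show verbose`. The latest-deps job deliberately never opens a pull request, which is the point: the upgrade is a test signal, not a change waiting to be merged.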

The Gossip

Govulncheck's Go-ld Standard

Commenters widely laud `govulncheck` as a superior tool for Go projects, praising its precise symbol-level analysis that significantly reduces false positives compared to Dependabot. Many consider it a standout feature of the Go ecosystem, appreciating its ability to trace call paths and only alert if a vulnerable function is actually reachable.

Cross-Ecosystem Comparisons

A dominant theme is the widespread desire for `govulncheck`-like functionality in other programming languages and ecosystems such as Rust, JavaScript/TypeScript, Python, and JVM. Users are actively seeking or discussing existing tools like `cargo-audit` (Rust) or Sonatype Scan (JVM) that might offer similar intelligent vulnerability filtering, highlighting a common pain point across the developer community.

Dependabot's Dilemma & Dynamic Updates

The discussion often pivots to the broader utility of Dependabot. While many agree with the author about its security alert shortcomings and the problem of alert fatigue, some argue it's still valuable for general dependency updates, preventing "tech debt" and ensuring projects don't fall too far behind. There's a debate on balancing immediate updates with "time as a firewall" against supply chain attacks, with some noting features like Dependabot's configurable cooldowns as a middle ground.
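As an added example of the middle ground commenters describe, not configuration from the article: a dependabot.yml that keeps version-update PRs but delays them with Dependabot's cooldown option, so a freshly published release has to survive in the wild for a while before it is proposed. The day counts and PR limit are assumptions.

```yaml
# .github/dependabot.yml (added example; cooldown values are assumptions)
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    # Wait before proposing a newly published version: the "time as a
    # firewall" argument, since a compromised release is usually noticed and
    # pulled within days. Major bumps wait longest because they break most.
    cooldown:
      default-days: 7
      semver-major-days: 30
      semver-minor-days: 14
      semver-patch-days: 7
    # Cap open PRs so a burst of upstream releases does not become a queue.
    open-pull-requests-limit: 5
```

The trade-off is visible in the numbers: a longer cooldown buys more time for a malicious release to be caught, at the cost of running older code for that long. Pick the delays per ecosystem rather than copying these.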