Dependabot
Dependabot is a security feature designed to manage dependencies, ensuring the software project remains up-to-date with the latest library versions. The process scans dependency files like package.json or pom.xml to detect outdated libraries and automatically generates pull requests with proposed dependency updates. Dependabot is enabled by default for all repositories within the Allianz GitHub organization. If necessary, automatic pull requests can be disabled for specific repositories by sending a request to [email protected].
Dependabot's behavior can be customized. For more details, please refer to the official documentation.
While Dependabot helps by reacting to merged code and keeping dependencies up-to-date, the dependency review action provides a proactive layer of security by preventing problematic code from being merged in the first place. This action reviews dependency changes in pull requests, highlighting which dependencies were added, removed, or updated, along with their security impacts. The dependency review action must be set up manually with an action workflow, as it is not enabled by default. Detailed instructions for setup can be found in the official documentation.
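As an added example (not part of this wiki page or of any Allianz repository), the following workflow shows how the dependency review action described above can be wired into a repository so that a pull request fails when it introduces a dependency with a known vulnerability at or above the chosen severity. The file path, severity threshold and license list are assumptions chosen for illustration; the action inputs used are the documented inputs of actions/dependency-review-action.

```yaml
# .github/workflows/dependency-review.yml (assumed path, example only)
#
# Runs on every pull request and compares the dependency manifests of the
# PR head against the base branch. Added, removed and updated dependencies
# are listed in a PR comment, and the job fails if an added dependency
# carries a GitHub Advisory Database vulnerability at or above the
# configured severity or uses a license outside the allow list.
name: Dependency Review

on:
  pull_request:

# Least privilege: the action only needs to read the repository contents
# and, when comment-summary-in-pr is enabled, to write a PR comment.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request head
        uses: actions/checkout@v4

      - name: Review dependency changes
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check for advisories rated high or critical.
          # Allowed values: low, moderate, high, critical.
          fail-on-severity: high

          # Only these licenses are accepted for newly added dependencies
          # (SPDX identifiers; example allow list, adjust per project).
          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC

          # Post the added/removed/updated summary as a PR comment.
          # Allowed values: always, on-failure, never.
          comment-summary-in-pr: always
```

Because the check runs on the pull request itself, a vulnerable library is blocked before it is merged, whereas Dependabot would only propose an upgrade after the fact.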