Renovate now supports raising Pull Requests immediately for any JavaScript or Python package identified as having a vulnerable version by GitHub’s Vulnerability Alerts.

For example, if you have configured weekly or monthly schedules for some dependencies, but one of them is revealed to be vulnerable, Renovate will raise a Pull Request for its upgrade immediately - overriding the configured schedule.

As you’d expect, much of this functionality is configurable via a new vulnerabilityAlerts config object. Its defaults are:

{
  groupName: null,
  schedule: [],
  commitMessageSuffix: '[SECURITY]',
}

i.e. for a vulnerable dependency, Renovate will:

  • remove any schedule so that the PR is raised immediately
  • break the dependency out of any grouping so that its upgrade is not raised together with others
  • add [SECURITY] as a suffix to the PR to draw attention to it

You can customise this configuration object, e.g. to add custom labels or assignees too.
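
As an added illustration (not taken from the original post), a renovate.json5 that keeps a weekly schedule for normal updates while adding a label and an assignee to vulnerability PRs could look like this. The schedule, label name and username are placeholders:

```json5
{
  // Normal updates follow a weekly schedule (placeholder value).
  schedule: ['before 3am on Monday'],

  // Overrides applied only to PRs triggered by a GitHub Vulnerability Alert.
  // groupName, schedule and commitMessageSuffix are not set here, so they
  // keep the defaults listed above.
  vulnerabilityAlerts: {
    labels: ['security'],          // placeholder label name
    assignees: ['your-username'],  // placeholder GitHub username
  },
}
```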

Because GitHub’s Vulnerability Alerts were created after the Renovate App, there are additional permissions we now need to ask for. Repository/Organization owners will need to grant this permission to Renovate before the functionality can work.

Also note that if you want this to be enabled on a private repository, you need to enable it “in general” for GitHub first under the repository’s settings:

[Image: GitHub vulnerability alerts enabling]

This is the first of several planned vulnerability-related features, such as supporting npm’s “audit” feature using their acquired Node Security Project team/database.

Rhys Arkins, creator of Renovate