Your Node.js dependencies could be vulnerable right now — and npm audit only shows you one repo at a time. GitHub's Dependency Graph changes that.

In this video you'll learn how to enable the GitHub Dependency Graph on a private Node.js repository, connect it to Dependabot vulnerability alerts, and scale that setup across your entire organization using Security Configurations.
🔗 RESOURCES
→ GitHub Dependency Graph docs: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph
→ GitHub Advisory Database: https://github.com/advisories
→ Dependabot alerts docs: https://docs.github.com/en/code-security/dependabot/dependabot-alerts
00:00 From npm audit to GitHub
00:38 Exploring Dependency Graph
01:12 Digging into Transitives
01:57 Private Repo Setup
02:31 Enable Dependabot Alerts
02:56 Drill Into a Dependency and Its Dependents
03:21 Why Alerts Match npm
04:11 Multi Language Support
04:38 Next Steps and Wrap Up
#GitHubSecurity #DependencyGraph #Dependabot #DevSecOps #npm