Evolving Trends in the Adoption and Effectiveness of DEPENDABOT Security Pull Requests

Jernestål, Jacob

January 2024

In the rapidly evolving software industry, bots have become integral to automating tasks and enhancing developer productivity and are revolutionizing the way security patches are implemented in software projects. Our study investigates the impact of DEPENDABOT on the speed and efficacy of security patching in GitHub Open Source Software projects, by studying merge times and factors that contribute to DEPENDABOT’s resolution of security issues in JavaScript projects. We use a dataset containing DEPENDABOT Security Pull Requests. Our study validates previous findings by collecting data from the GitHub API and publishing a dataset collected between 2021 and 2024. We face challenges with collecting features impacting merge times, but overcome them by prioritizing the top 3 features and 2 additional ones. We also investigate the factors behind not merging Pull Requests to identify the obstacles in adopting DEPENDABOT’s recommendations, by analysing Pull Request comments. We start performing sentiment analysis and topic modeling but switch to GitHub Copilot instead and continue investigating presence of factors impacting rapid merge times. Our results present a lower adoption rate of DEPENDABOT Security Pull Requests in JavaScript Open Source Software projects, specifically 13%, compared to those of the original study. 76% of Pull Requests are merged within 4 days, with a median decision time of 0,3 days. The main reason for not merging a DEPENDABOT Security Pull Requests is that another DEPENDABOT Security Pull Request supersedes it. Factors associated with faster merge are related to smaller changes and, controversially, disabling auto merge.

GitHub

Dependabot

Security

Rapid Merge Time

Copilot

Software Engineering

Programvaruteknik

Supplementing Dependabot’svulnerability scanning : A Custom Pipeline for Tracing DependencyUsage in JavaScript Projects

Karlsson, Isak, Ljungberg, David

January 2024

Software systems are becoming increasingly complex, with developers frequentlyutilizing numerous dependencies. In this landscape, accurate tracking and understanding of dependencies within JavaScript and TypeScript codebases are vital formaintaining software security and quality. However, there exists a gap in how existing vulnerability scanning tools, such as Dependabot, convey information aboutthe usage of these dependencies. This study addresses the problem of providing amore comprehensive dependency usage overview, a topic critical to aiding developers in securing their software systems. To bridge this gap, a custom pipeline wasimplemented to supplement Dependabot, extracting the dependencies identified asvulnerable and providing specific information about their usage within a repository.The results highlight the pros and cons of this approach, showing an improvement inthe understanding of dependency usage. The effort opens a pathway towards moresecure software systems.

Vulnerability scanning

Software Dependencies

JavaScript

TypeScript

Dependabot

Vulnerability Scanning Tools

Software Security

Pipeline

GitHub

Dependency Management

Computer Systems

Datorsystem