Over the past few months, we've made a number of improvements that make Dependabot smarter, quieter, and easier to work with, from pausing pull requests on inactive repositories to making alerts visible to more developers. Today, we're addressing the alert fatigue problem with a new **allow auto-dismissal** function in Dependabot that safely reduces the volume of false positive alerts that can overwhelm developers and distract from legitimate vulnerabilities.
In this context, we've defined a false positive alert as one that is unlikely to be exploitable and may only have limited effects, such as long-running builds or tests. But what's the most responsible way to identify a false positive? Senior Product Manager, Erin Havens, explains GitHub's unique approach:
> “Rather than over-index on one criterion like reachability or dependency scope, we've designed an alert rules engine that uses a rich set of complex, contextual alert metadata. This way, Dependabot can relieve alert fatigue while remaining vigilant about alerts that might put your software at risk.”
Today's public beta release targets a commonly cited source of false positives: npm devDependencies. Dependabot now assesses incoming alerts against a set of GitHub-curated rules that take into account how you're using an npm devDependency, and the level of risk it may pose to your repository. “In ecosystems with lots of dependencies like npm, false positives can cascade through a project, burdening developers with needless noise,” explains Harry Marr, Senior Director of Software Engineering for GitHub supply chain security.
> “By detecting and auto-dismissing false positives, today's release will reduce the volume of npm alerts by approximately 15%, and marks the beginning of a series of ships that improve the relevance of alerts and relieve alert fatigue.”
## How it works
Dependabot's auto-dismissal function is enabled by default for public repositories and can be enabled by administrators of private repositories on the Code Security page. When enabled, Dependabot automatically dismisses false positive alerts and records the decision as a special timeline event, which is also surfaced in the audit log, webhooks, the REST and GraphQL APIs, and the alert-centric views. You can review auto-dismissed alerts in the alerts list with the `resolution:auto-dismissed` filter:
![Allow auto-dismissal and review dismissed alerts on the Code Security page](https://github.blog/wp-content/uploads/2023/05/dependabot-1.png?resize=1024%2C819)
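Since auto-dismissals are exposed through the REST API, a repository administrator can audit them outside the UI. The script below is an added example, not code from this post or from Dependabot: it summarises a list of Dependabot alert objects and flags any auto-dismissed alert that falls outside the scope this release describes (npm devDependencies), so a human can double-check it. The sample alerts are constructed, and the field names (`state`, `dependency.scope`, `dependency.package.ecosystem`, `security_advisory.severity`) and the `state=auto_dismissed` query value are assumed from the shape of the `GET /repos/{owner}/{repo}/dependabot/alerts` endpoint.

```python
import json
import urllib.request
from collections import Counter

# Constructed sample response; field names assumed from the REST alert schema.
SAMPLE_ALERTS_JSON = """
[
  {"number": 1, "state": "auto_dismissed",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-dev-tool"},
                  "scope": "development", "manifest_path": "package.json"},
   "security_advisory": {"ghsa_id": "GHSA-placeholder-0001", "severity": "medium"}},
  {"number": 2, "state": "auto_dismissed",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-runtime-lib"},
                  "scope": "runtime", "manifest_path": "package.json"},
   "security_advisory": {"ghsa_id": "GHSA-placeholder-0002", "severity": "high"}},
  {"number": 3, "state": "open",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-server"},
                  "scope": "runtime", "manifest_path": "package.json"},
   "security_advisory": {"ghsa_id": "GHSA-placeholder-0003", "severity": "critical"}},
  {"number": 4, "state": "dismissed",
   "dependency": {"package": {"ecosystem": "pip", "name": "example-py"},
                  "scope": "runtime", "manifest_path": "requirements.txt"},
   "security_advisory": {"ghsa_id": "GHSA-placeholder-0004", "severity": "low"}},
  {"number": 5, "state": "auto_dismissed",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-linter"},
                  "scope": "development", "manifest_path": "package.json"},
   "security_advisory": {"ghsa_id": "GHSA-placeholder-0005", "severity": "low"}}
]
"""


def load_alerts(text: str) -> list[dict]:
    """Parse a JSON array of alert objects as returned by the alerts endpoint."""
    alerts = json.loads(text)
    if not isinstance(alerts, list):
        raise ValueError("expected a JSON array of alerts")
    return alerts


def fetch_alerts(owner: str, repo: str, token: str, state: str = "auto_dismissed") -> list[dict]:
    """Fetch alerts for one repository (first page only).

    Assumed endpoint and query parameter; not run by the offline example.
    """
    url = f"https://api.github.com/repos/{owner}/{repo}/dependabot/alerts?state={state}&per_page=100"
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req) as resp:
        return load_alerts(resp.read().decode())


def summarize(alerts: list[dict]) -> dict:
    """Count alerts per state and compute the share that was auto-dismissed."""
    by_state = Counter(a["state"] for a in alerts)
    total = len(alerts)
    share = by_state["auto_dismissed"] / total if total else 0.0
    return {"by_state": dict(by_state), "auto_dismissed_share": share}


def needs_review(alerts: list[dict]) -> list[int]:
    """Return alert numbers that were auto-dismissed but are not npm devDependencies.

    This release's rules target npm devDependencies only, so any auto-dismissed
    alert outside that scope is worth a manual look rather than blind trust.
    """
    flagged = []
    for a in alerts:
        if a["state"] != "auto_dismissed":
            continue
        dep = a["dependency"]
        if dep["package"]["ecosystem"] != "npm" or dep["scope"] != "development":
            flagged.append(a["number"])
    return flagged


if __name__ == "__main__":
    sample = load_alerts(SAMPLE_ALERTS_JSON)
    print(summarize(sample))
    print("auto-dismissed alerts to review manually:", needs_review(sample))
```

Run against the constructed sample, the summary reports three of five alerts as auto-dismissed, and alert 2 is flagged because it is a runtime dependency; `fetch_alerts` shows how the same check would be fed from the live API with a token that has security-events read access.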
## What's next?
This first application of alert rules for Dependabot addresses a common pain point for npm developers, with support for additional ecosystems coming soon. Please join us in the GitHub Community to share your feedback and ideas on how Dependabot can work better for you and other developers.
### Learn more about alert rules
* Alert rules changelog and FAQ
* Alert rules documentation
* About Dependabot