GitHub expands Ruby and JavaScript security alerts to Python

After launching a JavaScript and Ruby security alert program a year ago, the now Microsoft-owned GitHub code hosting site is expanding the alerts to projects using the popular Python language, 

The project’s aim was to help developers identify vulnerabilities in dependencies written and shared in JavaScript and Ruby. GitHub’s dependency graph helped spot bugs in certain dependencies and pointed developers to known fixes. 

Public repositories automatically get the security alerts while private repositories need to opt into the security device.

Un-noticed vulnerabilities in open source libraries written in Ruby, JavaScript, Python and other languages is a widespread problem according to open-source vulnerability tracker Snyk, which scanned 1,000 projects on GitHub and found 64 percent were vulnerable to at least one flaw. One of the main problems was that shared code spread the same vulnerabilities to multiple projects. 

The expansion of the service to Python could have a big impact. One of the most popular projects written in Python is Google’s open source deep leaning framework Tensorflow.

The security alert initiative has turned up a huge number of vulnerabilities — four million to be precise — in over half a million repositories with project dependencies written in Ruby and JavaScript.  

Within a month of launching, the service found 450,000 vulnerabilities that repository owners removed or updated.

Python is probably a good target for this program given its rapid ascent among data scientists and, according to coding community site Stackoverflow, Python is the fastest growing language used by developers

The alert service is starting small with a “few recent vulnerabilities” however over the coming weeks older Python bugs will join the program, allowing an ever greater feed of vulnerability alerts that developers with Python dependencies can fix. 

Read more: Chat bot opens door to Ticketmaster payment card hack

As with the existing program for Ruby and JavaScript, public repositories will automatically have the dependency graph and security alerts enabled, while private repositories will need to opt-in.

The source of the vulnerability information is from MITRE’s Comms Vulnerabilities and Exposures (CVE) List. 

“When GitHub receives a notification of a newly-announced vulnerability, we identify public repositories (and private repositories that have opted in to vulnerability detection) that use the affected version of the dependency. Then, we send security alerts to owners and people with admin access to affected repositories. You can also configure security alerts for additional people or teams working in organization-owned repositories,” GitHub says. 


Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags javascriptpythonrubyGitHubdeveloper

More about GoogleMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts