Dependabot opens 20-30 PRs per week across my repos. Most are minor version bumps, but buried in there are actually critical security issues. I find myself either ignoring them all (risky) or spending hours triaging (unsustainable).
The problem: I don't have a good signal for what's actually urgent vs. what can wait.
What I've tried: - Following CVSS scores → but "critical" doesn't mean "exploitable in my context" - Auto-merging patch versions → missed a few important security fixes - Manual review of everything → takes 5-10 hours/week
I recently discovered CISA's KEV catalog (Known Exploited Vulnerabilities) which flags CVEs that are actively being exploited in the wild. This seems like a better signal than CVSS alone, but I'm curious:
1. How do you decide what's actually urgent? CVSS? EPSS? Manual assessment?
2. Do you treat "outdated but not vulnerable" dependencies differently from "has CVEs"?
3. For those using Dependabot/Renovate/Snyk - what's your workflow? Do you review every alert or have you found a good filtering system?
I'm considering building something to help with this (health score + exploitation-based prioritization) but want to make sure I'm not just solving my own weird problem.
What's working for you?
stevepike•2mo ago
To your specific points
> 1. How do you decide what's actually urgent? CVSS? EPSS? Manual assessment?
The risk factors we track are open CVEs, abandonment (is this package supported by the maintainer?), and staleness (how deep in the hole am I?).
We also look at the libyear metric as an overall indication of dependency health.
> 2. Do you treat "outdated but not vulnerable" dependencies differently from "has CVEs"?
We group upgrades into three general swimlanes:
> 3. For those using Dependabot/Renovate/Snyk - what's your workflow? Do you review every alert or have you found a good filtering system?We offer a Github app that integrates with alerts from Dependabot. While security teams are happy with just a scanner, the engineering teams that actually do this upgrade work need to mash that up with all the other data we're talking about here.
greekcoder•2mo ago
stevepike•2mo ago
I'm not sure what you mean by prioritization on the issues, but generally we are trying to help you figure out what to upgrade next, and to actually do it too.
greekcoder•2mo ago
stevepike•2mo ago