3 min Devops

Go developer questions effectiveness of Dependabot

GitHub’s security tool Dependabot is under fire after heavy criticism from the Go community. The trigger was a recent security fix in a cryptography library, which led to thousands of automatic alerts and pull requests in projects that in practice turned out not to be vulnerable.

Dependabot, a tool developed by GitHub that automatically scans repositories for vulnerable software dependencies and immediately generates security notifications and pull requests, is used by many organizations as an integral part of their DevSecOps approach. It is precisely this automation that is now under discussion.

The criticism, reported by The Register, came from Filippo Valsorda, former head of the Go security team at Google and now maintainer of several cryptographic components within the Go standard library. He recently published a security fix for an external Go library that is indirectly used by many projects. The change involved a single line of code in one specific function, but had no effect on most dependents because that function is rarely called.

Nevertheless, Dependabot sounded the alarm on a large scale. Thousands of repositories automatically received pull requests and alerts, including a high severity rating and warnings about possible compatibility issues. According to Valsorda, this shows that the tool mainly checks whether a vulnerable version of a dependency is present, without analyzing whether the vulnerable code is actually reachable from the project. He believes this generates noise and reduces attention to real risks.
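The difference between "the dependency is present" and "the vulnerable function is reachable" is the heart of the complaint, so here is an added illustration of it in Go. This is example code written for this article, not Dependabot's logic, not Valsorda's patch, and not the Go vulnerability tooling itself: the library `example.com/cryptolib`, its functions `SafeFunc` and `UnusualFunc`, and the two sample source files are all constructed for the demonstration. `PresenceCheck` flags a file as soon as it imports the advisory's package, which is roughly what a version-based scanner does; `ReachabilityCheck` only flags it when the advisory's function is actually called. Go's own `govulncheck` performs the real version of this analysis over the program's call graph; what follows is a single-file, syntax-level approximation that ignores shadowed package identifiers, dot imports and calls through function values.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"strconv"
)

// Advisory names the affected package and function, in the spirit of a Go
// vulnerability database entry. Both values used below are hypothetical.
type Advisory struct {
	ImportPath string
	Function   string
}

// importLocalName returns the identifier the file uses for the advisory's
// package, or "" if the package is not imported. It assumes the package name
// equals the last path element unless the import is aliased; a real tool
// loads the package instead of guessing.
func importLocalName(f *ast.File, importPath string) string {
	for _, spec := range f.Imports {
		p, err := strconv.Unquote(spec.Path.Value)
		if err != nil || p != importPath {
			continue
		}
		if spec.Name != nil {
			return spec.Name.Name // aliased import, e.g. crypt "example.com/cryptolib"
		}
		return path.Base(p)
	}
	return ""
}

// PresenceCheck models a dependency scanner: the advisory's package appears in
// the import list, so the file is flagged regardless of which functions it calls.
func PresenceCheck(src string, adv Advisory) (bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, parser.ImportsOnly)
	if err != nil {
		return false, err
	}
	return importLocalName(f, adv.ImportPath) != "", nil
}

// ReachabilityCheck flags the file only if the advisory's function is called
// through the imported package name (a pkg.Func selector expression).
func ReachabilityCheck(src string, adv Advisory) (bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0)
	if err != nil {
		return false, err
	}
	local := importLocalName(f, adv.ImportPath)
	if local == "" {
		return false, nil
	}
	found := false
	ast.Inspect(f, func(n ast.Node) bool {
		sel, ok := n.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == local && sel.Sel.Name == adv.Function {
			found = true
			return false
		}
		return true
	})
	return found, nil
}

// Constructed sample files. Both import the hypothetical library; only the
// second reaches the function the advisory names.
const usesSafeOnly = `package app

import "example.com/cryptolib"

func Sign(msg []byte) []byte { return cryptolib.SafeFunc(msg) }
`

const usesVulnerable = `package app

import crypt "example.com/cryptolib"

func Sign(msg []byte) []byte { return crypt.UnusualFunc(msg) }
`

// SampleAdvisory is the hypothetical advisory for the single patched function.
var SampleAdvisory = Advisory{ImportPath: "example.com/cryptolib", Function: "UnusualFunc"}

func main() {
	for name, src := range map[string]string{"safe-only": usesSafeOnly, "calls-vulnerable": usesVulnerable} {
		present, _ := PresenceCheck(src, SampleAdvisory)
		reachable, _ := ReachabilityCheck(src, SampleAdvisory)
		fmt.Printf("%-17s dependency present: %-5v vulnerable symbol reachable: %v\n", name, present, reachable)
	}
}
```

Run as written, the "safe-only" file is flagged by the presence check but not by the reachability check, which is exactly the gap the article describes: a version bump is still worth scheduling, but the alert should not carry the same urgency as one where the patched function sits on a live code path.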

Dependency scanning is not a risk assessment

The discussion touches on a broader problem within enterprise IT. Automatic dependency scanners are often seen as sufficient security measures, even though they do not provide insight into a vulnerability’s actual impact. According to critics, real security requires context, such as whether production environments are at risk, whether secrets need to be replaced, and whether customers need to be informed.

Automatic dependency updates have also been criticized. Continuously merging updates outside the regular development cycle can cause stability issues and increases exposure to supply chain attacks, in which malicious code is distributed via seemingly legitimate updates. Targeted updates, tested in isolated CI environments, would be more effective.

On Hacker News, the topic led to an extensive discussion, with many participants endorsing the criticism. Several responses noted that customers and auditors rely heavily on scan results, leaving little room for technical nuance. The argument that vulnerable code is not used is often not accepted in audits. According to commentators, this shows how compliance-driven security can become increasingly detached from technical reality.

At the same time, some nuance was also added. In environments with limited resources, some believe that Dependabot still offers more value than no insight at all. The discussion mainly emphasizes that automated tools can be useful, but are no substitute for substantive analysis and expertise.