Intelligent severity scoring

[sandstrom]

Here is a warning that I got today, and what's wrong about it:

1. It's a dev dependency (known from package-lock.json), so this is is a total non-issue. Why even warn about it?
2. If you really want to warn about it, set the severity to 1 and let me ignore everything below e.g. 5.
3. Also, we don't run any JS on the backend, which I should be able to configure somewhere. So denial of service is a complete non-issue anyway (assuming this hadn't been a dev-only dependency), since JS runs in the browser — there is no service do deny.

I could go on with more examples. I'd say ~90% of all dependabot warnings we get are noise. A few simple if/else clauses would fix what's wrong with this one. So we're not talking about General AI level intelligence here, just make dependabot slightly less stupid.

[erinhav]

Hi @sandstrom, that's good feedback. We're working on making alerts more relevant. We just released a new beta where alerts now can surface vulnerable code paths for Python, and are working on extending that to other ecosystems. We're also building out the ability to flag development dependencies and transitive dependency paths. Once we're able to differentiate those alerts, we'll be able to make Dependabot Alerts a lot smarter, or even potentially configurable.

Let me know if you'd like to provide more feedback over a 1 hour user research session (gift card provided for your time)!

[sandstrom]

@erinhav Sounds like good new developments, both of them!

Another thing could be to allow me to selectively unsubscribe to certain classes of alerts.

For example, I'm totally uninterested in denial of service vulnerabilities in JS, since we're only using it for the client-side [browser]. All anyone can do with it is to DOS themselves.

Obviously this won't be the case for everyone, NodeJS or certain browser XSS scenarios take a very different view. But with customization, I could ignore them, while others would still be subscribed.

I've got too much todo at my work, sorry!

But while I have your attention, I've got two other suggestions:

• Merge Queue Feedback: Support for semi-linear merge #14863
• Intelligent 'Dismiss stale approvals when new commits are pushed' #12876

I know it's outside your PM role, but if you think what I've written makes sense, feel free to ping/forward to the relevant PM at Github.

Happy Easter! 🐰🐣