Date: 2019-05-21
Status: Accepted
We want to be told when a vulnerability is disclosed in any of the third-party open source libraries the application depends on, including transitive dependencies pulled in through the lockfile, and to be able to move to a fixed version quickly, so that we are not running code with a known, already-patched weakness.
We will run Dependabot, a third-party service that reads the repository's dependency manifests and lockfiles, checks them against published vulnerability advisories, and automatically opens Pull Requests against the codebase that bump affected dependencies to a fixed version.
Dependabot only proposes the update. The team responsible for the codebase still has to review, merge, and deploy each Pull Request before the live system is actually fixed, so these PRs need to be triaged promptly rather than left to accumulate; a bump can also introduce breaking changes, so the PR must pass the test suite like any other change.
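The decision above does not say how Dependabot is configured. The file below is an added example, not the configuration of the project this record belongs to, written in the GitHub-native `.github/dependabot.yml` version 2 format (which postdates this record; the original service used its own config file). The npm ecosystem, root directory, labels, and the `example-org/app-maintainers` reviewer team are assumptions for illustration.

```yaml
# Added example: .github/dependabot.yml (version 2 format).
# Not the original project's configuration. The ecosystem, directory,
# labels and reviewer team are assumptions chosen for illustration.
version: 2
updates:
  # Application dependencies (assumed: an npm project at the repository root).
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    # Cap the number of open PRs so a burst of routine bumps does not bury
    # the ones that matter; Dependabot stops opening new ones at this limit.
    open-pull-requests-limit: 10
    # Only bump dependencies that ship in the deployed artifact. Dev-only
    # tooling does not run on the live system and can follow a slower cadence.
    allow:
      - dependency-type: "production"
    # Labels and reviewers make the PRs easy to find and route to the
    # team that has to review, merge and deploy them.
    labels:
      - "dependencies"
    reviewers:
      - "example-org/app-maintainers"   # assumed team name
    commit-message:
      prefix: "deps"

  # Keep the CI workflow's actions current too (assumed: GitHub Actions in use).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

One caveat worth checking after adding this file: `dependabot.yml` configures scheduled *version updates*. The advisory-driven *security updates*, which open a PR as soon as an advisory matches a locked dependency regardless of the schedule, are a separate per-repository switch under the repository's security settings and also require the dependency graph to be enabled. Confirm both are on, otherwise the file above only keeps dependencies fresh and does not deliver the notification the decision is meant to provide.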