# Turn Dependabot Off

Source: https://words.filippo.io/dependabot/ (published 2026-02-20)

Dependabot is a noise machine. It makes you feel like you're doing work, but you're actually discouraging more useful work. This is _especially_ true for security alerts in the Go ecosystem.

I recommend turning it off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running your test suite against the latest version of your dependencies.

## A little case study

On Tuesday, I published a security fix for filippo.io/edwards25519. The `(*Point).MultiScalarMult` method would produce invalid results if the receiver was not the identity point.

A lot of the Go ecosystem depends on filippo.io/edwards25519, mostly through github.com/go-sql-driver/mysql (228k dependents only on GitHub). Essentially no one uses `(*Point).MultiScalarMult`.

Yesterday, Dependabot opened thousands of PRs against unaffected repositories to update filippo.io/edwards25519. These PRs were accompanied by a security alert with a nonsensical, made up CVSS v4 score and by a worrying 73% compatibility score, allegedly based on the breakage the update is causing in the ecosystem. Note that the diff between v1.1.0 and v1.1.1 is one line in the method no one uses.

![the Dependabot alert](https://assets.buttondown.email/images/e10daca1-9504-4b3e-bbf5-71b3262b55a1.png?w=960&fit=max)

We even got one of these alerts for the Wycheproof repository, which _does not import the affected filippo.io/edwards25519 package at all_. Instead, it only imports the unaffected filippo.io/edwards25519/field package.

    $ go mod why -m filippo.io/edwards25519
    # filippo.io/edwards25519
    github.com/c2sp/wycheproof/tools/twistcheck
    filippo.io/edwards25519/field

We have turned Dependabot off.

## Use a serious vulnerability scanner instead

But isn't this toil unavoidable, to prevent attackers from exploiting old vulnerabilities in your dependencies? Absolutely not!

Computers are perfectly capable of doing the work of filtering out these irrelevant alerts for you. The Go Vulnerability Database has rich version, package, _and symbol_ metadata for all Go vulnerabilities.

Here's the entry for the filippo.io/edwards25519 vulnerability, also available in standard OSV format.

    modules:
        - module: filippo.io/edwards25519
          versions:
            - fixed: 1.1.1
          vulnerable_at: 1.1.0
          packages:
            - package: filippo.io/edwards25519
              symbols:
                - Point.MultiScalarMult
    summary: Invalid result or undefined behavior in filippo.io/edwards25519
    description: |-
        Previously, if MultiScalarMult was invoked on an
        initialized point who was not the identity point, MultiScalarMult
        produced an incorrect result. If called on an
        uninitialized point, MultiScalarMult exhibited undefined behavior.
    cves:
        - CVE-2026-26958
    credits:
        - shaharcohen1
        - WeebDataHoarder
    references:
        - advisory: https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr
        - fix: https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb
    source:
        id: go-security-team
        created: 2026-02-17T14:45:04.271552-05:00
    review_status: REVIEWED

Any decent vulnerability scanner will _at the very least_ filter based on the package, which requires a simple `go list -deps ./...`. This already silences a lot of noise, because it's common and good practice for modules to separate functionality relevant to different dependents into different sub-packages.[1] For example, it would have avoided the false alert against the Wycheproof repository.

If you use a third-party vulnerability scanner, you should demand at least package-level filtering.

_Good_ vulnerability scanners will go further, though, and filter based on the reachability of the vulnerable _symbol_ using static analysis. That's what govulncheck does!

    $ go mod why -m filippo.io/edwards25519
    # filippo.io/edwards25519
    filippo.io/sunlight/internal/ctlog
    github.com/google/certificate-transparency-go/trillian/ctfe
    github.com/go-sql-driver/mysql
    filippo.io/edwards25519

    $ govulncheck ./...
    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 1 vulnerability in packages you import and 2
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

govulncheck noticed that my project indirectly depends on filippo.io/edwards25519 through github.com/go-sql-driver/mysql, which does not make the vulnerable symbol reachable, so it chose not to notify me.

If you want, you can tell it to show the package- and module-level matches.

    $ govulncheck -show verbose,color ./...
    Fetching vulnerabilities from the database...

    Checking the code against the vulnerabilities...

    The package pattern matched the following 16 root packages:
      filippo.io/sunlight
      filippo.io/sunlight/internal/stdlog
      [...]
    Govulncheck scanned the following 54 modules and the go1.26.0 standard library:
      filippo.io/sunlight
      crawshaw.io/sqlite@v0.3.3-0.20220618202545-d1964889ea3c
      filippo.io/bigmod@v0.0.3
      filippo.io/edwards25519@v1.1.0
      filippo.io/keygen@v0.0.0-20240718133620-7f162efbbd87
      filippo.io/torchwood@v0.8.0
      [...]

    === Symbol Results ===

    No vulnerabilities found.

    === Package Results ===

    Vulnerability #1: GO-2026-4503
        Invalid result or undefined behavior in filippo.io/edwards25519
      More info: https://pkg.go.dev/vuln/GO-2026-4503
      Module: filippo.io/edwards25519
        Found in: filippo.io/edwards25519@v1.1.0
        Fixed in: filippo.io/edwards25519@v1.1.1

    === Module Results ===

    Vulnerability #1: GO-2025-4135
        Malformed constraint may cause denial of service in
        golang.org/x/crypto/ssh/agent
      More info: https://pkg.go.dev/vuln/GO-2025-4135
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.44.0
        Fixed in: golang.org/x/crypto@v0.45.0

    Vulnerability #2: GO-2025-4134
        Unbounded memory consumption in golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2025-4134
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.44.0
        Fixed in: golang.org/x/crypto@v0.45.0

    Your code is affected by 0 vulnerabilities.
    This scan also found 1 vulnerability in packages you import and 2
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.

It's easy to integrate govulncheck into your processes or scanners, either using the `govulncheck -json` CLI or the golang.org/x/vuln/scan Go API.

### Replace Dependabot with a govulncheck GitHub Action

You can replace Dependabot security alerts with this GitHub Action.

    name: govulncheck
    on:
      push:
      pull_request:
      schedule: # daily at 10:22 UTC
        - cron: '22 10 * * *'
      workflow_dispatch:
    permissions:
      contents: read
    jobs:
      govulncheck:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v5
            with:
              persist-credentials: false
          - uses: actions/setup-go@v6
            with:
              go-version-file: go.mod
          - run: |
              go run golang.org/x/vuln/cmd/govulncheck@latest ./...

It will run every day and only notify you if there is an actual vulnerability you should pay attention to.

### The cost of alert fatigue

False positive alerts are not only a waste of time, they also reduce security by causing alert fatigue and making proper triage impractical.

A security vulnerability should be assessed for its impact: production might need to be updated, secrets rotated, users notified! A business-as-usual dependency bump is a woefully insufficient remediation for an actual vulnerability, but it's the only practical response to the constant stream of low-value Dependabot alerts.

This is why as Go Security Team lead back in 2020–2021 I insisted the team invest in staffing the Go Vulnerability Database and implement a vulnerability scanner with static analysis filtering.

The govulncheck Action will not automatically open a PR for you, and that's a good thing! Now that security alerts are not mostly noise, you can afford to actually look at them and take them seriously, including any required remediation.

Noisy vulnerability scanners also impact the open source ecosystem. I often get issues and PRs demanding I update the dependencies of my projects due to vulnerabilities that don't affect them, because someone's scanner is failing to filter them. That's extra toil dropped at the feet of open source maintainers, which is unsustainable. The maintainer's responsibility is making sure projects are not affected by security vulnerabilities. The responsibility of scanning tools is making sure they don't disturb their users with false positives.

## Test against latest instead of updating

The other purpose of Dependabot is to keep dependencies up to date, regardless of security vulnerabilities. Your practices and requirements will vary, but I find this misguided, too.

Dependencies should be updated according to _your_ development cycle, not the cycle of each of your dependencies. For example you might want to update dependencies all at once when you begin a release development cycle, as opposed to when each dependency completes theirs.

There are two benefits to quick updates, though: first, you can notice and report (or fix) breakage more rapidly, instead of being stalled by an incompatibility that could have been addressed a year prior; second, you reduce your patch delta _in case_ you need to update due to a security vulnerability, reducing the risk of having to rush through a refactor or unrelated fixes.

You can capture both of those benefits without actually updating the dependencies by simply running CI against the latest versions of your dependencies every day. You just need to run `go get -u -t ./...` before your test suite. In the npm ecosystem, you just run `npm update` instead of `npm ci`.

This way, you will still be alerted quickly of any potential issues, without having to pay attention to unproblematic updates, which you can defer to whenever fits your project best.

This is a lot safer, too, because malicious code recently added to a dependency will not rapidly reach users or production, but only CI. Supply chain attacks have a short half-life! You can further mitigate the risk by using a CI sandboxing mechanism like geomys/sandboxed-step, which uses gVisor to remove the ambient authority that GitHub Actions grants every workflow, including supposedly read-only ones.

    name: Go tests
    on:
      push:
      pull_request:
      schedule: # daily at 10:22 UTC
        - cron: '22 10 * * *'
      workflow_dispatch:
    permissions:
      contents: read
    jobs:
      test:
        runs-on: ubuntu-latest
        strategy:
          fail-fast: false
          matrix:
            go:
              - { go-version: stable }
              - { go-version-file: go.mod }
            deps:
              - locked
              - latest
        steps:
          - uses: actions/checkout@v5
            with:
              persist-credentials: false
          - uses: actions/setup-go@v6
            with:
              go-version: ${{ matrix.go.go-version }}
              go-version-file: ${{ matrix.go.go-version-file }}
          - uses: geomys/sandboxed-step@v1.2.1
            with:
              run: |
                if [ "${{ matrix.deps }}" = "latest" ]; then
                  go get -u -t ./...
                fi
                go test -v ./...

For more spicy open source opinions, follow me on Bluesky at @filippo.abyssdomain.expert or on Mastodon at @filippo@abyssdomain.expert.

## The picture

The Tevere has overflowed its lower banks, so a lot of previously familiar landscapes have changed slightly, almost eerily. This is the first picture I took after being able to somewhat safely descend onto (part of) the river's banks.

![A tall embankment wall rises on the left, a river on the right, and a cobblestone road in the middle. Trees are partially submerged on the edge of the river. In the distance, Roman bridge ruins.](https://assets.buttondown.email/images/9bea93bf-77e5-44cf-9ae5-ada68918cf6a.jpeg?w=960&fit=max)

My work is made possible by Geomys, an organization of professional Go maintainers, which is funded by Ava Labs, Teleport, Tailscale, and Sentry. Through our retainer contracts they ensure the sustainability and reliability of our open source maintenance work and get a direct line to my expertise and that of the other Geomys maintainers. (Learn more in the Geomys announcement.) Here are a few words from some of them!

Teleport — For the past five years, attacks and compromises have been shifting from traditional malware and security breaches to identifying and compromising valid user accounts and credentials with social engineering, credential theft, or phishing. Teleport Identity is designed to eliminate weak access patterns through access monitoring, minimize attack surface with access requests, and purge unused permissions via mandatory access reviews.

Ava Labs — We at Ava Labs, maintainer of AvalancheGo (the most widely used client for interacting with the Avalanche Network), believe the sustainable maintenance and development of open source cryptographic protocols is critical to the broad adoption of blockchain technology. We are proud to support this necessary and impactful work through our ongoing sponsorship of Filippo and his team.

* * *

1. This also makes it possible to prune the tree of dependencies only imported by packages that are not relevant to a specific dependent, which has a large security benefit.