Go library maintainer brands GitHub's Dependabot a 'noise machine'
theregister.co.uk
A Go library maintainer has urged developers to turn off GitHub's Dependabot, arguing that false positives from the dependency-scanning tool "reduce security by causing alert fatigue."
Filippo Valsorda, formerly in charge of the Go security team at Google, now maintains the cryptography packages in the Go standard library.
Last week, he published a security fix for one of the libraries he maintains, filippo.io/edwards25519, which is used for EdDSA (Edwards-curve Digital Signature Algorithm) cryptography. As a result, Dependabot "opened thousands of PRs [pull requests] against unaffected repositories," Valsorda said.
The automated process also generated what Valsorda called "a nonsensical made up CVSS [Common Vulnerability Scoring System] v4 score" and warned developers of a 73 percent compatibility score, implying a 27 percent chance of breaking code, even though the fix was "one line in the method no one uses."
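The technical distinction behind the complaint is package-version alerting versus symbol-level reachability. A manifest scanner like Dependabot sees only that a dependency is pinned below the fixed version, so every importer is alerted; govulncheck, by contrast, consults the affected-symbol list in the Go vulnerability database and reports a finding only when the consumer's call graph actually reaches one of those symbols. The Go program below is an added example written for this article, not code from The Register, Valsorda or the edwards25519 project. It sketches that reachability check over two constructed consumer files using only the standard library's parser. The module path example.invalid/curve, the method name SetBytesWithClamping and the Sign/dead/Verify/load functions are invented for the illustration and say nothing about what the real fix touched.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Advisory is a constructed stand-in for a vulnerability-database record: the
// affected module and the function or method names the fix touched (assumed).
type Advisory struct {
	Module  string
	Symbols map[string]bool
}

// Constructed consumer sources. Both import the module at a pre-fix version, so
// a manifest scanner alerts on both. The first references the fixed method only
// from dead code; the second reaches it from exported API via a helper.
const (
	unaffectedSrc = `package consumer
import "example.invalid/curve"
func Sign(msg []byte) []byte { return curve.NewPoint().ScalarBaseMult(msg) }
func dead(b []byte) { curve.NewPoint().SetBytesWithClamping(b) } // never called
`
	affectedSrc = `package consumer
import "example.invalid/curve"
func Verify(b []byte) bool { return load(b) != nil }
func load(b []byte) *curve.Point { return curve.NewPoint().SetBytesWithClamping(b) }
`
)

// reachableAffectedSymbols parses one consumer file and returns the advisory
// symbols reachable from its exported functions through direct calls. Calls
// are matched by name only (no type information), so the result may
// over-approximate but cannot miss a direct call to a listed symbol.
func reachableAffectedSymbols(src string, adv Advisory) (map[string]bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "consumer.go", src, 0)
	if err != nil {
		return nil, err
	}
	imported := false
	for _, imp := range f.Imports {
		imported = imported || strings.Trim(imp.Path.Value, `"`) == adv.Module
	}
	found := map[string]bool{}
	if !imported {
		return found, nil // the file does not use the module at all
	}
	callees := map[string][]string{} // function -> same-package functions it calls
	hits := map[string][]string{}    // function -> advisory symbols it calls
	var entries []string             // exported functions: a library's entry points
	for _, decl := range f.Decls {
		fd, ok := decl.(*ast.FuncDecl)
		if !ok || fd.Body == nil {
			continue
		}
		name := fd.Name.Name
		if fd.Recv == nil && ast.IsExported(name) {
			entries = append(entries, name)
		}
		ast.Inspect(fd.Body, func(n ast.Node) bool {
			if call, ok := n.(*ast.CallExpr); ok {
				switch fn := call.Fun.(type) {
				case *ast.Ident:
					callees[name] = append(callees[name], fn.Name)
				case *ast.SelectorExpr:
					if adv.Symbols[fn.Sel.Name] {
						hits[name] = append(hits[name], fn.Sel.Name)
					}
				}
			}
			return true
		})
	}
	// Depth-first walk of the call graph from the entry points.
	seen := map[string]bool{}
	for stack := entries; len(stack) > 0; {
		fn := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[fn] {
			continue
		}
		seen[fn] = true
		for _, h := range hits[fn] {
			found[h] = true
		}
		stack = append(stack, callees[fn]...)
	}
	return found, nil
}

func main() {
	adv := Advisory{Module: "example.invalid/curve", Symbols: map[string]bool{"SetBytesWithClamping": true}}
	fmt.Println(reachableAffectedSymbols(unaffectedSrc, adv)) // map[] <nil>
	fmt.Println(reachableAffectedSymbols(affectedSrc, adv))   // map[SetBytesWithClamping:true] <nil>
}
```

Both constructed consumers would receive a version-based alert, but only the second can execute the fixed method from its public API, which is the triage question a maintainer actually cares about. Real tooling answers it with a type-checked call graph rather than name matching, so it can tell a method on the affected type apart from an unrelated method with the same name; the name-only matching here is a deliberate simplification that errs toward reporting rather than silence.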
The most common reason for depending on this library is ...
Copyright of this story solely belongs to theregister.co.uk.

