GH-100 Question #20: Real Exam Question with Answer & Explanation
Correct answer: B. It uses the dependency graph and Dependabot alerts to open PRs for patched versions.
Question
How does Dependabot determine which security update PRs to open?
Options
- A. It waits for manual triage of all CVEs.
- B. It uses the dependency graph and Dependabot alerts to open PRs for patched versions.
- C. It reads the GitHub Issues and automatically suggests fixes.
- D. It compares your codebase to the GitHub Trending list.
Explanation
B is correct because Dependabot works in two steps. First, GitHub builds the dependency graph from the manifest and lock files in your repository (for example package.json, package-lock.json, requirements.txt). Second, that graph is cross-referenced against the GitHub Advisory Database, which tracks CVEs and security advisories; every match produces a Dependabot alert. When the advisory lists a patched version of the vulnerable dependency, Dependabot security updates open a pull request that bumps the dependency to the lowest version that resolves the alert. If no patched version has been published yet, the alert stays open but no PR is raised.
Why the distractors are wrong:
- A is wrong because Dependabot is automated: it acts on known advisories as soon as they match the dependency graph, without waiting for human triage.
- C is wrong because Dependabot reads your manifest and lock files (e.g., package.json, requirements.txt) and the advisory database, not GitHub Issues.
- D is wrong because GitHub Trending is a popularity feature completely unrelated to security vulnerability detection.
Memory tip: Think of Dependabot as a two-step robot: (1) graph your deps, (2) alert + patch via PR. The name itself is a hint - it's a bot that handles dependencies, not issues or trends.
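To make the two-step process concrete, here is a small model of it in Python. This is an added illustration written for this page, not GitHub's or Dependabot's own code: the manifest, the advisory entries and their EXAMPLE-000x identifiers are all constructed, and the rule "one PR per package, bumped to the lowest version that clears every open alert" is this model's simplification of the behaviour described above.

```python
"""Model of how security-update PRs are chosen: (1) build a dependency graph
from a manifest, (2) cross-reference it against an advisory feed, then open a
PR only where a patched version exists.  Added example; not GitHub's code.
Manifest contents, advisory IDs and version ranges are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed requirements.txt with pinned versions (as a lockfile would give).
MANIFEST = """\
# constructed sample manifest
requests==2.25.0
urllib3==1.26.4
pyyaml==5.3
"""

# Constructed advisories.  The affected range is [introduced, fixed);
# fixed=None means no patched release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
    {"id": "EXAMPLE-0002", "package": "urllib3", "introduced": "1.0.0", "fixed": "1.26.7"},
    {"id": "EXAMPLE-0003", "package": "pyyaml", "introduced": "0.0.0", "fixed": None},
    {"id": "EXAMPLE-0004", "package": "requests", "introduced": "2.30.0", "fixed": "2.31.0"},
]


def parse_version(v: str) -> tuple:
    """Dotted integer versions only (enough for this model)."""
    return tuple(int(part) for part in v.split("."))


def build_dependency_graph(manifest: str) -> Dict[str, str]:
    """Step 1: declared dependencies -> {package: pinned version}."""
    graph: Dict[str, str] = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==")
        graph[name.strip().lower()] = version.strip()
    return graph


@dataclass
class Alert:
    advisory: str
    package: str
    current: str
    fixed: Optional[str]


def find_alerts(graph: Dict[str, str], advisories: List[dict] = ADVISORIES) -> List[Alert]:
    """Step 2: cross-reference the graph against the advisory feed.
    Every dependency whose pinned version falls in an affected range
    becomes an alert, whether or not a fix exists."""
    alerts: List[Alert] = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in graph:
            continue
        current = parse_version(graph[pkg])
        in_range = parse_version(adv["introduced"]) <= current and (
            adv["fixed"] is None or current < parse_version(adv["fixed"])
        )
        if in_range:
            alerts.append(Alert(adv["id"], pkg, graph[pkg], adv["fixed"]))
    return alerts


def plan_security_updates(alerts: List[Alert]) -> Dict[str, str]:
    """Decide which PRs to open: one per package, targeting the lowest
    version that resolves every open alert for it.  Alerts without a
    patched version stay open but produce no PR (model's rule)."""
    prs: Dict[str, str] = {}
    for alert in alerts:
        if alert.fixed is None:
            continue
        previous = prs.get(alert.package)
        if previous is None or parse_version(alert.fixed) > parse_version(previous):
            prs[alert.package] = alert.fixed
    return prs


if __name__ == "__main__":
    graph = build_dependency_graph(MANIFEST)
    alerts = find_alerts(graph)
    for a in alerts:
        status = f"PR candidate -> {a.fixed}" if a.fixed else "alert only, no fix yet"
        print(f"{a.advisory}: {a.package}=={a.current} ({status})")
    print("PRs to open:", plan_security_updates(alerts))
```

Running it shows the distinction the exam answer relies on: urllib3 matches two advisories and gets a single PR to 1.26.7, requests is outside the affected range and is left alone, and pyyaml produces an alert but no PR because the constructed advisory has no fixed version.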