Microsoft GH-500 Exam - Topic 5 Question 2 Discussion

Actual exam question for Microsoft's GH-500 exam

Question #: 2
Topic #: 5

[All GH-500 Questions]

-- [Configure and Use Dependency Management]

In the pull request, how can developers avoid adding new dependencies with known vulnerabilities?

AEnable Dependabot alerts.

BAdd Dependabot rules.

CAdd a workflow with the dependency review action.

DEnable Dependabot security updates.

Show Suggested Answer

Suggested Answer: C

To detect and block vulnerable dependencies before merge, developers should use the Dependency Review GitHub Action in their pull request workflows. It scans all proposed dependency changes and flags any packages with known vulnerabilities.

This is a preventative measure during development, unlike Dependabot, which reacts after the fact.

by Emile at Aug 15, 2025, 12:08 PM

Limited Time Offer

25%

Off

Get Premium GH-500 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Kenneth

2 months ago

Adding rules is good, but it can get complicated fast.

upvoted 0 times

...

Leota

2 months ago

Totally agree with enabling security updates!

upvoted 0 times

...

Joaquin

3 months ago

Wait, are Dependabot security updates really that reliable?

upvoted 0 times

...

Skye

3 months ago

I think adding a workflow with the dependency review action is more effective.

upvoted 0 times

...

Yvonne

3 months ago

Enabling Dependabot alerts is a must!

upvoted 0 times

...

Alyce

4 months ago

I feel like enabling Dependabot security updates is definitely a good step, but I wonder if it covers everything we need.

upvoted 0 times

...

Cammy

4 months ago

Adding a workflow with the dependency review action sounds familiar, but I’m uncertain if it’s the best option here.

upvoted 0 times

...

Katlyn

4 months ago

I remember practicing with a question about Dependabot rules, but I can't recall if they specifically prevent adding vulnerable dependencies.

upvoted 0 times

...

Wei

4 months ago

I think enabling Dependabot alerts is important, but I'm not sure if that's enough to avoid vulnerabilities.

upvoted 0 times

...

Rikki

4 months ago

I'm feeling pretty confident about this one. I'd go with option D - enabling Dependabot security updates. That should automatically update any dependencies with known issues, right?

upvoted 0 times

...

Yuette

5 months ago

Okay, I've got this. The answer is C - adding a workflow with the dependency review action. That's the best way to catch any new dependencies with known vulnerabilities before they get merged.

upvoted 0 times

...

Selma

5 months ago

Hmm, this one seems a bit tricky. I'm not totally sure about the difference between Dependabot alerts and Dependabot security updates. I'll need to review those options more closely.

upvoted 0 times

...

Kanisha

5 months ago

I think the key here is to use a combination of Dependabot alerts and the dependency review action. Dependabot can help identify known vulnerabilities, while the review action can catch any new dependencies that get added.

upvoted 0 times

...