Commit
Update to 2 in STEP and README.md
github-actions[bot] committed Nov 9, 2024
1 parent 04d0ed5 commit 37ecce0
Showing 2 changed files with 34 additions and 37 deletions.
2 changes: 1 addition & 1 deletion .github/steps/-step.txt
@@ -1 +1 @@
1
2
69 changes: 33 additions & 36 deletions README.md
Expand Up @@ -13,53 +13,50 @@ _Secure your supply chain, understand dependencies in your environment, know abo

</header>

## Step 1: Review and add dependencies using dependency graph
## Step 2: Enable and view Dependabot alerts

_Welcome to "Secure your repository's supply chain"! :wave:_
_Nice work! :tada: You added and viewed a dependency using Dependency graph!_

**What's the big deal about securing your repository's supply chain?**: With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.
Given how many dependencies our repository uses, maintaining them needs to become an automated task. Keeping our code secure is a top priority, so the first thing we need to do is set up a way to be notified when a dependency we are using is vulnerable or malware. We can do this by enabling Dependabot alerts.

GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them. The supply chain features on GitHub are:
**What are Dependabot alerts?**: Dependabot alerts tell you that your code depends on a package that is insecure. These Dependabot alerts reference the [GitHub Advisory Database](https://github.com/advisories), which contains a list of known security vulnerabilities and malware, grouped in two categories: **GitHub reviewed advisories** and **unreviewed advisories**.

- Dependency graph
- Dependency review
- Dependabot alerts
- Dependabot updates
- Dependabot security updates
- Dependabot version updates
If your code depends on a package that has a security vulnerability, this can cause a range of problems for your project or the people who use it. You should upgrade to a secure version of the package as soon as possible. If your code uses malware, you need to replace the package with a secure alternative.

**What is a dependency graph**: The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the dependency submission API (beta). For each repository, it shows:
Let's try this out with our newly added `follow-redirects` dependency!

- Dependencies, the ecosystems and packages it depends on
- Dependents, the repositories and packages that depend on it
### :keyboard: Activity 2.1: View security advisories in the GitHub Advisory Database

### :keyboard: Activity 1.1: Verify that dependency graph is enabled
1. Navigate to [GitHub Advisory Database](https://github.com/advisories).
1. Type or paste `follow-redirects` into the advisory search box.
1. Click on any of the advisories that were found to see more information.
1. You'll see the packages, impact, patches, workaround, and references for the advisory.

**We recommend opening another browser tab to work through the following activities so you can keep these instructions open for reference.**
Notice the long list of advisories for our dependency! This can look scary but it's actually a good thing. It means that our dependency is actively being maintained and patches are being pushed to remove the vulnerability. If we had Dependabot alerts enabled, we could receive alerts when we need to update a dependency and act promptly to secure them.

Dependency graph is enabled by default for all new public repositories. If you're working in a public repository, you can go straight to "Activity 1.2: Add a new dependency and view your dependency graph." For private or internal repositories, you'll need to enable Dependency graph.
Let's enable Dependabot alerts on our repository!

### :keyboard: Activity 2.2: Enable Dependabot alerts

1. Navigate to the **Settings** tab.
1. Click **Code security and analysis**.
1. **Enable** "Dependency graph."

### :keyboard: Activity 1.2: Add a new dependency and view your dependency graph

1. Navigate to the **Code** tab and locate the `code/src/AttendeeSite` folder.
1. Add the following content to the `package-lock.json` file after the third to last bracket `}` and before the last two brackets.
```
,
"follow-redirects": {
"version": "1.14.1",
"resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
"integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg=="
}
```
1. Navigate to the **Insights** tab.
1. Select **Dependency graph** from the side navigation bar.
1. Review all the dependencies on the **Dependencies** tab.
1. Search for `follow-redirects` and review the new dependency you just added.
![Screen Shot showing the "follow-redirects" dependency.](https://user-images.githubusercontent.com/6351798/196288729-734e3319-c5d7-4f35-a19c-676c12f0e27d.png)
1. Display the settings for **Code security and analysis**.
1. **Enable** Dependabot alerts.
1. **Wait about 60 seconds for Dependabot to check for alerts.**
1. Navigate to the **Security** tab.
1. Under "Vulnerability alerts" in the side bar, select **Dependabot** to view a list of the Dependabot alerts for the default branch.

Dependabot has alerted us to vulnerabilities in the dependencies that we use. We can also use Dependabot to help us address these vulnerabilities by creating pull requests to update the dependency to a safe version.

Let's see how this would work by using Dependabot to create a pull request for one of the alerts!

### :keyboard: Activity 2.3: Create a pull request based on a Dependabot alert

1. In the list of Dependabot alerts, click the "Prototype Pollution in minimist" to display more information.
1. Click the **Create Dependabot security update** button to create a pull request to update the dependency. This could take up to 2 minutes.
1. When the pull request is open, the alert page is updated to show a **Review security update** button.
1. Click the **Review security update** button to display the pull request.
- You can view the pull request and **Files changed** tab to review the update.
1. Navigate back to the **Conversation** tab and merge the pull request.

Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.

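Review bot: In Activity 2.3, step 1 tells the learner to click a specific alert, "Prototype Pollution in minimist", but nothing earlier in this step introduces `minimist`; the only dependency the text sets up is `follow-redirects`. The alerts a learner actually sees depend on what is in the repository's lock file and on the GitHub Advisory Database at the moment Dependabot runs, so either say where `minimist` comes from or reword the step to "click any open alert, for example ..." so the instructions do not go stale. Two smaller points in the same hunk: in Activity 2.2 the consecutive steps "Click **Code security and analysis**." and "Display the settings for **Code security and analysis**." read as the same action and one of them should go; and the unindented "- You can view the pull request and **Files changed** tab to review the update." sitting between two `1.` items will render as a separate bullet list and restart the numbering of the step that follows it, so indent it under the preceding item.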
