about-dependabot-security-updates.md

File metadata and controls

107 lines (66 loc) · 9.23 KB
---
title: About Dependabot security updates
intro: '{% data variables.product.prodname_dependabot %} can fix vulnerable dependencies for you by raising pull requests with security updates.'
product: '{% data reusables.gated-features.dependabot-security-updates %}'
shortTitle: Dependabot security updates
redirect_from:
  - /github/managing-security-vulnerabilities/about-github-dependabot-security-updates
  - /github/managing-security-vulnerabilities/about-dependabot-security-updates
  - /code-security/supply-chain-security/about-dependabot-security-updates
  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-dependabot-security-updates
versions:
  fpt: '*'
  ghec: '*'
  ghes: '> 3.2'
type: overview
topics:
  - Dependabot
  - Security updates
  - Vulnerabilities
  - Repositories
  - Dependencies
  - Pull requests
---

{% data reusables.dependabot.enterprise-enable-dependabot %}

## About {% data variables.product.prodname_dependabot_security_updates %}

{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. You typically add a dependabot.yml file to your repository to enable {% data variables.product.prodname_dependabot_security_updates %}. You then configure options in this file to tell {% data variables.product.prodname_dependabot %} how to maintain your repository.

If you enable {% data variables.product.prodname_dependabot_security_updates %}, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "AUTOTITLE" and "AUTOTITLE."

{% note %}

Note: There is no interaction between the settings specified in the dependabot.yml file and {% data variables.product.prodname_dependabot %} security alerts, other than the fact that alerts will be closed when related pull requests generated by {% data variables.product.prodname_dependabot %} for security updates are merged.

{% endnote %}

{% data reusables.dependabot.dependabot-updates-signed-commits %}

{% data reusables.dependabot.dependabot-security-updates-disable-for-alert-rules %}

{% data variables.product.prodname_dotcom %} may send {% data variables.product.prodname_dependabot_alerts %} to repositories affected by a vulnerability disclosed by a recently published {% data variables.product.prodname_dotcom %} security advisory. {% data reusables.security-advisory.link-browsing-advisory-db %}

{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "AUTOTITLE."

The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see "AUTOTITLE."

{% note %}

Note: For npm, {% data variables.product.prodname_dependabot %} will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see "AUTOTITLE."

{% endnote %}

You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see "AUTOTITLE."

{% data reusables.dependabot.pull-request-security-vs-version-updates %}

If you enable {% data variables.product.prodname_dependabot_security_updates %}, parts of the configuration may also affect pull requests created for {% data variables.product.prodname_dependabot_version_updates %}. This is because some configuration settings are common to both types of updates. For more information, see "AUTOTITLE."

{% data reusables.dependabot.dependabot-updates-prs-and-actions %}

{% ifversion dependabot-on-actions-opt-in %}{% data reusables.dependabot.dependabot-updates-and-actions %} For more information, see "AUTOTITLE."{% endif %}

{% data reusables.dependabot.dependabot-actions-support %}

## About pull requests for security updates

Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository.

When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see "AUTOTITLE."

{% data reusables.dependabot.automated-tests-note %}

{% ifversion dependabot-grouped-security-updates-config %}

## About grouped security updates

To further reduce the number of pull requests you may be seeing, you can enable grouped security updates to group sets of dependencies together (per package ecosystem). {% data variables.product.prodname_dependabot %} then raises a single pull request to update as many vulnerable dependencies as possible in the group to secure versions at the same time.

For security updates, {% data variables.product.prodname_dependabot %} will only group dependencies from different directories per ecosystem under certain conditions and configurations. {% data variables.product.prodname_dependabot %} will not group dependencies from different package ecosystems together, and it will not group security updates with version updates.

{% data reusables.dependabot.dependabot-grouped-security-updates-how-enable %} {% data reusables.dependabot.dependabot-grouped-security-updates-order %}

For more information, see "AUTOTITLE."
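The following dependabot.yml is an added example, not part of this article, showing how the grouping rules above translate into configuration: one group per ecosystem scoped to security updates, kept separate from any version-update group. The ecosystem, directory and group names are assumptions chosen for illustration.

```yaml
# Added example dependabot.yml (not from the original article).
# Ecosystems, directories and group names are illustrative assumptions.
version: 2
updates:
  # npm: one group that collects security fixes for all dependencies
  # in this ecosystem into a single pull request.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      npm-security:
        applies-to: security-updates   # security fixes only
        patterns:
          - "*"
      npm-minor-patch:
        applies-to: version-updates    # version updates are grouped separately;
        patterns:                      # Dependabot never mixes the two kinds
          - "*"
        update-types:
          - "minor"
          - "patch"

  # pip: a separate update entry, because Dependabot does not group
  # dependencies from different package ecosystems together.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      pip-security:
        applies-to: security-updates
        patterns:
          - "*"
```

With this file, a security advisory affecting several npm packages yields one pull request for the npm-security group, while pip fixes arrive in their own pull request.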

{% endif %}

{% ifversion fpt or ghec %}

## About compatibility scores

{% data variables.product.prodname_dependabot_security_updates %} may include compatibility scores to let you know whether updating a dependency could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.

{% endif %}

{% ifversion dependabot-updates-paused %}

## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %}

{% data reusables.dependabot.automatically-pause-dependabot-updates %}

{% endif %}

## About notifications for {% data variables.product.prodname_dependabot %} security updates

You can filter your notifications on {% data variables.product.company_short %} to show {% data variables.product.prodname_dependabot %} security updates. For more information, see "AUTOTITLE."