Skip to main content

This version of GitHub Enterprise will be discontinued on 2022-02-16. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Viewing and updating vulnerable dependencies in your repository

If GitHub Enterprise Server discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.

Repository administrators and organization owners can view and update dependencies.

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts. You can sort the list of alerts by selecting the drop-down menu, and you can click into specific alerts for more details. For more information, see "About alerts for vulnerable dependencies."

Viewing and updating vulnerable dependencies

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.
  2. Under your repository name, click Insights. Insights tab in the main repository navigation bar
  3. In the left sidebar, click Dependency graph. Dependency graph tab in the left sidebar
  4. Click the version number of the vulnerable dependency to display detailed information. Detailed information on the vulnerable dependency
  5. Review the details of the vulnerability and determine whether or not you need to update the dependency. When you merge a pull request that updates the manifest or lock file to a secure version of the dependency, this will resolve the alert.
  6. The banner at the top of the Dependencies tab is displayed until all the vulnerable dependencies are resolved or you dismiss it. Click Dismiss in the top right corner of the banner and select a reason for dismissing the alert. Dismiss security banner

Further reading