Dependabot 安全更新 make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a Dependabot alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot automatically tries to fix it. For more information, see "About Dependabot 警报" and "Configuring Dependabot 安全更新."
GitHub may send Dependabot 警报 to repositories affected by a vulnerability disclosed by a recently published GitHub security advisory. 更多信息请参阅“浏览 GitHub Advisory Database 中的安全通告”。
Dependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the Dependabot alert, or reports an error on the alert. For more information, see "Troubleshooting Dependabot errors."
The Dependabot 安全更新 feature is available for repositories where you have enabled the dependency graph and Dependabot 警报. You will see a Dependabot alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. Dependabot is unable to update an indirect or transitive dependency that is not explicitly defined. For more information, see "About the dependency graph."
You can enable a related feature, Dependabot 版本更新, so that Dependabot raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see "About Dependabot version updates."
当 Dependabot 提出拉取请求时，这些拉取请求可以是安全性或版本更新：
- Dependabot 安全更新 是自动拉取请求，帮助您更新已知漏洞的信赖项。
- Dependabot 版本更新 是自动拉取请求，即使它们没有任何漏洞，也会保持更新您的依赖项。 要检查版本更新的状态，请依次导航到仓库的 Insights（见解）选项卡、Dependency Graph（依赖关系图）、Dependabot。
Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to Dependabot 警报 for the repository.
When you merge a pull request that contains a security update, the corresponding Dependabot alert is marked as resolved for your repository. For more information about Dependabot pull requests, see "Managing pull requests for dependency updates."
注：自动化测试和验收过程是一项好做法，这样可在合并拉取请求之前进行检查。 如果建议的升级版本包含额外的功能，或者更改会中断您的项目代码，这种做法尤其重要。 有关持续集成的更多信息，请参阅“关于持续集成”。
Dependabot 安全更新 may include compatibility scores to let you know whether updating a dependency could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.
You can filter your notifications on GitHub to show Dependabot security updates. For more information, see "Managing notifications from your inbox."