Viewing and updating vulnerable dependencies in your repository

If GitHub discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.

Repository administrators and organization owners can view and update dependencies.

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and the corresponding Dependabot security updates. You can sort the list of alerts by selecting the drop-down menu, and you can click into specific alerts for more details. For more information, see "About alerts for vulnerable dependencies."

You can enable automatic security updates for any repository that uses Dependabot alerts and the dependency graph. For more information, see "About Dependabot security updates."

In addition, GitHub can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any change that would introduce a vulnerability into your project. This lets you spot and deal with vulnerable dependencies before they reach your codebase, rather than afterwards. For more information, see "Reviewing dependency changes in a pull request."

About updates for vulnerable dependencies in your repository

GitHub generates Dependabot alerts when we detect that your codebase is using dependencies with known vulnerabilities. For repositories where Dependabot security updates are enabled, when GitHub detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request upgrades the dependency to the minimum secure version needed to avoid the vulnerability.
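The selection rule in the paragraph above ("the minimum secure version needed to avoid the vulnerability") is easy to get wrong when checking an automated pull request by hand, so here is an added, self-contained illustration of that policy. It is not Dependabot's own code. It assumes an advisory-style vulnerable range written as comma-separated comparators (for example `>= 1.0.0, < 1.2.5`) and uses version lists constructed for the example; real advisories may use richer range syntax than this parser accepts.

```python
"""Pick the minimum secure version for a vulnerable dependency.

Added illustration of the upgrade policy described on this page: move to the
lowest available version that is newer than the one in use and outside the
advisory's vulnerable range. NOT Dependabot's own implementation.
Range syntax assumed: comma-separated comparators, e.g. ">= 1.0.0, < 1.2.5".
"""
import re
from typing import List, Optional, Tuple

# One comparator clause: operator followed by a dotted numeric version.
_CLAUSE = re.compile(r"^(>=|<=|>|<|=)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2' or '1.2.5' into a comparable tuple, padded to three parts."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def _satisfies(version: Tuple[int, ...], op: str, bound: Tuple[int, ...]) -> bool:
    return {
        ">=": version >= bound,
        "<=": version <= bound,
        ">": version > bound,
        "<": version < bound,
        "=": version == bound,
    }[op]


def is_vulnerable(version: str, vulnerable_range: str) -> bool:
    """True if `version` satisfies every clause of the vulnerable range."""
    v = parse_version(version)
    for clause in vulnerable_range.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not _satisfies(v, m.group(1), parse_version(m.group(2))):
            return False
    return True


def minimum_secure_version(
    current: str, available: List[str], vulnerable_range: str
) -> Optional[str]:
    """Lowest available version newer than `current` and outside the range.

    Returns None when no published version escapes the vulnerable range,
    which is the case where an alert stays open with no automated fix.
    """
    cur = parse_version(current)
    for cand in sorted(available, key=parse_version):
        if parse_version(cand) > cur and not is_vulnerable(cand, vulnerable_range):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: the project pins 1.1.0; the advisory covers >= 1.0.0, < 1.2.5.
    published = ["1.0.0", "1.1.0", "1.2.4", "1.2.5", "1.3.0", "2.0.0"]
    advisory = ">= 1.0.0, < 1.2.5"
    print("in use vulnerable:", is_vulnerable("1.1.0", advisory))
    # Prefers 1.2.5 over 1.3.0 or 2.0.0: the smallest jump that leaves the range.
    print("upgrade to:", minimum_secure_version("1.1.0", published, advisory))
```

The point worth checking when reviewing such a pull request is the second branch: when a candidate newer than the current pin but still inside the vulnerable range is skipped, and when nothing escapes the range, the function returns `None` rather than a version that merely looks newer.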

Viewing and updating vulnerable dependencies

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
  3. In the security sidebar, click Dependabot alerts.
  4. Click the alert you'd like to view.
  5. Review the details of the vulnerability and, if available, the pull request containing the automated security update.
  6. Optionally, if there isn't already a Dependabot security update for the alert, click Create Dependabot security update to create a pull request that resolves the vulnerability.
  7. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see "Managing pull requests for dependency updates."
  8. Optionally, if the alert is already being fixed, is incorrect, or is located in unused code, select the "Dismiss" drop-down and click a reason for dismissing the alert.

Further reading



