Viewing and updating vulnerable dependencies in your repository

If GitHub Enterprise Server discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.

Repository administrators and organization owners can view and update dependencies.

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts. You can sort the list of alerts by selecting the drop-down menu, and you can click into specific alerts for more details. For more information, see "About alerts for vulnerable dependencies."

Additionally, GitHub can review any dependencies added, updated, or removed in a pull request against the repository's default branch, and flag any change that would introduce a vulnerability into your project. This lets you spot and deal with vulnerable dependencies before they reach your codebase, rather than after the fact. For more information, see "Reviewing dependency changes in a pull request."

Viewing and updating vulnerable dependencies

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.
  2. Under your repository name, click Security.
  3. In the security sidebar, click Dependabot alerts.
  4. Click the alert you'd like to view.
  5. Review the details of the vulnerability and determine whether or not you need to update the dependency.
  6. Merging a pull request that updates the manifest or lock file to a secure version of the dependency resolves the alert. Alternatively, if you decide not to update the dependency, select the Dismiss drop-down and click a reason for dismissing the alert.

Further reading
