我们经常发布文档更新,此页面的翻译可能仍在进行中。有关最新信息,请访问英文文档。如果此页面上的翻译有问题,请告诉我们

About Dependabot security updates

Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates.

本文内容

关于 Dependabot security updates

Dependabot security updates make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a Dependabot alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot automatically tries to fix it. For more information, see "About alerts for vulnerable dependencies" and "Configuring Dependabot security updates."

Dependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the Dependabot alert, or reports an error on the alert. For more information, see "Troubleshooting Dependabot errors."

The Dependabot security updates feature is available for repositories where you have enabled the dependency graph and Dependabot alerts. You will see a Dependabot alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. Dependabot is unable to update an indirect or transitive dependency that is not explicitly defined. 更多信息请参阅“关于依赖关系图”。

About pull requests for security updates

Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. 这包括漏洞的相关信息,如发行说明、变更日志条目和提交详细信息。 Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to Dependabot alerts for the repository.

When you merge a pull request that contains a security update, the corresponding Dependabot alert is marked as resolved for your repository. For more information about Dependabot pull requests, see "Managing pull requests for dependency updates."

注:自动化测试和验收过程是一项好做法,这样可在合并拉取请求之前进行检查。 如果建议的升级版本包含额外的功能,或者更改会中断您的项目代码,这种做法尤其重要。 有关持续集成的更多信息,请参阅“关于持续集成”。

关于兼容性分数

Dependabot security updates may include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.

此文档对您有帮助吗?

Privacy policy

帮助我们创建出色的文档!

所有 GitHub 文档都是开源的。看到错误或不清楚的内容了吗?提交拉取请求。

做出贡献

或, 了解如何参与。