我们经常发布文档更新,此页面的翻译可能仍在进行中。有关最新信息,请访问英文文档。如果此页面上的翻译有问题,请告诉我们

Troubleshooting Dependabot errors

Sometimes Dependabot is unable to raise a pull request to update your dependencies. You can review the error and unblock Dependabot.

本文内容

注: Dependabot version updates 目前处于测试阶段,可能会有变动。 要使用测试版功能,请在配置文件中登记,告诉 Dependabot 为您保留哪些依赖项。 详情请参阅“启用和禁用版本更新。”

About Dependabot errors

Dependabot 提出拉取请求,以更新依赖项。 Dependabot 可能会针对版本更新和/或安全更新提出拉取请求,具体取决于仓库的配置方式。 您可以按与任何其他拉取请求相同的方式管理这些拉取请求,但也有一些额外的可用命令。 有关启用 Dependabot 依赖项更新的更多信息,请参阅“配置 Dependabot security updates”和“启用和禁用版本更新”。

If anything prevents Dependabot from raising a pull request, this is reported as an error.

Investigating errors with Dependabot security updates

When Dependabot is blocked from creating a pull request to fix a Dependabot alert, it posts the error message on the alert. The Dependabot alerts view shows a list of any alerts that have not been resolved yet. To access the alerts view, click Dependabot alerts on the Security tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request.

Dependabot alerts view showing a pull request link

There are three reasons why an alert may have no pull request link:

  1. Dependabot security updates are not enabled for the repository.
  2. The alert is for an indirect or transitive dependency that is not explicitly defined in a lock file.
  3. An error blocked Dependabot from creating a pull request.

If an error blocked Dependabot from creating a pull request, you can display details of the error by clicking the alert.

Dependabot alert showing the error that blocked the creation of a pull request

Investigating errors with Dependabot version updates

When Dependabot is blocked from creating a pull request to update a dependency in an ecosystem, it posts the error icon on the manifest file. The manifest files that are managed by Dependabot are listed on the Dependabot tab. To access this tab, on the Insights tab for the repository click Dependency graph, and then click the Dependabot tab.

Dependabot view showing an error

To see the log file for any manifest file, click the Last checked TIME ago link. When you display the log file for a manifest that's shown with an error symbol (for example, Maven in the screenshot above), any errors are also displayed.

Dependabot version update error and log

Understanding Dependabot errors

Pull requests for security updates act to upgrade a vulnerable dependency to the minimum version that includes a fix for the vulnerability. In contrast, pull requests for version updates act to upgrade a dependency to the latest version allowed by the package manifest and Dependabot configuration files. Consequently, some errors are specific to one type of update.

Dependabot cannot update DEPENDENCY to a non-vulnerable version

Security updates only. Dependabot cannot create a pull request to update the vulnerable dependency to a secure version without breaking other dependencies in the dependency graph for this repository.

Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem.

The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. 更多信息请参阅“启用和禁用版本更新”。

Dependabot cannot update to the required version as there is already an open pull request for the latest version

Security updates only. Dependabot will not create a pull request to update the vulnerable dependency to a secure version because there is already an open pull request to update this dependency. You will see this error when a vulnerability is detected in a single dependency and there's already an open pull request to update the dependency to the latest version.

There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see "Triggering a Dependabot pull request manually."

Dependabot timed out during its update

Dependabot took longer than the maximum time allowed to assess the update required and prepare a pull request. This error is usually seen only for large repositories with many manifest files, for example, npm or yarn monorepo projects with hundreds of package.json files. Updates to the Composer ecosystem also take longer to assess and may time out.

This error is difficult to address. If a version update times out, you could specify the most important dependencies to update using the allow parameter or, alternatively, use the ignore parameter to exclude some dependencies from updates. Updating your configuration might allow Dependabot to review the version update and generate the pull request in the time available.

If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. 更多信息请参阅“启用和禁用版本更新”。

Dependabot cannot open any more pull requests

There's a limit on the number of open pull requests Dependabot will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests.

There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the open-pull-requests-limit parameter in the configuration file. 更多信息请参阅“依赖项更新的配置选项。”

The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "Triggering a Dependabot pull request manually."

Triggering a Dependabot pull request manually

If you unblock Dependabot, you can manually trigger a fresh attempt to create a pull request.

  • Security updates—display the Dependabot alert that shows the error you have fixed and click Create Dependabot security update.
  • Version updates—display the log file for the manifest that shows the error that you have fixed and click Check for updates.

此文档对您有帮助吗?

Privacy policy

帮助我们创建出色的文档!

所有 GitHub 文档都是开源的。看到错误或不清楚的内容了吗?提交拉取请求。

做出贡献

或, 了解如何参与。