Viewing and updating vulnerable dependencies in your repository

If GitHub discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. You can then update your project to resolve the vulnerability, or dismiss the alert.

Repository administrators and organization owners can view Dependabot alerts and update the affected dependencies.

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and the corresponding Dependabot security updates. You can use the drop-down menu to sort the list of alerts, and you can click a specific alert to see more details. For more information, see "About alerts for vulnerable dependencies."

You can enable automatic security updates for any repository that uses Dependabot alerts and the dependency graph. For more information, see "About Dependabot security updates."

Additionally, GitHub can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would introduce a vulnerability into your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see "Reviewing dependency changes in a pull request."

About updates for vulnerable dependencies in your repository

GitHub generates Dependabot alerts when it detects that your codebase is using dependencies with known vulnerabilities. For repositories where Dependabot security updates are enabled, when GitHub detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request upgrades the dependency to the lowest version that is no longer affected by the vulnerability.

Viewing and updating vulnerable dependencies

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
  3. In the security sidebar, click Dependabot alerts.
  4. Click the alert you'd like to view.
  5. Review the details of the vulnerability and, if available, the pull request containing the automated security update.
  6. Optionally, if there isn't already a Dependabot security update for the alert, click Create Dependabot security update to create a pull request that resolves the vulnerability.
  7. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see "Managing pull requests for dependency updates."
  8. Optionally, if the alert is being fixed, if it's incorrect, or if it's located in unused code, use the "Dismiss" drop-down and click a reason for dismissing the alert. Dismissing only closes the alert; it does not change the dependency.
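The same review can be scripted when a repository has more alerts than you want to click through one by one. The following is an added example, not code from this page or from GitHub: it triages a list of Dependabot alerts by severity and by whether a patched version exists, and builds the dismissal request that corresponds to step 8. It talks to GitHub's REST API (`GET` and `PATCH /repos/{owner}/{repo}/dependabot/alerts`), which this page does not describe; the field names (`security_advisory.severity`, `security_vulnerability.first_patched_version`, `dismissed_reason`) and the set of accepted dismissal reasons are the author's understanding of that API and should be checked against the current API reference. The alert list embedded at the bottom is constructed sample data, so the triage logic runs offline; only `fetch_open_alerts` and `dismiss_alert` need a network connection and a token.

```python
"""Triage Dependabot alerts from the GitHub REST API (added example, not GitHub's code)."""
import json
import urllib.request

API = "https://api.github.com"

# Dismissal reasons accepted by the API (assumption: current reference). The three
# reasons shown in the UI step above correspond to fix_started, inaccurate and not_used.
DISMISS_REASONS = {"fix_started", "inaccurate", "no_bandwidth", "not_used", "tolerable_risk"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _request(url, token, data=None, method="GET"):
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, method=method, headers=headers)


def fetch_open_alerts(owner, repo, token):
    """Return the open Dependabot alerts for a repository (network; token needs alert read access)."""
    url = f"{API}/repos/{owner}/{repo}/dependabot/alerts?state=open&per_page=100"
    with urllib.request.urlopen(_request(url, token)) as resp:
        return json.load(resp)


def triage(alerts):
    """Keep only open alerts, order them most severe first, and split them into
    those with a patched version available (candidates for a security update PR)
    and those without one (need a workaround, a pin, or a justified dismissal)."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    open_alerts.sort(key=lambda a: (SEVERITY_RANK.get(a["security_advisory"]["severity"], 9), a["number"]))
    fixable = [a for a in open_alerts if a["security_vulnerability"].get("first_patched_version")]
    unfixable = [a for a in open_alerts if not a["security_vulnerability"].get("first_patched_version")]
    return fixable, unfixable


def summarize(alert):
    """One-line description of an alert for a review log."""
    vuln = alert["security_vulnerability"]
    patched = vuln.get("first_patched_version")
    fix = patched["identifier"] if patched else "no patched version"
    return (f"#{alert['number']} {alert['security_advisory']['severity']:<8} "
            f"{vuln['package']['ecosystem']}/{vuln['package']['name']} "
            f"{vuln['vulnerable_version_range']} -> {fix} ({alert['security_advisory']['ghsa_id']})")


def dismissal_body(reason, comment=None):
    """Build the PATCH body that dismisses an alert; rejects reasons the API does not accept,
    so a typo cannot silently leave the alert open."""
    if reason not in DISMISS_REASONS:
        raise ValueError(f"unknown dismissal reason {reason!r}; expected one of {sorted(DISMISS_REASONS)}")
    body = {"state": "dismissed", "dismissed_reason": reason}
    if comment:
        body["dismissed_comment"] = comment
    return body


def dismiss_alert(owner, repo, number, reason, token, comment=None):
    """Dismiss a single alert by number (network)."""
    url = f"{API}/repos/{owner}/{repo}/dependabot/alerts/{number}"
    data = json.dumps(dismissal_body(reason, comment)).encode()
    with urllib.request.urlopen(_request(url, token, data=data, method="PATCH")) as resp:
        return json.load(resp)


def _alert(number, state, severity, ecosystem, name, version_range, patched, ghsa):
    return {
        "number": number, "state": state,
        "security_advisory": {"ghsa_id": ghsa, "severity": severity},
        "security_vulnerability": {
            "package": {"ecosystem": ecosystem, "name": name},
            "vulnerable_version_range": version_range,
            "first_patched_version": {"identifier": patched} if patched else None,
        },
    }


# Constructed sample data, not real alerts or advisories; shaped like the API response.
SAMPLE_ALERTS = [
    _alert(3, "open", "high", "npm", "example-parser", "< 2.1.0", "2.1.0", "GHSA-xxxx-xxxx-xxx1"),
    _alert(5, "open", "critical", "pip", "example-crypto", "<= 1.4.2", None, "GHSA-xxxx-xxxx-xxx2"),
    _alert(7, "open", "medium", "npm", "example-template", "< 0.9.3", "0.9.3", "GHSA-xxxx-xxxx-xxx3"),
    _alert(2, "dismissed", "low", "npm", "example-logger", "< 1.0.1", "1.0.1", "GHSA-xxxx-xxxx-xxx4"),
]

if __name__ == "__main__":
    fixable, unfixable = triage(SAMPLE_ALERTS)
    print("Fix via Dependabot security update:")
    for a in fixable:
        print("  " + summarize(a))
    print("No patched version; needs manual review:")
    for a in unfixable:
        print("  " + summarize(a))
```

In practice you would pass the output of `fetch_open_alerts` to `triage`, raise security updates for the fixable group from the UI, and call `dismiss_alert` only for alerts whose reason you can state in `dismissed_comment`, which leaves an audit trail in the alert itself.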

Further reading
