Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and corresponding Dependabot security updates. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once. For more information, see "About Dependabot alerts."
You can enable automatic security updates for any repository that uses Dependabot alerts and the dependency graph. For more information, see "About Dependabot security updates."
GitHub generates Dependabot alerts when we detect that your codebase is using dependencies with known security risks. For repositories where Dependabot security updates are enabled, when GitHub detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.
You can sort and filter Dependabot alerts with the dropdown menus in the Dependabot alerts tab or by typing filters as
key:value pairs into the search bar. The available filters are repository (for example,
repo:my-repository), package (for example,
package:django), ecosystem (for example,
ecosystem:npm), manifest (for example,
manifest:webwolf/pom.xml), state (for example,
is:open), and whether an advisory has a patch (for example,
has: patch). You can also filter alerts with dependency scope data using
scope, for example:
scope:development, the list of alerts will only show dependencies used during development, not production.
Each Dependabot alert has a unique numeric identifier and the Dependabot alerts tab lists an alert for every detected vulnerability. Legacy Dependabot alerts grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy Dependabot alert, you will be redirected to a Dependabot alerts tab filtered for that package.
The table below summarizes whether dependency scope is supported for various ecosystems and manifests, that is, whether Dependabot can identify if a dependency is used for development or production.
|Language||Ecosystem||Manifest file||Dependency scope supported|
|Go||Go modules||go.mod||No, defaults to runtime|
|Go||Go modules||go.sum||No, defaults to runtime|
|Python||pip||requirements.txt||✔ Scope is development if the filename contains |
|Ruby||RubyGems||Gemfile.lock||No, defaults to runtime|
|Rust||Cargo||Cargo.lock||No, defaults to runtime|
|YAML||GitHub Actions||-||No, defaults to runtime|
|.NET (C#, F#, VB, etc.)||NuGet||.csproj / .vbproj .vcxproj / .fsproj||No, defaults to runtime|
|.NET||NuGet||packages.config||No, defaults to runtime|
|.NET||NuGet||.nuspec||✔ When the tag != runtime|
Alerts for packages listed as development dependencies are marked with the
Development label on the Dependabot alerts page and are also available for filtering via the
The alert details page of alerts on development-scoped packages shows a "Tags" section containing a
The detection of calls to vulnerable functions by Dependabot is in beta and subject to change.
Detection of vulnerable calls is enabled on public repositories. This analysis is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have licensed GitHub Advanced Security. For more information, see "About GitHub Advanced Security."
When Dependabot tells you that your repository uses a vulnerable dependency, you need to determine what the vulnerable functions are and check whether you are using them. Once you have this information, then you can determine how urgently you need to upgrade to a secure version of the dependency.
For supported languages, Dependabot automatically detects whether you use a vulnerable function and adds the label "Vulnerable call" to affected alerts. You can use this information in the Dependabot alerts view to triage and prioritize remediation work more effectively.
Note: During the beta release, this feature is available only for new Python advisories created after April 14, 2022, and for a subset of historical Python advisories. GitHub is working to backfill data across additional historical Python advisories, which are added on a rolling basis. Vulnerable calls are highlighted only on the Dependabot alerts pages.
You can filter the view to show only alerts where Dependabot detected at least one call to a vulnerable function using the
has:vulnerable-calls filter in the search field.
For alerts where vulnerable calls are detected, the alert details page shows additional information:
- One or more code blocks showing where the function is used.
- An annotation listing the function itself, with a link to the line where the function is called.
For more information, see "Reviewing and fixing alerts" below.
On GitHub.com, navigate to the main page of the repository.
Under your repository name, click Security.
In the security sidebar, click Dependabot alerts. If this option is missing, it means you don't have access to security alerts and need to be given access. For more information, see "Managing security and analysis settings for your repository."
Optionally, to filter alerts, select the Repository, Package, Ecosystem, or Manifest dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. For example,
scope:development. To sort alerts, select the Sort dropdown menu then click the option that you would like to sort by.
You can also click a label on an alert to only show alerts of that type. For example, clicking the
Developmentlabel in the list of alerts will only show alerts relating to dependencies used in development, not production. For information about the list of ecosystems supported, see "Supported ecosystems and manifests for dependency scope ."
Click the alert that you would like to view.
It’s important to ensure that all of your dependencies are clean of any security weaknesses. When Dependabot discovers vulnerabilities or malware in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application.
If a patched version of the dependency is available, you can generate a Dependabot pull request to update this dependency directly from a Dependabot alert. If you have Dependabot security updates enabled, the pull request may be linked will in the Dependabot alert.
In cases where a patched version is not available, or you can’t update to the secure version, Dependabot shares additional information to help you determine next steps. When you click through to view a Dependabot alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security advisory.
For supported languages, Dependabot detects calls to vulnerable functions for you. When you view an alert labeled as "Vulnerable call", the details include the name of the function and a link to the code that calls it. Often you will be able to take decisions based on this information, without exploring further.
View the details for an alert. For more information, see "Viewing Dependabot alerts" (above).
If you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click Create Dependabot security update at the top of the alert details page to create a pull request.
Optionally, if you do not use Dependabot security updates, you can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to update the dependency to a secure version.
When you're ready to update your dependency and resolve the vulnerability, merge the pull request.
Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see "Managing pull requests for dependency updates."
Tip: You can only dismiss open alerts.
If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.
- View the details for an alert. For more information, see "Viewing vulnerable dependencies" (above).
- Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later.
- View the open Dependabot alerts. For more information, see "Viewing Dependabot alerts".
- Optionally, filter the list of alerts by selecting a dropdown menu, then clicking the filter that you would like to apply. You can also type filters into the search bar.
- To the left of each alert title, select the alerts that you want to dismiss.
- Optionally, at the top of the list of alerts, select all alerts on the page.
- Select the "Dismiss alerts" dropdown, and click a reason for dismissing the alerts.
Tip: You can only reopen alerts that have been previously dismissed. Closed alerts that have already been fixed cannot be reopened.
- On GitHub.com, navigate to the main page of the repository.
- Under your repository name, click Security.
- In the security sidebar, click Dependabot alerts. If this option is missing, it means you don't have access to security alerts and need to be given access. For more information, see "Managing security and analysis settings for your repository."
- To just view closed alerts, click Closed.
- Click the alert that you would like to view or update.
- Optionally, if the alert was dismissed and you wish to reopen it, click Reopen. Alerts that have already been fixed cannot be reopened.
- View the closed Dependabot alerts. For more information, see "Viewing and updating closed alerts" (above).
- To the left of each alert title, select the alerts that you want to reopen.
- Optionally, at the top of the list of alerts, select all closed alerts on the page.
- Click Reopen to reopen the alerts. Alerts that have already been fixed cannot be reopened.