Managing vulnerabilities in your project's dependencies
You can track your repository's dependencies and receive Dependabot alerts when GitHub detects vulnerable dependencies.
About managing vulnerable dependencies→
GitHub helps you to avoid using third-party software that contains known vulnerabilities.
Browsing security vulnerabilities in the GitHub Advisory Database→
The GitHub Advisory Database allows you to browse or search for vulnerabilities that affect open source projects on GitHub.
About alerts for vulnerable dependencies→
GitHub sends Dependabot alerts when we detect vulnerabilities affecting your repository.
Configuring notifications for vulnerable dependencies→
Optimize how you receive notifications about Dependabot alerts.
About Dependabot security updates→
Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates.
Configuring Dependabot security updates→
You can use Dependabot security updates or manual pull requests to easily update vulnerable dependencies.
Viewing and updating vulnerable dependencies in your repository→
If GitHub discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.
Troubleshooting the detection of vulnerable dependencies→
If the dependency information reported by GitHub is not what you expected, there are a number of points to consider, and various things you can check.
Troubleshooting Dependabot errors→
Sometimes Dependabot is unable to raise a pull request to update your dependencies. You can review the error and unblock Dependabot.