Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts. You can sort the list of alerts using the drop-down menu, and you can click into a specific alert for more details. For more information, see "About alerts for vulnerable dependencies."
Additionally, GitHub can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would introduce a vulnerability into your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see "Reviewing dependency changes in a pull request."
- On your GitHub Enterprise Server instance, navigate to the main page of the repository.
- Under your repository name, click Security.
- In the security sidebar, click Dependabot alerts.
- Click the alert you'd like to view.
- Review the details of the vulnerability and determine whether or not you need to update the dependency.
- When you merge a pull request that updates the manifest or lock file to a secure version of the dependency, this will resolve the alert. Alternatively, if you decide not to update the dependency, select the Dismiss drop-down, and click a reason for dismissing the alert.
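As an added example (not part of this GitHub documentation), the same review done from alert data instead of the UI: it assumes the alert records follow the field layout of the REST API's Dependabot alerts endpoint (`GET /repos/{owner}/{repo}/dependabot/alerts`) and embeds a constructed sample payload so it runs offline.

```python
import json

# Constructed sample payload shaped like the Dependabot alerts REST API response
# (assumption: these field names; GHSA ids below are placeholders, not real advisories).
SAMPLE_ALERTS_JSON = """
[
 {"number": 1, "state": "fixed",
  "dependency": {"package": {"ecosystem": "npm", "name": "minimist"}, "manifest_path": "package-lock.json"},
  "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0001", "severity": "medium"},
  "security_vulnerability": {"vulnerable_version_range": "< 1.2.6", "first_patched_version": {"identifier": "1.2.6"}}},
 {"number": 3, "state": "open",
  "dependency": {"package": {"ecosystem": "npm", "name": "lodash"}, "manifest_path": "package-lock.json"},
  "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0003", "severity": "high"},
  "security_vulnerability": {"vulnerable_version_range": "< 4.17.21", "first_patched_version": {"identifier": "4.17.21"}}},
 {"number": 5, "state": "open",
  "dependency": {"package": {"ecosystem": "pip", "name": "examplelib"}, "manifest_path": "requirements.txt"},
  "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0005", "severity": "critical"},
  "security_vulnerability": {"vulnerable_version_range": "<= 2.0.0", "first_patched_version": null}}
]
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Reasons the API accepts when dismissing an alert (mirrors the UI's Dismiss drop-down).
DISMISS_REASONS = {"fix_started", "inaccurate", "no_bandwidth", "not_used", "tolerable_risk"}


def triage(alerts):
    """Return open alerts sorted critical-first, each with the action the reviewer should take."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    open_alerts.sort(key=lambda a: (SEVERITY_RANK.get(a["security_advisory"]["severity"], 99), a["number"]))
    rows = []
    for a in open_alerts:
        # first_patched_version is null when no fixed release exists yet.
        patched = (a["security_vulnerability"].get("first_patched_version") or {}).get("identifier")
        rows.append({
            "number": a["number"],
            "package": a["dependency"]["package"]["name"],
            "manifest": a["dependency"]["manifest_path"],
            "severity": a["security_advisory"]["severity"],
            "action": f"update to {patched}" if patched else "no patched version; mitigate or dismiss with a reason",
        })
    return rows


def dismissal(reason, comment=""):
    """Build the request body that dismisses an alert, rejecting reasons the API does not accept."""
    if reason not in DISMISS_REASONS:
        raise ValueError(f"unknown dismissed_reason {reason!r}; allowed: {sorted(DISMISS_REASONS)}")
    return {"state": "dismissed", "dismissed_reason": reason, "dismissed_comment": comment}


if __name__ == "__main__":
    for row in triage(json.loads(SAMPLE_ALERTS_JSON)):
        print(row)
```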