Skip to main content

Viewing and updating Dependabot alerts

If GitHub Enterprise Server discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.

Repository administrators and organization owners can view and update dependencies, as well as users and teams with explicit access.

Note: Dependabot security and version updates are currently in private beta and subject to change. Please contact your account management team for instructions on enabling Dependabot updates.

Note: Your site administrator must set up Dependabot updates for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Enabling Dependabot for your enterprise."

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and corresponding Dependabot security updates. You can sort the list of alerts, and you can click into specific alerts for more details. For more information, see "About Dependabot alerts."

You can enable automatic security updates for any repository that uses Dependabot alerts and the dependency graph. For more information, see "About Dependabot security updates."

Additionally, GitHub can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would introduce a vulnerability into your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see "Reviewing dependency changes in a pull request."

About updates for vulnerable dependencies in your repository

GitHub Enterprise Server generates Dependabot alerts when we detect that your codebase is using dependencies with known vulnerabilities. For repositories where Dependabot security updates are enabled, when GitHub Enterprise Server detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.

Viewing vulnerable dependencies

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.
  2. Under your repository name, click Security. Security tab
  3. In the security sidebar, click Dependabot alerts. If this option is missing, it means you don't have access to security alerts and need to be given access. For more information, see "Managing security and analysis settings for your repository."Dependabot alerts tab
  4. Click the alert you'd like to view. Alert selected in list of alerts

Reviewing and fixing vulnerable dependencies

It’s important to ensure that all of your dependencies are clean of any security weaknesses. When Dependabot discovers vulnerabilities in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application.

If a patched version is available, you can generate a Dependabot pull request to update this dependency directly from a Dependabot alert. If you have Dependabot security updates enabled, the pull request may be linked will in the Dependabot alert.

In cases where a patched version is not available, or you can’t update to the secure version, Dependabot shares additional information to help you determine next steps. When you click through to view a Dependabot alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security vulnerability.

Fixing vulnerable dependencies

  1. View the details for an alert. For more information, see "Viewing vulnerable dependencies" (above).

  2. If you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click Create Dependabot security update at the top of the alert details page to create a pull request. Create Dependabot security update button

  3. Optionally, if you do not use Dependabot security updates, you can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to update the dependency to a secure version.

  4. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.

    Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see "Managing pull requests for dependency updates."

Dismissing Dependabot alerts

If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.

  1. View the details for an alert. For more information, see "Viewing vulnerable dependencies" (above).
  2. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Choosing reason for dismissing the alert via the "Dismiss" drop-down