Configuring GitHub Dependabot security updates

You can use GitHub Dependabot security updates or manual pull requests to easily update vulnerable dependencies.

In this article

Did this doc help you?

About GitHub Dependabot security updates

Dependabot monitors security advisories such as the GitHub Advisory Database and WhiteSource and automatically triggers a pull request when it detects a new vulnerable dependency in the dependency graph of repositories. For more information about the GitHub Advisory Database, see "About the GitHub Advisory Database."

The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.

Note: It's good practice to have automated tests and acceptance processes in place so that checks are carried out before the pull request is merged. This is particularly important if the suggested version to upgrade to contains additional functionality, or a change that breaks your project's code. For more information about continuous integration, see "About continuous integration."

Dependabot includes a link to the pull request in the alert for the vulnerable dependency. For more information, see "About alerts for vulnerable dependencies" and "About the dependency graph."

Each security update contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to Dependabot alerts for the repository.

When you merge a pull request that contains a security update, the corresponding alert is marked as resolved for your repository.

Note GitHub Dependabot security updates only resolve security vulnerabilities in the dependencies tracked by your dependency graph. Security updates are not created to resolve vulnerabilities in private registries or packages hosted in private repositories. However, indirect or transitive dependencies are included if they are explicitly defined in a lock file, or similar. For more information, see "About the dependency graph." Additionally, it's important to highlight that GitHub Dependabot security updates automatically create pulls requests with proposed fixes to the lock files, for the dependencies detected as vulnerable.

You can enable GitHub Dependabot security updates for any repository that uses Dependabot alerts and the dependency graph. You can disable GitHub Dependabot security updates for an individual repository or for all repositories owned by your user account or organization. For more information, see "Managing GitHub Dependabot security updates for your repositories" below.

GitHub Dependabot and all related features are covered by GitHub's Terms of Service.

Supported repositories

GitHub automatically enables GitHub Dependabot security updates for every repository that meets these prerequisites.

Note: You can manually enable GitHub Dependabot security updates, even if the repository doesn't meet some of the prerequisites below. For example, you can enable GitHub Dependabot security updates on a fork, or for a package manager that isn't directly supported by following the instructions in "Managing GitHub Dependabot security updates for your repositories."

Automatic enablement prerequisiteMore information
Repository is not a fork"About forks"
Repository is not archived"Archiving repositories"
Repository is public, or repository is private and you have enabled read-only analysis by GitHub, dependency graph, and vulnerability alerts in the repository's settings"Managing data use settings for your private repository."
Repository contains dependency manifest file from a package ecosystem that GitHub supports"Supported package ecosystems"
GitHub Dependabot security updates are not disabled for the repository"Managing GitHub Dependabot security updates for your repository"
Repository is not already using an integration for dependency management"About integrations"

If security updates are not enabled for your repository and you don't know why, first try enabling them using the instructions given in the procedural sections below. If security updates are still not working, you can contact support.

About compatibility scores

GitHub Dependabot security updates also include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. We look at previously-passing CI tests from public repositories where we've generated a given security update to learn whether the update causes tests to fail. An update's compatibility score is the percentage of CI runs that passed when updating between relevant versions of the dependency.

Managing GitHub Dependabot security updates for your repositories

You can enable or disable GitHub Dependabot security updates for an individual repository.

You can also enable or disable GitHub Dependabot security updates for all repositories owned by your user account or organization. For more information, see "Managing security and analysis settings for your user account" or "Managing security and analysis settings for your organization."

GitHub Dependabot security updates require specific repository settings. For more information, see "Supported repositories."

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
    Security tab
  3. In the security sidebar, click Dependabot alerts.
    Dependabot alerts tab
  4. Above the list of alerts, use the drop-down menu and select or unselect Dependabot security updates.
    Drop-down menu with the option to enable GitHub Dependabot security updates

Further reading

Did this doc help you?