
Viewing and updating vulnerable dependencies in your repository

If GitHub discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.

Repository administrators and organization owners can view and update dependencies.


Your repository's GitHub Dependabot alerts tab lists all open and closed GitHub Dependabot alerts and corresponding GitHub Dependabot security updates. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "About alerts for vulnerable dependencies."

You can enable automatic security updates for any repository that uses GitHub Dependabot alerts and the dependency graph. For more information, see "Configuring GitHub Dependabot security updates."

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
  3. In the security sidebar, click Dependabot alerts.
  4. Click the alert you'd like to view.
  5. Review the details of the vulnerability and, if available, the pull request containing the automated security update.
  6. Optionally, if there isn't already a Dependabot security update for the alert, click Create Dependabot security update to create a pull request that resolves the vulnerability.
  7. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.
  8. Optionally, if the alert is being fixed, is incorrect, or is located in unused code, use the "Dismiss" drop-down and click a reason for dismissing the alert.
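
Steps 5 through 8 applied to a batch of alerts at once, as an added example that is not part of GitHub's documentation or code. It assumes alerts exported as JSON objects using the field names of GitHub's REST API for Dependabot alerts; the helper names, sample alerts, package names and advisory IDs are constructed.

```python
# Added example: field names assume the alert objects of GitHub's REST API for
# Dependabot alerts; every alert, package name and advisory ID is constructed.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# dismissed_reason values matching step 8: being fixed, incorrect, unused code.
STEP8_REASONS = {"fix_started", "inaccurate", "not_used"}


def make_alert(number, state, name, severity, patched=None, reason=None):
    """Build a constructed alert carrying only the fields triage reads."""
    return {
        "number": number,
        "state": state,  # open | dismissed | fixed | auto_dismissed
        "dependency": {"package": {"ecosystem": "npm", "name": name}},
        "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER", "severity": severity},
        "security_vulnerability": {
            "first_patched_version": {"identifier": patched} if patched else None
        },
        "dismissed_reason": reason,
    }


SAMPLE_ALERTS = [
    make_alert(1, "open", "example-parser", "medium", patched="2.4.1"),
    make_alert(2, "open", "example-archive", "critical"),  # no patched release yet
    make_alert(3, "open", "example-http", "high", patched="1.0.9"),
    make_alert(4, "dismissed", "example-yaml", "high", reason="tolerable_risk"),
    make_alert(5, "dismissed", "example-dev-tool", "low", reason="not_used"),
    make_alert(6, "fixed", "example-crypto", "critical", patched="3.2.0"),
]


def triage(alerts):
    """Return alert numbers as (update, investigate, recheck), worst severity first."""
    update, investigate, recheck = [], [], []
    rank = lambda a: (SEVERITY_RANK.get(a["security_advisory"]["severity"], 99), a["number"])
    for a in sorted(alerts, key=rank):
        patched = a["security_vulnerability"].get("first_patched_version")
        if a["state"] == "open":
            # A patched version exists, so updating the dependency can resolve it.
            (update if patched else investigate).append(a["number"])
        elif a["state"] == "dismissed" and a["dismissed_reason"] not in STEP8_REASONS:
            # Dismissed for a reason other than those in step 8: look again.
            recheck.append(a["number"])
    return update, investigate, recheck


if __name__ == "__main__":
    for label, numbers in zip(("update", "investigate", "recheck"), triage(SAMPLE_ALERTS)):
        print(f"{label}: alerts {numbers}")
```

Alerts in the first list are candidates for merging a security update pull request, the second list has no patched version to update to, and the third holds dismissals worth a second look.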
