Actualizaciones de seguridad del Dependabot de GitHub make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a Dependabot de GitHub alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot de GitHub automatically tries to fix it. For more information, see "About alerts for vulnerable dependencies" and "Configuring Actualizaciones de seguridad del Dependabot de GitHub."
GitHub may send Dependabot de GitHub alerts to repositories affected by a vulnerability disclosed by a recently published GitHub security advisory. For more information, see "About GitHub Security Advisories."
Dependabot de GitHub checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot de GitHub raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the Dependabot de GitHub alert, or reports an error on the alert. For more information, see "Troubleshooting Dependabot de GitHub errors."
The Actualizaciones de seguridad del Dependabot de GitHub feature is available for repositories where you have enabled the dependency graph and Alertas del Dependabot de GitHub. You will see a Dependabot de GitHub alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. Dependabot de GitHub is unable to update an indirect or transitive dependency that is not explicitly defined. For more information, see "About the dependency graph."
You can enable a related feature, Actualizaciones de versión para el Dependabot de GitHub, so that Dependabot de GitHub raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see "About Dependabot de GitHub version updates."
When Dependabot de GitHub raises pull requests, these pull requests could be for security or version updates:
- Actualizaciones de seguridad del Dependabot de GitHub are automated pull requests that help you update dependencies with known vulnerabilities.
- Actualizaciones de versión para el Dependabot de GitHub are automated pull requests that keep your dependencies updated, even when they don’t have any vulnerabilities. To check the status of version updates, navigate to the Insights tab of your repository, then Dependency Graph, and Dependabot de GitHub.
Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to Alertas del Dependabot de GitHub for the repository.
When you merge a pull request that contains a security update, the corresponding Dependabot de GitHub alert is marked as resolved for your repository. For more information about Dependabot de GitHub pull requests, see "Managing pull requests for dependency updates."
Note: It's good practice to have automated tests and acceptance processes in place so that checks are carried out before the pull request is merged. This is particularly important if the suggested version to upgrade to contains additional functionality, or a change that breaks your project's code. For more information about continuous integration, see "About continuous integration."
Actualizaciones de seguridad del Dependabot de GitHub may include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.
You can filter your notifications on GitHub to show Dependabot de GitHub security updates. For more information, see "Managing notifications from your inbox."