Configuring notifications for vulnerable dependencies

Optimize how you receive notifications about Dependabot de GitHub alerts.

About notifications for vulnerable dependencies

When Dependabot de GitHub detects vulnerable dependencies in your repositories, we generate a Dependabot de GitHub alert and display it on the Security tab for the repository. GitHub notifies the maintainers of affected repositories about the new alert according to their notification preferences. Dependabot de GitHub is enabled by default on all public repositories. For Alertas del Dependabot de GitHub, by default, you will receive Alertas del Dependabot de GitHub by email, grouped by the specific vulnerability.

If you're an organization owner, you can enable or disable Alertas del Dependabot de GitHub for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "Managing security and analysis settings for your organization."

Configuring notifications for Alertas del Dependabot de GitHub

When a new Dependabot de GitHub alert is detected, GitHub notifies all users with access to Alertas del Dependabot de GitHub for the repository according to their notification preferences. You will receive alerts if you are watching the repository, have enabled notifications for security alerts or for all the activity on the repository, and are not ignoring the repository. For more information, see "Configuring notifications."

You can configure notification settings for yourself or your organization from the Manage notifications drop-down shown at the top of each page. For more information, see "Configuring notifications."

You can choose the delivery method for notifications, as well as the frequency at which the notifications are sent to you.

By default, you will receive notifications:

  • by email, an email is sent when Dependabot de GitHub is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (Email each time a vulnerability is found option).
  • in the user interface, a warning is shown in your repository's file and code views if there are any vulnerable dependencies (UI alerts option).
  • on the command line, warnings are displayed as callbacks when you push to repositories with any vulnerable dependencies (Command Line option).
  • in your inbox, as web notifications. A web notification is sent when Dependabot de GitHub is enabled for a repository, when a new manifest file is committed to the repository, and when a new vulnerability with a critical or high severity is found (Web option).
  • on GitHub para móvil, as web notifications. For more information, see "Enabling push notifications with GitHub for mobile."

Note: The email and web/GitHub para móvil notifications are:

  • per repository when Dependabot de GitHub is enabled on the repository, or when a new manifest file is committed to the repository.

  • per organization when a new vulnerability is discovered.

You can customize the way you are notified about Alertas del Dependabot de GitHub. For example, you can receive a weekly digest email summarizing alerts for up to 10 of your repositories using the Email a digest summary of vulnerabilities and Weekly security email digest options.

Alertas del Dependabot de GitHub options

Note: You can filter your notifications on GitHub to show Dependabot de GitHub alerts. For more information, see "Managing notifications from your inbox."

Las notificaciones de correo electrónico para Alertas del Dependabot de GitHub que afecten a uno o más repositorios incluyen el campo de encabezado X-GitHub-Severity. Puedes utilizar el valor del campo de encabezado X-GitHub-Severity para filtrar las notificaciones de correo electrónico para Alertas del Dependabot de GitHub. For more information, see "Configuring notifications."

How to reduce the noise from notifications for vulnerable dependencies

If you are concerned about receiving too many notifications for Alertas del Dependabot de GitHub, we recommend you opt into the weekly email digest, or turn off notifications while keeping Alertas del Dependabot de GitHub enabled. You can still navigate to see your Alertas del Dependabot de GitHub in your repository's Security tab. For more information, see "Viewing and updating vulnerable dependencies in your repository."

Further reading

Did this doc help you?Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

O, learn how to contribute.