
Viewing and updating vulnerable dependencies in your repository

If GitHub discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.

Repository administrators and organization owners can view and update dependencies.


Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and the corresponding Dependabot security updates. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "About alerts for vulnerable dependencies."

You can enable automatic security updates for any repository that uses Dependabot alerts and the dependency graph. For more information, see "About Dependabot security updates."

Additionally, GitHub can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would introduce a vulnerability into your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see "Reviewing dependency changes in a pull request."

About updates for vulnerable dependencies in your repository

GitHub generates Dependabot alerts when we detect that your codebase is using dependencies with known vulnerabilities. For repositories where Dependabot security updates are enabled, when GitHub detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request upgrades the dependency to the minimum secure version needed to avoid the vulnerability.

Viewing and updating vulnerable dependencies

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
  3. In the security sidebar, click Dependabot alerts.
  4. Click the alert you'd like to view.
  5. Review the details of the vulnerability and, if available, the pull request containing the automated security update.
  6. Optionally, if there isn't already a Dependabot security update for the alert, click Create Dependabot security update to create a pull request that resolves the vulnerability.
  7. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see "Managing pull requests for dependency updates."
  8. Optionally, if the alert is being fixed, is incorrect, or is located in unused code, use the "Dismiss" drop-down and click a reason for dismissing the alert.
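The triage a maintainer performs on the alerts tab (sort open alerts by severity, merge or create the security update, dismiss with one of the three reasons above), as an added Python example that is not GitHub's own code. The alert record shape and the dismissal identifiers are assumptions modelled on GitHub's REST API, and the sample alerts are constructed for this example.

```python
# Offline triage of Dependabot alert records (added example, not GitHub's code).
# Record fields loosely follow the shape of Dependabot alert objects in GitHub's
# REST API (assumption); every sample value below is constructed.

# Severity order used to sort open alerts, most urgent first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# The three dismissal reasons the page names, keyed by an identifier
# modelled on the REST API's dismissed_reason values (assumption).
DISMISS_REASONS = {
    "fix_started": "the alert is being fixed",
    "inaccurate": "the alert is incorrect",
    "not_used": "the vulnerable code is not used",
}

# Constructed sample alerts: package names and versions are illustrative only.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "severity": "high", "package": "lodash",
     "first_patched": "4.17.21", "security_update_pr": 42},
    {"number": 2, "state": "open", "severity": "critical", "package": "minimist",
     "first_patched": "1.2.6", "security_update_pr": None},
    {"number": 3, "state": "dismissed", "severity": "low", "package": "ansi-regex",
     "first_patched": "5.0.1", "security_update_pr": None, "dismissed_reason": "not_used"},
    {"number": 4, "state": "open", "severity": "medium", "package": "left-pad",
     "first_patched": None, "security_update_pr": None},
]

def sort_open_alerts(alerts):
    """Return open alerts ordered by severity, then by alert number."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    return sorted(open_alerts, key=lambda a: (SEVERITY_RANK[a["severity"]], a["number"]))

def plan_action(alert):
    """Map one alert to the next step a maintainer takes on the alerts tab."""
    if alert["state"] != "open":
        return "no action: alert already closed or dismissed"
    if alert["security_update_pr"] is not None:
        return f"review and merge security update PR #{alert['security_update_pr']}"
    if alert["first_patched"] is not None:
        return f"create a Dependabot security update to {alert['first_patched']}"
    # No patched release exists, so a security update cannot be created yet.
    return "no patched version available: track the advisory or replace the dependency"

def dismiss(alert, reason):
    """Return a dismissed copy of the alert; reject reasons the page does not list."""
    if reason not in DISMISS_REASONS:
        raise ValueError(f"unknown dismissal reason: {reason}")
    return {**alert, "state": "dismissed", "dismissed_reason": reason}
```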
