About Dependabot security updates

Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates.

About Dependabot security updates

Dependabot security updates make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a Dependabot alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot automatically tries to fix it. For more information, see "About Dependabot alerts" and "Configuring Dependabot security updates."

GitHub may send Dependabot alerts to repositories affected by a vulnerability disclosed by a recently published GitHub security advisory. For more information, see "Browsing security advisories in the GitHub Advisory Database."

Dependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the Dependabot alert, or reports an error on the alert. For more information, see "Troubleshooting Dependabot errors."
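The selection rule described above ("the minimum version that includes the patch") can be modelled in a few lines. This is an added illustration, not Dependabot's own code: the release list, the advisory-style range strings, and the function names are constructed for the example, and it assumes plain dotted numeric versions.

```python
import re

# Constructed sample data for a hypothetical package (not a real advisory).
RELEASES = ["1.9.0", "2.0.0", "2.1.0", "2.3.1", "2.4.0", "3.0.0", "3.0.2"]
VULNERABLE_RANGES = [">= 2.0.0, < 2.3.1", ">= 3.0.0, < 3.0.2"]

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}

def parse(version):
    """'2.3' -> (2, 3, 0); padding keeps tuple comparison well-defined."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def in_range(version, spec):
    """True if version satisfies every comma-separated clause in spec."""
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\d+(?:\.\d+)*)\s*", clause)
        if m is None:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not OPS[m.group(1)](parse(version), parse(m.group(2))):
            return False
    return True

def is_vulnerable(version, ranges):
    return any(in_range(version, spec) for spec in ranges)

def minimum_fixed_version(current, releases, ranges):
    """Lowest release above `current` outside every vulnerable range.

    Returns `current` if it is not affected, and None when no published
    release is clean (the case where an error is reported on the alert).
    """
    if not is_vulnerable(current, ranges):
        return current
    for candidate in sorted(releases, key=parse):
        if parse(candidate) > parse(current) and not is_vulnerable(candidate, ranges):
            return candidate
    return None

if __name__ == "__main__":
    for cur in ("1.9.0", "2.1.0", "3.0.0"):
        print(cur, "->", minimum_fixed_version(cur, RELEASES, VULNERABLE_RANGES))
```

Note that a project pinned to 2.1.0 is moved to 2.3.1, not to the newest release: a security update takes the smallest step that leaves the vulnerable range, which keeps the change easier to review.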

The Dependabot security updates feature is available for repositories where you have enabled the dependency graph and Dependabot alerts. You will see a Dependabot alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see "About the dependency graph."

Note: For npm, Dependabot will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, Dependabot is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. For more information, see "Dependabot tries to update dependencies without an alert."

You can enable a related feature, Dependabot version updates, so that Dependabot raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see "About Dependabot version updates."

When Dependabot raises pull requests, these pull requests could be for security or version updates:

  • Dependabot security updates are automated pull requests that help you update dependencies with known vulnerabilities.
  • Dependabot version updates are automated pull requests that keep your dependencies updated, even when they don't have any vulnerabilities. To check the status of version updates, navigate to the Insights tab of your repository, then Dependency graph, and then Dependabot.

GitHub Actions is not required for Dependabot version updates and Dependabot security updates to run on GitHub Enterprise Cloud. However, pull requests that Dependabot opens can trigger workflows that run actions. For more information, see "Automating Dependabot with GitHub Actions."

Dependabot security updates can fix vulnerable dependencies in GitHub Actions. When security updates are enabled, Dependabot will automatically raise a pull request to update vulnerable GitHub Actions used in your workflows to the minimum patched version.

About pull requests for security updates

Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to Dependabot alerts for the repository.

When you merge a pull request that contains a security update, the corresponding Dependabot alert is marked as resolved for your repository. For more information about Dependabot pull requests, see "Managing pull requests for dependency updates."

Note: It's good practice to have automated tests and acceptance processes in place so that checks are carried out before the pull request is merged. This is particularly important if the version suggested for the upgrade contains additional functionality, or a change that breaks your project's code. For more information about continuous integration, see "About continuous integration."

About compatibility scores

Dependabot security updates may include compatibility scores to let you know whether updating a dependency could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.

About notifications for Dependabot security updates

You can filter your notifications on GitHub to show Dependabot security updates. For more information, see "Managing notifications from your inbox."