La pestaña de Las alertas del dependabot de tu repositorio lista todas lasLas alertas del dependabot abiertas y cerradas. Puedes sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts. For more information, see "About Las alertas del dependabot."
Viewing Las alertas del dependabot
- En tu instancia de GitHub Enterprise Server, visita la página principal del repositorio.
- Debajo de tu nombre de repositorio, da clic en Seguridad.
- En la barra lateral de seguridad, da clic en Las alertas del dependabot. Si no encuentras esta opción, significa que no tienes acceso a las alertas de seguridad y necesitas que te lo otorguen. Para obtener más información, consulta la sección "Administrar los ajustes de seguridad y análisis de tu repositorio".
- Haz clic en la alerta que quieres ver.
Reviewing and fixing alerts
It’s important to ensure that all of your dependencies are clean of any security weaknesses. When Dependabot discovers vulnerabilities in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application.
If a patched version of the dependency is available, you can generate a Dependabot pull request to update this dependency directly from a Dependabot alert. If you have Actualizaciones de seguridad del dependabot enabled, the pull request may be linked will in the Dependabot alert.
In cases where a patched version is not available, or you can’t update to the secure version, Dependabot shares additional information to help you determine next steps. When you click through to view a Dependabot alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security advisory.
Fixing vulnerable dependencies
-
Ver los detalles de una alerta. For more information, see "Viewing Las alertas del dependabot" (above).
-
You can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to the manifest or lock file to a secure version.
-
Cuando estés listo para actualizar tu dependencia y resolver la vulnerabilidad, fusiona la solicitud de extracción.
Dismissing Las alertas del dependabot
Tip: You can only dismiss open alerts.
If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.
- Ver los detalles de una alerta. For more information, see "Viewing vulnerable dependencies" (above).
- Select the "Dismiss" dropdown, and click a reason for dismissing the alert.