
Troubleshooting Dependabot errors

Sometimes GitHub Dependabot is unable to raise a pull request to update your dependencies. You can review the error and unblock GitHub Dependabot.


Note: GitHub Dependabot version updates are currently in beta and subject to change. To use the beta feature, check in a configuration file that tells GitHub Dependabot which dependencies to maintain for you. For more details, see "Enabling and disabling version updates."

About GitHub Dependabot errors

GitHub Dependabot raises pull requests to update dependencies. Depending on how your repository is configured, GitHub Dependabot may raise pull requests for version updates and/or for security updates. You manage these pull requests in the same way as any other pull request, but there are also some extra commands available. For information about enabling GitHub Dependabot dependency updates, see "Configuring GitHub Dependabot security updates" and "Enabling and disabling version updates."

If anything prevents GitHub Dependabot from raising a pull request, this is reported as an error.

Investigating errors with GitHub Dependabot security updates

When GitHub Dependabot is blocked from creating a pull request to fix a GitHub Dependabot alert, it posts the error message on the alert. The GitHub Dependabot alerts view shows a list of any alerts that have not been resolved yet. To access the alerts view, click GitHub Dependabot alerts on the Security tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request.

GitHub Dependabot alerts view showing a pull request link

There are three reasons why an alert may have no pull request link:

  1. GitHub Dependabot security updates are not enabled for the repository.
  2. The alert is for an indirect or transitive dependency that is not explicitly defined in a lock file.
  3. An error blocked GitHub Dependabot from creating a pull request.

If an error blocked GitHub Dependabot from creating a pull request, you can display details of the error by clicking the alert.

GitHub Dependabot alert showing the error that blocked the creation of a pull request

Investigating errors with GitHub Dependabot version updates

When GitHub Dependabot is blocked from creating a pull request to update a dependency in an ecosystem, it posts the error icon on the manifest file. The manifest files that are managed by GitHub Dependabot are listed on the GitHub Dependabot tab. To access this tab, on the Insights tab for the repository click Dependency graph, and then click the GitHub Dependabot tab.

GitHub Dependabot view showing an error

To see the log file for any manifest file, click the Last checked TIME ago link. When you display the log file for a manifest that's shown with an error symbol (for example, Maven in the screenshot above), any errors are also displayed.

GitHub Dependabot version update error and log

Understanding GitHub Dependabot errors

Pull requests for security updates act to upgrade a vulnerable dependency to the minimum version that includes a fix for the vulnerability. In contrast, pull requests for version updates act to upgrade a dependency to the latest version allowed by the package manifest and GitHub Dependabot configuration files. Consequently, some errors are specific to one type of update.

GitHub Dependabot cannot update DEPENDENCY to a non-vulnerable version

Security updates only. GitHub Dependabot cannot create a pull request to update the vulnerable dependency to a secure version without breaking other dependencies in the dependency graph for this repository.

Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve; otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem.

The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. For more information, see "Enabling and disabling version updates."

GitHub Dependabot cannot update to the required version as there is already an open pull request for the latest version

Security updates only. GitHub Dependabot will not create a pull request to update the vulnerable dependency to a secure version because there is already an open pull request to update this dependency. You will see this error when a vulnerability is detected in a single dependency and there's already an open pull request to update the dependency to the latest version.

There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see "Triggering a GitHub Dependabot pull request manually."

GitHub Dependabot timed out during its update

GitHub Dependabot took longer than the maximum time allowed to assess the update required and prepare a pull request. This error is usually seen only for large repositories with many manifest files, for example, npm or yarn monorepo projects with hundreds of package.json files. Updates to the Composer ecosystem also take longer to assess and may time out.

This error is difficult to address. If a version update times out, you could specify the most important dependencies to update using the allow parameter or, alternatively, use the ignore parameter to exclude some dependencies from updates. Updating your configuration might allow GitHub Dependabot to review the version update and generate the pull request in the time available.

If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. For more information, see "Enabling and disabling version updates."

GitHub Dependabot cannot open any more pull requests

There's a limit on the number of open pull requests GitHub Dependabot will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests.

There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5, but you can change this using the open-pull-requests-limit parameter in the configuration file. For more information, see "Configuration options for dependency updates."
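The allow and ignore parameters (mentioned under the time-out error above) and the open-pull-requests-limit parameter (mentioned under the pull-request limit) can all be set for one ecosystem in the same dependabot.yml. The following is an added example, not taken from this page or from GitHub's own documentation; the package names, version range and limit value are constructed for illustration.

```yaml
# .github/dependabot.yml (constructed example)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Raise the default cap of 5 open version-update pull requests.
    # Security-update pull requests keep their own, separate limit of 10.
    open-pull-requests-limit: 8
    # Restrict version updates to the dependencies that matter most,
    # so the update run finishes within the time limit (constructed names).
    allow:
      - dependency-name: "express"
      - dependency-name: "lodash"
    # Exclude dependencies that are expensive to resolve, either entirely
    # or only for particular version ranges (constructed names and range).
    ignore:
      - dependency-name: "webpack"
      - dependency-name: "@types/*"
        versions: ["5.x"]
```

After committing a change like this, trigger a fresh check from the Dependabot tab rather than waiting for the next scheduled run.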

The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "Triggering a GitHub Dependabot pull request manually."

GitHub Dependabot can't resolve your dependency files

If GitHub Dependabot attempts to check whether dependency references need to be updated in a repository, but can't access one or more of the referenced files, the operation will fail with the error message "GitHub Dependabot can't resolve your LANGUAGE dependency files." The API error type is git_dependencies_not_reachable.

To allow GitHub Dependabot to update the dependency references successfully, make sure that all of the referenced dependencies are hosted at accessible locations.

Version updates only. When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, GitHub Dependabot must be able to access the location at which those dependencies are hosted. Organization owners can grant GitHub Dependabot access to private repositories containing dependencies for a project within the same organization. For more information, see "Managing security and analysis settings for your organization."

Currently, GitHub Dependabot version updates don't support manifest or lock files that contain any dependencies hosted in private registries, or in private GitHub repositories that belong to a different organization than the dependent project. Additionally, GitHub Dependabot doesn't support private GitHub dependencies for all package managers. For more information, see "About Dependabot version updates."

Triggering a GitHub Dependabot pull request manually

If you unblock GitHub Dependabot, you can manually trigger a fresh attempt to create a pull request.

  • Security updates: display the GitHub Dependabot alert that shows the error you have fixed and click Create GitHub Dependabot security update.
  • Version updates: on the Insights tab for the repository click Dependency graph, and then click the Dependabot tab. Click Last checked TIME ago to see the log file that GitHub Dependabot generated during the last check for version updates. Click Check for updates.
