The documentation is updated frequently and each update is published immediately, so please be aware that parts of this page's translation may still be incomplete. For the latest information, refer to the English documentation. If you find a problem with the translation of this page, please contact us.

About Dependabot security updates

Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates.

Note: Dependabot security and version updates are currently in private beta and subject to change. Please contact your account management team for instructions on enabling Dependabot updates.

Note: Your site administrator must set up Dependabot updates for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Enabling Dependabot for your enterprise."

About Dependabot security updates

Dependabot security updates make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a Dependabot alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot automatically tries to fix it. For more information, see "About Dependabot alerts" and "Configuring Dependabot security updates."

GitHub may send Dependabot alerts to repositories affected by a vulnerability disclosed by a recently published GitHub security advisory. For more information about advisory data, see "Browsing security vulnerabilities in the GitHub Advisory Database" in the GitHub.com documentation.

Dependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the Dependabot alert, or reports an error on the alert. For more information, see "Troubleshooting Dependabot errors."

Note: The Dependabot security updates feature is available for repositories where you have enabled the dependency graph and Dependabot alerts. You will see a Dependabot alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. Dependabot is unable to update an indirect or transitive dependency that is not explicitly defined. For more information, see "About the dependency graph."

You can enable a related feature, Dependabot version updates, so that Dependabot raises pull requests to update the manifest to the latest version of the dependency whenever it detects an outdated dependency. For more information, see "About Dependabot version updates."

When Dependabot raises pull requests, those pull requests are for either security updates or version updates.

  • Dependabot security updates are automated pull requests that help you update dependencies with known vulnerabilities.
  • Dependabot version updates are automated pull requests that keep your dependencies updated, even when they don't have any vulnerabilities. To check the status of version updates, navigate to the Insights tab of your repository, then Dependency graph, and then Dependabot.
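Version updates are driven by a `.github/dependabot.yml` file in the repository. The following configuration is an added example, not taken from this page; the `package-ecosystem`, `directory` and `schedule` values are illustrative choices for a hypothetical repository that contains an npm project at its root and a Python project under `backend/`.

```yaml
# Added example (not part of the documentation page above): a minimal
# .github/dependabot.yml that enables Dependabot version updates.
# Ecosystems, directories and schedules below are illustrative assumptions.
version: 2
updates:
  # Check the npm manifest and lock file in the repository root once a week.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

  # Check the Python requirements under backend/ once a week.
  - package-ecosystem: "pip"
    directory: "/backend"
    schedule:
      interval: "weekly"
```

This file only governs version updates. Security updates are enabled separately, as described in "Configuring Dependabot security updates", and are triggered by Dependabot alerts rather than by a schedule; both kinds of update act only on dependencies that appear in a manifest or lock file Dependabot can see.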

About pull requests for security updates

Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to Dependabot alerts for the repository.

When you merge a pull request that contains a security update, the corresponding Dependabot alert is marked as resolved for your repository. For more information about Dependabot pull requests, see "Managing pull requests for dependency updates."

Note: It is good practice to have automated tests and an acceptance process in place so that checks are run before a pull request is merged. This is particularly important if the proposed upgrade version has additional functionality, or changes that could break your project's code. For more information about continuous integration, see "About continuous integration."
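One way to put such a check in place is a CI workflow that runs the project's test suite on every pull request, including the ones Dependabot raises. The workflow below is an added example, not from this page; it assumes a hypothetical npm project whose tests run with `npm test`, and the Node.js version is an illustrative choice.

```yaml
# Added example (not part of the documentation page above): a GitHub Actions
# workflow that runs the test suite for every pull request, so a Dependabot
# update that breaks the build fails the check before anyone merges it.
# The npm commands and Node.js version are assumptions for this example.
name: tests

on:
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      # Install exactly what the lock file specifies, then run the tests.
      - run: npm ci
      - run: npm test
```

Once the workflow reports a status on pull requests, you can make the `test` check a required status check in the repository's branch protection settings, so that a security or version update cannot be merged while the tests are failing.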

About notifications for Dependabot security updates

You can filter your notifications on GitHub to show Dependabot security updates. For more information, see "Managing notifications from your inbox."