
Viewing and updating Dependabot alerts

If GitHub discovers insecure dependencies in your project, you can view details on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the alert.

Who can use this feature?

  • Repository administrators, organization owners, and people with write or maintain access
  • Users and teams with explicit access. See Granting access to security alerts

Note

A site administrator must set up Dependabot updates for your GitHub Enterprise Server instance before you can use this feature. For more information, see Enabling Dependabot for your enterprise.

If an enterprise owner has set a policy at the enterprise level, you may not be able to enable or disable Dependabot updates. For more information, see "Enforcing policies for code security and analysis for your enterprise".

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and corresponding Dependabot security updates. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once. For more information, see About Dependabot alerts.

You can enable automatic security updates for any repository that uses Dependabot alerts and the dependency graph. For more information, see About Dependabot security updates.

About updates for vulnerable dependencies in your repository

GitHub generates Dependabot alerts when we detect that the default branch of your codebase is using dependencies with known security risks. For repositories where Dependabot security updates are enabled, when GitHub detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.

Dependabot does not generate Dependabot alerts for malware. For more information, see "About the GitHub Advisory Database".

Each Dependabot alert has a unique numeric identifier and the Dependabot alerts tab lists an alert for every detected vulnerability. Legacy Dependabot alerts grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy Dependabot alert, you will be redirected to a Dependabot alerts tab filtered for that package.

You can filter and sort Dependabot alerts using a variety of filters and sort options available on the user interface. For more information, see Prioritizing Dependabot alerts below.

You can also audit actions taken in response to Dependabot alerts. For more information, see Auditing security alerts.

Prioritizing Dependabot alerts

GitHub helps you prioritize fixing Dependabot alerts. By default, Dependabot alerts are sorted by importance. The "Most important" sort order helps you prioritize which Dependabot alerts to focus on first. Alerts are ranked based on their potential impact, actionability, and relevance. Our prioritization calculation is constantly being improved and includes factors like CVSS score, dependency scope, and whether vulnerable function calls are found for the alert. You can also use Dependabot auto-triage rules to prioritize Dependabot alerts. For more information, see About Dependabot auto-triage rules.

You can sort and filter Dependabot alerts by typing filters as key:value pairs into the search bar.

| Option | Description | Example |
| --- | --- | --- |
| CVE-ID | Displays alerts associated with this CVE-ID | CVE-2020-28482 will display any alerts whose underlying advisory has this CVE ID number. |
| ecosystem | Displays alerts for the selected ecosystem | Use ecosystem:npm to show Dependabot alerts for npm |
| GHSA-ID | Displays alerts associated with this GHSA-ID | GHSA-49wp-qq6x-g2rf will display any alerts whose underlying advisory has this GitHub Advisory Database ID. |
| has | Displays alerts that meet the selected filter criteria | Use has:patch to show alerts related to advisories that have a patch |
| is | Displays alerts based on the state of the alert | Use is:open to show open alerts |
| manifest | Displays alerts for the selected manifest | Use manifest:webwolf/pom.xml to show alerts on the pom.xml file of the webwolf application |
| package | Displays alerts for the selected package | Use package:django to show alerts for django |
| resolution | Displays alerts of the selected resolution status | Use resolution:no-bandwidth to show alerts previously parked due to lack of resources or time to fix them |
| repo | Displays alerts based on the related repository. Note that this filter is only available in security overview. For more information, see "About security overview" | Use repo:octocat-repo to show alerts in the repository called octocat-repo |
| scope | Displays alerts based on the scope of the related dependency | Use scope:development to show alerts for dependencies that are only used during development |
| severity | Displays alerts based on their level of severity | Use severity:high to show alerts with a severity of High |
| epss_percentage | Displays alerts based on the likelihood of exploitation as predicted by EPSS | Use epss_percentage:>0.01 to see alerts with an EPSS percentage greater than 1% |
| sort | Displays alerts according to the selected sort order | The default sort option for alerts is sort:most-important, which ranks alerts by importance. Use sort:newest to show the latest alerts reported by Dependabot. Use sort:epss-percentage to show alerts sorted by EPSS score in descending order. |
| team | Displays data for all repositories that the specified team has write or admin access to. For more information about repository roles, see Repository roles for an organization | Use team:octo-team to show alerts for repositories that the octo-team team has write access to. |
| topic | Displays data for all repositories classified with a specific topic. For more information about repository topics, see Classifying your repository with topics | Use topic:nextjs to show alerts for repositories classified with the nextjs topic. |

Note

The Exploit Prediction Scoring System, or EPSS, provides a score (0 to 100%), the probability that a vulnerability will be exploited in the wild in the next 30 days, and a percentile (nth percentile), a relative measure of the threat. This score comes from the Forum of Incident Response and Security Teams (FIRST) and is updated daily. To learn more, see Exploit Prediction Scoring System in the FIRST documentation.

In addition to the filters available via the search bar, you can sort and filter Dependabot alerts using the dropdown menus at the top of the alert list. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list.

The search bar also allows for full text searching of alerts and related security advisories. You can search for part of a security advisory name or description to return the alerts in your repository that relate to that security advisory. For example, searching for yaml.load() API could execute arbitrary code will return Dependabot alerts linked to PyYAML insecurely deserializes YAML strings leading to arbitrary code execution as the search string appears in the advisory description.

Screenshot of the filter and sort menus in the Dependabot alerts tab.

You can also use the REST API to get a list of Dependabot alerts sorted using your filter of choice, for your repository, organization, or enterprise. For more information about API endpoints, see REST API endpoints for Dependabot alerts.
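As an added illustration that is not part of the GitHub documentation, the Python below applies the prioritization factors named above (dependency scope, EPSS, CVSS score, and whether a patched version exists) to a constructed sample of alerts shaped like the REST API's Dependabot alert objects. The weights are the example's own, not GitHub's "Most important" algorithm, and the field names are assumed from the REST API.

```python
import json

# Constructed sample shaped like GET /repos/{owner}/{repo}/dependabot/alerts
# objects (field names assumed from the REST API; every value is invented).
SAMPLE_ALERTS_JSON = json.dumps([
    {"number": 1, "state": "open",
     "dependency": {"scope": "development", "manifest_path": "package.json"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.0.1"}},
     "security_advisory": {"cvss": {"score": 9.8}, "epss": {"percentage": 0.002}}},
    {"number": 2, "state": "open",
     "dependency": {"scope": "runtime", "manifest_path": "requirements.txt"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.4.2"}},
     "security_advisory": {"cvss": {"score": 7.5}, "epss": {"percentage": 0.42}}},
    {"number": 3, "state": "open",
     "dependency": {"scope": "runtime", "manifest_path": "go.mod"},
     "security_vulnerability": {"first_patched_version": None},
     "security_advisory": {"cvss": {"score": 5.3}, "epss": {"percentage": 0.01}}},
    {"number": 4, "state": "dismissed",
     "dependency": {"scope": "runtime", "manifest_path": "go.mod"},
     "security_vulnerability": {"first_patched_version": {"identifier": "3.0.0"}},
     "security_advisory": {"cvss": {"score": 9.1}, "epss": {"percentage": 0.9}}},
])

def priority_score(alert):
    """Example ranking (not GitHub's): runtime scope outranks development-only,
    then EPSS exploit likelihood, then CVSS; an available patch adds actionability."""
    adv = alert["security_advisory"]
    runtime = 1.0 if alert["dependency"]["scope"] == "runtime" else 0.0
    epss = (adv.get("epss") or {}).get("percentage") or 0.0
    cvss = (adv.get("cvss") or {}).get("score") or 0.0
    patched = alert["security_vulnerability"].get("first_patched_version")
    return 100 * runtime + 50 * epss + cvss + (2.0 if patched else 0.0)

def triage(alerts_json):
    """Return (alert number, next step) for open alerts, most important first;
    next steps follow this page: upgrade when patched, else review affected calls."""
    alerts = [a for a in json.loads(alerts_json) if a["state"] == "open"]
    alerts.sort(key=priority_score, reverse=True)
    plan = []
    for a in alerts:
        patched = a["security_vulnerability"].get("first_patched_version")
        step = (f"upgrade to {patched['identifier']}" if patched
                else "no patch: review affected functions before dismissing")
        plan.append((a["number"], step))
    return plan

if __name__ == "__main__":
    for number, step in triage(SAMPLE_ALERTS_JSON):
        print(f"alert #{number}: {step}")
```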

Supported ecosystems and manifests for dependency scope

The table below summarizes whether dependency scope is supported for various ecosystems and manifests, that is, whether Dependabot can identify if a dependency is used for development or production.

| Language | Ecosystem | Manifest file | Dependency scope supported |
| --- | --- | --- | --- |
| Dart | Pub | pubspec.yaml | Yes |
| Dart | Pub | pubspec.lock | Yes |
| Go | Go modules | go.mod | No, defaults to runtime |
| Java | Maven | pom.xml | Yes, test maps to development, otherwise scope defaults to runtime |
| JavaScript | npm | package.json | Yes |
| JavaScript | npm | package-lock.json | Yes |
| JavaScript | npm | pnpm-lock.yaml | Yes |
| JavaScript | yarn v1 | yarn.lock | No, defaults to runtime |
| PHP | Composer | composer.json | Yes |
| PHP | Composer | composer.lock | Yes |
| Python | Poetry | poetry.lock | Yes |
| Python | Poetry | pyproject.toml | Yes |
| Python | pip | requirements.txt | Yes, scope is development if the file name contains test or dev, otherwise it is runtime |
| Python | pip | pipfile.lock | Yes |
| Python | pip | pipfile | Yes |
| Ruby | RubyGems | Gemfile | Yes |
| Ruby | RubyGems | Gemfile.lock | No, defaults to runtime |
| Rust | Cargo | Cargo.toml | Yes |
| Rust | Cargo | Cargo.lock | No, defaults to runtime |
| YAML | GitHub Actions | - | No, defaults to runtime |
| .NET (C#, F#, VB, etc.) | NuGet | .csproj/.vbproj/.vcxproj/.fsproj | No, defaults to runtime |
| .NET | NuGet | packages.config | No, defaults to runtime |
| .NET | NuGet | .nuspec | Yes, when the tag != runtime |
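As an added example that is not part of the GitHub documentation, the Python below implements the two scope rules the table spells out (pip requirements file names containing test or dev, and Maven dependencies with a test scope) against a constructed pom.xml with invented coordinates; the remaining manifests in the table need no logic because they default to runtime.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml (invented coordinates) with one test-scoped dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web-lib</artifactId>
      <version>1.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>test-helper</artifactId>
      <version>1.0</version><scope>test</scope></dependency>
    <dependency><groupId>org.example</groupId><artifactId>provided-api</artifactId>
      <version>1.0</version><scope>provided</scope></dependency>
  </dependencies>
</project>"""


def requirements_scope(filename):
    """pip rule from the table: development when the requirements file name
    contains 'test' or 'dev', otherwise runtime."""
    name = filename.rsplit("/", 1)[-1]
    return "development" if re.search(r"test|dev", name) else "runtime"


def maven_scopes(pom_xml):
    """Maven rule from the table: <scope>test</scope> maps to development; any
    other or absent scope defaults to runtime. Returns {artifactId: scope}.
    The {*} wildcard matches whether or not the POM declares a namespace."""
    root = ET.fromstring(pom_xml)
    scopes = {}
    for dep in root.iterfind(".//{*}dependencies/{*}dependency"):
        name = dep.findtext("{*}artifactId", default="").strip()
        scope = dep.findtext("{*}scope", default="").strip()
        scopes[name] = "development" if scope == "test" else "runtime"
    return scopes


if __name__ == "__main__":
    print(requirements_scope("requirements-dev.txt"))  # development
    print(requirements_scope("api/requirements.txt"))  # runtime
    print(maven_scopes(SAMPLE_POM))
```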

Alerts for packages listed as development dependencies are marked with the Development label on the Dependabot alerts page and are also available for filtering via the scope filter.

Screenshot showing the "Development" label assigned to an alert in the list of alerts. The label is highlighted with a dark orange outline.

The alert details page of alerts on development-scoped packages shows a "Tags" section containing a Development label.

Screenshot showing the "Tags" section in the alert details page. The label is highlighted with a dark orange outline.

Viewing Dependabot alerts

Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and corresponding Dependabot security updates. You can sort and filter Dependabot alerts by selecting a filter from the dropdown menu.

To view summaries of alerts for all or a subset of repositories owned by your organization, use security overview. For more information, see About security overview.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, then click Security.

    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted with a dark orange outline.

  3. In the "Vulnerability alerts" sidebar of security overview, click Dependabot. If this option is missing, you do not have access to security alerts and need to be granted access. For more information, see "Managing security and analysis settings for your repository".

    Screenshot of the security overview with the "Dependabot" tab highlighted with a dark orange outline.

  4. Optionally, to filter alerts, select a filter in a dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. Alternatively, to filter by label, click a label assigned to an alert to automatically apply that filter to the alert list. For more information about filtering and sorting alerts, see Prioritizing Dependabot alerts.

    Screenshot of the filter and sort menus in the Dependabot alerts tab.

  5. Click the alert that you would like to view.

  6. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click Suggest improvements for this advisory on the GitHub Advisory Database. For more information, see Editing security advisories in the GitHub Advisory Database.

    Screenshot of the right sidebar of a Dependabot alert. A link, titled "Suggest improvements for this advisory...", is outlined in orange.

Reviewing and fixing alerts

It’s important to ensure that all of your dependencies are clean of any security weaknesses. When Dependabot discovers vulnerabilities in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application.

If a patched version of the dependency is available, you can generate a Dependabot pull request to update this dependency directly from a Dependabot alert. If you have Dependabot security updates enabled, the pull request may be linked in the Dependabot alert.

In cases where a patched version is not available, or you can’t update to the secure version, Dependabot shares additional information to help you determine next steps. When you click through to view a Dependabot alert, you can see the full details of the security advisory for the dependency including the affected functions. You can then check whether your code calls the impacted functions. This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security advisory.

Fixing vulnerable dependencies

  1. View the details for an alert. For more information, see Viewing Dependabot alerts (above).

  2. If you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click Create Dependabot security update at the top of the alert details page to create a pull request.

    Screenshot of a Dependabot alert with the "Create Dependabot security update" button highlighted with a dark orange outline.

  3. Optionally, if you do not use Dependabot security updates, you can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to update the dependency to a secure version.

  4. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.

    Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see Managing pull requests for dependency updates.

Dismissing Dependabot alerts

Note

You can only dismiss open alerts.

If you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.

  1. View the details for an alert. For more information, see Viewing Dependabot alerts (above).

  2. Select the "Dismiss" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later.

  3. Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the dismissComment field. For more information, see Objects in the GraphQL API documentation.

    Screenshot of a Dependabot alert page, with the "Dismiss" dropdown and the option to add a dismissal comment outlined in orange.

  4. Click Dismiss alert.

Dismissing multiple alerts at once

  1. View the open Dependabot alerts. For more information, see Viewing Dependabot alerts (above).
  2. Optionally, filter the list of alerts by selecting a dropdown menu, then clicking the filter that you would like to apply. You can also type filters into the search bar.
  3. To the left of each alert title, select the alerts that you want to dismiss.
    Screenshot of the Dependabot alerts view. Two alerts are selected and these check boxes are highlighted with an orange outline.
  4. Optionally, at the top of the list of alerts, select all alerts on the page.
    Screenshot of the header section of the Dependabot alerts view. The "Select all" checkbox is highlighted with a dark orange outline.
  5. Select the "Dismiss alerts" dropdown, and click a reason for dismissing the alerts.
    Screenshot of a list of alerts. Below the "Dismiss alerts" button, a dropdown labeled "Select a reason to dismiss" is expanded.

Viewing and updating closed alerts

You can view all open alerts, and you can reopen alerts that have been previously dismissed. Closed alerts that have already been fixed cannot be reopened.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, then click Security.

    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted with a dark orange outline.

  3. In the "Vulnerability alerts" sidebar of security overview, click Dependabot. If this option is missing, you do not have access to security alerts and need to be granted access. For more information, see "Managing security and analysis settings for your repository".

    Screenshot of the security overview with the "Dependabot" tab highlighted with a dark orange outline.

  4. To just view closed alerts, click Closed.

    Screenshot showing the list of Dependabot alerts with the "Closed" tab highlighted with a dark orange outline.

  5. Click the alert that you would like to view or update.

  6. Optionally, if the alert was dismissed and you wish to reopen it, click Reopen. Alerts that have already been fixed cannot be reopened.

    Screenshot showing a closed Dependabot alert. A button, titled "Reopen", is highlighted in a dark orange outline.

Reopening multiple alerts at once

  1. View the closed Dependabot alerts. For more information, see Viewing and updating closed alerts (above).
  2. To the left of each alert title, select the alerts that you want to reopen by clicking the checkbox adjacent to each alert.
  3. Optionally, at the top of the list of alerts, select all closed alerts on the page.
    Screenshot of alerts in the "Closed" tab. The "Select all" checkbox is highlighted with a dark orange outline.
  4. Click Reopen to reopen the alerts. Alerts that have already been fixed cannot be reopened.

Reviewing the audit logs for Dependabot alerts

When a member of your organization or enterprise performs an action related to Dependabot alerts, you can review the actions in the audit log. For more information about accessing the log, see Reviewing the audit log for your organization and Accessing the audit log for your enterprise.

Screenshot of the audit log showing Dependabot alerts.

Events in your audit log for Dependabot alerts include details such as who performed the action, what the action was, and when the action was performed. The event also includes a link to the alert itself. When a member of your organization dismisses an alert, the event displays the dismissal reason and comment. For information on the Dependabot alerts actions, see the repository_vulnerability_alert category in Audit log events for your organization and Audit log events for your enterprise.