About GitHub Dependabot security updates
Dependabot monitors security advisories such as the GitHub Advisory Database and WhiteSource and automatically triggers a pull request when it detects a new vulnerable dependency in the dependency graph of repositories. For more information about the GitHub Advisory Database, see "About the GitHub Advisory Database."
The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.
Note: It's good practice to have automated tests and acceptance processes in place so that checks are carried out before the pull request is merged. This is particularly important if the suggested version to upgrade to contains additional functionality, or a change that breaks your project's code. For more information about continuous integration, see "About continuous integration."
Dependabot includes a link to the pull request in the alert for the vulnerable dependency. For more information, see "About alerts for vulnerable dependencies" and "About the dependency graph."
Each security update contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to Dependabot alerts for the repository.
When you merge a pull request that contains a security update, the corresponding alert is marked as resolved for your repository.
Note GitHub Dependabot security updates only resolve security vulnerabilities in the dependencies tracked by your dependency graph. Security updates are not created to resolve vulnerabilities in private registries or packages hosted in private repositories. However, indirect or transitive dependencies are included if they are explicitly defined in a lock file, or similar. For more information, see "About the dependency graph." Additionally, it's important to highlight that GitHub Dependabot security updates automatically create pulls requests with proposed fixes to the lock files, for the dependencies detected as vulnerable.
You can enable GitHub Dependabot security updates for any repository that uses Dependabot alerts and the dependency graph. You can disable GitHub Dependabot security updates for an individual repository or for all repositories owned by your user account or organization. For more information, see "Managing GitHub Dependabot security updates for your repository", "Managing GitHub Dependabot security updates for your user account", and "Managing GitHub Dependabot security updates for your organization" below.
GitHub Dependabot and all related features are covered by GitHub's Terms of Service.
Supported repositories
GitHub automatically enables GitHub Dependabot security updates for every repository that meets these prerequisites.
Note: You can manually enable GitHub Dependabot security updates, even if the repository doesn't meet some of the requirements below, using the instructions described in Managing GitHub Dependabot security updates for your repository, Managing GitHub Dependabot security updates for your user account, or Managing GitHub Dependabot security updates for your organization.
| Automatic enablement prerequisite | More information |
|---|---|
| Repository is not a fork | "About forks" |
| Repository is not archived | "Archiving repositories" |
| Repository is public, or repository is private and you have enabled read-only analysis by GitHub, dependency graph, and vulnerability alerts in the repository's settings | "Managing data use settings for your private repository." |
| Repository contains dependency manifest file from a package ecosystem that GitHub supports | "Supported package ecosystems" |
| GitHub Dependabot security updates are not disabled for the repository | "Managing GitHub Dependabot security updates for your repository" |
| Repository is not already using an integration for dependency management | "About integrations" |
If security updates are not enabled for your repository and you don't know why, first try enabling them using the instructions given in the procedural sections below. If security updates still aren't working, you can contact support.
About compatibility scores
GitHub Dependabot security updates also include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. We look at previously-passing CI tests from public repositories where we've generated a given security update to learn whether the update causes tests to fail. An update's compatibility score is the percentage of CI runs that passed when updating between relevant versions of the dependency.
Managing GitHub Dependabot security updates for your repository
You can enable or disable GitHub Dependabot security updates for an individual repository.
GitHub Dependabot security updates require specific repository settings. For more information, see "Supported repositories."
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Security.
- In the security sidebar, click Dependabot alerts.
- Above the list of alerts, use the drop-down menu and select or unselect Dependabot security updates.
Managing GitHub Dependabot security updates for your user account
You can disable GitHub Dependabot security updates for all repositories owned by your user account. If you do, you can still enable GitHub Dependabot security updates for individual repositories owned by your user account.
- In the upper-right corner of any page, click your profile photo, then click Settings.
- In the left sidebar, click Security & analysis.
- To the right of "Dependabot security updates", click Disable all or Enable all.
Managing GitHub Dependabot security updates for your organization
Organization owners can disable GitHub Dependabot security updates for all repositories owned by the organization. If you do, anyone with admin permissions to an individual repository owned by the organization can still enable GitHub Dependabot security updates on that repository.
-
In the top right corner of GitHub, click your profile photo, then click Your profile.
-
On the left side of your profile page, under "Organizations", click the icon for your organization.
-
Under your organization name, click Settings.
-
In the left sidebar, click Organization security.
-
To the right of "Dependabot security updates", click Disable all or Enable all.