GitHub Dependabot Alerts

GitHub reviews every published security vulnerability to identify and alert the repositories it affects. For project owners, GitHub shares the details needed to understand and remediate the risk: the affected package and version range, the severity, and the first patched version where one exists.

If GitHub discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. From there you can update the dependency to resolve the alert, or dismiss the alert with a stated reason if it does not apply to your project.

Repository administrators and organization owners can view and update dependencies; other collaborators only see alerts if the administrator grants them access.

Your repository’s GitHub Dependabot alerts tab lists all open and closed GitHub Dependabot alerts and corresponding GitHub Dependabot security updates. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see About alerts for vulnerable dependencies.

You can enable automatic security updates for any repository that uses GitHub Dependabot alerts and the dependency graph. For more information, see Configuring GitHub Dependabot security updates.

Actions to take

  1. Review ecosystem compatibility
  2. Enable Dependabot on your repository
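The steps above are applied in the repository settings, but Dependabot's behaviour can also be tuned from a `.github/dependabot.yml` file. The following is an added example, not from this page or from GitHub's own documentation; it assumes a hypothetical repository with an npm `package.json` at the root and a pip `requirements.txt` under `api/`, and it illustrates the commonly used pattern of keeping security updates on while limiting routine version-update pull requests:

```yaml
# .github/dependabot.yml (added example; paths and ecosystems are assumed
# for a hypothetical repository, adjust to the manifests you actually have)
version: 2
updates:
  # npm manifest at the repository root: routine version updates are
  # checked weekly, but at most five version-update PRs may be open at once.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "security-review"

  # pip manifest under api/: setting open-pull-requests-limit to 0 disables
  # routine version-update PRs for this ecosystem only. Dependabot security
  # updates for alerts are unaffected and still open pull requests when a
  # patched version is available.
  - package-ecosystem: "pip"
    directory: "/api"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    labels:
      - "dependencies"
      - "security-review"
```

Before committing a configuration like this, confirm each `package-ecosystem` value is supported by the dependency graph (the first action above), otherwise no alerts will be generated for that manifest regardless of the settings.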