3df90fc9b8
Are you looking for something? Here is all of the GitHub Docs history in one single commit. Enjoy! 🎉
8.6 KiB
title, intro, redirect_from, versions
| title | intro | redirect_from | versions | |||||
|---|---|---|---|---|---|---|---|---|
| Configuring GitHub Dependabot security updates | You can use {{ site.data.variables.product.prodname_dependabot_security_updates }} or manual pull requests to easily update vulnerable dependencies. |
|
|
About {{ site.data.variables.product.prodname_dependabot_security_updates }}
{{ site.data.variables.product.prodname_dependabot_short }} monitors security advisories such as the {{ site.data.variables.product.prodname_advisory_database }} and WhiteSource and automatically triggers a pull request when it detects a new vulnerable dependency in the dependency graph of repositories. For more information about the {{site.data.variables.product.prodname_advisory_database }}, see "About the {{ site.data.variables.product.prodname_advisory_database }}."
{{ site.data.reusables.dependabot.upgrade-dependency-to-minimum-secure-version }}
{{ site.data.variables.product.prodname_dependabot_short }} includes a link to the pull request in the alert for the vulnerable dependency. For more information, see "About alerts for vulnerable dependencies" and "About the dependency graph."
Each security update contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {{ site.data.variables.product.prodname_dependabot_short }} alerts for the repository.
When you merge a pull request that contains a security update, the corresponding alert is marked as resolved for your repository.
{% note %}
Note {{ site.data.variables.product.prodname_dependabot_security_updates }} only resolve security vulnerabilities in the dependencies tracked by your dependency graph. Security updates are not created to resolve vulnerabilities in private registries or packages hosted in private repositories. However, indirect or transitive dependencies are included if they are explicitly defined in a lock file, or similar. For more information, see "About the dependency graph." Additionally, it's important to highlight that {{ site.data.variables.product.prodname_dependabot_security_updates }} automatically create pulls requests with proposed fixes to the lock files, for the dependencies detected as vulnerable.
{% endnote %}
You can enable {{ site.data.variables.product.prodname_dependabot_security_updates }} for any repository that uses {{ site.data.variables.product.prodname_dependabot_short }} alerts and the dependency graph. You can disable {{ site.data.variables.product.prodname_dependabot_security_updates }} for an individual repository or for all repositories owned by your user account or organization. For more information, see "Managing {{ site.data.variables.product.prodname_dependabot_security_updates }} for your repositories" below.
{{ site.data.reusables.dependabot.dependabot-tos }}
Supported repositories
{{ site.data.variables.product.prodname_dotcom }} automatically enables {{ site.data.variables.product.prodname_dependabot_security_updates }} for every repository that meets these prerequisites.
{% note %}
Note: You can manually enable {{ site.data.variables.product.prodname_dependabot_security_updates }}, even if the repository doesn't meet some of the prerequisites below. For example, you can enable {{ site.data.variables.product.prodname_dependabot_security_updates }} on a fork, or for a package manager that isn't directly supported by following the instructions in "Managing {{ site.data.variables.product.prodname_dependabot_security_updates }} for your repositories."
{% endnote %}
| Automatic enablement prerequisite | More information |
|---|---|
| Repository is not a fork | "About forks" |
| Repository is not archived | "Archiving repositories" |
| Repository is public, or repository is private and you have enabled read-only analysis by {{ site.data.variables.product.prodname_dotcom }}, dependency graph, and vulnerability alerts in the repository's settings | "Managing data use settings for your private repository." |
| Repository contains dependency manifest file from a package ecosystem that {{ site.data.variables.product.prodname_dotcom }} supports | "Supported package ecosystems" |
| {{ site.data.variables.product.prodname_dependabot_security_updates }} are not disabled for the repository | "Managing {{ site.data.variables.product.prodname_dependabot_security_updates }} for your repository" |
| Repository is not already using an integration for dependency management | "About integrations" |
If security updates are not enabled for your repository and you don't know why, first try enabling them using the instructions given in the procedural sections below. If security updates are still not working, you can contact support.
About compatibility scores
{{ site.data.variables.product.prodname_dependabot_security_updates }} also include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. We look at previously-passing CI tests from public repositories where we've generated a given security update to learn whether the update causes tests to fail. An update's compatibility score is the percentage of CI runs that passed when updating between relevant versions of the dependency.
Managing {{ site.data.variables.product.prodname_dependabot_security_updates }} for your repositories
You can enable or disable {{ site.data.variables.product.prodname_dependabot_security_updates }} for an individual repository.
You can also enable or disable {{ site.data.variables.product.prodname_dependabot_security_updates }} for all repositories owned by your user account or organization. For more information, see "Managing security and analysis settings for your user account" or "Managing security and analysis settings for your organization."
{{ site.data.variables.product.prodname_dependabot_security_updates }} require specific repository settings. For more information, see "Supported repositories."
{{ site.data.reusables.repositories.navigate-to-repo }} {{ site.data.reusables.repositories.sidebar-security }} {{ site.data.reusables.repositories.sidebar-dependabot-alerts }}
- Above the list of alerts, use the drop-down menu and select or unselect {{ site.data.variables.product.prodname_dependabot_short }} security updates.
