---
title: Viewing and updating vulnerable dependencies in your repository
intro: 'If {% data variables.product.product_name %} discovers vulnerable dependencies in your project, you can view them on the Dependabot alerts tab of your repository. Then, you can update your project to resolve or dismiss the vulnerability.'
permissions: Repository administrators and organization owners can view and update dependencies.
shortTitle: Viewing and updating vulnerable dependencies
---
Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %}{% if currentVersion == "free-pro-team@latest" %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}{% endif %}. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "About alerts for vulnerable dependencies."
{% if currentVersion == "free-pro-team@latest" %} You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "About {% data variables.product.prodname_dependabot_security_updates %}."
{% data reusables.repositories.dependency-review %}
### About updates for vulnerable dependencies in your repository
{% data variables.product.product_name %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect that your codebase is using dependencies with known vulnerabilities. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.product_name %} detects a vulnerable dependency in the default branch, {% data variables.product.prodname_dependabot %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability. {% endif %}
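The "minimum possible secure version" rule above is simple to state but easy to get wrong by hand (string comparison puts `1.10.0` before `1.9.0`, and a fix version may not exist at all). The following Python script is an added illustration and is not code from Dependabot or {% data variables.product.product_name %}. It reads a constructed `package-lock.json`, matches entries against a constructed advisory whose `vulnerable_version_range` uses the comma-separated constraint style of GitHub Advisory Database entries, and picks the lowest published version above the installed one that is outside the vulnerable range. The package name `example-lib`, the version list and the lock file contents are all hypothetical.

```python
# Added illustration, not Dependabot's code: find lock-file entries that fall
# inside an advisory's vulnerable version range and pick the lowest published
# version above the installed one that is outside that range.
import json
import re

# Constructed advisory in the style of a GitHub Advisory Database entry.
# The package name and range are hypothetical.
ADVISORY = {
    "package": "example-lib",
    "vulnerable_version_range": ">= 1.2.0, < 1.4.3",
}

# Constructed list of versions the registry has published for example-lib.
PUBLISHED_VERSIONS = ["1.1.9", "1.2.0", "1.3.0", "1.4.2", "1.4.3", "1.5.0", "2.0.0"]

# Constructed package-lock.json (v2 "packages" layout), trimmed to two entries.
LOCKFILE = json.dumps({
    "packages": {
        "node_modules/example-lib": {"version": "1.3.0"},
        "node_modules/other-lib": {"version": "0.9.1"},
    }
})


def version_key(text):
    """'1.4.3' -> (1, 4, 3), with trailing zeros dropped so '1.4' and '1.4.0'
    compare equal. Tuples compare numerically, so '1.10.0' sorts after '1.9.0'."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def in_vulnerable_range(version, range_spec):
    """True when version satisfies every comma-separated clause of range_spec,
    e.g. '>= 1.2.0, < 1.4.3'. Unknown operators raise rather than silently pass."""
    v = version_key(version)
    for clause in range_spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        if not _OPS[m.group(1)](v, version_key(m.group(2))):
            return False
    return True


def minimum_secure_version(current, range_spec, published):
    """Lowest published version newer than `current` that is outside the
    vulnerable range, or None when nothing published qualifies (the case
    where no automated fix can be offered)."""
    cur = version_key(current)
    candidates = [
        p for p in published
        if version_key(p) > cur and not in_vulnerable_range(p, range_spec)
    ]
    return min(candidates, key=version_key) if candidates else None


def vulnerable_dependencies(lockfile_json, advisory, published):
    """Report every lock-file entry for the advisory's package whose installed
    version is vulnerable, together with the smallest fixing version."""
    lock = json.loads(lockfile_json)
    rng = advisory["vulnerable_version_range"]
    findings = []
    for path, info in lock["packages"].items():
        name = path.rsplit("node_modules/", 1)[-1]  # also handles nested node_modules
        if name != advisory["package"]:
            continue
        if in_vulnerable_range(info["version"], rng):
            findings.append({
                "package": name,
                "installed": info["version"],
                "fix": minimum_secure_version(info["version"], rng, published),
            })
    return findings


if __name__ == "__main__":
    for f in vulnerable_dependencies(LOCKFILE, ADVISORY, PUBLISHED_VERSIONS):
        print(f"{f['package']} {f['installed']} is vulnerable; "
              f"minimum secure version: {f['fix']}")
```

Two points worth checking before merging the pull request {% data variables.product.prodname_dependabot %} raises: when the lowest secure version sits across a major version boundary (here, if `1.4.3` were not published, the result would be `2.0.0`), the upgrade may carry breaking changes and needs testing rather than a blind merge; and when `minimum_secure_version` returns `None`, no published release escapes the range, which is the situation in which you must patch, replace, or dismiss the dependency by hand.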
### Viewing and updating vulnerable dependencies

{% if currentVersion == "free-pro-team@latest" %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-dependabot-alerts %}
- Click the alert you'd like to view.

- Review the details of the vulnerability and, if available, the pull request containing the automated security update.
- Optionally, if {% data variables.product.prodname_dependabot %} hasn't already raised a pull request for the alert, click Create {% data variables.product.prodname_dependabot %} security update to open a pull request that resolves the vulnerability.

- When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by {% data variables.product.prodname_dependabot %} includes information on commands you can use to control {% data variables.product.prodname_dependabot %}. For more information, see "Managing pull requests for dependency updates."
- Optionally, if the alert is already being fixed, is incorrect, or is located in unused code, use the "Dismiss" drop-down and click a reason for dismissing the alert.

{% elsif currentVersion ver_gt "enterprise-server@3.0" %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-dependabot-alerts %}
- Click the alert you'd like to view.

- Review the details of the vulnerability and determine whether or not you need to update the dependency.
- When you merge a pull request that updates the manifest or lock file to a secure version of the dependency, this will resolve the alert. Alternatively, if you decide not to update the dependency, click the Dismiss drop-down, and select a reason for dismissing the alert.

{% else %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.accessing-repository-graphs %}
{% data reusables.repositories.click-dependency-graph %}
- Click the version number of the vulnerable dependency to display detailed information.

- Review the details of the vulnerability and determine whether or not you need to update the dependency. When you merge a pull request that updates the manifest or lock file to a secure version of the dependency, this will resolve the alert.
- The banner at the top of the Dependencies tab is displayed until all the vulnerable dependencies are resolved or you dismiss it. Click Dismiss in the top right corner of the banner and select a reason for dismissing the alert.
{% endif %}
### Further reading
- "About alerts for vulnerable dependencies"{% if currentVersion == "free-pro-team@latest" %}
- "Configuring {% data variables.product.prodname_dependabot_security_updates %}"{% endif %}
- "Managing security and analysis settings for your repository"
- "Troubleshooting the detection of vulnerable dependencies"{% if currentVersion == "free-pro-team@latest" %}
- "Troubleshooting {% data variables.product.prodname_dependabot %} errors"{% endif %}