About GitHub Dependabot security updates
GitHub Dependabot security updates are automated pull requests that GitHub Dependabot raises to fix vulnerable dependencies in the dependency graph of repositories. For repositories where it's enabled, when GitHub detects a vulnerable dependency Dependabot creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability. Dependabot includes a link to the pull request in the alert for the vulnerable dependency. For more information, see "About alerts for vulnerable dependencies" and "About the dependency graph."
Each security update contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to Dependabot alerts for the repository.
When you merge a pull request that contains a security update, the corresponding alert is marked as resolved for your repository.
Note: GitHub Dependabot security updates only resolve security vulnerabilities in the dependencies tracked by your dependency graph. Security updates are not created to resolve vulnerabilities in private registries or packages hosted in private repositories. However, indirect or transitive dependencies are included if they are explicitly defined in a lock file, or similar. For more information, see "About the dependency graph."
You can enable GitHub Dependabot security updates for any repository that uses Dependabot alerts and the dependency graph. You can disable GitHub Dependabot security updates for an individual repository or for all repositories owned by your user account or organization. For more information, see "Managing GitHub Dependabot security updates for your repository", "Managing GitHub Dependabot security updates for your user account", and "Managing GitHub Dependabot security updates for your organization" below.
Supported repositories
GitHub automatically enables GitHub Dependabot security updates for every repository that meets these requirements.
Note: For repositories created before November 2019, GitHub has automatically enabled GitHub Dependabot security updates if the repository meets the following criteria and has received at least one push since May 23, 2019.
| Requirement | More information |
|---|---|
| Repository is not a fork | "About forks" |
| Repository is not archived | "Archiving repositories" |
| Repository is public, or repository is private and you have enabled read-only analysis by GitHub, dependency graph, and vulnerability alerts in the repository's settings | "Managing data use settings for your private repository." |
| Repository contains dependency manifest file from a package ecosystem that GitHub supports | "Supported package ecosystems" |
| GitHub Dependabot security updates are not disabled for the repository | "Managing GitHub Dependabot security updates for your repository" |
| Repository is not already using an integration for dependency management | "About integrations" |
If security updates are not enabled for your repository and you don't know why, you can contact support.
About compatibility scores
GitHub Dependabot security updates also include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. We look at previously-passing CI tests from public repositories where we've generated a given security update to learn whether the update causes tests to fail. An update's compatibility score is the percentage of CI runs that passed when updating between relevant versions of the dependency.
Managing GitHub Dependabot security updates for your repository
You can enable or disable GitHub Dependabot security updates for an individual repository.
GitHub Dependabot security updates require specific repository settings. For more information, see "Supported repositories."
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Security.
- In the security sidebar, click Dependabot alerts.
- Above the list of alerts, use the drop-down menu and select or unselect Dependabot security updates.
Managing GitHub Dependabot security updates for your user account
You can disable GitHub Dependabot security updates for all repositories owned by your user account. If you do, you can still enable GitHub Dependabot security updates for individual repositories owned by your user account.
- In the upper-right corner of any page, click your profile photo, then click Settings.
- In the left sidebar, click Security & analysis.
- To the right of "Dependabot security updates", click Disable all or Enable all.
Managing GitHub Dependabot security updates for your organization
Organization owners can disable GitHub Dependabot security updates for all repositories owned by the organization. If you do, anyone with admin permissions to an individual repository owned by the organization can still enable GitHub Dependabot security updates on that repository.
-
In the top right corner of GitHub, click your profile photo, then click Your profile.
-
On the left side of your profile page, under "Organizations", click the icon for your organization.
-
Under your organization name, click Settings.
-
In the left sidebar, click Organization security.
-
To the right of "Dependabot security updates", click Disable all or Enable all.