Sometimes, Dependabot security updates can't create a pull request for you because any update we could make would break the requirements of another package that you depend on. When this happens, Dependabot will now tell you the latest version of your package that you can install and the earliest version that contains the security fix. Soon, it will also tell you the name of the blocking package.
We have updated how webhooks on repositories, organizations, and apps can be configured via the API. We have a new configuration resource for full or partial updates to any or all attributes of a webhook. The endpoint can also be used to read the configuration.
Also, webhooks now send a header with a SHA-256 hash of the request body if the webhook is configured with an HMAC key in the optional "secret" field. Developers verifying the authenticity of a webhook should use the SHA-256 signature because it is a more modern cryptographic hash function. SHA-1 is still retained for backwards compatibility with existing integrations, but should not be used for security purposes to verify cryptographic identity due to known collisions. See the documentation for the new delivery headers for more information.