
A quieter Dependabot

When a vulnerability is added to the GitHub Advisory Database, the resulting Dependabot alert and security update notifications can be noisy. To help you focus on what matters, we've made a few changes to how Dependabot notifies you:

You can learn more about configuring your Dependabot notifications in our documentation.

We have updated how webhooks on repositories, organizations, and apps can be configured via the API. There is now a dedicated configuration resource that supports full or partial updates to any or all attributes of a webhook's configuration, and the same endpoint can be used to read the current configuration.

Also, when a webhook has a value in the optional "secret" field, each delivery now carries a header containing an HMAC-SHA256 of the request body keyed with that secret. Integrations that verify the authenticity of a delivery should check the SHA-256 signature, since SHA-256 is the more modern hash function. The SHA-1 header is still sent for backwards compatibility with existing integrations, but SHA-1 has known collisions and should not be relied on to verify the sender in new code. In either case, compute the HMAC over the raw request bytes as received (not over a re-serialised copy of the JSON) and compare it to the header value with a constant-time comparison. See the documentation for the new delivery headers for more information.
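As an added example that is not part of the original changelog entry, the following Python shows how a receiver verifies the SHA-256 signature described above. It uses the header name GitHub documents for the new signature, X-Hub-Signature-256 (value "sha256=" followed by the hex HMAC), and the legacy X-Hub-Signature header ("sha1=..."). The secret and request body are constructed sample values, and the function names are this example's own, not part of any GitHub library. The receiver refuses deliveries that carry only the SHA-1 header rather than silently downgrading.

```python
import hashlib
import hmac

# Header names GitHub attaches to deliveries (per the GitHub webhook docs).
SIG256_HEADER = "X-Hub-Signature-256"
SIG1_HEADER = "X-Hub-Signature"


def compute_signature_256(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + hex(HMAC-SHA256(secret, body))."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def compute_signature_1(secret: bytes, body: bytes) -> str:
    """Legacy value in X-Hub-Signature ('sha1=' + hex(HMAC-SHA1)); shown only to
    demonstrate that the verifier below ignores it."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify_delivery(secret: bytes, headers: dict, body: bytes) -> bool:
    """Accept a delivery only if its SHA-256 HMAC header matches the raw body.

    - `body` must be the exact bytes received on the wire; re-serialising the
      JSON would change whitespace or key order and break the HMAC.
    - A delivery that carries only the legacy SHA-1 header is rejected, so a
      downgrade to SHA-1 is not possible.
    - hmac.compare_digest avoids leaking the position of the first mismatch
      through timing.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(SIG256_HEADER.lower())
    if not presented or not presented.startswith("sha256="):
        return False
    expected = compute_signature_256(secret, body)
    return hmac.compare_digest(expected, presented)


# Constructed sample data (hypothetical secret and payload, not real values).
SAMPLE_SECRET = b"constructed-example-secret"
SAMPLE_BODY = b'{"action":"opened","number":1,"repository":{"full_name":"example/repo"}}'


def demo() -> dict:
    """Run the verifier against a few constructed deliveries and return the outcomes."""
    good = compute_signature_256(SAMPLE_SECRET, SAMPLE_BODY)
    legacy = compute_signature_1(SAMPLE_SECRET, SAMPLE_BODY)
    return {
        # Correct SHA-256 header, exact body: accepted.
        "valid": verify_delivery(SAMPLE_SECRET, {SIG256_HEADER: good}, SAMPLE_BODY),
        # Same header, lowercase name (as some frameworks present it): accepted.
        "lowercase_header": verify_delivery(
            SAMPLE_SECRET, {SIG256_HEADER.lower(): good}, SAMPLE_BODY),
        # Body altered by one byte after signing: rejected.
        "tampered_body": verify_delivery(
            SAMPLE_SECRET, {SIG256_HEADER: good}, SAMPLE_BODY + b" "),
        # Only the legacy SHA-1 header present: rejected, no downgrade.
        "sha1_only": verify_delivery(SAMPLE_SECRET, {SIG1_HEADER: legacy}, SAMPLE_BODY),
        # Signed with a different secret: rejected.
        "wrong_secret": verify_delivery(
            b"other-secret", {SIG256_HEADER: good}, SAMPLE_BODY),
        # No signature header at all: rejected.
        "missing_header": verify_delivery(SAMPLE_SECRET, {}, SAMPLE_BODY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

In a real handler, read the body with the framework's raw-bytes accessor before any JSON parsing, and load the secret from configuration rather than embedding it; the secret in the block exists only so the example runs offline.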


Sometimes, Dependabot security updates can't create a pull request for you because any update we could make would break the requirements of another package that you depend on. When this happens, Dependabot will now tell you the latest version of your package that you can install and the earliest version that contains the security fix. Soon, it will also tell you the name of the blocking package.
