Sometimes, Dependabot security updates can't create a pull request for you because any update we could make would break the requirements of another package that you depend on. When this happens, Dependabot will now tell you the latest version of your package that you can install and the earliest version that contains the security fix. Soon, it will also tell you the name of the blocking package.
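The situation described above can be reproduced with a small resolver check. This is an added example, not Dependabot's own code: the package names, versions, constraint syntax and the `explain_blocked_update` helper are all constructed for illustration, and it assumes plain dotted numeric versions.

```python
import re

def parse(v):
    """Turn '1.4.1' into a comparable tuple (1, 4, 1)."""
    return tuple(int(p) for p in v.split("."))

OPS = {
    "<":  lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">":  lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}

def satisfies(version, constraint):
    """Check a version against a comma-separated constraint like '>=1.2.0,<2.0.0'."""
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        if not OPS[m.group(1)](parse(version), parse(m.group(2))):
            return False
    return True

def explain_blocked_update(available, patched_constraint, blockers):
    """available: published versions of the vulnerable dependency.
    patched_constraint: versions that contain the security fix.
    blockers: {package name: constraint it places on the dependency}."""
    ordered = sorted(available, key=parse)
    installable = [v for v in ordered
                   if all(satisfies(v, c) for c in blockers.values())]
    fixed = [v for v in ordered if satisfies(v, patched_constraint)]
    return {
        "latest_installable": installable[-1] if installable else None,
        "earliest_fixed": fixed[0] if fixed else None,
        "update_possible": any(v in fixed for v in installable),
        # A package blocks the update when its constraint excludes every fixed version.
        "blocking": sorted(name for name, c in blockers.items()
                           if not any(satisfies(v, c) for v in fixed)),
    }

# Constructed sample: a hypothetical "web-framework" pins the dependency below 2.0.0.
RESULT = explain_blocked_update(
    available=["1.2.0", "1.3.0", "1.4.1", "2.0.0", "2.1.0"],
    patched_constraint=">=2.0.0",
    blockers={"web-framework": ">=1.2.0,<2.0.0", "logger": ">=1.0.0"},
)
```

When `update_possible` is false, the gap between `latest_installable` and `earliest_fixed` is the range the blocking package has to open up before a security update can be applied.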
When a vulnerability is added to the GitHub Advisory Database, the resulting Dependabot alert and security update notifications can be noisy. To help you focus on what matters, we've made a few changes to how Dependabot notifies you:
- You'll no longer be notified about the creation of Dependabot security update pull requests unless you're watching the repository where the pull request is created. To configure which repositories you are watching, see our documentation.
- You'll no longer receive email and web notifications for Dependabot alerts for Low- and Moderate-severity vulnerabilities. You'll still be able to see these alerts in your repository's Security tab, and if you have Dependabot security updates enabled, Dependabot will still create security update pull requests for them.
You can learn more about configuring your Dependabot notifications in our documentation.