GitHub Action for dependency review enforcement

April 6, 2022

A new GitHub Action enforces dependency reviews on PRs by scanning for dependencies and warning you about any associated security vulnerabilities. This is supported by a new API endpoint that diffs the dependencies between any two revisions.

The dependency review action is available for use in public repositories. The action is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.

Learn more about dependency review enforcement.

pub beta support for Dependabot version updates

April 5, 2022

Users of Dependabot version updates can now proactively update their dependencies for Flutter or Dart projects which use the pub package manager.

To test version updates on your own Dart or Flutter repo, add the following configuration file in .github/dependabot.yaml:

version: 2
enable-beta-ecosystems: true
updates:
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"

Note the package-ecosystem: "pub" and enable-beta-ecosystems: true flags.

Limitations

Support for pub is in beta, and thus, we are aware of some limitations. For example, security updates are not supported in this release but will be in the future.

Other known limitations:

No support for updating git-dependencies
If the version found is ignored (by dependabot config) no update will happen (even if, an earlier version could be used)
No support for private package repositories

We want your feedback! Please open or vote on a comment in this discussion. You can get help troubleshooting by opening an issue on dependabot-core.

Special thanks to the Dart team for collaborating with us to make this happen.

See more See more

GitHub Action for dependency review enforcement

Secret scanning webhooks for alert locations

pub beta support for Dependabot version updates

Limitations

Subscribe to The GitHub Insider