Your GitHub repositories with Dependabot alerts enabled and Dependabot security updates enabled will automatically generate Dependabot pull requests for vulnerable npm transitive dependencies.

Previously, Dependabot couldn't generate a security update for a transitive dependency when its parent dependency required incompatible specific version range. In this locked state, developers had to manually upgrade the parent and transitive dependencies.

Now, Dependabot will be able to create pull requests for npm projects that upgrade both the parent and child dependencies together.

For example, if a vulnerability for the transitive dependency node-forge triggers a Dependabot alert and allows a PR to be created:

2 generated security update white bg

Prior to this change Dependabot would fail to create a Dependabot security update for transitive dependencies :confused:. But not anymore! 😀 Now, Dependabot will unlock the node-forge security update by bumping the parent webpack-dev-server version in addition to patching the `node-forge dependency within the same Pull Request!

3 update PR white bg

This change will apply to pull requests generated by Dependabot that update vulnerable npm packages.