Dependabot security updates now support the GitHub Actions ecosystem, making it easier for you to fix vulnerable GitHub Actions dependencies. With security updates enabled, Dependabot will automatically raise a pull request to update vulnerable GitHub Actions used in your workflows to the minimum patched version.
Repository archive date now shown in UI
In a small but frequently requested improvement, GitHub now shows the date that an archived repository was put into read-only mode to indicate it is no longer actively maintained.
Previously, you could see that a repo was in the 'archived' state and probably infer from the commit log when it last saw activity, but the actual date the archiving happened was not surfaced anywhere. Now there's a date included in the "this repo is read-only" banner at the top of the repository view.
Repositories archived prior to November 9th, 2022, will display a more generic message.
Dependabot expands its existing Hex private registry support beyond Hex organizations by adding support for self-hosted Hex repositories. You can configure your self-hosted Hex package repository as a private registry for use with Dependabot version updates. Special thanks to @sorentwo for their contribution to Dependabot!
Learn more about configuring Dependabot version updates and its supported ecosystems and package managers.
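As an added illustration (not part of the original announcement), a `.github/dependabot.yml` that registers a self-hosted Hex repository as a private registry and uses it for `mix` version updates might look like the following. The registry label, repo name, URL and secret names are placeholders chosen for this example.

```yaml
# .github/dependabot.yml
version: 2

registries:
  internal-hex:                      # placeholder label, referenced under "updates" below
    type: hex-repository             # self-hosted Hex repository (not a Hex organization)
    repo: internal_repo              # placeholder: the repo name your Mix dependencies reference
    url: https://hex.internal.example.com    # placeholder URL of the self-hosted repository
    # Keep the credential in a Dependabot secret, never inline in this file.
    auth-key: ${{ secrets.HEX_REPO_AUTH_KEY }}
    # Fingerprint of the repository's public key, so packages are only
    # trusted if they come from the expected repository.
    public-key-fingerprint: ${{ secrets.HEX_REPO_PUBLIC_KEY_FINGERPRINT }}

updates:
  - package-ecosystem: "mix"
    directory: "/"                   # location of mix.exs
    registries:
      - internal-hex                 # grant this update job access to the registry above
    schedule:
      interval: "weekly"
```

The secrets referenced here are Dependabot secrets, which are stored separately from GitHub Actions secrets, and only the registries listed under an `updates` entry are made available to that update job.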