Some dependency vulnerabilities require more than a version bump—they need code changes across your project. You can now assign Dependabot alerts to AI coding agents, including Copilot, Claude, and Codex, to analyze the vulnerability and open a draft pull request with a proposed fix.

How it works

From the Dependabot alert detail page, select Assign to Agent and then choose the coding agent you want (Copilot, Claude, or Codex). The assigned agent will:

  1. Analyze the alert, including the advisory details and your repository’s dependency usage.
  2. Open a draft pull request with a proposed fix.
  3. Attempt to resolve any test failures introduced by the update.

You can assign multiple agents to the same alert. Each agent works independently and opens its own draft pull request, letting you compare approaches.

Tackle complex dependency updates with coding agents

Dependabot security updates already automatically open pull requests to upgrade vulnerable dependencies to the nearest patched version. For many alerts, that’s all you need: merge the pull request and move on.

However, some dependency updates aren’t that simple. A major version upgrade can introduce breaking API changes, deprecated method calls, or incompatible type signatures that require code modifications across your project. That’s where coding agents come in. Dependabot handles the version bump, and a coding agent can pick up where Dependabot leaves off:

  • Fixing breaking changes: When a dependency update breaks your build or tests, the agent can analyze the failures, identify the root cause, and propose code changes to resolve them.
  • Package downgrades: When a dependency is compromised or contains malware and no patched version is available, the agent can downgrade to the last known safe version.
  • Creating complex pull requests: For complex update scenarios that fall outside Dependabot’s rule-based engine, a coding agent can generate a pull request to address the vulnerability.

Both tools work together: Dependabot automatically keeps your dependencies current, and coding agents help tackle the fixes that require deeper analysis.

Always review agent output

AI-generated fixes are not always correct. Coding agents can produce incomplete patches, miss edge cases, or suggest changes that introduce new issues. Always review the pull request, verify that tests pass, and confirm the fix is appropriate before merging.

Who can use this feature?

Assigning Dependabot alerts to coding agents requires GitHub Code Security and a Copilot plan that includes coding agent access. This feature is available on github.com.

Try it now

Open any Dependabot alert in your repository and select Assign to Agent to get started.

Learn more about managing Dependabot alerts and assigning alerts in the documentation.

Join the discussion within GitHub Community.