dependabot

Subscribe to all “dependabot” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

This release adds support for viewing fixed alerts to the GraphQL API. This update also adds the ability to access and filter by state, as well as access unique numeric identifier.

The additions include these new fields to a RepositoryVulnerabilityAlert:

  • number
  • fixed_at
  • fix_reason
  • state

And we're adding the ability to filter by state on the vulnerability alert object.

For more information, see Dependabot alerts in the GraphQL API reference.

See more

Today, we’re shipping improvements to Dependabot alerts that help you more easily understand and remediate vulnerabilities from dependencies in your codebase.

Persisted Dependabot alerts

Developers can now view alerts that have been fixed in the Dependabot alerts UI.

Included changes:

  • Starting today, fixed Dependabot alerts will now persist and continue to appear under the “closed” tab in the UI
  • All individual alerts now have unique numeric identifiers.

Ungrouped alerts

Previously, Dependabot alerts displayed multiple security advisories grouped by package. Dependabot alerts will now represent a single advisory, rather than being grouped by package.

Included changes:

  • Alerts are now displayed individually (one per advisory and manifest)
  • Previous alert details pages will redirect to a filtered list view by the package name
  • Alert titles will now be more useful to developers and show information about the advisory, rather than just the package name.

This update will not affect Dependabot alert email digests or notifications, Dependabot pull requests, or the GraphQL API.

Learn more about the improvements we’re making to Dependabot alerts in our latest blog post, or read our documentation.

See more

You can now reference local reusable workflows more easily. With this release, reusable workflows that are in the same repository as the calling repository can be referenced with just the path and filename: {path}/{filename}.

For example:

jobs:
  call-workflow-in-local-repo:
    uses: ./.github/workflows/workflow-2.yml

When referenced this way, the called workflow will be from the same commit as the caller workflow.

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap

See more

Starting 12-09-2021, GitHub Actions workflows triggered by Dependabot for the create, deployment, and deployment_status events will always receive a read-only token and no secrets.

Starting 12-09-2021, GitHub Actions workflows triggered by Dependabot for the pull_request_target event on pull requests where the base ref was created by Dependabot will always receive a read-only token and no secrets.

Both changes are designed to prevent potentially malicious code from executing in a privileged workflow.

Learn more about using Actions and Dependabot together

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap

See more

GitHub Actions workflows triggered by Dependabot will now be sent the Dependabot secrets.

This change will enable you to pull from private package registries in your CI using the same secrets you have configured for Dependabot to use and will improve how Actions and Dependabot work together.

Learn more about using Actions and Dependabot together

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap

See more

In March we made a change in GitHub Actions that forced workflows triggered by Dependabot to run with a read-only token. This change was made to protect your repositories from potentially malicious dependencies in the same way we prevent pull requests from forks from having privileged access to your repository. We received a lot of feedback from you on how this impacted your workflows and while it was great to be in a safe configuration by default, you wanted to have the option to continue working as you had prior to this change.

In April we introduced the permissions key in the Actions workflow config which enables you to control which permissions are given to a particular workflow or job.

Starting October 11, 2021 workflow runs on push and pull_request events triggered by Dependabot will begin to respect the permissions specified in your workflows putting you back in control of how you manage automatic dependency updates. The default token permissions will remain read-only.

In addition to the permissions change we are working to enable workflows triggered by Dependabot to use Dependabot secrets. This change will enable you to use those secrets to pull dependencies from private repositories.

Learn more about the permissions key in Actions workflows

For questions, visit the GitHub Actions community

To see what's next for Actions, visit our public roadmap

See more

As announced in April, Dependabot Preview is shutting down today, as it has been replaced by GitHub-native Dependabot.

To keep getting pull requests that update your packages, upgrade to GitHub-native Dependabot by merging the “Upgrade to GitHub-native Dependabot” pull request in your repository. This pull request, as well as any pull requests from the Dependabot Preview bot will remain open, but the bot itself will no longer work on your GitHub accounts and organizations.

If you have any questions or need help migrating, please contact GitHub Support.

Learn more about Dependabot in our documentation, or visit our public roadmap to see what’s next for Dependabot.

See more

Unless a specific time is provided, Dependabot version updates run at 5AM UTC daily, weekly, or monthly; however, this results in large usage spikes that slow down updates for everyone.

Starting today, we no longer schedule unspecified updates at the same time. Instead, each repository is assigned a time at random, and all updates in that repository will start at that time. If you want to specify a different time for updates to begin, you can use the schedule.time and schedule.timezone properties on each update.

As an example, this config resets the /frontend/package.json to run at 5AM UTC, while specifying /backend/package.json to run at 13:30 Pacific:

updates:
- package-ecosystem: "npm"
  directory: "/frontend"
  schedule:
    interval: "daily"
    time: "05:00"
    timezone: "UTC"
- package-ecosystem: "npm"
  directory: "/backend"
  schedule:
    interval: "daily"
    time: "13:30"
    timezone: "America/Los_Angeles"

Learn more about configuring schedules for Dependabot version updates.

To see what's next for Dependabot, visit the public roadmap.

See more

Dependabot version updates now have the ability to ignore major, minor, or patch updates for a specific dependency or set of dependencies. For instance, you can use this feature to quiet noisy dependencies or easily avoid major version bumps across multiple dependencies.

You can ignore semver updates by modifying the ignore configuration option to ignore one or more update-types:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      # ignore all GitHub linguist patch updates
      - dependency-name: "github-linguist"
        update-types: ["version-update:semver-patch"]

Note: this feature only applies to version updates. If you have security updates enabled, you will still get pull requests updating you to the minimum patched version.

Learn more about Dependabot ignore conditions.

To see what's next for Dependabot, visit the public roadmap.

See more

Millions of repos use Dependabot to keep their dependencies up to date, either by updating when a Dependabot alert lets them know about a vulnerable dependency (security updates), or on a fixed schedule (version updates). Dependabot security updates have been generally available for over a year, and it's time that version updates join them in general availability.

Dependabot version updates extend the functionality provided by security updates by creating pull requests updating all configured dependencies to their latest versions, staying ahead of potential security vulnerabilities. You can configure it to update selected ecosystems on your schedule, including or excluding desired dependencies.

Thanks to all Dependabot users who have filed issues, provided feedback, and helped us achieve this milestone.

Learn more about Dependabot version updates.

To see what's next for Dependabot, visit the public roadmap.

See more

We now group multiple Dependabot alerts together if they're discovered at the same time. This significantly reduces the volume of Dependabot alert notifications that users receive.

A user with admin permissions to a repository or who has been granted access to a repository's Dependabot alerts will receive a notification regarding Dependabot alerts when:

  • Dependabot is first enabled on a repository.
  • Vulnerable dependencies are added to a repository.
  • A new vulnerability is discovered and added to GitHub's Advisory Database. This will send a notification including all repositories in an organization.

The new notification format is automatically enabled for repositories where you receive Dependabot alert notifications. These apply to email, web, and mobile notifications.

Learn more about configuring your Dependabot alert notifications

See more

Dependabot can now access dependencies from authenticated private registries, such as GitHub Packages, Azure Artifacts, and Artifactory. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. With this release, Dependabot version updates can help keep inner source as up-to-date as open source.

To enable this feature, add a registries section to your dependabot.yml, reference your new registries in the relevant updates, and add any secrets to Dependabot’s secret store. For example, here’s how to use GitHub Packages with Dependabot:

registries:
  npm-ghp-octocat:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.GITHUB_PERSONAL_ACCESS_TOKEN}} # make sure to store this in your Dependabot secrets!

updates:
    package-ecosystem: npm
    directory: "/"
    registries: 
      - npm-ghp-octocat
    schedule:
      interval: daily

This complements your ability to give Dependabot version updates access to private repositories, which is common for ecosystems like go modules and npm.

Learn more about Dependabot version updates

To see what’s next for Dependabot, visit the public roadmap

See more