dependabot

Removing the security vulnerability banner

The yellow banner stating "We found potential security vulnerabilities in your dependencies" is being removed. Please use the "Security" alert count in your repository navigation as an indicator for when your repository has Dependabot alerts. You can also adjust your notifications settings to opt-in to email and web notifications, as well as email digests for your Dependabot alerts.

About this change

We've been working to steadily improve our security alert notifications and indicators. As part of our notifications strategy, we are removing this legacy banner.

Available alert notifications and indicators

Today, when Dependabot detects a dependency-based vulnerability, Dependabot lets you know based on your user notifications settings and repository watching settings. You can opt to receive:

• Web-based notifications on alerts in your GitHub inbox
• Email based notifications on alerts
• Email digests (weekly or daily roll-ups of alerts).

From the UI, you can also use the "Security" alert count in your repository navigation as an indicator for when your repository has alerts. This Security tab includes the count for all active Dependabot alerts, code scanning alerts, secret scanning alerts, and any security advisories that you have permissions to view.

Learn more about GitHub Advanced Security, Dependabot alerts, and configuring notifications for alerts.

Dependabot now supports updates to Python dependencies for pyproject.toml files that follow the PEP 621 standard for our supported Python package managers.

Learn more about Dependabot's supported ecosystems and package managers.

Dependabot now supports now supports the increase-if-necessary versioning strategy for the Python ecosystem.

This allows you to reduce Dependabot version updates when your current dependency requirement is already satisfied by a new version.

Learn more about configuring versioning strategies in your dependabot.yml file.

Dependabot has added support for updating dependencies in Yarn v2 and Yarn v3 manifests (package.json, and yarn.lock files). This is in addition to the existing support for Yarn v1. There is no action required for existing repositories where Dependabot security updates is enabled, however, if you would like to receive proactive updates with Dependabot version updates, you should add configuration for the npm ecosystem to your dependabot.yml file.

For more information:

• Configuring Dependabot version updates
• Dependabot supported ecosystems and package managers

We’ve been responding to your feedback – here’s a recap of some changes recently made to Dependabot alerts.

• Dependabot Alerts details pages now auto-magically refresh after PR generation attempts are completed, rather than spinning forever
• Alerts are more accurately mapped to Dependabot pull requests
• Labels in the Dependabot Alerts row page now act as filters
• You can now suggest improvements to an advisory directly from the alert details page (shown below).

Let us know of other improvements you’d like to see in our GitHub community discussion page.

When resolving security alerts for vulnerable transitive npm dependencies, it is possible that updating a direct dependency will remove the vulnerable transitive dependency from the tree. Dependabot can now resolve these security alerts by creating a pull request that removes the unnecessary transitive dependency.

You can now programmatically view and act on Dependabot alerts via the REST API. New endpoints to view, list, and update Dependabot alerts are available in a public beta.

For more information, see Dependabot alerts in the REST API reference or learn more about Dependabot alerts in our documentation.

Your GitHub repositories with Dependabot alerts enabled and Dependabot security updates enabled will automatically generate Dependabot pull requests for vulnerable npm transitive dependencies.

Previously, Dependabot couldn't generate a security update for a transitive dependency when its parent dependency required incompatible specific version range. In this locked state, developers had to manually upgrade the parent and transitive dependencies.

Now, Dependabot will be able to create pull requests for npm projects that upgrade both the parent and child dependencies together.

For example, if a vulnerability for the transitive dependency node-forge triggers a Dependabot alert and allows a PR to be created:

Prior to this change Dependabot would fail to create a Dependabot security update for transitive dependencies 😕. But not anymore! 😁 Now, Dependabot will unlock the node-forge security update by bumping the parent webpack-dev-server version in addition to patching the `node-forge dependency within the same Pull Request!

This change will apply to pull requests generated by Dependabot that update vulnerable npm packages.

Dependabot alerts users can now add an optional comment when dismissing an alert. These comments (maximum 280 characters) are viewable in the alert timeline and via the new dismissComment field in the GraphQL API.

Learn more about Dependabot alerts and the GraphQL API.

Dependabot alerts listed at the organization level are now easier to prioritize with the new "Most Important" sort, which released recently for the repository list view of Dependabot alerts.

Learn more about Dependabot alerts and the Security overview.

Dependabot alerts will now show more information on an alert's activity. In the details page for a Dependabot alert, you will see a timeline of events (e.g. opened, fixed, reopened). Events will also show additional metadata when available, like relevant pull requests.

For more information, see our documentation for Dependabot alerts.

Dependabot alerts will now be easier to prioritize with a new “Most Important” sort. For the alerts repository list view, by default, alerts will be sorted in a way to help you determine which alerts matter most. You will still be able to access additional sort options, like sort by Newest, CVSS severity, and Manifest path in the UI.

This “Most Important” sort considers CVSS score as the primary factor, along with additional factors across vulnerability impact (potential risk), relevancy, and actionability (how easy the vulnerability is to fix). For example, when supported, this sort calculation takes into consideration whether you’re calling a vulnerable function, as well as dependency scope (e.g. if an alert is a devDependency). This calculation will be improved over time.

This functionality will not affect Dependabot pull requests, the org-level list view of Dependabot alerts, or the GraphQL API.

For more information, see our documentation for Dependabot alerts.

When using the GraphQL API, you can now filter Dependabot alerts by the scope of the dependency affected. The possible scopes are DEVELOPMENT or RUNTIME.

Dependency scope information is available for alerts opened on or after June 23, 2022, and can also be viewed in the Dependabot alerts UI as of last week.

For more information, see Dependabot alerts in the GraphQL API reference or learn more about Dependabot alerts in our documentation.

Today, we're shipping a new filter for the Dependabot alerts list view. In the alerts list view, you can now filter for scope:development or scope:runtime. Alerts for development dependencies also feature a label in the UI.

Dependency scope information will be available for alerts opened on or after June 23, 2022.

Which ecosystems are supported?

The following ecosystems are supported as of June 23, 2022:

For more information, learn more about Dependabot alerts in our documentation.