dependabot

Today, we're shipping a new filter for the Dependabot alerts list view. In the alerts list view, you can now filter for scope:development or scope:runtime. Alerts for development dependencies also feature a label in the UI.

Dependency scope information will be available for alerts opened on or after June 23, 2022.

Which ecosystems are supported?

The following ecosystems are supported as of June 23, 2022:

For more information, learn more about Dependabot alerts in our documentation.

Dependabot version updates help you keep your dependencies up-to-date by opening pull requests automatically when new versions are available.

With this release, you can now more easily enable and configure Dependabot version updates from your repository’s settings page. Within the "Dependabot" section of the "Code security and analysis" tab, you can choose to enable Dependabot version updates, which will prompt you to create a dependabot.yml config file. If a dependabot.yml file exists, you can access that from the repository settings page.

Note: you still need to configure Dependabot version updates with a dependabot.yml file to enable it.

For more information, learn more about Dependabot version updates and how to configure a dependabot.yml file.

Dependabot will now update @types dependencies alongside their corresponding packages in TypeScript projects.

Before this change, users would see separate pull requests for a package and its corresponding @types package. This could lead to packages and type definitions getting out of sync with one another, and require manual intervention. For example, if a project had dependencies on both jquery and @types/jquery, and a vulnerability triggered Dependabot to update jquery from 3.4.1 to 3.5.0, the package @types/jquery would remain at its original 3.4.x version.

Now, Dependabot can help TypeScript users keep their dependencies and @types packages up-to-date and in sync. When triggered to create an update, Dependabot will check if that package has a corresponding @types package. If so, Dependabot will update both the package and the corresponding @types package in a single PR. Or, if the @types package is no longer needed, that dependency will be removed instead.

The feature is automatically enabled on repositories containing @types packages in the project's devDependencies as listed in package.json. You can disable this behavior by setting the ignore field in your dependabot.yml file to @types/*. Let us know what you think in this feedback discussion.

A new DependabotUpdate GraphQL object connects the relevant repository's Dependabot alert(s) – aka vulnerabilityAlerts – to the Dependabot generated pull request or error.

query($repo_owner:String!, $repo_name:String!) {
  repository(owner: $repo_owner, name: $repo_name) {
    vulnerabilityAlerts(first: 1) {
      nodes {
        dependabotUpdate {
          pullRequest {
            number
            title
          }
        }
      }
    }
  }
}

{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "dependabotUpdate": {
              "pullRequest": {
                "number": 4772,
                "title": "build(deps): bump object-path from 0.11.5 to 0.11.8 in /npm_and_yarn/helpers"
              }
            }
          }
        ]
      }
    }
  }
}

In some cases, Dependabot fails to open a pull request. Previously, the error message that Dependabot generated was only visible in the Dependabot Alerts section of the Security tab.

Now, if Dependabot runs into an error when trying to open a pull request for a Dependabot alert, you can see the error in the API.

query($repo_owner:String!, $repo_name:String!) {
  repository(owner: $repo_owner, name: $repo_name) {
    vulnerabilityAlerts(first: 1) {
      nodes {
        dependabotUpdate {
          pullRequest {
            number
            title
          }
          error {
            title
            body
            errorType
          }
        }
      }
    }
  }
}

{
  "data": {
    "repository": {
      "vulnerabilityAlerts": {
        "nodes": [
          {
            "dependabotUpdate": {
              "pullRequest": null,
              "error": {
                "title": "Dependabot cannot update braces to a non-vulnerable version",
                "body": "The latest possible version of braces that can be installed is `1.8.5`.\n\nThe earliest fixed version is `2.3.1`.",
                "errorType": "security_update_not_possible"
              }
            }
          }
        ]
      }
    }
  }
}

We want your feedback! Let us know how you are using DependabotUpdate and give us your feedback in this GitHub discussion.

See the full API documentation in our GraphQL docs.

Users of Dependabot version updates can now proactively update their dependencies for Flutter or Dart projects which use the pub package manager.

To test version updates on your own Dart or Flutter repo, add the following configuration file in .github/dependabot.yaml:

version: 2
enable-beta-ecosystems: true
updates:
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"

Note the package-ecosystem: "pub" and enable-beta-ecosystems: true flags.

Limitations

Support for pub is in beta, and thus, we are aware of some limitations. For example, security updates are not supported in this release but will be in the future.

Other known limitations:

• No support for updating git-dependencies
• If the version found is ignored (by dependabot config) no update will happen (even if, an earlier version could be used)
• No support for private package repositories

We want your feedback! Please open or vote on a comment in this discussion. You can get help troubleshooting by opening an issue on dependabot-core.

Special thanks to the Dart team for collaborating with us to make this happen.

You can now reopen dismissed Dependabot alerts through the UI page for a closed alert.

This update will not affect Dependabot pull requests or the GraphQL API.

For more information, see our documentation for Dependabot alerts.

Today, we’re shipping improvements to Dependabot alerts that help you more easily understand and remediate vulnerabilities from dependencies in your codebase.

Persisted Dependabot alerts

Developers can now view alerts that have been fixed in the Dependabot alerts UI.

Included changes:

• Starting today, fixed Dependabot alerts will now persist and continue to appear under the “closed” tab in the UI
• All individual alerts now have unique numeric identifiers.

Ungrouped alerts

Previously, Dependabot alerts displayed multiple security advisories grouped by package. Dependabot alerts will now represent a single advisory, rather than being grouped by package.

Included changes:

• Alerts are now displayed individually (one per advisory and manifest)
• Previous alert details pages will redirect to a filtered list view by the package name
• Alert titles will now be more useful to developers and show information about the advisory, rather than just the package name.

This update will not affect Dependabot alert email digests or notifications, Dependabot pull requests, or the GraphQL API.

Learn more about the improvements we’re making to Dependabot alerts in our latest blog post, or read our documentation.