Understand your software’s supply chain with GitHub’s dependency graph
The GitHub dependency graph maps every direct and transitive dependency in your project, so you can identify risks, prioritize fixes, and keep your code secure.
Home / Dependabot
Dependabot
Cutting through the noise: How to prioritize Dependabot alerts
Learn how to effectively prioritize alerts using severity (CVSS), exploitation likelihood (EPSS), and repository properties, so you can focus on the most critical vulnerabilities first.
How we’re making security easier for the average developer
Security should be native to your workflow, not a painful separate process.
Video: How to run dependency audits with GitHub Copilot
Learn to automate dependency management using GitHub Copilot, GitHub Actions, and Dependabot to eliminate manual checks, improve security, and save time for what really matters.
Dependabot on GitHub Actions and self-hosted runners is now generally available
A quick guide on the advantages of Dependabot as a GitHub Actions workflow and the benefits this unlocks, including self-hosted runner support.
Do you know if all your repositories have up-to-date dependencies?
Consider deploying the GitHub Action: Evergreen so that you know each of your repositories are leveraging active dependency management with Dependabot.
Introducing auto-triage rules for Dependabot
Make quick work of alerts with preset and custom rules.
A faster way to manage version updates with Dependabot
Now, you can group multiple version updates in a single pull request.
Dependabot relieves alert fatigue from npm devDependencies
A new alert rules engine for Dependabot leverages alert metadata to identify and auto-dismiss up to 15% of alerts as false positives.
3 ways to meet compliance needs without slowing down agility
Learn how to enable developer productivity and collaboration while staying secure and compliant. Stay compliant without slowing down your business. From security to CI/CD, automate every step of your software workflow—so your developers can stay focused on what matters most: building.
Unlocking security updates for transitive dependencies with npm
How Dependabot integrated with npm to address security vulnerabilities on transitive dependencies and increase the likelihood of success for JavaScript security updates by 40%.
Dependabot alerts are now visible to more developers
Default settings will allow developers with write and maintain access to see and resolve Dependabot alerts.
A smarter, quieter Dependabot
Dependabot is getting a little smarter—and, a little quieter—by reducing bot-based noise from repositories based on your interaction with Dependabot.
Release Radar · November 2022 Edition
We promised we’d be back soon and here we are! There has been an incredible amount of open source projects shipping major version releases before the year wraps up. I…
5 tips for prioritizing Dependabot alerts
Dependabot alerts can give you the ability to secure your project by keeping dependency-based vulnerabilities out of your code. Here are some tips to more efficiently prioritize and take action on your alerts, so you can get back to building.
The world's largest developer platform
GitHub
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
GitHub Universe 2025
Last chance: Save $700 on your IRL pass to Universe and join us on Oct. 28-29 in San Francisco.