Your repository's Dependabot alerts tab lists all open and closed Dependabot alerts and corresponding Dependabot security updates. You can filter alerts by package, ecosystem, or manifest. You can also sort the list of alerts, and you can click into specific alerts for more details. For more information, see "About alerts for vulnerable dependencies."
You can enable automatic security updates for any repository that uses Dependabot alerts and the dependency graph. For more information, see "About Dependabot security updates."
Additionally, GitHub can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would introduce a vulnerability into your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase. For more information, see "Reviewing dependency changes in a pull request."
About updates for vulnerable dependencies in your repository
GitHub generates Dependabot alerts when we detect that your codebase is using dependencies with known vulnerabilities. For repositories where Dependabot security updates are enabled, when GitHub detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.
You can sort and filter Dependabot alerts with the dropdown menus in the Dependabot alerts tab or by typing filters as key:value pairs into the search bar. The available filters are repository (for example, repo:my-repository), package (for example, package:django), ecosystem (for example, ecosystem:npm), manifest (for example, manifest:webwolf/pom.xml), state (for example, is:open), and whether an advisory has a patch (for example, has: patch).
Each Dependabot alert has a unique numeric identifier and the Dependabot alerts tab lists an alert for every detected vulnerability. Legacy Dependabot alerts grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy Dependabot alert, you will be redirected to a Dependabot alerts tab filtered for that package.
Viewing and updating vulnerable dependencies
- On GitHub.com, navigate to the main page of the repository.
- Under your repository name, click Security.

- In the security sidebar, click Dependabot alerts.

- Optionally, to filter alerts, select the Repository, Package, Ecosystem, or Manifest dropdown menu then click the filter that you would like to apply. You can also type filters into the search bar. For example,
ecosystem:npmorhas:patch. To sort alerts, select the Sort dropdown menu then click the option that you would like to sort by.
- Click the alert that you would like to view.

- Review the details of the vulnerability and, if available, the pull request containing the automated security update.
- Optionally, if there isn't already a Dependabot security updates update for the alert, to create a pull request to resolve the vulnerability, click Create Dependabot security update.

- When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see "Managing pull requests for dependency updates."
- Optionally, if the alert is being fixed, if it's incorrect, or located in unused code, select the "Dismiss" drop-down, and click a reason for dismissing the alert.


