Implement GitHub Dependabot alerts and security updates

Completed

Alerts

GitHub Dependabot detects vulnerable dependencies and sends Dependabot alerts about them in several situations:

  • A new vulnerability is added to the GitHub Advisory Database.
  • New vulnerability data from Mend is processed.
  • The dependency graph for a repository changes.

Dependabot alerts are enabled by default for public repositories and can be enabled for other repositories.

Notifications can be sent via standard GitHub notification mechanisms.

For more information on Dependabot alerts, see About alerts for vulnerable dependencies.

See Supported package ecosystems for the package ecosystems for which alerts can be generated.

For notification details, see Configuring notifications.

Security updates

A key advantage of Dependabot security updates is that they can automatically create pull requests.

A developer can then review the suggested update and triage what is required to incorporate it.
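The triage step above is where a team decides which alerts to act on first. The following is an added example, not part of this task page or of GitHub's own tooling: it takes a list of alert records and orders them for review (most severe first; among equal severity, alerts that already have a patched version first, since those can be closed by merging the security-update pull request). The records are constructed sample data, and their field layout is assumed to follow the shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/dependabot/alerts`; package names and GHSA ids are placeholders, not real advisories.

```python
# Added example (not from the original task page): offline triage of a list of
# Dependabot alert records. The records below are CONSTRUCTED sample data; the
# field layout is an assumption modelled on GitHub's REST endpoint
# GET /repos/{owner}/{repo}/dependabot/alerts. Package names and GHSA ids are
# placeholders and do not refer to real advisories.
import json

# Lower rank = handle first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

SAMPLE_ALERTS_JSON = """
[
  {"number": 3, "state": "open",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-http-client"},
                  "manifest_path": "package-lock.json"},
   "security_advisory": {"ghsa_id": "GHSA-0000-0000-0003", "cve_id": null,
                         "summary": "constructed sample advisory", "severity": "high"},
   "security_vulnerability": {"vulnerable_version_range": "< 2.4.1",
                              "first_patched_version": {"identifier": "2.4.1"}}},
  {"number": 4, "state": "open",
   "dependency": {"package": {"ecosystem": "pip", "name": "example-template-engine"},
                  "manifest_path": "requirements.txt"},
   "security_advisory": {"ghsa_id": "GHSA-0000-0000-0004", "cve_id": null,
                         "summary": "constructed sample advisory", "severity": "high"},
   "security_vulnerability": {"vulnerable_version_range": "<= 1.2.0",
                              "first_patched_version": null}},
  {"number": 5, "state": "open",
   "dependency": {"package": {"ecosystem": "pip", "name": "example-yaml"},
                  "manifest_path": "requirements.txt"},
   "security_advisory": {"ghsa_id": "GHSA-0000-0000-0005", "cve_id": null,
                         "summary": "constructed sample advisory", "severity": "critical"},
   "security_vulnerability": {"vulnerable_version_range": "< 6.0.1",
                              "first_patched_version": {"identifier": "6.0.1"}}},
  {"number": 2, "state": "dismissed",
   "dependency": {"package": {"ecosystem": "maven", "name": "example-crypto"},
                  "manifest_path": "pom.xml"},
   "security_advisory": {"ghsa_id": "GHSA-0000-0000-0002", "cve_id": null,
                         "summary": "constructed sample advisory", "severity": "medium"},
   "security_vulnerability": {"vulnerable_version_range": "< 1.9.0",
                              "first_patched_version": {"identifier": "1.9.0"}}},
  {"number": 7, "state": "open",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-logger"},
                  "manifest_path": "package-lock.json"},
   "security_advisory": {"ghsa_id": "GHSA-0000-0000-0007", "cve_id": null,
                         "summary": "constructed sample advisory", "severity": "low"},
   "security_vulnerability": {"vulnerable_version_range": "< 1.0.3",
                              "first_patched_version": {"identifier": "1.0.3"}}}
]
"""


def load_alerts(raw_json):
    """Parse a JSON list of alert records."""
    return json.loads(raw_json)


def patched_version(alert):
    """Return the first patched version string, or None when no fix exists yet."""
    fix = alert["security_vulnerability"].get("first_patched_version")
    return fix["identifier"] if fix else None


def prioritise(alerts):
    """Open alerts only, most severe first; among equal severity, alerts with a
    patched version come first (a security-update PR can close them), then by number."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    return sorted(open_alerts, key=lambda a: (
        SEVERITY_RANK.get(a["security_advisory"]["severity"], 99),
        0 if patched_version(a) else 1,
        a["number"]))


def summarise(alerts):
    """Count open alerts per severity, e.g. {'critical': 1, 'high': 2}."""
    counts = {}
    for a in prioritise(alerts):
        sev = a["security_advisory"]["severity"]
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def triage_lines(alerts):
    """One human-readable line per open alert, in priority order."""
    lines = []
    for a in prioritise(alerts):
        pkg = a["dependency"]["package"]
        sev = a["security_advisory"]["severity"]
        fix = patched_version(a)
        action = (f"upgrade to {fix}" if fix
                  else "no patched version yet: assess exposure and mitigate")
        lines.append(f"#{a['number']} {sev} {pkg['name']} ({pkg['ecosystem']}) "
                     f"{a['security_advisory']['ghsa_id']}: {action}")
    return lines


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    print(summarise(alerts))
    print("\n".join(triage_lines(alerts)))
```

Dismissed alerts are left out of the ordering on purpose; a dismissal is a recorded decision, and re-listing it would bury the open items. Alerts without a patched version stay in the list because Dependabot cannot open a pull request for them, so they need a manual decision rather than a merge.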

For more information on automatic security updates, see About GitHub Dependabot security updates.