{"meta":{"title":"About Dependabot security updates","intro":"Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/concepts","title":"Concepts"},{"href":"/en/code-security/concepts/supply-chain-security","title":"Supply chain security"},{"href":"/en/code-security/concepts/supply-chain-security/about-dependabot-security-updates","title":"Dependabot security updates"}],"documentType":"article"},"body":"# About Dependabot security updates\n\nDependabot can fix vulnerable dependencies for you by raising pull requests with security updates.\n\n## About Dependabot security updates\n\nDependabot security updates make it easier for you to fix vulnerable dependencies in your repository.\n\nIf you enable Dependabot security updates, when a Dependabot alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot automatically tries to fix it. For more information, see [About Dependabot alerts](/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [Configuring Dependabot security updates](/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates).\n\nYou can add a `dependabot.yml` configuration file to your repository to customize Dependabot behavior, including update schedules, pull request settings, and which dependencies to monitor. For more information, see [About the dependabot.yml file](/en/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file). 
You then configure options in this file to tell Dependabot how to secure the dependencies your repository relies on.\n\nFor information on the supported repositories and ecosystems, see [Dependabot supported ecosystems and repositories](/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories).\n\n> \\[!NOTE]\n> There is no interaction between the settings specified in the `dependabot.yml` file and Dependabot security alerts, other than the fact that alerts will be closed when related pull requests generated by Dependabot for security updates are merged.\n\nDependabot signs its own commits by default, even if commit signing is not a requirement for the repository. For more information about verified commits, see [About commit signature verification](/en/authentication/managing-commit-signature-verification/about-commit-signature-verification).\n\n> \\[!NOTE]\n> When Dependabot security updates are enabled for a repository, Dependabot will automatically try to open pull requests to resolve **every** open Dependabot alert that has an available patch. If you prefer to customize which alerts Dependabot opens pull requests for, you should leave Dependabot security updates **disabled** and create an auto-triage rule. For more information, see [Customizing auto-triage rules to prioritize Dependabot alerts](/en/code-security/dependabot/dependabot-auto-triage-rules/customizing-auto-triage-rules-to-prioritize-dependabot-alerts).\n\nGitHub may send Dependabot alerts to repositories affected by a vulnerability disclosed by a recently published GitHub security advisory. 
For more information, see [Browsing security advisories in the GitHub Advisory Database](/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database).\n\nDependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the Dependabot alert, or reports an error on the alert. For more information, see [Dependabot errors](/en/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors).\n\nThe Dependabot security updates feature is available for repositories where you have enabled the dependency graph and Dependabot alerts. You will see a Dependabot alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. For more information, see [About the dependency graph](/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#dependencies-included).\n\n> \\[!NOTE]\n> For npm, Dependabot will raise a pull request to update an explicitly defined dependency to a secure version, even if it means updating the parent dependency or dependencies, or even removing a sub-dependency that is no longer needed by the parent. For other ecosystems, Dependabot is unable to update an indirect or transitive dependency if it would also require an update to the parent dependency. 
For more information, see [Dependabot errors](/en/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-errors#dependabot-tries-to-update-dependencies-without-an-alert).\n\nYou can enable a related feature, Dependabot version updates, so that Dependabot raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see [About Dependabot version updates](/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).\n\nWhen Dependabot raises pull requests, these pull requests could be for *security* or *version* updates:\n\n* *Dependabot security updates* are automated pull requests that help you update dependencies with known vulnerabilities.\n* *Dependabot version updates* are automated pull requests that keep your dependencies updated, even when they don’t have any vulnerabilities. To check the status of version updates, navigate to the **Insights** tab of your repository, then select **Dependency Graph**, and Dependabot.\n\nIf you enable *Dependabot security updates*, parts of the configuration may also affect pull requests created for *Dependabot version updates*. This is because some configuration settings are common to both types of updates. For more information, see [Customizing pull requests for Dependabot security updates](/en/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs).\n\nPull requests opened by Dependabot can trigger workflows that run actions. For more information, see [Automating Dependabot with GitHub Actions](/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions).\n\nDependabot security updates can fix vulnerable dependencies in GitHub Actions. 
When security updates are enabled, Dependabot will automatically raise a pull request to update vulnerable GitHub Actions used in your workflows to the minimum patched version.\n\n## About grouped security updates\n\nTo further reduce the number of pull requests you may be seeing, you can enable grouped security updates to group sets of dependencies together (per package ecosystem). Dependabot then raises a single pull request to update as many vulnerable dependencies as possible in the group to secure versions at the same time.\n\nFor security updates, Dependabot will only group dependencies from different directories per ecosystem under certain conditions and configurations. Dependabot **will not** group dependencies from different package ecosystems together, and it **will not** group security updates with version updates.\n\nYou can enable grouped pull requests for Dependabot security updates in one, or both, of the following ways.\n\n* To group as many available security updates together as possible, across directories and per ecosystem, enable grouping in the \"Advanced Security\" settings for your repository, or in \"Global settings\" under Advanced Security for your organization.\n* For more granular control of grouping, such as grouping by package name, development/production dependencies, SemVer level, or across multiple directories per ecosystem, add configuration options to the `dependabot.yml` configuration file in your repository.\n\n> \\[!NOTE]\n> If you have configured group rules for Dependabot security updates in a `dependabot.yml` file, all available updates will be grouped according to the rules you've specified. 
Dependabot will only group across those directories not configured in your `dependabot.yml` if the setting for grouped security updates at the organization or repository level is also enabled.\n\nFor more information, see [Configuring Dependabot security updates](/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#grouping-dependabot-updates-into-a-single-pull-request).\n\n## About compatibility scores\n\nDependabot security updates may include compatibility scores to let you know whether updating a dependency could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.\n\n## About automatic deactivation of Dependabot updates\n\nWhen maintainers of a repository stop interacting with Dependabot pull requests, Dependabot temporarily pauses its updates and lets you know. For more information, see [Dependabot update pull requests no longer generated](/en/code-security/dependabot/troubleshooting-dependabot/dependabot-updates-stopped).\n\n## About notifications for Dependabot security updates\n\nYou can filter your notifications on GitHub to show Dependabot security updates. For more information, see [Managing notifications from your inbox](/en/account-and-profile/managing-subscriptions-and-notifications-on-github/viewing-and-triaging-notifications/managing-notifications-from-your-inbox#dependabot-custom-filters)."}