{"meta":{"title":"Viewing and updating Dependabot alerts","intro":"If GitHub discovers insecure dependencies in your project, you can view alert details on the Dependabot tab of your repository. Then, you can update your project to resolve or dismiss the alert.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/how-tos","title":"How-tos"},{"href":"/en/code-security/how-tos/manage-security-alerts","title":"Manage security alerts"},{"href":"/en/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts","title":"Dependabot alerts"},{"href":"/en/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts","title":"View Dependabot alerts"}],"documentType":"article"},"body":"# Viewing and updating Dependabot alerts\n\nIf GitHub discovers insecure dependencies in your project, you can view alert details on the Dependabot tab of your repository. Then, you can update your project to resolve or dismiss the alert.\n\nYour repository's Dependabot tab lists all open and closed Dependabot alerts and corresponding Dependabot security updates. You can filter alerts by package, ecosystem, or manifest. You can sort the list of alerts, and you can click into specific alerts for more details. You can also dismiss or reopen alerts, either one by one or by selecting multiple alerts at once. For more information, see [About Dependabot alerts](/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).\n\n## About updates for vulnerable dependencies in your repository\n\nEach Dependabot alert has a unique numeric identifier and the Dependabot tab lists an alert for every detected vulnerability. Legacy Dependabot alerts grouped vulnerabilities by dependency and generated a single alert per dependency. If you navigate to a legacy Dependabot alert, you will be redirected to a Dependabot tab filtered for that package.\n\nYou can filter and sort Dependabot alerts using a variety of filters and sort options available on the user interface. For more information, see [Viewing and prioritizing Dependabot alerts](#viewing-and-prioritizing-dependabot-alerts) below.\n\nYou can also audit actions taken in response to Dependabot alerts. For more information, see [Auditing security alerts](/en/code-security/getting-started/auditing-security-alerts).\n\n## Viewing and prioritizing Dependabot alerts\n\nYou can view, sort, and filter Dependabot alerts to focus on the alerts that matter most.\n\nBy default, alerts are sorted by **Most important**, which helps you prioritize fixes based on factors such as potential impact, actionability, and relevance. This prioritization is continuously improved and considers signals like CVSS score, dependency scope, and whether vulnerable function calls are detected.\n\nYou can view all open and closed Dependabot alerts and corresponding Dependabot security updates in your repository's Dependabot tab.\n\nWhen you assign an alert to an AI agent, the agent automatically creates a session and opens a draft pull request with a proposed fix. If the agent can't generate a fix, it remains as an assignee of the alert. You can click **View Session** on the alert timeline to review the agent's log and understand why no pull request was created. Only a user can remove the agent as an assignee.\n\n1. On GitHub, navigate to the main page of the repository.\n\n2. Under the repository name, click the ** Security and quality** tab. If you cannot see the \" Security and quality\" tab, select the **** dropdown menu, and then click ** Security and quality**.\n\n3. In the \"Findings\" section of the sidebar, select the **Dependabot** dropdown menu, then click **Vulnerabilities**.\n\n4. Optionally, refine the list of alerts:\n * Use the dropdown menus at the top of the list to sort or filter alerts.\n\n \n\n * Type directly in the search bar to filter alerts, including full-text search across alert details and related security advisories.\n\n * Click a label on an alert to automatically filter the list by that label.\n\n * To identify alerts that affect development dependencies, filter by the `scope:development` filter or look for alerts labeled \"Development\". This can help you prioritize alerts that affect production dependencies first.\n\n \n\n5. Click an alert to view its details. Alerts for development-scoped dependencies include a \"Development\" label in the \"Tags\" section on the alert details page.\n\n \n\n6. On the right panel, assign ownership for the alert:\n\n * Click the dropdown menu next to \"Assignees\" to select a user, team, or AI agent from the list. You can also click **Assign to Agent** to assign directly to an agent.\n\n When you assign an alert to an agent, a dialog appears where you can optionally:\n\n * Add a custom prompt with additional context about the fix.\n * Select a different repository.\n * Select the AI model to use.\n * Select a custom agent you have configured (recommended for specialized tasks).\n\n7. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the GitHub Advisory Database**. See [Editing security advisories in the GitHub Advisory Database](/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).\n\n### Tips for prioritizing alerts\n\n* Use the **Most important** sort order to focus on alerts with the highest potential impact.\n* Prioritize alerts that affect production dependencies over development dependencies.\n* Use the **Assignees** feature to clarify who is responsible for addressing each alert, so your team can track and remediate vulnerabilities more effectively.\n* Use Dependabot auto-triage rules to automatically prioritize or manage alerts. See [About Dependabot auto-triage rules](/en/code-security/concepts/supply-chain-security/about-dependabot-auto-triage-rules).\n\nFor more information about supported ecosystems and manifest files for dependency scope, see [Supported ecosystems and manifests for dependency scope](/en/code-security/reference/supply-chain-security/supported-ecosystems-and-manifests-for-dependency-scope).\n\nFor a complete list of available filters, see [Dependabot alert filters](/en/code-security/reference/supply-chain-security/dependabot-alerts-filters).\n\nTo retrieve alerts programmatically, see the [REST API endpoints for Dependabot alerts](/en/rest/dependabot/alerts).\n\n## Reviewing and fixing alerts\n\nYou can review the details of a Dependabot alert to understand the vulnerability and how to fix it.\n\n### Fixing vulnerable dependencies\n\n1. View the details for an alert. For more information, see [Viewing and prioritizing Dependabot alerts](#viewing-and-prioritizing-dependabot-alerts) (above).\n\n2. If you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click **Create Dependabot security update** at the top of the alert details page to create a pull request.\n\n \n\n3. Optionally, if you do not use Dependabot security updates, you can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to update the dependency to a secure version.\n\n4. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.\n\n Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see [Managing pull requests for dependency updates](/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands).\n\n## Dismissing Dependabot alerts\n\n> \\[!NOTE]\n> You can only dismiss open alerts.\n\nIf you schedule extensive work to upgrade a dependency, or decide that an alert does not need to be fixed, you can dismiss the alert. Dismissing alerts that you have already assessed makes it easier to triage new alerts as they appear.\n\n1. [Viewing and prioritizing Dependabot alerts](#viewing-and-prioritizing-dependabot-alerts) (above).\n\n2. Select the \"Dismiss\" dropdown, and click a reason for dismissing the alert. Unfixed dismissed alerts can be reopened later.\n\n3. Optionally, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can retrieve or set a comment by using the GraphQL API. The comment is contained in the `dismissComment` field. For more information, see [Objects](/en/graphql/reference/objects#repositoryvulnerabilityalert) in the GraphQL API documentation.\n\n \n\n4. Click **Dismiss alert**.\n\n### Dismissing multiple alerts at once\n\n1. View the open Dependabot alerts.\n2. Optionally, filter the list of alerts by selecting a dropdown menu, then clicking the filter that you would like to apply. You can also type filters into the search bar.\n3. To the left of each alert title, select the alerts that you want to dismiss.\n \n4. Optionally, at the top of the list of alerts, select all alerts on the page.\n \n5. Select the \"Dismiss alerts\" dropdown, and click a reason for dismissing the alerts.\n \n\n## Viewing and updating closed alerts\n\nYou can view all open alerts, and you can reopen alerts that have been previously dismissed. Closed alerts that have already been fixed cannot be reopened.\n\n1. On GitHub, navigate to the main page of the repository.\n\n2. Under the repository name, click the ** Security and quality** tab. If you cannot see the \" Security and quality\" tab, select the **** dropdown menu, and then click ** Security and quality**.\n\n3. In the \"Findings\" section of the sidebar, select the **Dependabot** dropdown menu, then click **Vulnerabilities**.\n\n4. To just view closed alerts, click **Closed**.\n\n \n\n5. Click the alert that you would like to view or update.\n\n6. Optionally, if the alert was dismissed and you wish to reopen it, click **Reopen**. Alerts that have already been fixed cannot be reopened.\n\n \n\n### Reopening multiple alerts at once\n\n1. View the closed Dependabot alerts.\n2. To the left of each alert title, select the alerts that you want to reopen by clicking the checkbox adjacent to each alert.\n3. Optionally, at the top of the list of alerts, select all closed alerts on the page.\n \n4. Click **Reopen** to reopen the alerts. Alerts that have already been fixed cannot be reopened.\n\n## Reviewing the audit logs for Dependabot alerts\n\nWhen a member of your organization performs an action related to Dependabot alerts, you can review the actions in the audit log. For more information about accessing the log, see [Reviewing the audit log for your organization](/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#accessing-the-audit-log).\n\n\n\nEvents in your audit log for Dependabot alerts include details such as who performed the action, what the action was, and when the action was performed. The event also includes a link to the alert itself. When a member of your organization dismisses an alert, the event displays the dismissal reason and comment. For information on the Dependabot alerts actions, see the `repository_vulnerability_alert` category in [Audit log events for your organization](/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization#repository_vulnerability_alert)."}