---
title: About Dependabot alerts
intro: '{% data variables.product.prodname_dependabot_alerts %} help you find and fix vulnerable dependencies before they become security risks.'
product: '{% data reusables.gated-features.dependabot-alerts %}'
redirect_from:
  - /articles/about-security-alerts-for-vulnerable-dependencies
  - /github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies
  - /github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
  - /code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies
  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies
  - /code-security/dependabot/dependabot-alerts/about-dependabot-alerts
versions:
  fpt: '*'
  ghes: '*'
  ghec: '*'
shortTitle: Dependabot alerts
contentType: concepts
category:
  - Secure your dependencies
---

Software often relies on packages from various sources, creating dependency relationships that can unknowingly introduce security vulnerabilities. When your code depends on packages with known security vulnerabilities, you become a target for attackers seeking to exploit your system—potentially gaining access to your code, data, customers, or contributors. {% data variables.product.prodname_dependabot_alerts %} notify you about vulnerable dependencies so you can upgrade to secure versions and protect your project.

## When {% data variables.product.prodname_dependabot %} sends alerts

{% data variables.product.prodname_dependabot %} scans your repository's default branch and sends alerts when:

{% ifversion fpt or ghec %}
* A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}{% else %}
* New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
* Your dependency graph changes, for example when you push commits that update packages or versions

For supported ecosystems, see AUTOTITLE.

## Understanding alerts

When {% data variables.product.github %} detects a vulnerable dependency, a {% data variables.product.prodname_dependabot %} alert appears on the repository's {% data variables.product.prodname_security_and_quality_tab %} tab and dependency graph. Each alert includes:

* A link to the affected file
* Details about the vulnerability and its severity
* Information about a fixed version (when available)

For information about viewing and managing alerts, see AUTOTITLE.
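The two triggers described above (new advisory data, or a change to the dependency graph) and the fields an alert carries can be modelled in a few lines. The following is an added example, not GitHub's or Dependabot's own code: it assumes an npm `package-lock.json` as the dependency graph and {% data variables.product.prodname_advisory_database %}-style version ranges such as `>= 4.0.0, < 4.17.21`; the package names, versions and GHSA-style identifiers are all constructed for the example.

```python
"""Added example (not GitHub's code): deriving Dependabot-style alerts by
crossing a dependency graph with advisory records.

Assumptions not taken from the page: the lock file is an npm
package-lock.json (lockfileVersion 2/3 "packages" map) and advisories use
comma-separated version ranges such as ">= 4.0.0, < 4.17.21". All package
names, versions and GHSA-style ids below are constructed for the example."""
import json
import operator
import re

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}
_CONSTRAINT = re.compile(r"^(<=|>=|<|>|=)\s*(\S+)$")


def parse_version(text):
    """Turn '4.17.20' (optional 'v' prefix, pre-release/build suffix dropped)
    into a 3-tuple of ints so comparisons are numeric, never lexical."""
    core = text.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version, vulnerable_range):
    """True if `version` satisfies every constraint in an advisory range;
    all comma-separated parts must hold (it is a conjunction)."""
    v = parse_version(version)
    for raw in vulnerable_range.split(","):
        match = _CONSTRAINT.match(raw.strip())
        if not match:
            raise ValueError(f"unsupported constraint: {raw!r}")
        op, bound = match.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def dependencies_from_lockfile(lock_text):
    """Yield (name, version, scope) for each installed package. A nested
    install such as 'node_modules/a/node_modules/b' is package 'b'."""
    lock = json.loads(lock_text)
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        scope = "development" if entry.get("dev") else "runtime"
        yield name, entry["version"], scope


def find_alerts(lock_text, advisories, manifest_path="package-lock.json"):
    """Cross the dependency graph with the advisories; each hit carries the
    fields an alert shows: affected file, severity, fixed version if any."""
    alerts = []
    for name, version, scope in dependencies_from_lockfile(lock_text):
        for adv in advisories:
            if adv["ecosystem"] != "npm" or adv["package"] != name:
                continue
            if version_in_range(version, adv["vulnerable_version_range"]):
                alerts.append({
                    "ghsa_id": adv["ghsa_id"], "package": name,
                    "installed_version": version, "manifest_path": manifest_path,
                    "scope": scope, "severity": adv["severity"],
                    "summary": adv["summary"],
                    "first_patched_version": adv.get("first_patched_version"),
                })
    return alerts


def _key(alert):
    return (alert["ghsa_id"], alert["package"])


def diff_alerts(before, after):
    """(new, resolved) alert keys when the dependency graph changes, for
    example after a push that bumps a package to a patched version."""
    old, new = {_key(a) for a in before}, {_key(a) for a in after}
    return sorted(new - old), sorted(old - new)


# Constructed advisory records for fictional packages.
ADVISORIES = [
    {"ghsa_id": "GHSA-xxxx-example-0001", "ecosystem": "npm",
     "package": "example-parser", "severity": "high",
     "summary": "Prototype pollution in example-parser",
     "vulnerable_version_range": ">= 4.0.0, < 4.17.21",
     "first_patched_version": "4.17.21"},
    {"ghsa_id": "GHSA-xxxx-example-0002", "ecosystem": "npm",
     "package": "example-logger", "severity": "low",
     "summary": "Log injection in example-logger",
     "vulnerable_version_range": "< 2.1.0",
     "first_patched_version": None},  # no patched release published yet
]

# Constructed lock files: before and after a push that upgrades example-parser.
LOCK_BEFORE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/example-parser": {"version": "4.17.20"},
    "node_modules/example-logger": {"version": "2.0.0", "dev": True},
}})
LOCK_AFTER = LOCK_BEFORE.replace('"4.17.20"', '"4.17.21"')

if __name__ == "__main__":
    before = find_alerts(LOCK_BEFORE, ADVISORIES)
    after = find_alerts(LOCK_AFTER, ADVISORIES)
    for a in before:
        fix = a["first_patched_version"] or "no patched version yet"
        print(f"{a['severity']:>5} {a['package']}@{a['installed_version']} "
              f"({a['scope']}, {a['manifest_path']}): {a['summary']} -> fix: {fix}")
    print("new / resolved after the push:", diff_alerts(before, after))
```

The range check is a conjunction over every constraint, which is why `4.17.21` (the first patched version) falls outside `>= 4.0.0, < 4.17.21` and the alert disappears after the push, while the `example-logger` alert stays open with no fixed version to offer. Version comparison is numeric, so `10.0.0` is correctly not `< 9.0.0`; a lexical comparison would get that wrong.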

## Who can enable alerts?

Repository administrators and organization owners can enable {% data variables.product.prodname_dependabot_alerts %} for their repositories{% ifversion fpt or ghec %} and organizations{% endif %}. When enabled, {% data variables.product.github %} immediately generates the dependency graph and creates alerts for any vulnerable dependencies it identifies. {% ifversion fpt or ghec %} Repository administrators can grant access to additional people or teams.{% endif %}

{% data reusables.repositories.enable-security-alerts %}

See AUTOTITLE.

{% ifversion dependabot-alerts-assignees %}

## Alert ownership and assignments

Users with write access or higher can assign {% data variables.product.prodname_dependabot_alerts %} to repository collaborators, teams, or {% data variables.product.prodname_copilot_short %} to establish clear ownership for vulnerability remediation. Assignments help track who's responsible for each alert and prevent vulnerabilities from being overlooked.

When an alert is assigned, the assignee receives a notification and the alert displays their name in the alert list. You can filter alerts by assignee to track progress. Assigning an alert to {% data variables.product.prodname_copilot_short %} automatically generates a fix and opens a draft pull request for review.

For information about assigning alerts, see AUTOTITLE.

{% endif %}

## How alert notifications work

By default, {% data variables.product.github %} sends email notifications about new alerts to people who both:

* Have write, maintain, or admin permissions to a repository
* Are watching the repository and have enabled notifications for security alerts or for all activity on the repository

{% ifversion fpt or ghec %} You can override the default by choosing which notification types you receive, or by switching notifications off altogether, on your notification settings page at https://github.com/settings/notifications. {% endif %}

Enabling {% data variables.product.prodname_dependabot %} does not, regardless of your notification preferences, send notifications for the vulnerable dependencies that already exist in the repository at that point. You are notified only about new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled, and only if your notification preferences allow it.

If you are concerned about receiving too many notifications, we recommend using {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. Rules are applied before notifications are sent, so an alert that is auto-dismissed on creation never generates a notification. See AUTOTITLE.

Alternatively, you can opt into the weekly email digest, or turn notifications off completely while keeping {% data variables.product.prodname_dependabot_alerts %} enabled.

## Limitations

{% data variables.product.prodname_dependabot_alerts %} have some limitations:

* Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
* New vulnerabilities may take time to appear in the {% data variables.product.prodname_advisory_database %} and trigger alerts.
* Only advisories reviewed by {% data variables.product.github %} trigger alerts.
* {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.{% ifversion dependabot-malware-alerts %}{% else %}
* {% data variables.product.prodname_dependabot %} doesn't generate alerts for malware.{% endif %}
* {% data reusables.dependabot.dependabot-alert-actions-semver %}

{% ifversion fpt or ghec %}{% data variables.product.github %} never publicly discloses identified vulnerabilities for any repository. {% endif %}

{% ifversion copilot-chat-ghas-alerts %}

## {% data variables.copilot.copilot_chat %} integration

With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% data variables.copilot.copilot_chat_short %} questions about {% data variables.product.prodname_dependabot_alerts %} in your organization's repositories. For more information, see AUTOTITLE.

{% endif %}

## Further reading

{% ifversion dependabot-malware-alerts %}