---
title: About Dependabot alerts
intro: '{% data variables.product.prodname_dependabot_alerts %} help you find and fix vulnerable dependencies before they become security risks.'
product: '{% data reusables.gated-features.dependabot-alerts %}'
redirect_from:
  - /articles/about-security-alerts-for-vulnerable-dependencies
  - /github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies
  - /github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
  - /code-security/supply-chain-security/about-alerts-for-vulnerable-dependencies
  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies
  - /code-security/dependabot/dependabot-alerts/about-dependabot-alerts
versions:
  fpt: '*'
  ghes: '*'
  ghec: '*'
shortTitle: Dependabot alerts
contentType: concepts
category:
  - Secure your dependencies
---

Software often relies on packages from various sources, creating dependency relationships that can unknowingly introduce security vulnerabilities. When your code depends on packages with known security vulnerabilities, you become a target for attackers seeking to exploit your system—potentially gaining access to your code, data, customers, or contributors.

{% data variables.product.prodname_dependabot_alerts %} notify you about vulnerable dependencies so you can upgrade to secure versions and protect your project.

## When {% data variables.product.prodname_dependabot %} sends alerts

{% data variables.product.prodname_dependabot %} scans your repository's default branch and sends alerts when:

{% ifversion fpt or ghec %}
* A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}{% else %}
* New advisory data is synchronized to {% data variables.product.prodname_dotcom %} each hour from {% data variables.product.prodname_dotcom_the_website %}. {% data reusables.security-advisory.link-browsing-advisory-db %}{% endif %}
* Your dependency graph changes—for example, when you push commits that update packages or versions

For supported ecosystems, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems).

## Understanding alerts

When {% data variables.product.github %} detects a vulnerable dependency, a {% data variables.product.prodname_dependabot %} alert appears on the repository's **{% data variables.product.prodname_security_and_quality_tab %}** tab and dependency graph. Each alert includes:

* A link to the affected file
* Details about the vulnerability and its severity
* Information about a fixed version (when available)

For information about viewing and managing alerts, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts).

## Who can enable alerts?

Repository administrators and organization owners can enable {% data variables.product.prodname_dependabot_alerts %} for their repositories{% ifversion fpt or ghec %} and organizations{% endif %}. When enabled, {% data variables.product.github %} immediately generates the dependency graph and creates alerts for any vulnerable dependencies it identifies.

{% ifversion fpt or ghec %}
Repository administrators can grant access to additional people or teams.{% endif %}

{% data reusables.repositories.enable-security-alerts %}

See [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts).

{% ifversion dependabot-alerts-assignees %}

## Alert ownership and assignments

Users with write access or higher can assign {% data variables.product.prodname_dependabot_alerts %} to repository collaborators, teams, or {% data variables.product.prodname_copilot_short %} to establish clear ownership for vulnerability remediation. Assignments help track who's responsible for each alert and prevent vulnerabilities from being overlooked.

When an alert is assigned, the assignee receives a notification and the alert displays their name in the alert list. You can filter alerts by assignee to track progress. Assigning an alert to {% data variables.product.prodname_copilot_short %} automatically generates a fix and opens a draft pull request for review.

For information about assigning alerts, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-and-prioritizing-dependabot-alerts).

{% endif %}

## How alert notifications work

By default, {% data variables.product.github %} sends email notifications about new alerts to people who both:

* Have write, maintain, or admin permissions to a repository
* Are watching the repository and have enabled notifications for security alerts or for all activity on the repository

{% ifversion fpt or ghec %}
You can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at [https://github.com/settings/notifications](https://github.com/settings/notifications).
{% endif %}

Regardless of your notification preferences, when {% data variables.product.prodname_dependabot %} is first enabled, {% data variables.product.github %} does not send notifications for all vulnerable dependencies found in your repository. Instead, you will receive notifications for new vulnerable dependencies identified after {% data variables.product.prodname_dependabot %} is enabled, if your notification preferences allow it.

If you are concerned about receiving too many notifications, we recommend leveraging {% data variables.dependabot.auto_triage_rules %} to auto-dismiss low-risk alerts. Rules are applied before alert notifications are sent, so alerts that are auto-dismissed upon creation do not send notifications. See [AUTOTITLE](/code-security/dependabot/dependabot-auto-triage-rules/about-dependabot-auto-triage-rules).

Alternatively, you can opt into the weekly email digest, or even completely turn off notifications while keeping {% data variables.product.prodname_dependabot_alerts %} enabled.

## Limitations

{% data variables.product.prodname_dependabot_alerts %} have some limitations:

* Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
* New vulnerabilities may take time to appear in the {% data variables.product.prodname_advisory_database %} and trigger alerts.
* Only advisories reviewed by {% data variables.product.github %} trigger alerts.
* {% data variables.product.prodname_dependabot %} doesn't scan archived repositories.{% ifversion dependabot-malware-alerts %}{% else %}
* {% data variables.product.prodname_dependabot %} doesn't generate alerts for malware.{% endif %}
* {% data reusables.dependabot.dependabot-alert-actions-semver %}

{% ifversion fpt or ghec %}{% data variables.product.github %} never publicly discloses vulnerabilities for any repository. {% endif %}

{% ifversion copilot-chat-ghas-alerts %}

## {% data variables.copilot.copilot_chat %} integration

With a {% data variables.copilot.copilot_enterprise %} license, you can ask {% data variables.copilot.copilot_chat_short %} questions about {% data variables.product.prodname_dependabot_alerts %} in your organization's repositories. For more information, see [AUTOTITLE](/copilot/using-github-copilot/asking-github-copilot-questions-in-githubcom#asking-questions-about-alerts-from-github-advanced-security-features).

{% endif %}

## Further reading

{% ifversion dependabot-malware-alerts %}
* [AUTOTITLE](/code-security/concepts/supply-chain-security/dependabot-malware-alerts){% endif %}
* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)
* [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)
* [AUTOTITLE](/code-security/getting-started/auditing-security-alerts)