Skip to content

/ Blog

Try GitHub Copilot Contact sales

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn about and how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - Scripting & automation
    How GitHub engineers use scripting and automation.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - Surveys
    What developers and industry leaders say matters most.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open source
- Open source
  Everything open source on GitHub.
  - Documentation
    Tips for creating and maintaining documentation.
  - Gaming
    Open source games on GitHub.
  - Git
    The latest Git updates.
  - Licenses
    Open source licenses, explained.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Categories

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn about and how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - Scripting & automation
    How GitHub engineers use scripting and automation.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - Surveys
    What developers and industry leaders say matters most.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open source
- Open source
  Everything open source on GitHub.
  - Documentation
    Tips for creating and maintaining documentation.
  - Gaming
    Open source games on GitHub.
  - Git
    The latest Git updates.
  - Licenses
    Open source licenses, explained.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Contact sales Try GitHub Copilot

dependabot

Subscribe to all “dependabot” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

→ ~ cd github-changelog

→ ~/github-changelog|main git log main

showing all changes successfully

Dependabot unlocks transitive dependencies for npm projects

September 7, 2022

Your GitHub repositories with Dependabot alerts enabled and Dependabot security updates enabled will automatically generate Dependabot pull requests for vulnerable npm transitive dependencies.

Previously, Dependabot couldn't generate a security update for a transitive dependency when its parent dependency required incompatible specific version range. In this locked state, developers had to manually upgrade the parent and transitive dependencies.

Now, Dependabot will be able to create pull requests for npm projects that upgrade both the parent and child dependencies together.

For example, if a vulnerability for the transitive dependency node-forge triggers a Dependabot alert and allows a PR to be created:

2 generated security update white bg

Prior to this change Dependabot would fail to create a Dependabot security update for transitive dependencies 😕. But not anymore! 😁 Now, Dependabot will unlock the node-forge security update by bumping the parent webpack-dev-server version in addition to patching the `node-forge dependency within the same Pull Request!

3 update PR white bg

This change will apply to pull requests generated by Dependabot that update vulnerable npm packages.

See more See more

Dependabot alerts: optional dismissal comment

August 22, 2022

Dependabot alerts users can now add an optional comment when dismissing an alert. These comments (maximum 280 characters) are viewable in the alert timeline and via the new dismissComment field in the GraphQL API.

Dependabot alert optional dismissal comment

Learn more about Dependabot alerts and the GraphQL API.

See more See more

Dependabot alerts are ranked by most important priority at the organization level

August 15, 2022

Dependabot alerts listed at the organization level are now easier to prioritize with the new "Most Important" sort, which released recently for the repository list view of Dependabot alerts.

Learn more about Dependabot alerts and the Security overview.

See more See more

Dependabot alerts: timeline of events on the alert details page

July 28, 2022

Dependabot alerts will now show more information on an alert's activity. In the details page for a Dependabot alert, you will see a timeline of events (e.g. opened, fixed, reopened). Events will also show additional metadata when available, like relevant pull requests.

Dependabot alerts timeline

For more information, see our documentation for Dependabot alerts.

See more See more

Differentiating triggering actor from executing actor

July 19, 2022

Starting next week, workflow re-runs in GitHub Actions will use the initial run’s actor for privilege evaluation. The actor who triggered the re-run will continue to be displayed in the UI, and can be accessed in a workflow via the triggering_actor field in the github context.

Currently, the privileges (e.g. – secrets, permissions) of a run are derived from the triggering actor. This poses a challenge in situations where the actor triggering a re-run is different than the original executing actor. The upcoming change will differentiate the initial executing actor from the triggering actor, enabling the stable execution of re-runs.

For more details see Re-running workflows and jobs.

For questions, visit the GitHub Actions community.

To see what’s next for Actions, visit our public roadmap.

See more See more

Dependabot alerts are now ranked by most important priority

July 15, 2022

Dependabot alerts will now be easier to prioritize with a new “Most Important” sort. For the alerts repository list view, by default, alerts will be sorted in a way to help you determine which alerts matter most. You will still be able to access additional sort options, like sort by Newest, CVSS severity, and Manifest path in the UI.

This “Most Important” sort considers CVSS score as the primary factor, along with additional factors across vulnerability impact (potential risk), relevancy, and actionability (how easy the vulnerability is to fix). For example, when supported, this sort calculation takes into consideration whether you’re calling a vulnerable function, as well as dependency scope (e.g. if an alert is a devDependency). This calculation will be improved over time.

This functionality will not affect Dependabot pull requests, the org-level list view of Dependabot alerts, or the GraphQL API.

For more information, see our documentation for Dependabot alerts.

See more See more

Dependabot alerts paused for malware advisories

July 1, 2022

On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database and will send malware alerts through Dependabot. Since shipping this change, we have received feedback that some organizations have been impacted with Dependabot alerts from these malware advisories that may be false positives.

GitHub has conducted a rapid root cause investigation and found that the majority of those alerts in question were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, in the hope a malicious version would be consumed. Dependabot doesn’t look at project configuration to determine if the packages are coming from a private registry, so it has been triggering an alert for packages with the same name from the public npm registry. While this does mean that your package was the target of a substitution attack it does not mean that there is an immediate action to be taken on your part as the malware has already been removed from the npm registry.

While we work to determine how to best notify customers of being the target of a substitution attack, we will be pausing all Dependabot notifications on malware advisories. For non-Enterprise-Server users, Malware advisories will still exist in the Advisory Database and send alerts on npm audit. We are not making any changes to existing alerts on github.com at this time.

For GitHub Enterprise Server users, who were the most impacted, no new advisories will come through GitHub Connect. If you are struggling with too many alerts, please reach out to support and we can share a script for you to run that will delete all malware advisories and alerts.

See more See more

Dependabot alerts: Dependency scope filter via GraphQL API

June 29, 2022

When using the GraphQL API, you can now filter Dependabot alerts by the scope of the dependency affected. The possible scopes are DEVELOPMENT or RUNTIME.

Dependency scope information is available for alerts opened on or after June 23, 2022, and can also be viewed in the Dependabot alerts UI as of last week.

For more information, see Dependabot alerts in the GraphQL API reference or learn more about Dependabot alerts in our documentation.

See more See more

Dependabot alerts: Filter alerts by the scope of the dependency (runtime and development)

June 23, 2022

Today, we're shipping a new filter for the Dependabot alerts list view. In the alerts list view, you can now filter for scope:development or scope:runtime. Alerts for development dependencies also feature a label in the UI.

Dependency scope information will be available for alerts opened on or after June 23, 2022.

Which ecosystems are supported?

The following ecosystems are supported as of June 23, 2022:

Language	Ecosystem	Dependency Scope
Ruby	RubyGems	✅
JavaScript	npm	✅
JavaScript	Yarn	No, defaults to runtime
PHP	Composer	✅
Go	Go modules	No, defaults to runtime
Java	Maven	✅ `test` maps to development, all else default to runtime
Python	Poetry	✅
Python	pip	✅ for `pipfile`, for `requirements.txt` scope is development if the filename contains “test” or “dev”, else it is runtime
.NET	NuGet	✅ only for `.nuspec` when tag != runtime; for all other cases defaults to runtime
Rust	Cargo	✅

For more information, learn more about Dependabot alerts in our documentation.

See more See more

Advisory Database supports malware advisories

June 15, 2022

GitHub's Advisory Database now supports listing malware advisories. You can see them by searching "type:malware" on https://github.com/advisories.

If you have enabled Dependabot alerts on your repositories, GitHub will send Dependabot alerts for malware automatically. Note that Dependabot does not send update pull requests for malware as the only resolution is to delete the package and find an alternative.

See more See more

Dismiss or reopen a selection of Dependabot alerts

June 13, 2022

Today, we're shipping the ability to select multiple Dependabot alerts to reopen or dismiss from the index page UI. For example, from the Closed alerts tab, you can now select multiple alerts that have been previously dismissed, and then reopen them at once.

Dependabot alerts bulk dismiss

For more information, see our documentation for Dependabot alerts.

See more See more

Enable Dependabot version updates from the repository settings page

June 2, 2022

Dependabot version updates help you keep your dependencies up-to-date by opening pull requests automatically when new versions are available.

With this release, you can now more easily enable and configure Dependabot version updates from your repository’s settings page. Within the "Dependabot" section of the "Code security and analysis" tab, you can choose to enable Dependabot version updates, which will prompt you to create a dependabot.yml config file. If a dependabot.yml file exists, you can access that from the repository settings page.

Note: you still need to configure Dependabot version updates with a dependabot.yml file to enable it.

For more information, learn more about Dependabot version updates and how to configure a dependabot.yml file.

See more See more

Dependabot alerts show all affected files for vulnerable function calls (Python Beta)

May 16, 2022

Dependabot alerts now show all affected files if your repository code is calling known vulnerable functions from the dependency’s vulnerability. Previously, we only highlighted one of these matches on an alert’s detail page, but now users can view all affected files.

This feature supports our public beta of exposure detection for Python alerts. After beta testing with Python we will add support for other ecosystems. Keep an eye on the public roadmap for more information.

For more information, see our product documentation.

See more See more

Dependabot keeps `@types` dependencies in sync with updated packages

May 10, 2022

Dependabot will now update @types dependencies alongside their corresponding packages in TypeScript projects.

Before this change, users would see separate pull requests for a package and its corresponding @types package. This could lead to packages and type definitions getting out of sync with one another, and require manual intervention. For example, if a project had dependencies on both jquery and @types/jquery, and a vulnerability triggered Dependabot to update jquery from 3.4.1 to 3.5.0, the package @types/jquery would remain at its original 3.4.x version.

Now, Dependabot can help TypeScript users keep their dependencies and @types packages up-to-date and in sync. When triggered to create an update, Dependabot will check if that package has a corresponding @types package. If so, Dependabot will update both the package and the corresponding @types package in a single PR. Or, if the @types package is no longer needed, that dependency will be removed instead.

The feature is automatically enabled on repositories containing @types packages in the project's devDependencies as listed in package.json. You can disable this behavior by setting the ignore field in your dependabot.yml file to @types/*. Let us know what you think in this feedback discussion.

See more See more

Dependabot alerts show vulnerable function calls (Python Beta)

April 14, 2022

Dependabot alerts now show if your repository code is calling known vulnerable functions from the dependency's vulnerability. If your code is calling vulnerable code paths, this information is surfaced via a "vulnerable call" label and code snippet in the Dependabot alerts UI. You can also filter for these alerts with has:vulnerable-calls from the Dependabot alert's search field.

Vulnerable functions are curated as part of GitHub's publishing process for the Advisory Database. New incoming Python advisories will be supported, and we're working on backfilling known vulnerable functions for historical Python advisories. After beta testing with Python we will add support for other ecosystems. Keep an eye on the public roadmap for more information.

This feature is enabled for supported Dependabot alerts on public repositories, as well as on repositories with GitHub Advanced Security enabled.

For more information on what we're shipping, read our post in the GitHub blog.

See more See more

View more changes