Skip to content

dependabot

Subscribe to all “dependabot” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Code security configurations can now be enforced

Configurations are collections of security settings that organization administrators and security managers can define to help roll out GitHub security products at scale.

Starting today, you can enforce configurations. This new feature allows you to prevent users at the repository level from changing the security features that have been enabled and disabled in the configuration attached to their repository.

You can mark a configuration as enforced or unenforced at the bottom of the configurations edit page under the policy section:
Configuration Enforcement

Security configurations are currently available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about security configurations or send us your feedback.

See more

dependabot-core is now open source with an MIT license

We’re excited to announce that the dependabot-core project is being relicensed under the MIT License, making it easier for the community to contribute to Dependabot.

Keeping dependencies updated is a crucial part of securing your software supply chain, and Dependabot has been helping GitHub users do this since 2019. It’s used by millions of developers each month to keep their dependencies up-to-date and free of known security vulnerabilities. We don’t charge anyone to use Dependabot, because we think everyone should be able to use open source without fear of vulnerabilities.

dependabot-core is the component of Dependabot that defines the logic to create pull requests for dependency updates across the 20+ languages and package managers it supports today. The update logic in dependabot-core is tightly integrated with the rest of GitHub’s Dependabot features, such as grouped updates and auto-triage rules, and contributions from collaborators have helped with its support of Swift and improvements to NuGet. By adopting the MIT license, we will simplify the process for members of the community to contribute to Dependabot and innovate together.

Dependabot-core was previously available under the Prosperity Public License 2.0, and has received contributions from more than 300 developers over the past few years. Now, the MIT license will make it easier than ever for members of the community to join our cause to improve the security of all the world’s software. If you’d like to learn more about contributing to dependabot-core, please check out the repository, and drop us an issue or pull request!

See more

Security alerts tool trends on the security overview dashboard

The new Tool group-by option on the security overview trends graph provides a visualization of alert trends, organized by the security tools that detected each vulnerability. It’s designed to improve your ability to track and analyze the effectiveness of your scanning tools, enabling more strategic decision-making.

Example of the alert trends chart grouped by security tool

With this new functionality, you can:
* Pinpoint which tools are detecting the most critical vulnerabilities.
* Monitor the performance of your scanners over time.
* Prioritize your remediation efforts based on detailed insights.

To access this feature, navigate to the Security tab at the organization level on GitHub, and choose the Tool option in the Group by dropdown.

This functionality is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard for your organization and send us your feedback

See more

Dependabot pull requests jobs are now available to run on self hosted GitHub Actions runners

Previously, developers who used private registries to host their packages on internal networks could not use Dependabot to update the versions of those packages in their code.

With this change, users can choose to run Dependabot pull request jobs on their private networks with self-hosted GitHub Actions runners, allowing Dependabot to access on-premises private registries and update those packages.

A prerequisite for enabling self-hosted runners includes enabling GitHub Actions for the repositories of interest. It’s important to note that running Dependabot does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone.

To get started, check out our documentation on managing self-hosted runners with Dependabot Updates.

If you’re interested in learning more about what it means to run Dependabot as a GitHub Actions workflow, check out our changelog and FAQ or Dependabot on Actions documentation.

See more

Dependabot multi-directory configuration public beta now available

This public beta enables developers to use a directories key to list multiple directories for the same ecosystem configuration in the dependabot.yml file.

Previously, developers with multiple package manifests for the same ecosystem (e.g. npm, pip, gradle) across multiple directories had to create separate dependabot.yml configurations for each of those directories. This could lead to many duplicated configurations, and high maintenance costs if a developer wished to make a change that spanned multiple directories.

A new dependabot.yml key, directories, is now available in public beta. The directories key accepts a list of strings representing directories, and can be used instead of directory.

Below is an example dependabot.yml multi-directory configuration setup, including how you can use the directories key:

version: 2
updates:
  - package-ecosystem: "bundler"
    directories:
      - "/frontend"
      - "/backend"
      - "/admin"
    schedule:
      interval: "weekly"

This example configuration applies to both security and version updates.

Wildcards and globbing support (i.e. using * to represent a pattern of directories) is coming soon in our next public beta releases, with an expected public beta launch within the next few months. Stay tuned for more!

If a developer still wishes to explicitly enumerate configurations for the same ecosystem using directory, they can still choose to do so; the directory key still accepts single-directory entries. For more information on the directory key, check out the dependabot.yml configuration options for the directory key documentation.

See more

Enterprise enablement trends for security products (public beta)

For enterprise owners and security managers dedicated to managing security products, we are excited to announce a new capability: you can now gain historical insights into security products enablement trends across your GitHub enterprise. This overview helps you understand how security product coverage is being implemented across your company.

Following our March announcement of the public beta of the enablement trends report for organizations, which allowed monitoring of enablement trends for all security products within your GitHub organization, we’ve expanded this capability to the enterprise level. The addition of an owner filter further simplifies the navigation of metrics for repositories owned by specific organizations.

Enterprise enablement trends report

Explore enablement trends and gain historical insights into the activation status of GitHub security features:
* Dependabot alerts
* Dependabot security updates
* Code scanning
* Secret scanning alerts
* Secret scanning push protection

Historical data is available from January 1, 2024, with the exception of Dependabot security updates data, which is available from January 17, 2024.

To access the enablement trends report, navigate to your enterprise account. In the enterprise account sidebar, click Code Security.

This feature is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about security overview and join the discussion within the GitHub Community

See more

Dependabot Updates on Actions for GitHub Enterprise Cloud and Free, Pro, and Teams Users

Starting today, developers using GitHub Enterprise Cloud (GHEC) and Free, Pro, and Teams accounts can enable their repositories and/or organizations to run Dependabot updates as an Actions workflow. With this change, the job that Dependabot runs to generate pull requests will run in GitHub Actions. This is the start of an effort to consolidate Dependabot’s compute platform to Actions, with further migration plans to be announced later.

Who can opt-in?

GHEC, Free, Pro, and Teams administrator users can enable Dependabot on Actions today.

What if I’m on Enterprise Server (GHES)?

GitHub Enterprise Server (GHES) and Proxima users already run Dependabot on Actions; no further steps are required to enable Dependabot on Actions for these users.

Why choose to run Dependabot as an Actions workflow today?

Enabling Dependabot on Actions will yield performance benefits like faster Dependabot runs and increased visibility into errors to manually detect and troubleshoot failed runs. Actions APIs and webhooks will also be able to detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines. There will be no change or impact to the Dependabot functionality, and there will be no impact to billed Actions minutes (i.e. Dependabot runs are free).

Will this count towards Actions minutes or costs?

This does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone. Beginning today, using Dependabot as an Actions workflow is free for everyone and generally available on all repositories.

What’s the next migration phase for Dependabot on Actions?

Over the course of the next year, we are migrating all Dependabot workflows to run on Actions compute infrastructure. You can opt-in today to gain access to these benefits, but they’ll be coming soon to all repos without needing to opt-in as well. We’re excited for faster runs, increased troubleshooting visibility, and other future benefits running Dependabot on Actions will unlock. We’ll be in close contact with those organizations who own repositories with Actions disabled and Dependabot enabled as we kick off the compute infrastructure migration. If you have questions or concerns, please contribute to our community discusson or contact our support team.

How to enable Dependabot on Actions?

GHEC, Free, Pro, and Teams administrator users can enable Dependabot on Actions runners at either the repository or organization level from the Code security and analysis settings pages. For more information, see our documentation on enabling Dependabot on Actions runners.

When will Dependabot support self-hosted runners and larger GitHub-Hosted runners?

May 2024

When will VNETs be supported?

This work is still in progress; we don’t yet have an estimated date when these will be available.

Can I use Actions workflows and APIs to trigger Dependabot jobs?

Today, Dependabot jobs can only be triggered from the Dependabot UI, and not by Actions workflows or APIs.

If I see a Dependabot job fail in Actions, how can I restart it?

Check out our documentation on re-running a verison updates job or re-running a security updates job.

If I enable Dependabot on Actions, can I later opt-out?

At this time, you can opt out of enabling Dependabot on Actions. However, this ability will change within the next year as we consolidate Dependabot’s compute platform to Actions.

What if I don’t want to turn on Actions for my repository or organization? What happens if Actions is disabled in a repository but Dependabot is enabled to run on Actions?

During this opt-in phase of the compute infrastructure migration, if you enable Dependabot on Actions but disable Actions at the repository or organization level, Dependabot will run on the legacy compute infrastructure. Please enable Actions either in your Dependabot-enabled repository or across your organization if you wish to opt in to run Dependabot on Actions.

Read more about Dependabot on GitHub Actions runners.

Join the discussion within GitHub Community.

See more

Advanced filtering capabilities for the security overview dashboard

Today, we’re releasing security tool-specific filters for the security overview dashboard and secret scanning metrics page.

Security tool-centric filters in the filter bar drop-down on the overview dashboard

Have you ever wondered, “How well is my organization handling SQL injections?” or “How quickly are we responding to [partner name] secret leaks?” Maybe you’re curious about the pace of updating your npm dependencies. Well, wonder no more!

With our new security tool filters, you can tailor your search to the exact details you’re curious about, giving you a more focused and relevant report for your needs.

Discover the new filters that are designed to transform your security analysis:

  • Dependabot filters: Zero in on a specific ecosystem, package, and dependency scope.
  • CodeQL/third-party filters: Drill down to the rule that matters most to you.
  • Secret scanning filters: Get granular with filters for secret type, provider, push protection bypassed status and validity.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about security overview and send us your feedback

See more

Code security configurations let organizations easily roll out GitHub security products at scale

Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings that can be applied to groups of repositories. Your organization can apply the ‘GitHub recommended’ security configuration, which applies GitHub’s suggested settings for Dependabot, secret scanning, and code scanning. Alternatively, you can instead create your own custom security configurations. For example, an organization could create a ‘High risk’ security configuration for production repositories, and a ‘Minimum protection’ security configuration for internal repositories. This lets you manage security settings based on different risk profiles and security needs. Your organization can also set a default security configuration which is automatically applied to new repositories, avoiding any gaps in your coverage.

With security configurations, you can also see the additional number of GitHub Advanced Security (GHAS) licenses that are required to apply a configuration, or made available by disabling GHAS features on selected repositories. This lets you understand license usage when you roll out GitHub’s code security features in your organization.

Security configurations are now available in public beta on GitHub.com, and will be available in GitHub Enterprise Server 3.14. You can learn more about security configurations or send us your feedback.

See more

Dependabot grouped security updates generally available

Dependabot grouped security updates are now generally available. This feature automatically groups Dependabot pull requests, lets you specify several additional options to fine tune your groupings.

You can enable grouped security updates for Dependabot at the repository or organization-level. To enable this feature, go to your repository or organization settings page, then go to the Code security and analysis tab, and click “Enable” for grouped security updates (this also requires each affected repository to enable Dependency graph, Dependabot alerts, and Dependabot security updates). When you enable this feature, Dependabot will collect all available security updates in a repository and attempt to open one pull request with all of them, per ecosystem, across directories.

If you would like more granular control over Dependabot’s grouping, you can also configure the dependabot.yml file in a repository to group by any of the following:

  • Package name
  • Dependency type (production vs development)
  • Semver update level (patch, minor, major)

For additional information, check out the Dependabot configuration file documentation.

For GitHub Enterprise Server users, grouped security updates will be available in Version 3.14.

See more

Improvements to security overview insights, secret scanning metrics

Today, we’re releasing a host of new insights to the security overview dashboard, as well as an enhanced secret scanning metrics page.

New dashboard insights

overview dashboard with third-party tools, the trend indicator for age of alerts, and reopened alerts tile highlighted

  • Third-party alerts integration: Beyond GitHub’s own CodeQL, secret scanning, and Dependabot security tools, you can now view alert metrics for third-party tools directly on the overview dashboard. Use tool:[third-party-tool name] to view metrics for a specific third-party security tool, or tool:third-party to view metrics for all third-party security alerts.
  • Reopened alerts tracking: Uncover recurring vulnerabilities with the new reopened alerts metric tile, which identifies vulnerabilities that have resurfaced after being previously resolved. This data point helps assess the long-term effectiveness of your remediation efforts.
  • Trend indicators: Review changes over time with trend indicators for key metrics like age of alerts, mean time to remediate, net resolve rate, and total alert count. These indicators offer a clear view of performance shifts and trends between a given date range and that same range reflected backward in time.
  • Advisories tab: Stay informed with the new advisories table, which details the top 10 alert advisories affecting your organization, including the advisories’ CVE IDs, ecosystems, open alert counts, and severities.

Secret scanning metrics page enhancements

secret scanning metrics page with filter bar highlighted

You can now refine your insights with filters for dates, repository custom properties, teams, and more on the secret scanning metrics page. These new filters empower you to pinpoint specific repositories and view changes over time, enabling a more targeted analysis. Additionally, if you are an organization member, you can now view metrics for the repositories you have access to.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and send us your feedback

See more

Security overview dashboard: Alert age trends, custom repository and severity filters, and date pickers

Starting today, you can take advantage of the new “age” grouping for the alert trends graph and explore enhanced filter options on the security overview dashboard, aimed at improving your analytical process and security management.

alert trends grouped by age

Explore the dynamics of your security alerts with the new alert age grouping on the alert trends graph. This new functionality offers a refined view into the lifecycle of your security alerts, enabling you to better evaluate the timeliness and effectiveness of your response strategies.

New filter options

repository custom property filter on the security overview page

Leverage enhanced filters to fine-tune your security insights on the overview dashboard:
* Custom repository property filters: With repository custom properties, you can now tag your repositories with descriptive metadata, aiding in efficient organization and analysis across security overview.
* Severity filters: Severity-based filters allow you to concentrate on the vulnerabilities that matter most, streamlining the process of security risk assessment and prioritization.
* Improved date picker controls: Navigate through time with ease using the new date picker options, allowing for quick selection of rolling periods like “Last 14 days,” “Last 30 days,” or “Last 90 days.” Bookmark your preferred time window to keep your analysis current with each visit.

You can access these new functionalities in security overview by navigating to the “Security” tab at the organization level.

These features are now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and send us your feedback

See more

Improved error handling for Dependabot updates for NuGet

Dependabot will now fail gracefully with informative error messages when an unsupported NuGet project type is encountered. If you were using an unsupported project type previously, Dependabot might have failed silently without producing updates. Dependabot is able to process updates to NuGet project files in the .csproj, .vbproj, and .fsproj formats.

See more

Enablement trends for security products (public beta)

You can now monitor enablement trends for all security products within your GitHub organization. This functionality is designed to give you a detailed overview of how your organization is implementing security product coverage.

new tool adoption report

Explore enablement trends for historical insights into the activation status of GitHub security features:
* Dependabot alerts
* Dependabot security updates
* Code scanning
* Secret scanning alerts
* Secret scanning push protection

Historical data is available from January 1, 2024, with the exception of Dependabot security updates data, which is available from January 17, 2024.

To access the enablement trends page, visit security overview at the organization level. You can find security overview by clicking on the “Security” tab.

This feature is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and join the discussion within the GitHub Community

See more

Dependabot security updates work with private registries even if target branch is specified

Previously, if you specified your private registry configuration in the dependabot.yml file and also had a configuration block for that ecosystem using the target-branch key, Dependabot security updates wouldn’t utilize the private registry information as expected. Starting today, Dependabot now uses private registry configurations specified in the dependabot.yml file as expected, even if there is a configuration with target-branch. This ensures that security updates are applied correctly, regardless of your repository’s configuration settings. Note that security updates still does not support target-branch configuration.

Learn more about configuring private registries for Dependabot in the Dependabot documentation.

See more

Dependabot will now pause scheduled jobs after 15 failures

Previously, if Dependabot encountered 30 consecutive failures, it would stop running scheduled jobs until manual intervention via updating the dependency graph or manifest file. Dependabot will now pause scheduled jobs after 15 failures. This will give an earlier indication of potential issues while still ensuring that critical security updates will continue to be applied without interruption.

Read more in the Dependabot Docs. 

See more

Group Configuration Options for Dependabot Security Updates – Public Beta

Dependabot security updates help you keep your dependencies secure by opening pull requests when a Dependabot alert is raised. With today’s release, you can now use flexible grouping options in dependabot.yml to control how Dependabot structures its security pull requests to make them more mergeable for you based on your context. Whether you’d like to simply update as many dependencies at once as possible (patterns: '*') or minimize the risk of breaking changes (dependency-type: development or update-types: "patch"), there are grouping options for you.

By specifying applies-to: security-updates in your group rule configuration, you can specify how you would like Dependabot to group your security updates. If you would like Dependabot to group together all possible updates for an ecosystem, you can instead use the UI located in your repository settings to do so. To learn more about this, check out our documentation here.

The available grouping options are:

  • patterns, which will match based on package names
  • dependency-type, which will group based on development or production dependencies, for ecosystems where this is supported, and
  • update-types, which will group based on SemVer level update

Learn more about grouping configuration options here.

See more

Dependabot support for pub private repositories and registries

If you use private hosted pub repositories or registries to manage your Dart dependencies, Dependabot can now automatically update those dependencies. By adding the details of the private repository or registry to dependabot.yml, Dependabot will be able to access and update these dependencies.

See more

Gradle starter workflows now automatically submit transitive dependencies

If you’re using starter workflows to prepare the build and release steps for your Java projects that use Gradle, these projects will now have more comprehensive dependency graph information in GitHub. The Gradle starter workflows have been updated to automatically submit transitive dependencies to GitHub, improving the quality of dependency graph data and Dependabot updates for these apps.

Learn more about the action these starter workflows use by checking out the Build with Gradle action on the GitHub Marketplace. Thank you Gradle for making these updates!

Join the discussion within GitHub Community.

See more
View more changes