Viewing and updating vulnerable dependencies in your repository
If GitHub discovers vulnerable dependencies in your project, you can view them on the Alerts tab of your repository. Then, you can update your project to resolve the vulnerability.
Your repository's Alerts tab lists all open and closed security alerts and corresponding automated security updates. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "About security alerts for vulnerable dependencies."
You can enable automatic security updates for any repository that uses security alerts and the dependency graph. For more information, see "Configuring automated security updates."
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Security.
- Click the alert you'd like to view.
- Review the details of the vulnerability and, if available, the pull request containing the automated security update.
- Optionally, if the alert doesn't already have an automated security update, click Create automated security update to create a pull request that resolves the vulnerability.
- When you're ready to update your dependency and resolve the vulnerability, merge the pull request.