You can track your repository's dependencies and receive alerts when GitHub detects vulnerable dependencies.
GitHub tracks reported vulnerabilities in certain dependencies and provides security alerts to affected repositories.
If GitHub discovers vulnerable dependencies in your project, you can view them on the Alerts tab of your repository. Then, you can update your project to resolve the vulnerability.
Organization owners and repository admins receive security alerts when GitHub detects a vulnerable dependency in an organization repository. You can also designate additional organization members or teams that have write access to receive security alerts for vulnerable dependencies.