If GitHub discovers vulnerable dependencies in your project, you can view them on the Alerts tab of your repository. Then, you can update your project to resolve the vulnerability.
The Alerts tab lists all open and closed security vulnerability alerts for your repository. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details and a suggested fix, if one is available. For more information, see "About security alerts for vulnerable dependencies."
Viewing and updating vulnerable dependencies
GitHub recommends keeping all dependencies up-to-date.
Note: After you learn about a vulnerable dependency in your repository, investigate its impact on your project (whether the affected version is actually installed and whether the vulnerable code path is reachable) and confirm that the suggested version falls outside the vulnerable range before you update the dependency. If no safe version exists, we recommend removing the dependency altogether in favor of a similar, safe dependency, if one is available. For more information, see "About security alerts for vulnerable dependencies."
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Insights.
- In the left sidebar, click Alerts.
- Click the alert you'd like to view.
- Review the details of the vulnerability and the remediation suggestion, if available.
- When you're ready to update your dependency to resolve the vulnerability, you can:
  - Update your file in the GitHub interface. For more information, see "Editing files in your repository."
  - Update your file locally and push your changes to GitHub.
Troubleshooting the dependency graph
If your project has dependencies, but no dependencies are detected in your graph, there may be a problem with the file that declares them. Check your project's manifest or lock file (for example, package.json, Gemfile, or requirements.txt) to ensure that it is correctly formatted for its file type; a file that cannot be parsed contributes no dependencies to the graph, and therefore produces no alerts.
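The following is an added example, not code from GitHub or from this page, that puts the two checks above into a script: it confirms whether the version pinned in a manifest is inside an alert's vulnerable range and whether a proposed update resolves it (the verification the note in the previous section asks for), and it reports a manifest that does not parse (the troubleshooting case). It assumes an npm package.json manifest, an alert summarised as a package name, a vulnerable version range and a patched version (the fields shown in an alert's details), and plain major.minor.patch version strings. The package name, versions and manifests below are constructed for illustration.

```python
"""Check a package.json manifest against a dependency alert.

Added example; not GitHub's tooling. Assumes package.json, an alert given as
{package, vulnerable_range, patched_version}, and plain semver versions.
"""
import json
import re

# Exact "major.minor[.patch]" pins only; range specifiers such as "^1.2.3" are rejected.
VERSION_RE = re.compile(r"^\d+(\.\d+){0,2}$")

# Constructed alert in the shape an alert's details provide (hypothetical package).
ALERT = {"package": "example-lib", "vulnerable_range": "< 2.4.1", "patched_version": "2.4.1"}

# Constructed manifests: a pinned vulnerable version, a range specifier, and a trailing
# comma that makes the file invalid JSON (the "no dependencies detected" case).
GOOD_MANIFEST = '{"name": "app", "dependencies": {"example-lib": "2.4.0", "other": "1.0.0"}}\n'
RANGE_MANIFEST = '{"name": "app", "dependencies": {"example-lib": "^2.4.0"}}\n'
BAD_MANIFEST = '{"name": "app", "dependencies": {"example-lib": "2.4.0",}}\n'


def parse_version(v):
    """'2.4' -> (2, 4, 0); raises ValueError for anything that is not a plain pin."""
    v = v.strip()
    if not VERSION_RE.match(v):
        raise ValueError(f"unsupported version string: {v!r}")
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version, range_spec):
    """True if version satisfies every comparator in range_spec, e.g. '>= 2.0.0, < 2.4.1'."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        m = re.match(r"^\s*(<=|>=|<|>|=)\s*(\S+)\s*$", clause)
        if not m:
            raise ValueError(f"bad comparator: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {"<": v < bound, "<=": v <= bound, ">": v > bound,
              ">=": v >= bound, "=": v == bound}[op]
        if not ok:
            return False
    return True


def load_package_json(text):
    """Return {name: specifier} from dependencies and devDependencies.

    Raises ValueError with the location of the formatting problem, which is the
    first thing to look at when the dependency graph shows nothing.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        raise ValueError(f"not valid JSON at line {e.lineno}, column {e.colno}: {e.msg}")
    if not isinstance(data, dict):
        raise ValueError("top level must be a JSON object")
    deps = {}
    for section in ("dependencies", "devDependencies"):
        block = data.get(section, {})
        if not isinstance(block, dict) or not all(
            isinstance(k, str) and isinstance(val, str) for k, val in block.items()
        ):
            raise ValueError(f"{section} must map package names to version strings")
        deps.update(block)
    return deps


def assess(manifest_text, alert):
    """Classify the manifest against the alert.

    Returns 'manifest-error: ...', 'not-present', 'unpinned: ...', 'vulnerable' or 'fixed'.
    A range specifier is reported rather than guessed at: the installed version is
    whatever the lock file resolved it to, so read it from there.
    """
    try:
        deps = load_package_json(manifest_text)
    except ValueError as e:
        return f"manifest-error: {e}"
    spec = deps.get(alert["package"])
    if spec is None:
        return "not-present"
    if not VERSION_RE.match(spec.strip()):
        return f"unpinned: {spec!r} is a range; read the installed version from the lock file"
    return "vulnerable" if in_range(spec, alert["vulnerable_range"]) else "fixed"


def update_resolves(alert, candidate):
    """True if candidate is outside the vulnerable range and at or above the patched version."""
    return (not in_range(candidate, alert["vulnerable_range"])
            and parse_version(candidate) >= parse_version(alert["patched_version"]))


def bump(manifest_text, package, version):
    """Return the manifest text with package pinned to version (the 'update your file' step)."""
    data = json.loads(manifest_text)
    for section in ("dependencies", "devDependencies"):
        if package in data.get(section, {}):
            data[section][package] = version
    return json.dumps(data, indent=2) + "\n"


if __name__ == "__main__":
    print("current:", assess(GOOD_MANIFEST, ALERT))
    print("after bump:", assess(bump(GOOD_MANIFEST, "example-lib", "2.4.1"), ALERT))
    print("range:", assess(RANGE_MANIFEST, ALERT))
    print("broken:", assess(BAD_MANIFEST, ALERT))
```

Run the script as-is to see the four outcomes on the constructed inputs, or point `assess` at your own package.json text and the fields from a real alert. After changing the manifest locally, commit and push it so the alert is re-evaluated against the new version.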