If GitHub discovers vulnerable dependencies in your project, you can view them using your repository's dependency graph. Then, you can update your project to resolve the vulnerability.

The dependency graph is available for every public repository. Repository administrators can also set up the dependency graph for private repositories. For more information on enabling the dependency graph for your private repository, see "Listing the packages that a repository depends on."

Vulnerable dependencies are highlighted in yellow and listed first on the dependency graph. You can use a drop-down menu to view the severity level for the vulnerability and, if available, a suggested version to update your dependency to.

[Image: Security alert in dependency graph with severity level, suggested update, and link to more information on the vulnerability]

Viewing and updating vulnerable dependencies

GitHub recommends keeping all dependencies up to date.

Note: After you learn about a vulnerable dependency in your repository, you should investigate its impact on your project and verify that the vulnerability is resolved by the version change before you update the dependency. If a safe recommended version does not exist, we recommend removing the dependency altogether in favor of a similar, safe dependency, if one is available. For more information, see "About security alerts for vulnerable dependencies."

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Insights. [Image: Insights tab in the main repository navigation bar]

  3. In the left sidebar, click Dependency graph. [Image: Dependency graph tab in the left sidebar]

  4. Next to a highlighted dependency, click the drop-down menu.

  5. To view the affected line in your project, click View vulnerability info.

  6. When you're ready to update your dependency to resolve the vulnerability, you can:
    • Update your file in the GitHub interface. For more information, see "Editing files in your repository."
    • Update your file locally and push your changes to GitHub.
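The same details the drop-down shows (severity, affected file, current requirement, and suggested version) can also be pulled for a whole repository with the GraphQL API, which is useful when triaging many alerts. The script below is an added example, not GitHub's own code; it assumes the `vulnerabilityAlerts` field names shown and a token with read access to the repository, and the response it parses is constructed sample data.

```python
import json
import urllib.request

# Query shape follows GitHub's GraphQL API `vulnerabilityAlerts` connection on Repository
# (field names as documented for the v4 API; treat as an assumption and check the schema).
QUERY = """query($owner: String!, $name: String!) {
  repository(owner: $owner, name: $name) { vulnerabilityAlerts(first: 100) { nodes {
    vulnerableManifestPath vulnerableRequirements
    securityVulnerability { severity vulnerableVersionRange
      package { name ecosystem } firstPatchedVersion { identifier } } } } } }"""

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MODERATE": 2, "LOW": 3}


def fetch_alerts(owner, name, token):
    """Send QUERY to api.github.com; the token needs read access to the repository."""
    body = json.dumps({"query": QUERY, "variables": {"owner": owner, "name": name}}).encode()
    req = urllib.request.Request(
        "https://api.github.com/graphql", data=body,
        headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize_alerts(response):
    """Flatten a response into rows sorted by severity, the order the UI lists them in."""
    rows = []
    for node in response["data"]["repository"]["vulnerabilityAlerts"]["nodes"]:
        vuln = node["securityVulnerability"]
        patched = vuln.get("firstPatchedVersion")
        rows.append({
            "severity": vuln["severity"],
            "package": vuln["package"]["name"],
            "manifest": node["vulnerableManifestPath"],   # the affected file
            "current": node["vulnerableRequirements"],    # the version you depend on
            "range": vuln["vulnerableVersionRange"],
            # None: no patched version is published, so plan to replace the dependency
            "fix": patched["identifier"] if patched else None,
        })
    rows.sort(key=lambda r: SEVERITY_ORDER.get(r["severity"], len(SEVERITY_ORDER)))
    return rows


# Constructed sample response (not real data); same shape the query above returns.
SAMPLE_RESPONSE = {"data": {"repository": {"vulnerabilityAlerts": {"nodes": [
    {"vulnerableManifestPath": "package-lock.json", "vulnerableRequirements": "= 1.2.0",
     "securityVulnerability": {"severity": "MODERATE", "vulnerableVersionRange": "< 1.2.3",
      "package": {"name": "example-pkg", "ecosystem": "NPM"},
      "firstPatchedVersion": {"identifier": "1.2.3"}}},
    {"vulnerableManifestPath": "requirements.txt", "vulnerableRequirements": "== 0.9.1",
     "securityVulnerability": {"severity": "HIGH", "vulnerableVersionRange": "<= 0.9.1",
      "package": {"name": "other-lib", "ecosystem": "PIP"}, "firstPatchedVersion": None}},
]}}}}
```

Run `summarize_alerts(fetch_alerts(owner, repo, token))` against a live repository, or `summarize_alerts(SAMPLE_RESPONSE)` offline; a row whose `fix` is `None` is the "no safe recommended version" case from the note above.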

Troubleshooting the dependency graph

If your project has dependencies, but no dependencies are detected in your graph, there may be a problem with the file containing your dependencies. Check your project's file to ensure that it's correctly formatted for the file type.

Further reading