Managing security vulnerabilities in your project's dependencies
You can track your repository's dependencies and receive alerts when GitHub detects vulnerable dependencies.
About security alerts for vulnerable dependencies
GitHub tracks reported vulnerabilities in certain dependencies and provides security alerts to affected repositories.
Configuring automated security fixes
You can use automated or manual pull requests to easily update vulnerable dependencies.
Viewing and updating vulnerable dependencies in your repository
If GitHub discovers vulnerable dependencies in your project, you can view them on the Alerts tab of your repository. Then, you can update your project to resolve the vulnerability.
Managing alerts for vulnerable dependencies in your organization's repositories
Organization owners and repository admins receive security alerts when GitHub detects a vulnerable dependency in an organization repository. You can specify additional organization members or teams with write access to also receive security alerts for vulnerable dependencies.