Viewing and updating vulnerable dependencies in your repository

If GitHub discovers vulnerable dependencies in your project, you can view them on the Alerts tab of your repository. Then, you can update your project to resolve the vulnerability.

The Alerts tab lists all open and closed security vulnerability alerts for your repository. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details and a suggested fix, if one is available. For more information, see "About security alerts for vulnerable dependencies."

(Screenshot: security alerts on the Alerts tab, each shown with its severity level)

Viewing and updating vulnerable dependencies

GitHub recommends keeping all dependencies up to date.

Note: After you learn about a vulnerable dependency in your repository, you should investigate its impact on your project and verify that the vulnerability is resolved by the version change before you update the dependency. If a safe recommended version does not exist, we recommend removing the dependency altogether in favor of a similar, safe dependency, if one is available. For more information, see "About security alerts for vulnerable dependencies."

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Insights.

    (Screenshot: Insights tab in the main repository navigation bar)

  3. In the left sidebar, click Alerts.

    (Screenshot: Alerts tab in the left sidebar)

  4. Click the alert you'd like to view.

    (Screenshot: an alert selected in the list of alerts)

  5. Review the details of the vulnerability and the remediation suggestion, if available.

  6. When you're ready to update your dependency to resolve the vulnerability, you can:

    • Update your file in the GitHub interface. For more information, see "Editing files in your repository."
    • Update your file locally and push your changes to GitHub.

Troubleshooting the dependency graph

If your project has dependencies but none are detected in your graph, there may be a problem with the manifest file that lists your dependencies. Check that file to ensure it is correctly formatted for its file type; a single malformed line can prevent the whole file from being parsed.
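The two local tasks this page describes, checking that a dependency manifest is well formed (the troubleshooting step above) and bumping a pinned dependency to a safe version before pushing the change (step 6 in the procedure), can both be done with a small script. The following is an added example, not code from GitHub or from this documentation; it assumes a Python requirements.txt manifest, uses a deliberately simplified line grammar and version comparison (real installers follow PEP 508 and PEP 440, which allow more), and works on a constructed sample manifest embedded inline.

```python
import re
from typing import List, Tuple

# Constructed sample requirements.txt (not from any real project). Line 4 is
# intentionally malformed to show what the troubleshooting check reports.
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
examplelib==1.0.0
otherlib>=2.3
badline == == 9
   
"""

# Simplified requirement line: <name> <operator> <version>.
# Extras ("pkg[extra]"), environment markers and URLs are not handled here.
SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)\s*([A-Za-z0-9.+*-]+)\s*$"
)


def check_requirements(text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line that is neither blank, a
    comment, nor a valid requirement spec. An empty list means the manifest
    parses under the simplified grammar above."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not SPEC_RE.match(stripped):
            problems.append((lineno, stripped))
    return problems


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified numeric version key: non-numeric components count as 0.
    Real ecosystems use packaging.version or semver rules instead."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def is_at_least(candidate: str, patched: str) -> bool:
    """True if `candidate` is the patched version or newer, i.e. the bump
    actually reaches the version the alert says resolves the vulnerability."""
    return version_key(candidate) >= version_key(patched)


def bump_pin(text: str, package: str, fixed_version: str) -> Tuple[str, bool]:
    """Rewrite the exact pin `package==X` to `package==fixed_version`.
    Returns the new manifest text and whether any line was changed.
    Only exact pins are rewritten; range specifiers are left for review."""
    out = []
    changed = False
    for line in text.splitlines():
        m = SPEC_RE.match(line)
        if m and m.group(1).lower() == package.lower() and m.group(2) == "==":
            out.append(f"{m.group(1)}=={fixed_version}")
            changed = True
        else:
            out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


if __name__ == "__main__":
    # 1. Troubleshooting: report lines the dependency parser would choke on.
    for lineno, line in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"malformed requirement on line {lineno}: {line!r}")

    # 2. Remediation: confirm the target version reaches the patched version
    #    from the alert (placeholder values), then rewrite the pin.
    patched_version = "1.0.1"   # placeholder for the alert's "patched in" version
    target_version = "1.0.1"    # the version you intend to pin
    if is_at_least(target_version, patched_version):
        updated, changed = bump_pin(SAMPLE_REQUIREMENTS, "examplelib", target_version)
        print("pin updated" if changed else "no exact pin found")
        print(updated)
```

After writing the updated manifest back to disk, install and run your tests against the new version, then commit and push the change so the alert closes once GitHub re-scans the repository. The `check_requirements` report is the quick way to find the malformed line when the graph shows no dependencies for a file that clearly has them.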
