GitHub uses the dependency graph and security alerts to scan your repository and notify you of potential dependency updates
If any dependencies are out-of-date, Dependabot opens a pull request to update each one
If tests pass, and the updated version looks good, you simply merge the pull request
Configuring automated security updates
You can enable automated security updates for any repository that uses security alerts and the dependency graph. You can disable automated security updates for an individual repository or for all repositories owned by your user account or organization. GitHub will automatically enable automated security updates in every repository that uses security alerts and the dependency graph.
Here, we have a security alert on the debug dependency. Clicking on debug will show you the pull request created by Dependabot to update the dependency. We just updated to 2.6.9 but Dependabot noticed we are still outdated.
If you navigate to your pull requests, you'll notice Dependabot has done its job and is trying to bump, or update, the version of debug. Feel free to approve and merge the pull request.
Automated dependency updates with Dependabot
Manually going through your dependencies for alerts and outdated versions is tedious work. Let's automate this process!
Meet Dependabot
Dependabot creates pull requests to keep your dependencies secure and up-to-date!
How does Dependabot work?
Dependabot is the actor for GitHub's automated security updates.
Configuring automated security updates
You can enable automated security updates for any repository that uses security alerts and the dependency graph. You can disable automated security updates for an individual repository or for all repositories owned by your user account or organization. GitHub will automatically enable automated security updates in every repository that uses security alerts and the dependency graph.
Here, we have a security alert on the debug dependency. Clicking on debug will show you the pull request created by Dependabot to update the dependency. We just updated to
2.6.9
but Dependabot noticed we are still outdated.If you navigate to your pull requests, you'll notice Dependabot has done its job and is trying to bump, or update, the version of
debug
. Feel free to approve and merge the pull request.Close this issue when done
I'll respond below when you close the issue.