Dependabot's Three Features for Securing Dependencies

Dependabot works from your repository's dependency graph and offers three features: alerts, which tell you when a package you use has a known vulnerability; security updates, which automatically open pull requests (PRs) bumping a vulnerable package to the patched version; and version updates, which open PRs for routine, non-security dependency bumps. Enabling all three covers detection, urgent fixes, and ongoing maintenance. The dependency graph is built from package manifests and lockfiles such as package.json and package-lock.json; it is on by default for public repositories, and for private ones GitHub turns it on when you enable Dependabot alerts.

For hands-on practice, fork https://github.com/dependabot/demo: click Fork, choose an owner, keep or change the repository name, and click Create fork. The demo repository pins vulnerable dependency versions on purpose, so your fork surfaces real alerts such as 'Command Injection in lodash' to work through.

One-Click Enablement and Config in Repo Settings

In your fork, open Settings, find Advanced Security in the Security section of the sidebar, and enable Dependabot alerts, Dependabot security updates, and Dependabot version updates. Enabling version updates opens a starter .github/dependabot.yml in the editor; edit it to declare each package ecosystem, its directory, an update schedule, and any ignore rules (GitHub's example uses 'version: 2' and an 'updates' list whose entries set 'package-ecosystem' such as 'npm', 'directory: "/"', and 'schedule: {interval: "daily"}'), then commit it to the default branch to activate version updates.
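A fuller dependabot.yml than the one-ecosystem starter, as an added example (it is not the page's or the dependabot/demo repository's own file). It assumes the npm manifest lives in /javascript, matching the javascript/package-lock.json path of the lodash alert discussed later, and that the repository also has GitHub Actions workflows under /.github/workflows; the dependency name in the ignore rule is a placeholder.

```yaml
# .github/dependabot.yml (added example, not from dependabot/demo)
# Assumes: npm manifest in /javascript; workflows in /.github/workflows.
version: 2
updates:
  # Version updates for the npm project.
  - package-ecosystem: "npm"
    directory: "/javascript"        # where package.json / package-lock.json live
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 5     # caps version-update PRs, not security PRs
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
    # Batch routine minor/patch bumps into one PR; majors stay separate.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Ignore rules are applied to security updates too, so scope them
    # narrowly: here only major bumps of one (placeholder) dependency.
    ignore:
      - dependency-name: "example-placeholder-package"
        update-types: ["version-update:semver-major"]

  # Keep the Actions used in workflows current as well; these are
  # dependencies in the same supply-chain sense as npm packages.
  - package-ecosystem: "github-actions"
    directory: "/"                  # Dependabot looks in /.github/workflows
    schedule:
      interval: "weekly"
```

The file only takes effect on the default branch. A broad 'ignore' entry (a dependency name with no 'update-types' or 'versions' qualifier) also stops Dependabot security updates for that dependency, which is usually not what you want; prefer pinning the specific update types or version ranges you intend to skip.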

This works for both user and organization repositories; organization owners can turn the features on for all existing repositories, and for new ones by default, from the organization's security settings.

View, Prioritize, and Drill into Vulnerability Details

Open the repository's Security tab and follow Findings > Dependabot > Vulnerabilities; the Open tab is shown by default. Filter by severity, package, ecosystem, or manifest to focus the list (auto-triage rules, which are configured separately, can dismiss low-value alerts automatically). Click an alert (for example the lodash alert in javascript/package-lock.json) to see:

  • Package name with the affected and patched version ranges.
  • Description of the vulnerability.
  • Severity (derived from the CVSS score), tags, CWEs, and CVE/GHSA identifiers.
  • Link to the advisory in the GitHub Advisory Database.
  • List of affected repositories.
  • Link to the automatic PR: click Review security update to inspect it.

The Closed tab holds fixed, dismissed, and auto-dismissed alerts. Work the Open list by severity and exploitability: a critical alert on a directly imported package with a patch available comes before a low-severity finding in a transitive development dependency.

Resolve Alerts: Merge PRs or Dismiss with Justification

To fix an alert, click Review security update on it. Dependabot's PR lists the upgrade commits and, where the maintainers publish them, release notes and changelog diffs. You can drive the PR by commenting on it with Dependabot commands (linked under 'Dependabot commands and options' in the PR body), for example '@dependabot rebase' to refresh it against the base branch or '@dependabot merge' to merge once CI passes. Review the diff and the CI results before merging: the PR is a supply-chain change like any other, and the new version should be the one the advisory names as patched. Merging applies the patched version and closes the alert.

To dismiss: open the alert, click Dismiss alert, choose a reason (a fix has already been started; no bandwidth to fix this; risk is tolerable to this project; this alert is inaccurate or incorrect; vulnerable code is not actually used), add a comment explaining the decision for the audit trail, and confirm. Dismissed alerts move to the Closed tab and can be reopened from there if the assessment changes.

If a security update PR is not created or an alert looks wrong, consult GitHub's docs on Dependabot errors and on how vulnerable dependencies are detected. Next steps: customize notifications, set organization-wide policies, manage Dependabot PRs, or browse the GitHub Advisory Database.