
This version of GitHub Enterprise Server will be discontinued on 2026-03-17. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. Contact GitHub Enterprise Support for help with upgrading.

About Dependabot alerts

Dependabot alerts help you find and fix vulnerable dependencies before they become security risks.

Who can use this feature?

Dependabot alerts are available for organization-owned and user-owned repositories.

Software often relies on packages from various sources, creating dependency relationships that can unknowingly introduce security vulnerabilities. When your code depends on packages with known security vulnerabilities, you become a target for attackers seeking to exploit your system—potentially gaining access to your code, data, customers, or contributors. Dependabot alerts notify you about vulnerable dependencies so you can upgrade to secure versions and protect your project.

When Dependabot sends alerts

Dependabot scans your repository's default branch and sends alerts when:

For supported ecosystems, see Dependency graph supported package ecosystems.

Understanding alerts

When GitHub detects a vulnerable dependency, a Dependabot alert appears on the repository's Security tab and dependency graph. Each alert includes:

  • A link to the affected file
  • Details about the vulnerability and its severity
  • Information about a fixed version (when available)

For information about notifications, viewing, and managing alerts, see Viewing and updating Dependabot alerts.
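The fields listed above (affected manifest, severity, and first patched version) are exactly what a triage script needs. The following is an added example, not code from the GitHub docs or from Dependabot itself: it orders open alerts by severity with fixable ones first, then builds a per-manifest upgrade plan. The alert records are constructed inline and their field names are an assumption modelled on the REST API's Dependabot alert schema; adapt them if your instance returns something different.

```python
"""Triage Dependabot alerts by severity and fix availability (added example).

The records in SAMPLE_ALERTS are constructed for this example. Field names are
an assumption about the shape returned by
GET /repos/{owner}/{repo}/dependabot/alerts; the GHSA IDs are placeholders.
"""
from collections import defaultdict

# Lower rank sorts first. Unknown severities fall to the end.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

SAMPLE_ALERTS = [  # constructed sample data, not real advisories
    {"number": 1, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "lodash"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-placeholder-0001", "severity": "high"},
     "security_vulnerability": {"vulnerable_version_range": "< 4.17.21",
                                "first_patched_version": {"identifier": "4.17.21"}}},
    {"number": 2, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "minimist"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-placeholder-0002", "severity": "critical"},
     "security_vulnerability": {"vulnerable_version_range": "< 1.2.6",
                                "first_patched_version": {"identifier": "1.2.6"}}},
    {"number": 3, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "requests"},
                    "manifest_path": "requirements.txt"},
     "security_advisory": {"ghsa_id": "GHSA-placeholder-0003", "severity": "medium"},
     "security_vulnerability": {"vulnerable_version_range": "<= 2.31.0",
                                "first_patched_version": None}},  # no fix yet
    {"number": 4, "state": "dismissed",
     "dependency": {"package": {"ecosystem": "npm", "name": "ms"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-placeholder-0004", "severity": "low"},
     "security_vulnerability": {"vulnerable_version_range": "< 2.1.3",
                                "first_patched_version": {"identifier": "2.1.3"}}},
    {"number": 5, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "lodash"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-placeholder-0005", "severity": "low"},
     "security_vulnerability": {"vulnerable_version_range": "< 4.17.12",
                                "first_patched_version": {"identifier": "4.17.12"}}},
]


def version_tuple(version):
    """Turn '4.17.21' into (4, 17, 21) so versions compare numerically."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def triage(alerts):
    """Return open alerts ordered by severity; within one severity, fixable first."""
    open_alerts = [a for a in alerts if a["state"] == "open"]

    def sort_key(alert):
        severity = alert["security_advisory"]["severity"]
        fixed = alert["security_vulnerability"].get("first_patched_version")
        return (SEVERITY_RANK.get(severity, 99), 0 if fixed else 1, alert["number"])

    return sorted(open_alerts, key=sort_key)


def upgrade_plan(alerts):
    """Map each manifest path to {package: minimum version that clears its open alerts}.

    Alerts with no first patched version are skipped: they need a workaround
    or removal rather than an upgrade, so they are left to the triage list.
    """
    plan = defaultdict(dict)
    for alert in triage(alerts):
        fixed = alert["security_vulnerability"].get("first_patched_version")
        if not fixed:
            continue
        path = alert["dependency"]["manifest_path"]
        name = alert["dependency"]["package"]["name"]
        # Several alerts may hit one package; keep the highest patched version.
        current = plan[path].get(name)
        if current is None or version_tuple(fixed["identifier"]) > version_tuple(current):
            plan[path][name] = fixed["identifier"]
    return dict(plan)


if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        fix = alert["security_vulnerability"].get("first_patched_version")
        print(alert["number"], alert["security_advisory"]["severity"],
              alert["dependency"]["package"]["name"],
              "fix:", fix["identifier"] if fix else "none")
    print(upgrade_plan(SAMPLE_ALERTS))
```

In practice you would feed the script the JSON returned by the alerts endpoint instead of SAMPLE_ALERTS; the point of the two-level ordering is that an unfixable medium alert should not be buried beneath a pile of low alerts that a single lock-file bump would clear.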

Enabling alerts

Repository administrators and organization owners can enable Dependabot alerts for their repositories. When enabled, GitHub immediately generates the dependency graph and creates alerts for any vulnerable dependencies it identifies. By default, people with write, maintain, or admin permissions receive notifications.

Enterprise owners must enable Dependabot alerts for your GitHub Enterprise Server instance before the feature can be used in any repository. For more information, see Enabling Dependabot for your enterprise. For repository-level settings, see Configuring Dependabot alerts.

Limitations

Dependabot alerts have some limitations:

  • Alerts can't catch every security issue. Alerts are derived from the dependency graph, which is built from your manifest and lock files, so a missing or stale lock file means missing or stale detection. Always review your dependencies and keep manifest and lock files up to date.
  • New vulnerabilities may take time to appear in the GitHub Advisory Database and trigger alerts.
  • Only advisories reviewed by GitHub trigger alerts.
  • Dependabot doesn't scan archived repositories.
  • Dependabot doesn't generate alerts for malware.
  • For GitHub Actions, Dependabot alerts are only generated for actions that use semantic versioning, not SHA versioning.
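Because SHA-pinned actions never trigger a Dependabot alert, a repository that pins everything to commit hashes (a common hardening step) silently loses this signal. The following added example, written for this page and not part of GitHub's or Dependabot's own tooling, walks a workflow file's uses: lines and separates the actions Dependabot will alert on (semantic-version tags) from the ones you must track yourself (commit SHAs, branch names). The workflow text and the hash in it are constructed for the example; local and docker:// actions are skipped because they are not versioned through a marketplace reference.

```python
"""Find GitHub Actions references that Dependabot alerts will not cover (added example).

SAMPLE_WORKFLOW is a constructed workflow; the 40-hex-character hash is a
placeholder, not a real commit.
"""
import re

# Matches "uses: owner/repo@ref" whether or not the key starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # v4, v4.1, v4.1.2, 1.2.3

SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: lint
        uses: some-org/lint-action@main
"""


def classify_ref(ref):
    """'semver' refs get Dependabot alerts; 'sha' and 'other' (branches) do not."""
    if SHA_RE.match(ref):
        return "sha"
    if SEMVER_RE.match(ref):
        return "semver"
    return "other"


def audit_uses(workflow_text):
    """Return one record per marketplace action reference in the workflow."""
    results = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local path or container image: no marketplace version to alert on
        action, _, ref = spec.partition("@")
        results.append({"line": lineno, "action": action, "ref": ref,
                        "kind": classify_ref(ref)})
    return results


def needs_manual_tracking(workflow_text):
    """Actions whose vulnerability status you must watch outside Dependabot alerts."""
    return [r for r in audit_uses(workflow_text) if r["kind"] != "semver"]


if __name__ == "__main__":
    for record in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {record['line']}: {record['action']}@{record['ref']} -> {record['kind']}")
    print("needs manual tracking:",
          [r["action"] for r in needs_manual_tracking(SAMPLE_WORKFLOW)])
```

Run it over every file under .github/workflows; a SHA-pinned action is the stronger supply-chain control, but the output is your reminder that those pins need a separate process (for example, a scheduled Dependabot version update or a manual review against the action's advisories) to stay current.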

Further reading