
Dependabot malware alerts

Dependabot malware alerts help you identify malware in your dependencies to protect your project and its users.

Who can use this feature?

Repositories with Dependabot alerts enabled

Software often relies on packages from various sources, creating dependency relationships that can threaten your project's security. For example, bad actors can use malicious packages to execute malware attacks, gaining access to your code, data, users, and contributors.

To help keep your project secure, Dependabot can check your dependencies for known malicious packages, then create alerts with suggested remediation steps.

When Dependabot sends malware alerts

Dependabot sends malware alerts when a package in your repository's default branch is flagged as malicious. Alerts for existing dependencies are generated as soon as the package is flagged as malicious in the GitHub Advisory Database.

Alerts are also generated when you push commits that add a known malicious package or update a package to a known malicious version.

Note

If the ecosystem, name, and version of an internal package match those of a malicious public package, Dependabot may generate a false positive alert.

Alert contents

When Dependabot detects a malicious dependency, a malware alert appears on the repository's Security tab. Each alert includes:

  • A link to the affected file
  • Details about the malicious package, including the package name, affected versions, and the patched version (when available)
  • Remediation steps

Availability

Currently, Dependabot malware alerts are available for packages in the npm ecosystem.

Alert notifications

By default, GitHub sends email notifications about new alerts to people who both:

  • Have write, maintain, or admin permissions to a repository
  • Are watching the repository and have enabled notifications for security alerts or for all activity on the repository

On GitHub.com, you can override the default behavior by choosing the type of notifications you want to receive, or switching notifications off altogether in the settings page for your user notifications at https://github.com/settings/notifications.

If you are concerned about receiving too many notifications, we recommend leveraging Dependabot auto-triage rules to auto-dismiss low-risk alerts. See About Dependabot auto-triage rules.

Limitations

Dependabot malware alerts have some limitations:

  • Alerts can't catch every security issue. Always review your dependencies and keep manifest and lock files up to date for accurate detection.
  • New malware may take time to appear in the GitHub Advisory Database and trigger alerts.
  • Only advisories reviewed by GitHub trigger alerts.
  • Dependabot doesn't scan archived repositories.
  • For GitHub Actions, alerts are only generated for actions that use semantic versioning, not SHA versioning.

GitHub never publicly discloses malicious dependencies for any repository.

Next steps

To start protecting your project from malicious dependencies, see Configuring Dependabot malware alerts.