diff --git a/content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md b/content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md index 843cf0bcc0..8d25c497ef 100644 --- a/content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md +++ b/content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md @@ -1,11 +1,11 @@ --- title: Enabling alerts for vulnerable dependencies on GitHub Enterprise Server -intro: 'You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} and enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies in repositories in your instance.' +intro: 'You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} and enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies in repositories in your instance.' redirect_from: - /enterprise/admin/installation/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server - /enterprise/admin/configuration/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server - /enterprise/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server -permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}.' +permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}.' versions: enterprise-server: '*' --- @@ -14,11 +14,11 @@ versions: {% data reusables.repositories.tracks-vulnerabilities %} For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." -You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}, then sync vulnerability data to your instance and generate {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts in repositories with a vulnerable dependency. +You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}, then sync vulnerability data to your instance and generate {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts in repositories with a vulnerable dependency. -After connecting {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %} and enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies, vulnerability data is synced from {% data variables.product.prodname_dotcom_the_website %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}. +After connecting {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %} and enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies, vulnerability data is synced from {% data variables.product.prodname_dotcom_the_website %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}. -{% if currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate {% data variables.product.prodname_dependabot_short %} alerts. You can customize how you receive {% data variables.product.prodname_dependabot_short %} alerts. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-github-dependabot-alerts)." +{% if currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate {% data variables.product.prodname_dependabot_alerts %}. You can customize how you receive {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-dependabot-alerts)." {% endif %} {% if currentVersion == "enterprise-server@2.21" %}When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate security alerts. You can customize how you receive security alerts. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-security-alerts)." @@ -28,23 +28,25 @@ After connecting {% data variables.product.product_location %} to {% data variab {% endif %} {% if currentVersion ver_gt "enterprise-server@2.21" %} -### Enabling {% data variables.product.prodname_dependabot_short %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %} +### Enabling {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.prodname_ghe_server %} {% else %} ### Enabling security alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %} {% endif %} -Before enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}, you must connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %}](/enterprise/{{ currentVersion }}/admin/guides/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)." +Before enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}, you must connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %}](/enterprise/{{ currentVersion }}/admin/guides/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)." {% if currentVersion ver_gt "enterprise-server@2.20" %} -{% if currentVersion ver_gt "enterprise-server@2.21" %}We recommend configuring {% data variables.product.prodname_dependabot_short %} alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_short %} alerts as usual.{% endif %} +{% if currentVersion ver_gt "enterprise-server@2.21" %}We recommend configuring {% data variables.product.prodname_dependabot_alerts %} without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_alerts %} as usual.{% endif %} {% if currentVersion == "enterprise-server@2.21" %}We recommend configuring security alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive security alerts as usual.{% endif %} {% endif %} {% data reusables.enterprise_site_admin_settings.sign-in %} -1. In the administrative shell, enable the {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}: + +1. In the administrative shell, enable the {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}: + ``` shell $ ghe-dep-graph-enable ``` diff --git a/content/github/administering-a-repository/about-github-dependabot-version-updates.md b/content/github/administering-a-repository/about-dependabot-version-updates.md similarity index 54% rename from content/github/administering-a-repository/about-github-dependabot-version-updates.md rename to content/github/administering-a-repository/about-dependabot-version-updates.md index d765f55cfb..faa1362b55 100644 --- a/content/github/administering-a-repository/about-github-dependabot-version-updates.md +++ b/content/github/administering-a-repository/about-dependabot-version-updates.md @@ -1,8 +1,10 @@ --- -title: About GitHub Dependabot version updates +title: About Dependabot version updates intro: 'You can use {% data variables.product.prodname_dependabot %} to keep the packages you use updated to the latest versions.' redirect_from: - - /github/administering-a-repository/about-github-dependabot + - /github/administering-a-repository/about-dependabot + - /github/administering-a-repository/about-github-dependabot-version-updates + versions: free-pro-team: '*' --- @@ -13,11 +15,11 @@ versions: {% data variables.product.prodname_dependabot %} takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. -You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a configuration file in to your repository. The configuration file specifies the location of the manifest, or other package definition files, stored in your repository. {% data variables.product.prodname_dependabot_short %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot_short %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository, rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary. +You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a configuration file in to your repository. The configuration file specifies the location of the manifest, or other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository, rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary. -When {% data variables.product.prodname_dependabot_short %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot_short %} raises a pull request to directly replace the outdated dependency with the new version. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." +When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to directly replace the outdated dependency with the new version. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." -If you enable security updates, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)." +If you enable security updates, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." {% data reusables.dependabot.dependabot-tos %} @@ -27,7 +29,7 @@ You specify how often to check each ecosystem for new versions in the configurat {% data reusables.dependabot.initial-updates %} -If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot_short %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency. +If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency. ### Supported repositories and ecosystems diff --git a/content/github/administering-a-repository/about-releases.md b/content/github/administering-a-repository/about-releases.md index c28637462b..96354c437a 100644 --- a/content/github/administering-a-repository/about-releases.md +++ b/content/github/administering-a-repository/about-releases.md @@ -30,7 +30,7 @@ People with admin permissions to a repository can choose whether {% data variabl {% endif %} {% if currentVersion == "free-pro-team@latest" %} -If a release fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_short %} alerts to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)." +If a release fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)." You can view the **Dependents** tab of the dependency graph to see which repositories and packages depend on code in your repository, and may therefore be affected by a new release. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)." {% endif %} diff --git a/content/github/administering-a-repository/about-securing-your-repository.md b/content/github/administering-a-repository/about-securing-your-repository.md index 63214df232..9965531c8e 100644 --- a/content/github/administering-a-repository/about-securing-your-repository.md +++ b/content/github/administering-a-repository/about-securing-your-repository.md @@ -21,14 +21,14 @@ The first step to securing a repository is to set up who can see and modify your Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage them to upgrade. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)." -- **{% data variables.product.prodname_dependabot_short %} alerts and security updates** +- **{% data variables.product.prodname_dependabot_alerts %} and security updates** View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" - and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)." + and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." -- **{% data variables.product.prodname_dependabot_short %} version updates** +- **{% data variables.product.prodname_dependabot %} version updates** - Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-github-dependabot-version-updates)." + Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)." - **{% data variables.product.prodname_code_scanning_capc %} alerts** @@ -44,6 +44,6 @@ The first step to securing a repository is to set up who can see and modify your * Ecosystems and packages that your repository depends on * Repositories and packages that depend on your repository -You must enable the dependency graph before {% data variables.product.prodname_dotcom %} can generate {% data variables.product.prodname_dependabot_short %} alerts for dependencies with security vulnerabilities. +You must enable the dependency graph before {% data variables.product.prodname_dotcom %} can generate {% data variables.product.prodname_dependabot_alerts %} for dependencies with security vulnerabilities. You can find the dependency graph on the **Insights** tab for your repository. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)." diff --git a/content/github/administering-a-repository/configuration-options-for-dependency-updates.md b/content/github/administering-a-repository/configuration-options-for-dependency-updates.md index da6eb3422b..717819bb6a 100644 --- a/content/github/administering-a-repository/configuration-options-for-dependency-updates.md +++ b/content/github/administering-a-repository/configuration-options-for-dependency-updates.md @@ -12,7 +12,7 @@ versions: The {% data variables.product.prodname_dependabot %} configuration file, *dependabot.yml*, uses YAML syntax. If you're new to YAML and want to learn more, see "[Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes)." -You must store this file in the `.github` directory of your repository. When you add or update the *dependabot.yml* file, this triggers an immediate check for version updates. Any options that also affect security updates are used the next time a security alert triggers a pull request with for security update. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)." +You must store this file in the `.github` directory of your repository. When you add or update the *dependabot.yml* file, this triggers an immediate check for version updates. Any options that also affect security updates are used the next time a security alert triggers a pull request with for security update. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)." ### Configuration options for *dependabot.yml* @@ -56,13 +56,13 @@ In addition, the [`open-pull-requests-limit`](#open-pull-requests-limit) option Security updates are raised for vulnerable package manifests only on the default branch. When configuration options are set for the same branch (true unless you use `target-branch`), and specify a `package-ecosystem` and `directory` for the vulnerable manifest, then pull requests for security updates use relevant options. -In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)." +In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)." {% endnote %} ### `package-ecosystem` -**Required** You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot_short %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below. +**Required** You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below. {% data reusables.dependabot.supported-package-managers %} @@ -308,7 +308,7 @@ updates: {% note %} -**Note**: {% data variables.product.prodname_dependabot_version_updates %} can't run version updates for any dependencies in manifests containing private git dependencies or private git registries, even if you add the private dependencies to the `ignore` option of your configuration file. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-github-dependabot#supported-repositories-and-ecosystems)." +**Note**: {% data variables.product.prodname_dependabot_version_updates %} can't run version updates for any dependencies in manifests containing private git dependencies or private git registries, even if you add the private dependencies to the `ignore` option of your configuration file. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot#supported-repositories-and-ecosystems)." {% endnote %} @@ -544,7 +544,7 @@ updates: ### `vendor` -Use the `vendor` option to tell {% data variables.product.prodname_dependabot_short %} to vendor dependencies when updating them. +Use the `vendor` option to tell {% data variables.product.prodname_dependabot %} to vendor dependencies when updating them. ```yaml # Configure version updates for both dependencies defined in manifests and vendored dependencies @@ -559,7 +559,7 @@ updates: interval: "weekly" ``` -{% data variables.product.prodname_dependabot_short %} only updates the vendored dependencies located in specific directories in a repository. +{% data variables.product.prodname_dependabot %} only updates the vendored dependencies located in specific directories in a repository. | Package manager | Required file path for vendored dependencies | More information | |------------------|-------------------------------|--------| diff --git a/content/github/administering-a-repository/customizing-dependency-updates.md b/content/github/administering-a-repository/customizing-dependency-updates.md index 26f64bba21..95340f31d2 100644 --- a/content/github/administering-a-repository/customizing-dependency-updates.md +++ b/content/github/administering-a-repository/customizing-dependency-updates.md @@ -20,7 +20,7 @@ After you've enabled version updates, you can customize how {% data variables.pr For more information about the configuration options, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates)." -When you update the *dependabot.yml* file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot_short %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see "[Listing dependencies configured for version updates](/github/administering-a-repository/listing-dependencies-configured-for-version-updates)." +When you update the *dependabot.yml* file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see "[Listing dependencies configured for version updates](/github/administering-a-repository/listing-dependencies-configured-for-version-updates)." ### Impact of configuration changes on security updates diff --git a/content/github/administering-a-repository/enabling-and-disabling-version-updates.md b/content/github/administering-a-repository/enabling-and-disabling-version-updates.md index c3e997f0dc..51734816e3 100644 --- a/content/github/administering-a-repository/enabling-and-disabling-version-updates.md +++ b/content/github/administering-a-repository/enabling-and-disabling-version-updates.md @@ -10,7 +10,7 @@ versions: ### About version updates for dependencies -You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a *dependabot.yml* configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot_short %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)." +You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a *dependabot.yml* configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)." {% data reusables.dependabot.initial-updates %} For more information, see "[Customizing dependency updates](/github/administering-a-repository/customizing-dependency-updates)." @@ -72,7 +72,7 @@ On a fork, you also need to explicitly enable {% data variables.product.prodname ### Checking the status of version updates -After you enable version updates, you'll see a new **Dependabot** tab in the dependency graph for the repository. This tab shows which package managers {% data variables.product.prodname_dependabot %} is configured to monitor and when {% data variables.product.prodname_dependabot_short %} last checked for new versions. +After you enable version updates, you'll see a new **Dependabot** tab in the dependency graph for the repository. This tab shows which package managers {% data variables.product.prodname_dependabot %} is configured to monitor and when {% data variables.product.prodname_dependabot %} last checked for new versions. ![Repository Insights tab, Dependency graph, Dependabot tab](/assets/images/help/dependabot/dependabot-tab-view-beta.png) diff --git a/content/github/administering-a-repository/index.md b/content/github/administering-a-repository/index.md index 553b78e911..ecae8ec4f0 100644 --- a/content/github/administering-a-repository/index.md +++ b/content/github/administering-a-repository/index.md @@ -91,11 +91,11 @@ versions: {% topic_link_in_list /keeping-your-dependencies-updated-automatically %} - {% link_in_list /about-github-dependabot-version-updates %} + {% link_in_list /about-dependabot-version-updates %} {% link_in_list /enabling-and-disabling-version-updates %} {% link_in_list /listing-dependencies-configured-for-version-updates %} {% link_in_list /managing-pull-requests-for-dependency-updates %} {% link_in_list /customizing-dependency-updates %} {% link_in_list /configuration-options-for-dependency-updates %} - {% link_in_list /keeping-your-actions-up-to-date-with-github-dependabot %} + {% link_in_list /keeping-your-actions-up-to-date-with-dependabot %} diff --git a/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot.md b/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md similarity index 70% rename from content/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot.md rename to content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md index 408911429a..e489fec42f 100644 --- a/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot.md +++ b/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md @@ -1,6 +1,8 @@ --- -title: Keeping your actions up to date with GitHub Dependabot +title: Keeping your actions up to date with Dependabot intro: 'You can use {% data variables.product.prodname_dependabot %} to keep the actions you use updated to the latest versions.' +redirect_from: + - /github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot versions: free-pro-team: '*' --- @@ -9,7 +11,7 @@ versions: ### About {% data variables.product.prodname_dependabot_version_updates %} for actions -Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's *workflow.yml* file are kept up to date. For each action in the file, {% data variables.product.prodname_dependabot_short %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, {% data variables.product.prodname_dependabot_short %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-github-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)." +Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's *workflow.yml* file are kept up to date. For each action in the file, {% data variables.product.prodname_dependabot %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, {% data variables.product.prodname_dependabot %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)." ### Enabling {% data variables.product.prodname_dependabot_version_updates %} for actions @@ -23,7 +25,7 @@ You can also enable {% data variables.product.prodname_dependabot_version_update #### Example *dependabot.yml* file for {% data variables.product.prodname_actions %} -The example *dependabot.yml* file below configures version updates for {% data variables.product.prodname_actions %}. The `directory` must be set to `"/"` to check for workflow files in `.github/workflows`. The `schedule.interval` is set to `"daily"`. After this file has been checked in or updated, {% data variables.product.prodname_dependabot %} checks for new versions of your actions. {% data variables.product.prodname_dependabot_short %} will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, {% data variables.product.prodname_dependabot_short %} will continue to check for outdated versions of actions once a day. +The example *dependabot.yml* file below configures version updates for {% data variables.product.prodname_actions %}. The `directory` must be set to `"/"` to check for workflow files in `.github/workflows`. The `schedule.interval` is set to `"daily"`. After this file has been checked in or updated, {% data variables.product.prodname_dependabot %} checks for new versions of your actions. {% data variables.product.prodname_dependabot %} will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, {% data variables.product.prodname_dependabot %} will continue to check for outdated versions of actions once a day. ```yaml # Set update schedule for GitHub Actions diff --git a/content/github/administering-a-repository/listing-dependencies-configured-for-version-updates.md b/content/github/administering-a-repository/listing-dependencies-configured-for-version-updates.md index 00fe9a059c..19a0c93aee 100644 --- a/content/github/administering-a-repository/listing-dependencies-configured-for-version-updates.md +++ b/content/github/administering-a-repository/listing-dependencies-configured-for-version-updates.md @@ -9,7 +9,7 @@ versions: ### Viewing dependencies monitored by {% data variables.product.prodname_dependabot %} -After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot_short %}** tab in the dependency graph for the repository. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." +After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot %}** tab in the dependency graph for the repository. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.accessing-repository-graphs %} @@ -22,7 +22,7 @@ If any dependencies are missing, check the log files for errors. If any package ### Viewing {% data variables.product.prodname_dependabot %} log files -1. On the **{% data variables.product.prodname_dependabot_short %}** tab, click **Last checked *TIME* ago** to see the log file that {% data variables.product.prodname_dependabot %} generated during the last check for version updates. +1. On the **{% data variables.product.prodname_dependabot %}** tab, click **Last checked *TIME* ago** to see the log file that {% data variables.product.prodname_dependabot %} generated during the last check for version updates. ![View log file](/assets/images/help/dependabot/last-checked-link.png) 2. Optionally, to rerun the version check, click **Check for updates**. ![Check for updates](/assets/images/help/dependabot/check-for-updates.png) diff --git a/content/github/administering-a-repository/managing-pull-requests-for-dependency-updates.md b/content/github/administering-a-repository/managing-pull-requests-for-dependency-updates.md index 6f93905e1f..ebe089535a 100644 --- a/content/github/administering-a-repository/managing-pull-requests-for-dependency-updates.md +++ b/content/github/administering-a-repository/managing-pull-requests-for-dependency-updates.md @@ -11,7 +11,7 @@ versions: {% data reusables.dependabot.pull-request-introduction %} -When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)." +When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. For more information, see "[Customizing dependency updates](/github/administering-a-repository/customizing-dependency-updates)." diff --git a/content/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server.md b/content/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server.md index 4a2ad75b8e..52e4315c74 100644 --- a/content/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server.md +++ b/content/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server.md @@ -13,7 +13,7 @@ versions: You can request a 45-day trial to evaluate {% data variables.product.prodname_ghe_server %}. Your trial will be installed as a virtual appliance, with options for on-premises or cloud deployment. For a list of supported visualization platforms, see "[Setting up a GitHub Enterprise Server instance](/enterprise/admin/installation/setting-up-a-github-enterprise-server-instance)." -{% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}Security{% endif %} alerts and {% data variables.product.prodname_github_connect %} are not currently available in trials of {% data variables.product.prodname_ghe_server %}. For a demonstration of these features, contact {% data variables.contact.contact_enterprise_sales %}. For more information about these features, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)." +{% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}Security{% endif %} alerts and {% data variables.product.prodname_github_connect %} are not currently available in trials of {% data variables.product.prodname_ghe_server %}. For a demonstration of these features, contact {% data variables.contact.contact_enterprise_sales %}. For more information about these features, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)." Trials are also available for {% data variables.product.prodname_ghe_cloud %}. For more information, see "[Setting up a trial of {% data variables.product.prodname_ghe_cloud %}](/articles/setting-up-a-trial-of-github-enterprise-cloud)." diff --git a/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md b/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md index 2056d1ac51..c0f46c3657 100644 --- a/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md +++ b/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md @@ -17,7 +17,7 @@ When your code depends on a package that has a security vulnerability, this vuln ### Detection of vulnerable dependencies - {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_short %} alerts{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when: + {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_alerts %}{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when: {% if currentVersion == "free-pro-team@latest" %} - A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)." @@ -49,11 +49,11 @@ You can also enable or disable {% data variables.product.prodname_dependabot_ale {% endif %} {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} -When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot_short %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)." +When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)." {% endif %} {% if currentVersion == "free-pro-team@latest" %} -For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)." +For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." {% endif %} {% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %} @@ -66,12 +66,12 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc {% endwarning %} -### Access to {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts +### Access to {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts You can see all of the alerts that affect a particular project{% if currentVersion == "free-pro-team@latest" %} on the repository's Security tab or{% endif %} in the repository's dependency graph.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %} {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} -By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_short %} alerts.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_short %} alerts visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-github-dependabot-alerts)." +By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-dependabot-alerts)." {% endif %} {% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %} @@ -83,6 +83,6 @@ We send security alerts to people with admin permissions in the affected reposit {% if currentVersion == "free-pro-team@latest" %} ### Further reading -- "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)" +- "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)" - "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)" - "[Understanding how {% data variables.product.product_name %} uses and protects your data](/categories/understanding-how-github-uses-and-protects-your-data)"{% endif %} diff --git a/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md b/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md new file mode 100644 index 0000000000..1d01216b97 --- /dev/null +++ b/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md @@ -0,0 +1,35 @@ +--- +title: About Dependabot security updates +intro: '{% data variables.product.prodname_dependabot %} can fix vulnerable dependencies for you by raising pull requests with security updates.' +shortTitle: About Dependabot security updates +redirect_from: + - /github/managing-security-vulnerabilities/about-github-dependabot-security-updates +versions: + free-pro-team: '*' +--- + +### About {% data variables.product.prodname_dependabot_security_updates %} + +{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)." + +{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)." + +{% note %} + +**Note** + +The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency that is not explicitly defined. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#dependencies-included)." + +{% endnote %} + +### About pull requests for security updates + +Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository. + +When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates)." + +{% data reusables.dependabot.automated-tests-note %} + +### About compatibility scores + +{% data variables.product.prodname_dependabot_security_updates %} may include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency. diff --git a/content/github/managing-security-vulnerabilities/about-github-dependabot-security-updates.md b/content/github/managing-security-vulnerabilities/about-github-dependabot-security-updates.md deleted file mode 100644 index 4b7addb049..0000000000 --- a/content/github/managing-security-vulnerabilities/about-github-dependabot-security-updates.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: About GitHub Dependabot security updates -intro: '{% data variables.product.prodname_dependabot %} can fix vulnerable dependencies for you by raising pull requests with security updates.' -shortTitle: About Dependabot security updates -versions: - free-pro-team: '*' ---- - -### About {% data variables.product.prodname_dependabot_security_updates %} - -{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot_short %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot_short %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)." - -{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot_short %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)." - -{% note %} - -**Note** - -The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_short %} alerts. You will see a {% data variables.product.prodname_dependabot_short %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. {% data variables.product.prodname_dependabot_short %} is unable to update an indirect or transitive dependency that is not explicitly defined. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#dependencies-included)." - -{% endnote %} - -### About pull requests for security updates - -Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_short %} alerts for the repository. - -When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot_short %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot_short %} pull requests, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates)." - -{% data reusables.dependabot.automated-tests-note %} - -### About compatibility scores - -{% data variables.product.prodname_dependabot_security_updates %} may include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency. diff --git a/content/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates.md b/content/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.md similarity index 87% rename from content/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates.md rename to content/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.md index 2acde31d0a..a834954969 100644 --- a/content/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates.md +++ b/content/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.md @@ -1,20 +1,21 @@ --- -title: Configuring GitHub Dependabot security updates +title: Configuring Dependabot security updates intro: 'You can use {% data variables.product.prodname_dependabot_security_updates %} or manual pull requests to easily update vulnerable dependencies.' +shortTitle: Configuring Dependabot security updates redirect_from: - /articles/configuring-automated-security-fixes - /github/managing-security-vulnerabilities/configuring-automated-security-fixes - /github/managing-security-vulnerabilities/configuring-automated-security-updates -shortTitle: Configuring Dependabot security updates + - /github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates versions: free-pro-team: '*' --- ### About configuring {% data variables.product.prodname_dependabot_security_updates %} -You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_short %} alerts and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)." +You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." -You can disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository or for all repositories owned by your user account or organization. For more information, see "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-github-dependabot-security-updates-for-your-repositories)" below. +You can disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository or for all repositories owned by your user account or organization. For more information, see "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-dependabot-security-updates-for-your-repositories)" below. {% data reusables.dependabot.dependabot-tos %} @@ -24,7 +25,7 @@ You can disable {% data variables.product.prodname_dependabot_security_updates % {% note %} -**Note**: You can manually enable {% data variables.product.prodname_dependabot_security_updates %}, even if the repository doesn't meet some of the prerequisites below. For example, you can enable {% data variables.product.prodname_dependabot_security_updates %} on a fork, or for a package manager that isn't directly supported by following the instructions in "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-github-dependabot-security-updates-for-your-repositories)." +**Note**: You can manually enable {% data variables.product.prodname_dependabot_security_updates %}, even if the repository doesn't meet some of the prerequisites below. For example, you can enable {% data variables.product.prodname_dependabot_security_updates %} on a fork, or for a package manager that isn't directly supported by following the instructions in "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-dependabot-security-updates-for-your-repositories)." {% endnote %} @@ -34,7 +35,7 @@ You can disable {% data variables.product.prodname_dependabot_security_updates % | Repository is not archived | "[Archiving repositories](/github/creating-cloning-and-archiving-repositories/archiving-repositories)" | | Repository is public, or repository is private and you have enabled read-only analysis by {% data variables.product.prodname_dotcom %}, dependency graph, and vulnerability alerts in the repository's settings | "[Managing data use settings for your private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository)." | | Repository contains dependency manifest file from a package ecosystem that {% data variables.product.prodname_dotcom %} supports | "[Supported package ecosystems](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)" | -| {% data variables.product.prodname_dependabot_security_updates %} are not disabled for the repository | "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repository](#managing-github-dependabot-security-updates-for-your-repositories)" | +| {% data variables.product.prodname_dependabot_security_updates %} are not disabled for the repository | "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repository](#managing-dependabot-security-updates-for-your-repositories)" | | Repository is not already using an integration for dependency management | "[About integrations](/github/customizing-your-github-workflow/about-integrations)" | If security updates are not enabled for your repository and you don't know why, first try enabling them using the instructions given in the procedural sections below. If security updates are still not working, you can [contact support](https://support.github.com/contact). @@ -50,7 +51,7 @@ You can also enable or disable {% data variables.product.prodname_dependabot_sec {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} {% data reusables.repositories.sidebar-dependabot-alerts %} -1. Above the list of alerts, use the drop-down menu and select or unselect **{% data variables.product.prodname_dependabot_short %} security updates**. +1. Above the list of alerts, use the drop-down menu and select or unselect **{% data variables.product.prodname_dependabot %} security updates**. ![Drop-down menu with the option to enable {% data variables.product.prodname_dependabot_security_updates %}](/assets/images/help/repository/enable-dependabot-security-updates-drop-down.png) ### Further reading diff --git a/content/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies.md b/content/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies.md index 9eb238ba9b..2b32234811 100644 --- a/content/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies.md +++ b/content/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies.md @@ -1,7 +1,7 @@ --- title: Configuring notifications for vulnerable dependencies shortTitle: Configuring notifications -intro: 'Optimize how you receive notifications about {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts.' +intro: 'Optimize how you receive notifications about {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts.' versions: free-pro-team: '*' enterprise-server: '>=2.21' @@ -9,10 +9,10 @@ versions: ### About notifications for vulnerable dependencies -{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot_short %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_dependabot_short %} is enabled by default on all public repositories. For {% data variables.product.prodname_dependabot_alerts %}, by default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email, grouped by the specific vulnerability. +{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_dependabot %} is enabled by default on all public repositories. For {% data variables.product.prodname_dependabot_alerts %}, by default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email, grouped by the specific vulnerability. {% endif %} -{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_short %} alerts for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-features-for-new-repositories)." +{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-features-for-new-repositories)." {% endif %} {% if enterpriseServerVersions contains currentVersion and currentVersion == "enterprise-server@2.21" %} @@ -21,7 +21,7 @@ Your site administrator needs to enable security alerts for vulnerable dependenc {% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.20" %} By default, if your site administrator has configured email for notifications on your enterprise, you will receive {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} by email.{% endif %} -{% if currentVersion ver_gt "enterprise-server@2.21" %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot_short %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} +{% if currentVersion ver_gt "enterprise-server@2.21" %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} {% if currentVersion ver_lt "enterprise-server@2.22" %}Site administrators can also enable security alerts without notifications. For more information, see "[Enabling security alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} @@ -33,14 +33,14 @@ You can configure notification settings for yourself or your organization from t {% data reusables.notifications.vulnerable-dependency-notification-options %} {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} - ![{% data variables.product.prodname_dependabot_short %} alerts options](/assets/images/help/notifications-v2/dependabot-alerts-options.png) + ![{% data variables.product.prodname_dependabot_alerts %} options](/assets/images/help/notifications-v2/dependabot-alerts-options.png) {% else %} ![Security alerts options](/assets/images/help/notifications-v2/security-alerts-options.png) {% endif %} {% note %} -**Note:** You can filter your {% data variables.product.company_short %} inbox notifications to show {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %} security{% endif %} alerts. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#supported-queries-for-custom-filters)." +**Note:** You can filter your {% data variables.product.company_short %} inbox notifications to show {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %} security{% endif %} alerts. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#supported-queries-for-custom-filters)." {% endnote %} diff --git a/content/github/managing-security-vulnerabilities/index.md b/content/github/managing-security-vulnerabilities/index.md index 61c09009e1..819e4c4e24 100644 --- a/content/github/managing-security-vulnerabilities/index.md +++ b/content/github/managing-security-vulnerabilities/index.md @@ -30,9 +30,9 @@ versions: {% link_in_list /about-alerts-for-vulnerable-dependencies %} {% link_in_list /configuring-notifications-for-vulnerable-dependencies %} - {% link_in_list /about-github-dependabot-security-updates %} - {% link_in_list /configuring-github-dependabot-security-updates %} + {% link_in_list /about-dependabot-security-updates %} + {% link_in_list /configuring-dependabot-security-updates %} {% link_in_list /viewing-and-updating-vulnerable-dependencies-in-your-repository %} {% link_in_list /troubleshooting-the-detection-of-vulnerable-dependencies %} - {% link_in_list /troubleshooting-github-dependabot-errors %} + {% link_in_list /troubleshooting-dependabot-errors %} diff --git a/content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md b/content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md new file mode 100644 index 0000000000..c33aa46aba --- /dev/null +++ b/content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md @@ -0,0 +1,84 @@ +--- +title: Troubleshooting Dependabot errors +intro: 'Sometimes {% data variables.product.prodname_dependabot %} is unable to raise a pull request to update your dependencies. You can review the error and unblock {% data variables.product.prodname_dependabot %}.' +shortTitle: Troubleshooting errors +redirect_from: + - /github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors +versions: + free-pro-team: '*' +--- + +{% data reusables.dependabot.beta-note %} + +### About {% data variables.product.prodname_dependabot %} errors + +{% data reusables.dependabot.pull-request-introduction %} + +If anything prevents {% data variables.product.prodname_dependabot %} from raising a pull request, this is reported as an error. + +### Investigating errors with {% data variables.product.prodname_dependabot_security_updates %} + +When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_alerts %} view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_alerts %}** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request. + +![{% data variables.product.prodname_dependabot_alerts %} view showing a pull request link](/assets/images/help/dependabot/dependabot-alert-pr-link.png) + +There are three reasons why an alert may have no pull request link: + +1. {% data variables.product.prodname_dependabot_security_updates %} are not enabled for the repository. +1. The alert is for an indirect or transitive dependency that is not explicitly defined in a lock file. +1. An error blocked {% data variables.product.prodname_dependabot %} from creating a pull request. + +If an error blocked {% data variables.product.prodname_dependabot %} from creating a pull request, you can display details of the error by clicking the alert. + +![{% data variables.product.prodname_dependabot %} alert showing the error that blocked the creation of a pull request](/assets/images/help/dependabot/dependabot-security-update-error.png) + +### Investigating errors with {% data variables.product.prodname_dependabot_version_updates %} + +When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to update a dependency in an ecosystem, it posts the error icon on the manifest file. The manifest files that are managed by {% data variables.product.prodname_dependabot %} are listed on the {% data variables.product.prodname_dependabot %} tab. To access this tab, on the **Insights** tab for the repository click **Dependency graph**, and then click the **{% data variables.product.prodname_dependabot %}** tab. + +![{% data variables.product.prodname_dependabot %} view showing an error](/assets/images/help/dependabot/dependabot-tab-view-error-beta.png) + +To see the log file for any manifest file, click the **Last checked TIME ago** link. When you display the log file for a manifest that's shown with an error symbol (for example, Maven in the screenshot above), any errors are also displayed. + +![{% data variables.product.prodname_dependabot %} version update error and log ](/assets/images/help/dependabot/dependabot-version-update-error-beta.png) + +### Understanding {% data variables.product.prodname_dependabot %} errors + +Pull requests for security updates act to upgrade a vulnerable dependency to the minimum version that includes a fix for the vulnerability. In contrast, pull requests for version updates act to upgrade a dependency to the latest version allowed by the package manifest and {% data variables.product.prodname_dependabot %} configuration files. Consequently, some errors are specific to one type of update. + +#### {% data variables.product.prodname_dependabot %} cannot update DEPENDENCY to a non-vulnerable version + +**Security updates only.** {% data variables.product.prodname_dependabot %} cannot create a pull request to update the vulnerable dependency to a secure version without breaking other dependencies in the dependency graph for this repository. + +Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem. + +The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." + +#### {% data variables.product.prodname_dependabot %} cannot update to the required version as there is already an open pull request for the latest version + +**Security updates only.** {% data variables.product.prodname_dependabot %} will not create a pull request to update the vulnerable dependency to a secure version because there is already an open pull request to update this dependency. You will see this error when a vulnerability is detected in a single dependency and there's already an open pull request to update the dependency to the latest version. + +There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)." + +#### {% data variables.product.prodname_dependabot %} timed out during its update + +{% data variables.product.prodname_dependabot %} took longer than the maximum time allowed to assess the update required and prepare a pull request. This error is usually seen only for large repositories with many manifest files, for example, npm or yarn monorepo projects with hundreds of *package.json* files. Updates to the Composer ecosystem also take longer to assess and may time out. + +This error is difficult to address. If a version update times out, you could specify the most important dependencies to update using the `allow` parameter or, alternatively, use the `ignore` parameter to exclude some dependencies from updates. Updating your configuration might allow {% data variables.product.prodname_dependabot %} to review the version update and generate the pull request in the time available. + +If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." + +#### {% data variables.product.prodname_dependabot %} cannot open any more pull requests + +There's a limit on the number of open pull requests {% data variables.product.prodname_dependabot %} will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests. + +There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#open-pull-requests-limit)." + +The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)." + +### Triggering a {% data variables.product.prodname_dependabot %} pull request manually + +If you unblock {% data variables.product.prodname_dependabot %}, you can manually trigger a fresh attempt to create a pull request. + +- **Security updates**—display the {% data variables.product.prodname_dependabot %} alert that shows the error you have fixed and click **Create {% data variables.product.prodname_dependabot %} security update**. +- **Version updates**—display the log file for the manifest that shows the error that you have fixed and click **Check for updates**. diff --git a/content/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors.md b/content/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors.md deleted file mode 100644 index a376ff1995..0000000000 --- a/content/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors.md +++ /dev/null @@ -1,82 +0,0 @@ ---- -title: Troubleshooting GitHub Dependabot errors -intro: 'Sometimes {% data variables.product.prodname_dependabot %} is unable to raise a pull request to update your dependencies. You can review the error and unblock {% data variables.product.prodname_dependabot_short %}.' -shortTitle: Troubleshooting errors -versions: - free-pro-team: '*' ---- - -{% data reusables.dependabot.beta-note %} - -### About {% data variables.product.prodname_dependabot %} errors - -{% data reusables.dependabot.pull-request-introduction %} - -If anything prevents {% data variables.product.prodname_dependabot_short %} from raising a pull request, this is reported as an error. - -### Investigating errors with {% data variables.product.prodname_dependabot_security_updates %} - -When {% data variables.product.prodname_dependabot_short %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot_short %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_short %} alerts view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_short %} alerts** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request. - -![{% data variables.product.prodname_dependabot_short %} alerts view showing a pull request link](/assets/images/help/dependabot/dependabot-alert-pr-link.png) - -There are three reasons why an alert may have no pull request link: - -1. {% data variables.product.prodname_dependabot_security_updates %} are not enabled for the repository. -1. The alert is for an indirect or transitive dependency that is not explicitly defined in a lock file. -1. An error blocked {% data variables.product.prodname_dependabot_short %} from creating a pull request. - -If an error blocked {% data variables.product.prodname_dependabot_short %} from creating a pull request, you can display details of the error by clicking the alert. - -![{% data variables.product.prodname_dependabot_short %} alert showing the error that blocked the creation of a pull request](/assets/images/help/dependabot/dependabot-security-update-error.png) - -### Investigating errors with {% data variables.product.prodname_dependabot_version_updates %} - -When {% data variables.product.prodname_dependabot_short %} is blocked from creating a pull request to update a dependency in an ecosystem, it posts the error icon on the manifest file. The manifest files that are managed by {% data variables.product.prodname_dependabot_short %} are listed on the {% data variables.product.prodname_dependabot_short %} tab. To access this tab, on the **Insights** tab for the repository click **Dependency graph**, and then click the **{% data variables.product.prodname_dependabot_short %}** tab. - -![{% data variables.product.prodname_dependabot_short %} view showing an error](/assets/images/help/dependabot/dependabot-tab-view-error-beta.png) - -To see the log file for any manifest file, click the **Last checked TIME ago** link. When you display the log file for a manifest that's shown with an error symbol (for example, Maven in the screenshot above), any errors are also displayed. - -![{% data variables.product.prodname_dependabot_short %} version update error and log ](/assets/images/help/dependabot/dependabot-version-update-error-beta.png) - -### Understanding {% data variables.product.prodname_dependabot_short %} errors - -Pull requests for security updates act to upgrade a vulnerable dependency to the minimum version that includes a fix for the vulnerability. In contrast, pull requests for version updates act to upgrade a dependency to the latest version allowed by the package manifest and {% data variables.product.prodname_dependabot_short %} configuration files. Consequently, some errors are specific to one type of update. - -#### {% data variables.product.prodname_dependabot_short %} cannot update DEPENDENCY to a non-vulnerable version - -**Security updates only.** {% data variables.product.prodname_dependabot_short %} cannot create a pull request to update the vulnerable dependency to a secure version without breaking other dependencies in the dependency graph for this repository. - -Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem. - -The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." - -#### {% data variables.product.prodname_dependabot_short %} cannot update to the required version as there is already an open pull request for the latest version - -**Security updates only.** {% data variables.product.prodname_dependabot_short %} will not create a pull request to update the vulnerable dependency to a secure version because there is already an open pull request to update this dependency. You will see this error when a vulnerability is detected in a single dependency and there's already an open pull request to update the dependency to the latest version. - -There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see "[Triggering a {% data variables.product.prodname_dependabot_short %} pull request manually](#triggering-a-dependabot-pull-request-manually)." - -#### {% data variables.product.prodname_dependabot_short %} timed out during its update - -{% data variables.product.prodname_dependabot_short %} took longer than the maximum time allowed to assess the update required and prepare a pull request. This error is usually seen only for large repositories with many manifest files, for example, npm or yarn monorepo projects with hundreds of *package.json* files. Updates to the Composer ecosystem also take longer to assess and may time out. - -This error is difficult to address. If a version update times out, you could specify the most important dependencies to update using the `allow` parameter or, alternatively, use the `ignore` parameter to exclude some dependencies from updates. Updating your configuration might allow {% data variables.product.prodname_dependabot_short %} to review the version update and generate the pull request in the time available. - -If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." - -#### {% data variables.product.prodname_dependabot_short %} cannot open any more pull requests - -There's a limit on the number of open pull requests {% data variables.product.prodname_dependabot_short %} will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests. - -There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#open-pull-requests-limit)." - -The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot_short %} pull request manually](#triggering-a-dependabot-pull-request-manually)." - -### Triggering a {% data variables.product.prodname_dependabot_short %} pull request manually - -If you unblock {% data variables.product.prodname_dependabot_short %}, you can manually trigger a fresh attempt to create a pull request. - -- **Security updates**—display the {% data variables.product.prodname_dependabot_short %} alert that shows the error you have fixed and click **Create {% data variables.product.prodname_dependabot_short %} security update**. -- **Version updates**—display the log file for the manifest that shows the error that you have fixed and click **Check for updates**. diff --git a/content/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies.md b/content/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies.md index 9926d8bcf2..ce6fe1bc8e 100644 --- a/content/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies.md +++ b/content/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies.md @@ -14,14 +14,14 @@ The results of dependency detection reported by {% data variables.product.produc * {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies. It's a free, curated database of vulnerability information for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)" and "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)." * The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)." -* {% data variables.product.prodname_dependabot_short %} scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository. {% data variables.product.prodname_dependabot_short %} alerts are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." -* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot_short %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)." +* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." +* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)." - {% data variables.product.prodname_dependabot_short %} doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new vulnerability is discovered and added to the advisory database. + {% data variables.product.prodname_dependabot %} doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new vulnerability is discovered and added to the advisory database. ### Why don't I get vulnerability alerts for some ecosystems? -{% data variables.product.prodname_dotcom %} limits its support for vulnerability alerts to a set of ecosystems where we can provide high-quality, actionable data. Curated vulnerabilities in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% data variables.product.prodname_dependabot_short %} alerts, and {% data variables.product.prodname_dependabot_short %} security updates are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. We'll continue to add support for more ecosystems over time. For an overview of the package ecosystems that we support, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)." +{% data variables.product.prodname_dotcom %} limits its support for vulnerability alerts to a set of ecosystems where we can provide high-quality, actionable data. Curated vulnerabilities in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% data variables.product.prodname_dependabot_alerts %}, and {% data variables.product.prodname_dependabot %} security updates are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. We'll continue to add support for more ecosystems over time. For an overview of the package ecosystems that we support, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)." It's worth noting that [{% data variables.product.prodname_dotcom %} Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories) may exist for other ecosystems. The information in a security advisory is provided by the maintainers of a particular repository. This data is not curated in the same way as information for the supported ecosystems. @@ -31,7 +31,7 @@ It's worth noting that [{% data variables.product.prodname_dotcom %} Security Ad The dependency graph includes information on dependencies that are explicitly declared in your environment. That is, dependencies that are specified in a manifest or a lockfile. The dependency graph generally also includes transitive dependencies, even when they aren't specified in a lockfile, by looking at the dependencies of the dependencies in a manifest file. -{% data variables.product.prodname_dependabot_short %} alerts advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile. {% data variables.product.prodname_dependabot_short %} security updates only suggests a change where it can directly "fix" the dependency, that is, when these are: +{% data variables.product.prodname_dependabot_alerts %} advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile. {% data variables.product.prodname_dependabot %} security updates only suggests a change where it can directly "fix" the dependency, that is, when these are: * Direct dependencies explicitly declared in a manifest or lockfile * Transitive dependencies declared in a lockfile @@ -51,21 +51,21 @@ Yes, the dependency graph has two categories of limits: 1. **Processing limits** - These affect the dependency graph displayed within {% data variables.product.prodname_dotcom %} and also prevent {% data variables.product.prodname_dependabot_short %} alerts being created. + These affect the dependency graph displayed within {% data variables.product.prodname_dotcom %} and also prevent {% data variables.product.prodname_dependabot_alerts %} being created. - Manifests over 0.5 MB in size are only processed for enterprise accounts. For other accounts, manifests over 0.5 MB are ignored and will not create {% data variables.product.prodname_dependabot_short %} alerts. + Manifests over 0.5 MB in size are only processed for enterprise accounts. For other accounts, manifests over 0.5 MB are ignored and will not create {% data variables.product.prodname_dependabot_alerts %}. - By default, {% data variables.product.prodname_dotcom %} will not process more than 20 manifests per repository. {% data variables.product.prodname_dependabot_short %} alerts are not be created for manifests beyond this limit. If you need to increase the limit, contact {% data variables.contact.contact_support %}. + By default, {% data variables.product.prodname_dotcom %} will not process more than 20 manifests per repository. {% data variables.product.prodname_dependabot_alerts %} are not be created for manifests beyond this limit. If you need to increase the limit, contact {% data variables.contact.contact_support %}. 2. **Visualization limits** - These affect what's displayed in the dependency graph within {% data variables.product.prodname_dotcom %}. However, they don't affect the {% data variables.product.prodname_dependabot_short %} alerts that are created. + These affect what's displayed in the dependency graph within {% data variables.product.prodname_dotcom %}. However, they don't affect the {% data variables.product.prodname_dependabot_alerts %} that are created. - The Dependencies view of the dependency graph for a repository only displays 100 manifests. Typically this is adequate as it is significantly higher than the processing limit described above. In situations where the processing limit is over 100, {% data variables.product.prodname_dependabot_short %} alerts are still created for any manifests that are not shown within {% data variables.product.prodname_dotcom %}. + The Dependencies view of the dependency graph for a repository only displays 100 manifests. Typically this is adequate as it is significantly higher than the processing limit described above. In situations where the processing limit is over 100, {% data variables.product.prodname_dependabot_alerts %} are still created for any manifests that are not shown within {% data variables.product.prodname_dotcom %}. **Check**: Is the missing dependency in a manifest file that's over 0.5 MB, or in a repository with a large number of manifests? -### Does {% data variables.product.prodname_dependabot_short %} generate alerts for vulnerabilities that have been known for many years? +### Does {% data variables.product.prodname_dependabot %} generate alerts for vulnerabilities that have been known for many years? The {% data variables.product.prodname_advisory_database %} was launched in November 2019, and initially back-filled to include vulnerability information for the supported ecosystems, starting from 2017. When adding CVEs to the database, we prioritize curating newer CVEs, and CVEs affecting newer versions of software. @@ -77,19 +77,19 @@ Some information on older vulnerabilities is available, especially where these C Some third-party tools use uncurated CVE data that isn't checked or filtered by a human. This means that CVEs with tagging or severity errors, or other quality issues, will cause more frequent, more noisy, and less useful alerts. -Since {% data variables.product.prodname_dependabot_short %} uses curated data in the {% data variables.product.prodname_advisory_database %}, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant. +Since {% data variables.product.prodname_dependabot %} uses curated data in the {% data variables.product.prodname_advisory_database %}, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant. ### Does each dependency vulnerability generate a separate alert? When a dependency has multiple vulnerabilities, only one aggregated alert is generated for that dependency, instead of one alert per vulnerability. -The {% data variables.product.prodname_dependabot_short %} alerts count in {% data variables.product.prodname_dotcom %} shows a total for the number of alerts, that is, the number of dependencies with vulnerabilities, not the number of vulnerabilities. +The {% data variables.product.prodname_dependabot_alerts %} count in {% data variables.product.prodname_dotcom %} shows a total for the number of alerts, that is, the number of dependencies with vulnerabilities, not the number of vulnerabilities. -![{% data variables.product.prodname_dependabot_short %} alerts view](/assets/images/help/repository/dependabot-alerts-view.png) +![{% data variables.product.prodname_dependabot_alerts %} view](/assets/images/help/repository/dependabot-alerts-view.png) When you click to display the alert details, you can see how many vulnerabilities are included in the alert. -![Multiple vulnerabilities for a {% data variables.product.prodname_dependabot_short %} alert](/assets/images/help/repository/dependabot-vulnerabilities-number.png) +![Multiple vulnerabilities for a {% data variables.product.prodname_dependabot %} alert](/assets/images/help/repository/dependabot-vulnerabilities-number.png) **Check**: If there is a discrepancy in the totals you are seeing, check that you are not comparing alert numbers with vulnerability numbers. @@ -98,4 +98,4 @@ When you click to display the alert details, you can see how many vulnerabilitie - "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" - "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)" - "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)" -- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)" +- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)" diff --git a/content/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository.md b/content/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository.md index 37ed54adfe..0dea3bd05c 100644 --- a/content/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository.md +++ b/content/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository.md @@ -10,11 +10,11 @@ versions: --- Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." -You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)." +You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." ### About updates for vulnerable dependencies in your repository -{% data variables.product.product_name %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect vulnerabilities affecting your repository. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.product_name %} detects a vulnerable dependency {% data variables.product.prodname_dependabot_short %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability. +{% data variables.product.product_name %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect vulnerabilities affecting your repository. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.product_name %} detects a vulnerable dependency {% data variables.product.prodname_dependabot %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability. ### Viewing and updating vulnerable dependencies @@ -24,16 +24,16 @@ You can enable automatic security updates for any repository that uses {% data v 1. Click the alert you'd like to view. ![Alert selected in list of alerts](/assets/images/help/graphs/click-alert-in-alerts-list.png) 1. Review the details of the vulnerability and, if available, the pull request containing the automated security update. -1. Optionally, if there isn't already a {% data variables.product.prodname_dependabot_security_updates %} update for the alert, to create a pull request to resolve the vulnerability, click **Create {% data variables.product.prodname_dependabot_short %} security update**. - ![Create {% data variables.product.prodname_dependabot_short %} security update button](/assets/images/help/repository/create-dependabot-security-update-button.png) -1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by {% data variables.product.prodname_dependabot_short %} includes information on commands you can use to control {% data variables.product.prodname_dependabot_short %}. For more information, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates#managing-github-dependabot-pull-requests-with-comment-commands)." +1. Optionally, if there isn't already a {% data variables.product.prodname_dependabot_security_updates %} update for the alert, to create a pull request to resolve the vulnerability, click **Create {% data variables.product.prodname_dependabot %} security update**. + ![Create {% data variables.product.prodname_dependabot %} security update button](/assets/images/help/repository/create-dependabot-security-update-button.png) +1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by {% data variables.product.prodname_dependabot %} includes information on commands you can use to control {% data variables.product.prodname_dependabot %}. For more information, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)." 1. Optionally, if the alert is being fixed, if it's incorrect, or located in unused code, use the "Dismiss" drop-down, and click a reason for dismissing the alert. ![Choosing reason for dismissing the alert via the "Dismiss" drop-down](/assets/images/help/repository/dependabot-alert-dismiss-drop-down.png) ### Further reading - "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" -- "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)" +- "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)" - "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)" - "[Troubleshooting the detection of vulnerable dependencies](/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies)" -- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)" +- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)" diff --git a/content/github/managing-subscriptions-and-notifications-on-github/configuring-notifications.md b/content/github/managing-subscriptions-and-notifications-on-github/configuring-notifications.md index af33febe9d..d7d72cd23e 100644 --- a/content/github/managing-subscriptions-and-notifications-on-github/configuring-notifications.md +++ b/content/github/managing-subscriptions-and-notifications-on-github/configuring-notifications.md @@ -121,7 +121,7 @@ Email notifications from {% data variables.product.product_name %} contain the f 3. On the notifications settings page, choose how you receive notifications when: - There are updates in repositories or team discussions you're watching or in a conversation you're participating in. For more information, see "[About participating and watching notifications](#about-participating-and-watching-notifications)." - You gain access to a new repository or you've joined a new team. For more information, see "[Automatic watching](#automatic-watching)."{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} - - There are new {% data variables.product.prodname_dependabot_alerts %} in your repository. For more information, see "[{% data variables.product.prodname_dependabot_alerts %} notification options](#github-dependabot-alerts-notification-options)." {% endif %}{% if currentVersion == "enterprise-server@2.21" %} + - There are new {% data variables.product.prodname_dependabot_alerts %} in your repository. For more information, see "[{% data variables.product.prodname_dependabot_alerts %} notification options](#dependabot-alerts-notification-options)." {% endif %}{% if currentVersion == "enterprise-server@2.21" %} - There are new security alerts in your repository. For more information, see "[Security alert notification options](#security-alert-notification-options)." {% endif %} {% if currentVersion == "free-pro-team@latest" %} - There are workflow runs updates on repositories set up with {% data variables.product.prodname_actions %}. For more information, see "[{% data variables.product.prodname_actions %} notification options](#github-actions-notification-options)."{% endif %} diff --git a/content/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox.md b/content/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox.md index 0745c85f3e..3a4c1e2632 100644 --- a/content/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox.md +++ b/content/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox.md @@ -113,7 +113,7 @@ To filter notifications by why you've received an update, you can use the `reaso #### Supported `is:` queries -To filter notifications for specific activity on {% data variables.product.product_name %}, you can use the `is` query. For example, to only see repository invitation updates, use `is:repository-invitation`{% if currentVersion != "github-ae@latest" %}, and to only see {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %} security{% endif %} alerts, use `is:repository-vulnerability-alert`.{% endif %} +To filter notifications for specific activity on {% data variables.product.product_name %}, you can use the `is` query. For example, to only see repository invitation updates, use `is:repository-invitation`{% if currentVersion != "github-ae@latest" %}, and to only see {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %} security{% endif %} alerts, use `is:repository-vulnerability-alert`.{% endif %} - `is:check-suite` - `is:commit` diff --git a/content/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.md b/content/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.md index 88b866b9f2..6b04032d74 100644 --- a/content/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.md +++ b/content/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.md @@ -64,7 +64,7 @@ Organization members can have *owner*{% if currentVersion == "free-pro-team@late | Purchase, install, manage billing for, and cancel {% data variables.product.prodname_marketplace %} apps | **X** | | | | List apps in {% data variables.product.prodname_marketplace %} | **X** | | |{% if currentVersion != "github-ae@latest" %} | Receive [{% data variables.product.prodname_dependabot_alerts %} about vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies) for all of an organization's repositories | **X** | | | -| Manage {% data variables.product.prodname_dependabot_security_updates %} (see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)") | **X** | | |{% endif %} +| Manage {% data variables.product.prodname_dependabot_security_updates %} (see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)") | **X** | | |{% endif %} | [Manage the forking policy](/github/setting-up-and-managing-organizations-and-teams/managing-the-forking-policy-for-your-organization) | **X** | | | | [Limit activity in public repositories in an organization](/articles/limiting-interactions-in-your-organization) | **X** | | | | Pull (read), push (write), and clone (copy) *all repositories* in the organization | **X** | | | diff --git a/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md b/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md index aa1dd9d200..61497be9a9 100644 --- a/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md +++ b/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md @@ -47,7 +47,7 @@ To search for specific events, use the `action` qualifier in your query. Actions | `repo` | Contains all activities related to the repositories owned by your organization.{% if currentVersion == "free-pro-team@latest" %} | `repository_content_analysis` | Contains all activities related to [enabling or disabling data use for a private repository](/articles/about-github-s-use-of-your-data). | `repository_dependency_graph` | Contains all activities related to [enabling or disabling the dependency graph for a private repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-and-dependents-of-a-repository).{% endif %}{% if currentVersion != "github-ae@latest" %} -| `repository_vulnerability_alert` | Contains all activities related to [{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies).{% endif %}{% if currentVersion == "free-pro-team@latest" %} +| `repository_vulnerability_alert` | Contains all activities related to [{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies).{% endif %}{% if currentVersion == "free-pro-team@latest" %} | `sponsors` | Contains all events related to sponsor buttons (see "[Displaying a sponsor button in your repository](/articles/displaying-a-sponsor-button-in-your-repository)"){% endif %}{% if enterpriseServerVersions contains currentVersion or currentVersion == "github-ae@latest" %} | `team` | Contains all activities related to teams in your organization.{% endif %} | `team_discussions` | Contains activities related to managing team discussions for an organization. @@ -354,10 +354,10 @@ For more information, see "[Restricting publication of {% data variables.product | Action | Description |------------------|------------------- -| `create` | Triggered when {% data variables.product.product_name %} creates a [{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alert for a vulnerable dependency](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies) in a particular repository. +| `create` | Triggered when {% data variables.product.product_name %} creates a [{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alert for a vulnerable dependency](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies) in a particular repository. | `resolve` | Triggered when someone with write access to a repository [pushes changes to update and resolve a vulnerability](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies) in a project dependency. -| `dismiss` | Triggered when an organization owner or person with admin access to the repository dismisses a {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alert about a vulnerable dependency.{% if currentVersion == "free-pro-team@latest" %} -| `authorized_users_teams` | Triggered when an organization owner or a member with admin permissions to the repository [updates the list of people or teams authorized to receive {% data variables.product.prodname_dependabot_short %} alerts](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-github-dependabot-alerts) for vulnerable dependencies in the repository.{% endif %} +| `dismiss` | Triggered when an organization owner or person with admin access to the repository dismisses a {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alert about a vulnerable dependency.{% if currentVersion == "free-pro-team@latest" %} +| `authorized_users_teams` | Triggered when an organization owner or a member with admin permissions to the repository [updates the list of people or teams authorized to receive {% data variables.product.prodname_dependabot_alerts %}](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-dependabot-alerts) for vulnerable dependencies in the repository.{% endif %} {% endif %} {% if currentVersion == "free-pro-team@latest" %} diff --git a/content/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository.md b/content/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository.md index fe736eb9c6..dc1c7cecd5 100644 --- a/content/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository.md +++ b/content/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository.md @@ -10,7 +10,7 @@ versions: ### About data use for your private repository -When you enable data use for your private repository, you'll be able to access the dependency graph, where you can track your repository's dependencies and receive {% data variables.product.prodname_dependabot_short %} alerts when {% data variables.product.product_name %} detects vulnerable dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies#github-dependabot-alerts-for-vulnerable-dependencies)." +When you enable data use for your private repository, you'll be able to access the dependency graph, where you can track your repository's dependencies and receive {% data variables.product.prodname_dependabot_alerts %} when {% data variables.product.product_name %} detects vulnerable dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies#dependabot-alerts-for-vulnerable-dependencies)." ### Enabling or disabling data use features diff --git a/content/github/visualizing-repository-data-with-graphs/about-the-dependency-graph.md b/content/github/visualizing-repository-data-with-graphs/about-the-dependency-graph.md index e674add356..ee6e10f5bc 100644 --- a/content/github/visualizing-repository-data-with-graphs/about-the-dependency-graph.md +++ b/content/github/visualizing-repository-data-with-graphs/about-the-dependency-graph.md @@ -47,7 +47,7 @@ You can use the dependency graph to: {% if currentVersion == "free-pro-team@latest" %}To generate a dependency graph, {% data variables.product.product_name %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private repositories. For information about enabling or disabling it for private repositories, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)."{% endif %} -{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}If the dependency graph is not available in your system, your site administrator can enable the dependency graph and {% data variables.product.prodname_dependabot_short %} alerts. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} +{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}If the dependency graph is not available in your system, your site administrator can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} {% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %} If the dependency graph is not available in your system, your site administrator can enable the dependency graph and security alerts. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)." diff --git a/content/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository.md b/content/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository.md index 3b3df2d46e..e06ac92e9a 100644 --- a/content/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository.md +++ b/content/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository.md @@ -36,7 +36,7 @@ If vulnerabilities have been detected in the repository, these are shown at the {% endif %} {% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %} -Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed, grouped by ecosystem. If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_short %} alerts. +Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed, grouped by ecosystem. If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}. {% note %} diff --git a/content/packages/publishing-and-managing-packages/publishing-a-package.md b/content/packages/publishing-and-managing-packages/publishing-a-package.md index 93fbdbffb4..68d69b2a59 100644 --- a/content/packages/publishing-and-managing-packages/publishing-a-package.md +++ b/content/packages/publishing-and-managing-packages/publishing-a-package.md @@ -21,7 +21,7 @@ You can help people understand and use your package by providing a description a {% data reusables.package_registry.package-immutability %} {% if currentVersion == "free-pro-team@latest" %} -If a new version of a package fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_short %} alerts to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)." +If a new version of a package fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)." {% endif %} ### Publishing a package diff --git a/data/reusables/dependabot/click-dependabot-tab.md b/data/reusables/dependabot/click-dependabot-tab.md index 787f987069..81f569ccc6 100644 --- a/data/reusables/dependabot/click-dependabot-tab.md +++ b/data/reusables/dependabot/click-dependabot-tab.md @@ -1,2 +1,2 @@ -4. Under "Dependency graph", click **{% data variables.product.prodname_dependabot_short %}**. - ![Dependency graph, {% data variables.product.prodname_dependabot_short %} tab](/assets/images/help/dependabot/dependabot-tab-beta.png) +4. Under "Dependency graph", click **{% data variables.product.prodname_dependabot %}**. + ![Dependency graph, {% data variables.product.prodname_dependabot %} tab](/assets/images/help/dependabot/dependabot-tab-beta.png) diff --git a/data/reusables/dependabot/default-labels.md b/data/reusables/dependabot/default-labels.md index 00fa428e67..9294fb86c1 100644 --- a/data/reusables/dependabot/default-labels.md +++ b/data/reusables/dependabot/default-labels.md @@ -1 +1 @@ -By default, {% data variables.product.prodname_dependabot %} raises all pull requests with the `dependencies` label. If more than one package manager is defined, {% data variables.product.prodname_dependabot_short %} includes an additional label on each pull request. This indicates which language or ecosystem the pull request will update, for example: `java` for Gradle updates and `submodules` for git submodule updates. {% data variables.product.prodname_dependabot %} creates these default labels automatically, as necessary in your repository. +By default, {% data variables.product.prodname_dependabot %} raises all pull requests with the `dependencies` label. If more than one package manager is defined, {% data variables.product.prodname_dependabot %} includes an additional label on each pull request. This indicates which language or ecosystem the pull request will update, for example: `java` for Gradle updates and `submodules` for git submodule updates. {% data variables.product.prodname_dependabot %} creates these default labels automatically, as necessary in your repository. diff --git a/data/reusables/dependabot/initial-updates.md b/data/reusables/dependabot/initial-updates.md index 869d31ff84..fe4154576b 100644 --- a/data/reusables/dependabot/initial-updates.md +++ b/data/reusables/dependabot/initial-updates.md @@ -1,3 +1,3 @@ When you first enable version updates, you may have many dependencies that are outdated and some may be many versions behind the latest version. {% data variables.product.prodname_dependabot %} checks for outdated dependencies as soon as it's enabled. You may see new pull requests for version updates within minutes of adding the configuration file, depending on the number of manifest files for which you configure updates. -To keep pull requests manageable and easy to review, {% data variables.product.prodname_dependabot_short %} raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, then further pull requests are opened up to a maximum of five (you can change this limit). +To keep pull requests manageable and easy to review, {% data variables.product.prodname_dependabot %} raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, then further pull requests are opened up to a maximum of five (you can change this limit). diff --git a/data/reusables/dependabot/private-dependencies.md b/data/reusables/dependabot/private-dependencies.md index dfcbae9c73..717f1dbb97 100644 --- a/data/reusables/dependabot/private-dependencies.md +++ b/data/reusables/dependabot/private-dependencies.md @@ -1 +1 @@ -Currently, {% data variables.product.prodname_dependabot_version_updates %} doesn't support manifest or lock files that contain any private git dependencies or private git registries. This is because, when running version updates, {% data variables.product.prodname_dependabot_short %} must be able to resolve all dependencies from their source to verify that version updates have been successful. +Currently, {% data variables.product.prodname_dependabot_version_updates %} doesn't support manifest or lock files that contain any private git dependencies or private git registries. This is because, when running version updates, {% data variables.product.prodname_dependabot %} must be able to resolve all dependencies from their source to verify that version updates have been successful. diff --git a/data/reusables/dependabot/pull-request-introduction.md b/data/reusables/dependabot/pull-request-introduction.md index 7494d21059..86b8dd0cf3 100644 --- a/data/reusables/dependabot/pull-request-introduction.md +++ b/data/reusables/dependabot/pull-request-introduction.md @@ -1 +1 @@ -{% data variables.product.prodname_dependabot %} raises pull requests to update dependencies. Depending on how your repository is configured, {% data variables.product.prodname_dependabot_short %} may raise pull requests for version updates and/or for security updates. You manage these pull requests in the same way as any other pull request, but there are also some extra commands available. For information about enabling {% data variables.product.prodname_dependabot %} dependency updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)" and "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." \ No newline at end of file +{% data variables.product.prodname_dependabot %} raises pull requests to update dependencies. Depending on how your repository is configured, {% data variables.product.prodname_dependabot %} may raise pull requests for version updates and/or for security updates. You manage these pull requests in the same way as any other pull request, but there are also some extra commands available. For information about enabling {% data variables.product.prodname_dependabot %} dependency updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)" and "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." \ No newline at end of file diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index c0152e0df7..9c62f5656f 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md @@ -18,12 +18,12 @@ Terraform: `terraform` | {% note %} -**Note**: {% data variables.product.prodname_dependabot_short %} also supports the following package managers: +**Note**: {% data variables.product.prodname_dependabot %} also supports the following package managers: -`yarn` (v1 only) (specify `npm`) -`pipenv`, `pip-compile`, and `poetry` (specify `pip`) -For example, if you use `poetry` to manage your Python dependencies and want {% data variables.product.prodname_dependabot_short %} to monitor your dependency manifest file for new versions, use `package-ecosystem: "pip"` in your *dependabot.yml* file. +For example, if you use `poetry` to manage your Python dependencies and want {% data variables.product.prodname_dependabot %} to monitor your dependency manifest file for new versions, use `package-ecosystem: "pip"` in your *dependabot.yml* file. {% endnote %} diff --git a/data/reusables/dependabot/version-updates-for-actions.md b/data/reusables/dependabot/version-updates-for-actions.md index 3b63e3586d..f00b76cfe2 100644 --- a/data/reusables/dependabot/version-updates-for-actions.md +++ b/data/reusables/dependabot/version-updates-for-actions.md @@ -1 +1 @@ -You can also enable {% data variables.product.prodname_dependabot_version_updates %} for the actions that you add to your workflow. For more information, see "[Keeping your actions up to date with {% data variables.product.prodname_dependabot %}](/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot)." +You can also enable {% data variables.product.prodname_dependabot_version_updates %} for the actions that you add to your workflow. For more information, see "[Keeping your actions up to date with {% data variables.product.prodname_dependabot %}](/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot)." diff --git a/data/reusables/repositories/enable-security-alerts.md b/data/reusables/repositories/enable-security-alerts.md index e4f329be8d..1f1c4cd5fc 100644 --- a/data/reusables/repositories/enable-security-alerts.md +++ b/data/reusables/repositories/enable-security-alerts.md @@ -1,3 +1,3 @@ {% if enterpriseServerVersions contains currentVersion %} -Your site administrator must enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies for {% data variables.product.product_location %} before you can use this feature. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)." +Your site administrator must enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies for {% data variables.product.product_location %} before you can use this feature. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)." {% endif %} diff --git a/data/reusables/repositories/sidebar-dependabot-alerts.md b/data/reusables/repositories/sidebar-dependabot-alerts.md index b5e860b43e..30ce19c2e0 100644 --- a/data/reusables/repositories/sidebar-dependabot-alerts.md +++ b/data/reusables/repositories/sidebar-dependabot-alerts.md @@ -1,2 +1,2 @@ -1. In the security sidebar, click **{% data variables.product.prodname_dependabot_short %} alerts**. -![{% data variables.product.prodname_dependabot_short %} alerts tab](/assets/images/help/repository/dependabot-alerts-tab.png) +1. In the security sidebar, click **{% data variables.product.prodname_dependabot_alerts %}**. +![{% data variables.product.prodname_dependabot_alerts %} tab](/assets/images/help/repository/dependabot-alerts-tab.png) diff --git a/data/variables/product.yml b/data/variables/product.yml index fa8edd4bac..1f867437ef 100644 --- a/data/variables/product.yml +++ b/data/variables/product.yml @@ -150,11 +150,10 @@ prodname_vss_ghe: 'Visual Studio subscription with GitHub Enterprise' prodname_vss_admin_portal_with_url: 'the [administrator portal for Visual Studio subscriptions](https://visualstudio.microsoft.com/subscriptions-administration/)' # GitHub Dependabot -prodname_dependabot: 'GitHub Dependabot' -prodname_dependabot_short: 'Dependabot' -prodname_dependabot_alerts: 'GitHub Dependabot alerts' -prodname_dependabot_security_updates: 'GitHub Dependabot security updates' -prodname_dependabot_version_updates: 'GitHub Dependabot version updates' +prodname_dependabot: 'Dependabot' +prodname_dependabot_alerts: 'Dependabot alerts' +prodname_dependabot_security_updates: 'Dependabot security updates' +prodname_dependabot_version_updates: 'Dependabot version updates' # GitHub Archive Program prodname_archive: 'GitHub Archive Program'