Automatically respond to security advisories

Dependabot now creates pull requests immediately in response to security advisories for Ruby, PHP and Rust (more languages coming soon). It can also automatically merge those PRs for you.

[Screenshot: a Dependabot security PR]

Here's how it works:

  • Dependabot polls the Ruby Advisory Database, the RustSec Advisory Database, and the PHP Security Advisory Database looking for new advisories
  • If it finds any, Dependabot immediately kicks off an update run for that specific dependency for every user who has it
  • Dependabot prefixes the titles of the created PRs with [Security] and includes details of the vulnerabilities fixed in the PR message
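The three steps above are, in miniature, an advisory matcher: read an advisory, compare its version ranges against what the lockfile resolves, and turn a hit into a "[Security]" PR. The script below is an added illustration of that flow in Ruby, not Dependabot's own code. It assumes the ruby-advisory-db YAML layout (`patched_versions` / `unaffected_versions` requirement strings) and a Bundler `Gemfile.lock`; the advisory, the gem names, the identifier and the versions are constructed placeholders.

```ruby
require 'yaml'
require 'rubygems' # Gem::Version and Gem::Requirement

# Constructed advisory in the ruby-advisory-db layout (gems/<name>/<id>.yml).
# Gem name, identifier, URL and versions are placeholders, not a real advisory.
SAMPLE_ADVISORY_YAML = <<~YAML
  gem: example-gem
  cve: "0000-PLACEHOLDER"
  url: https://example.invalid/advisory/placeholder
  title: Placeholder advisory for example-gem
  description: Constructed entry used only to exercise the matcher below.
  cvss_v3: 7.5
  unaffected_versions:
    - "< 1.0.0"
  patched_versions:
    - "~> 1.4.2"
    - ">= 2.0.1"
YAML

# Constructed Gemfile.lock excerpt; the locked version sits inside the vulnerable range.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-gem (1.4.0)
      other-gem (3.2.1)
        example-gem (>= 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-gem
    other-gem
LOCK

# Map each resolved gem in the GEM specs block to its locked Gem::Version.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty? # a blank line closes the GEM block
    next unless in_specs
    # Exactly four spaces marks a resolved gem; deeper indentation is a
    # dependency constraint of the gem above it and carries no locked version.
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# A version is vulnerable unless some patched or unaffected range covers it.
def vulnerable?(advisory, version)
  safe = (advisory['patched_versions'] || []) + (advisory['unaffected_versions'] || [])
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Lowest patched lower bound above the current version: the smallest bump that
# leaves the vulnerable range. Strict ">" bounds are skipped because the exact
# next release is not knowable from the advisory alone.
def lowest_fixed_version(advisory, current)
  candidates = (advisory['patched_versions'] || []).flat_map do |req|
    Gem::Requirement.new(req).requirements
                    .select { |op, _| %w[>= ~> =].include?(op) }
                    .map { |_, v| v }
  end
  candidates.select { |v| v > current }.min
end

# Steps 2 and 3: decide whether this lockfile needs a security update and, if
# so, describe the PR with a "[Security]" title and the advisory in the body.
def security_update_for(advisory_yaml, lockfile_text)
  advisory = YAML.safe_load(advisory_yaml)
  name = advisory['gem']
  current = locked_versions(lockfile_text)[name]
  return nil if current.nil? || !vulnerable?(advisory, current)

  target = lowest_fixed_version(advisory, current)
  {
    dependency: name,
    from: current.to_s,
    to: target.to_s,
    title: "[Security] Bump #{name} from #{current} to #{target}",
    body: "Bumps #{name} from #{current} to #{target}. This update fixes:\n" \
          "- #{advisory['title']} (#{advisory['url']})\n"
  }
end

if __FILE__ == $PROGRAM_NAME
  update = security_update_for(SAMPLE_ADVISORY_YAML, SAMPLE_GEMFILE_LOCK)
  puts(update ? "#{update[:title]}\n\n#{update[:body]}" : 'No vulnerable dependency found')
end
```

Two details matter for correctness here: a version counts as safe if it falls in either `patched_versions` or `unaffected_versions` (older releases that never had the bug must not be flagged), and the target chosen is the smallest patched release above the current one, so the resulting PR is the minimal change that leaves the vulnerable range.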

If you want to automatically merge security updates, there's an option for that:

[Screenshot: Dependabot automerge options]

Over the coming weeks we'll be adding more security advisory sources, and where a public source doesn't exist for a language we'll consider creating one ourselves. We'll also be adding an option to only receive security updates (for legacy projects).

Update: We've added Elixir to the list of languages we monitor security advisories for, and are hosting the advisory database here.

Another update: We've added JavaScript to the list of languages we monitor security advisories for, sourcing data from the Node Security Working Group.

Yet another update: We now also pull security advisory data from GitHub's vulnerability alerts database, which includes advisories for Python.