Automatic security updates for JavaScript

Dependabot now creates pull requests immediately in response to security advisories for Node packages. 🕵️‍♀️

Here's how it works:

  • Dependabot polls the Node Security Working Group's database, looking for new advisories
  • If it finds any, Dependabot kicks off update runs to update that specific dependency immediately for any users who have it
  • Dependabot prefixes the titles of the created PRs with [Security] and includes details of the vulnerabilities fixed in the PR message
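The three steps above boil down to one matching job: take an advisory's vulnerable and patched version ranges, compare them against the versions pinned in a lockfile, and turn each hit into a `[Security]`-prefixed pull request. The script below is an added illustration of that step, not code from this post or from Dependabot. The advisory field names (`module_name`, `vulnerable_versions`, `patched_versions`) and the `lockfileVersion` 1 layout of `package-lock.json` are assumptions about the input shape, and both the advisories and the lockfile are constructed sample data.

```javascript
// Added example, not Dependabot's code. Matches advisory ranges against a
// lockfile and builds the "[Security]" PR title/body described in the post.

// Constructed advisories. Field names are assumed to mirror the Node
// Security Working Group JSON entries; they are not copied from it.
const ADVISORIES = [
  {
    id: 9001,
    module_name: "example-lib",
    vulnerable_versions: "<1.2.3",
    patched_versions: ">=1.2.3",
    overview: "Constructed example advisory for demonstration only.",
  },
  {
    id: 9002,
    module_name: "other-lib",
    vulnerable_versions: ">=2.0.0 <2.4.1",
    patched_versions: ">=2.4.1",
    overview: "Second constructed advisory, affecting only a sub-range.",
  },
];

// Constructed package-lock.json (lockfileVersion 1 layout, assumed).
const LOCKFILE = {
  dependencies: {
    "example-lib": { version: "1.1.0" }, // inside <1.2.3 -> needs a bump
    "other-lib": { version: "2.5.0" },   // already on a patched version
    "unrelated": { version: "0.3.7" },   // no advisory at all
  },
};

function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher: space-separated comparators are ANDed and "||"
// separates alternatives. A real tool would use the `semver` package.
function satisfies(version, range) {
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).every((comparator) => {
      const m = comparator.match(/^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/);
      if (!m) throw new Error(`unsupported comparator: ${comparator}`);
      const cmp = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case "<": return cmp < 0;
        case "<=": return cmp <= 0;
        case ">": return cmp > 0;
        case ">=": return cmp >= 0;
        default: return cmp === 0;
      }
    }),
  );
}

// Lowest version the advisory lists as patched (its ">=" lower bound).
function minPatchedVersion(range) {
  const m = range.match(/>=(\d+\.\d+\.\d+)/);
  if (!m) throw new Error(`no lower bound in patched range: ${range}`);
  return m[1];
}

// Cross the lockfile with the advisory list; return packages needing a bump.
function findVulnerable(lockfile, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const dep = lockfile.dependencies[adv.module_name];
    if (dep && satisfies(dep.version, adv.vulnerable_versions)) {
      findings.push({
        name: adv.module_name,
        from: dep.version,
        to: minPatchedVersion(adv.patched_versions),
        advisory: adv,
      });
    }
  }
  return findings;
}

// "[Security]" prefix in the title, advisory details in the body.
function buildPullRequest(finding) {
  const a = finding.advisory;
  return {
    title: `[Security] Bump ${finding.name} from ${finding.from} to ${finding.to}`,
    body:
      `Bumps ${finding.name} to address advisory ${a.id}.\n\n${a.overview}\n` +
      `Vulnerable versions: ${a.vulnerable_versions}\n` +
      `Patched versions: ${a.patched_versions}\n`,
  };
}

for (const f of findVulnerable(LOCKFILE, ADVISORIES)) {
  console.log(buildPullRequest(f).title);
}
```

Run with `node`, and only `example-lib` produces a pull request: `other-lib` is already above the patched bound, and `unrelated` has no advisory. The bump target is the advisory's patched lower bound rather than "latest", which is the conservative choice for a security-only update.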

If you want to automatically merge security updates, there's an option for that:

[Screenshot: Automerge options]

And if you only want to receive pull requests from Dependabot that are security related, there's an option for that, too:

[Screenshot: Security updates only option]

We're hugely grateful to the Node Security Working Group team for creating the database, and have already proposed some small contributions to it. We're looking forward to doing more, and to supporting their work however we can.

Stay safe out there!


PS: Using another language? We announced the same functionality for Ruby, PHP, Elixir and Rust last week.

Dependabot helps keep your dependencies up-to-date. It's free for personal accounts and open source, and always will be.
