Minimal updates for security fixes

We've changed the way Dependabot updates insecure dependencies: we now generate a PR to update you to the minimal fixed version, rather than the latest version.

When a security vulnerability is announced you want to react as fast as possible. Updating to the minimal fixed version makes that easier - there's less to review, and less chance of breaking changes.
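As an added illustration of the difference between the two update strategies (example code written for this page, not Dependabot's own implementation), the snippet below models an advisory as a list of vulnerable version ranges and picks, from a constructed release list, the lowest release above the current one that falls outside every vulnerable range, alongside the latest release a "bump to newest" strategy would pick. Version strings are assumed to be plain dotted integers; prerelease labels and build metadata are not handled.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: versions are plain dotted integers such as "1.4.2"
# (no prerelease tags), compared numerically component by component.
def parse_version(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))

def format_version(v: tuple) -> str:
    return ".".join(str(p) for p in v)

@dataclass(frozen=True)
class VulnerableRange:
    """One affected range from an advisory: [introduced, fixed)."""
    introduced: str  # first vulnerable version, inclusive
    fixed: str       # first patched version, exclusive

    def contains(self, version: str) -> bool:
        return parse_version(self.introduced) <= parse_version(version) < parse_version(self.fixed)

def is_vulnerable(version: str, ranges: list) -> bool:
    return any(r.contains(version) for r in ranges)

def minimal_fixed_version(current: str, available: list, ranges: list) -> Optional[str]:
    """Lowest release above `current` that is not in any vulnerable range.

    Returns None when no such release exists (nothing safe to propose).
    """
    cur = parse_version(current)
    safe = sorted(
        parse_version(v) for v in available
        if parse_version(v) > cur and not is_vulnerable(v, ranges)
    )
    return format_version(safe[0]) if safe else None

def latest_version(available: list) -> str:
    """What a 'bump to the newest release' strategy would propose."""
    return format_version(max(parse_version(v) for v in available))

# Constructed sample data: a hypothetical package "examplelib" with two
# affected ranges (one per major line) and a release history spanning
# three majors. Not taken from any real advisory.
ADVISORY_RANGES = [
    VulnerableRange(introduced="1.0.0", fixed="1.4.2"),
    VulnerableRange(introduced="2.0.0", fixed="2.1.3"),
]
RELEASES = [
    "1.0.0", "1.2.0", "1.3.0", "1.4.1", "1.4.2", "1.5.0",
    "2.0.0", "2.1.0", "2.1.3", "2.2.0",
    "3.0.0",
]

def propose_update(current: str) -> dict:
    """Compare both strategies for a project currently on `current`."""
    return {
        "current": current,
        "vulnerable": is_vulnerable(current, ADVISORY_RANGES),
        "minimal_fix": minimal_fixed_version(current, RELEASES, ADVISORY_RANGES),
        "latest": latest_version(RELEASES),
    }

if __name__ == "__main__":
    for cur in ("1.2.0", "2.0.0"):
        print(propose_update(cur))
```

For a project on 1.2.0 the minimal fix is 1.4.2, which stays on the same major line and is the patch the advisory names, whereas the latest release is 3.0.0, two majors away; the smaller the diff between the two, the less there is to review before merging the security PR.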

If you have Dependabot set up to only create security-fix PRs, this change will make a big difference to the PRs you see. If you're using Dependabot to keep your dependencies up-to-date, you'll barely notice it: your updates will have been minimal already.

Stay safe out there!

Dependabot helps keep your dependencies up-to-date. It's free for personal accounts and open source, and always will be.