Pull requests for security updates
If you've enabled security updates, pull requests for security updates are triggered by a Dependabot alert for a dependency on your default branch. Dependabot automatically raises a pull request to update the vulnerable dependency.
Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to Dependabot alerts for the repository.
When you merge a pull request that contains a security update, the corresponding Dependabot alert is marked as resolved for your repository. For more information about Dependabot pull requests, see Managing all pull requests for dependency updates.
Note
It is best to put automated tests and an acceptance process in place so that checks run before a pull request is merged. This is especially important if the proposed upgrade version contains additional features, or if the change could break your project's code. For more information about continuous integration, see "Continuous integration".
Customizing pull requests for security updates
You can customize how Dependabot raises pull requests for security updates, so that they best fit your project's security priorities and processes. For example:
- Optimize Dependabot pull requests to prioritize meaningful updates by grouping multiple updates into a single pull request.
- Apply custom labels to integrate Dependabot's pull requests into your existing workflows.
Similar to version updates, customization options for security updates are defined in the dependabot.yml file. If you have already customized the dependabot.yml for version updates, then many of the configuration options that you have defined could automatically apply to security updates, too. However, there are a couple of important points to note:
- Dependabot security updates are always triggered by a security advisory, rather than running according to the schedule you have set in the dependabot.yml for version updates.
- Dependabot raises pull requests for security updates against the default branch only. If your configuration sets a value for target-branch, then the customization for that package ecosystem will only apply to version updates by default.
For more information, see Customizing pull requests for Dependabot security updates.
Pull requests for version updates
For version updates, you specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly.
When you first enable version updates, you may have many outdated dependencies, some of which may be many versions behind the latest release. Dependabot checks for outdated dependencies as soon as it is enabled. Depending on how many manifest files you configure updates for, you may see new pull requests for version updates within minutes of adding the configuration file. Dependabot also runs an update whenever the configuration file is subsequently changed.
To keep pull requests manageable and easy to review, Dependabot raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these pull requests before the next scheduled update, the remaining pull requests are opened at the next update, up to that maximum. You can change the maximum number of open pull requests by setting the open-pull-requests-limit configuration option.
To further reduce the number of pull requests you may see, you can use the groups configuration option to group sets of dependencies together (per package ecosystem). Dependabot then raises a single pull request that updates as many dependencies in the group as possible to the latest versions at the same time. For more information, see Optimizing pull request creation for Dependabot version updates.
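The following dependabot.yml ties together the security-update customization described above (labels, groups, the target-branch caveat) and the version-update scheduling and pull request limits described here. It is an added example, not configuration taken from the page or from GitHub's documentation; the npm ecosystem, the label text and the group names are assumptions chosen for illustration.

```yaml
# Added example dependabot.yml (not from the page). The ecosystem, label and
# group names below are assumed values, not anything the page specifies.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    # Version updates run on this schedule. Security updates ignore it: they
    # are triggered by a Dependabot alert on the default branch instead.
    schedule:
      interval: "weekly"
    # Cap on open version-update pull requests (five is the default); lower it
    # if the review queue cannot keep up, raise it for large backlogs.
    open-pull-requests-limit: 5
    # Custom labels so both version and security pull requests land in the
    # existing triage workflow. Note: setting labels replaces the default label.
    labels:
      - "dependencies"
      - "needs-review"
    # Leave target-branch unset so this customization also applies to security
    # updates. If you uncomment the line below, version updates go to "develop"
    # but security updates still target the default branch, and by default the
    # labels and groups here apply to version updates only.
    # target-branch: "develop"
    groups:
      # One weekly pull request for minor and patch bumps of dev tooling,
      # instead of one pull request per dependency.
      dev-tooling:
        applies-to: version-updates
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
      # Security fixes for production dependencies collapsed into a single
      # pull request so the alert-driven fix is reviewed and merged once.
      production-security:
        applies-to: security-updates
        dependency-type: "production"
```

The two groups are kept separate on purpose: a security-update pull request should be reviewable and mergeable on its own, without waiting on unrelated tooling bumps, while the version-update group keeps routine noise to one pull request per week.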
Commands for Dependabot pull requests
Dependabot responds to simple commands in comments. Each pull request contains details of the commands you can use to process the pull request (for example: to merge, squash, reopen, close, or rebase the pull request) under the "Dependabot commands and options" section. The aim is to make it as easy as possible for you to triage these automatically generated pull requests. For more information, see Dependabot pull request comment commands.