Disabling dependabot alerts for a repository on GitHub
4

32

GitHub dependabot security alerts may sometimes become a chore, especially when an abandoned project that is no longer in active use receives frequent security advisories. Is there an option to disable the active security monitoring?

Bantamweight answered 12/2, 2022 at 14:24 Comment(0)
39

Open your repo and go to Settings. Click on Code security and analysis in the Security subsection. There you will find the dependabot settings with a Disable button for turning off the automated advisories.

The page is also available through direct link https://github.com/<USERNAME>/<REPO>/settings/security_analysis by replacing placeholders <USERNAME> and <REPO> with the corresponding identifiers.

Note that disabling the advisories will negatively impact the security of your software and should be avoided for any software with production deployments.

Bantamweight answered 12/2, 2022 at 14:24 Comment(2)
"Dependabot alerts" button is "enable", but I still get alert emails. Why? Wershba
@MarvinXu see my answer. I think that's the reason. Caucasoid
5

This is the top result on google.

I'm sick of getting alerts from dependabot. I have dependabot alerts disabled on all my repositories.

However, I think what we are getting are not dependabot alerts but pull request alerts.

Even if we disable dependabot alerts, it continues to create pull requests. Since we do want to receive pull request alerts, we get them.

In the official dependabot repository there are people commenting on how to disable it but all the links are outdated. Now most of them lead to the documentation or to parts of the options not related to dependabot.

At the moment I have found two possible solutions:

  1. Disable security updates: https://github.com/settings/security_analysis

OR

  2. Delete/truncate the dependabot configuration file: https://github.com/USERNAME/REPOSITORY/blob/master/.github/dependabot.yml (change USERNAME and REPOSITORY as appropriate)

I have not yet been able to verify that it works, but I think that I will not receive any more PRs from dependabot and, therefore, I will not receive the emails either.

Caucasoid answered 17/10, 2022 at 19:7 Comment(2)
> Dependabot version updates automatically keep your application up-to-date by periodically updating dependencies to their latest versions. Dependabot security updates can also help keep dependencies updated. Wershba
Thanks! I figured it out! "Dependabot version updates" and "Dependabot security updates" are two different things. So even when I already disabled "security updates", I still receive PRs from dependabot. Wershba
2

The documentation for Dependabot version updates > Configure dependabot.yml > open-pull-requests-limit demonstrates how to disable version updates by setting this option to 0. Example .github/dependabot.yml file content:

version: 2
updates:
  - package-ecosystem: "mix"
    directory: "/"
    schedule:
      interval: "weekly"
    # Disable version updates for hex dependencies
    open-pull-requests-limit: 0

Just removing this file from the repository (as the official GitHub documentation about "Disabling Dependabot version updates" says) did not work for me.

Wheelhorse answered 19/1, 2023 at 9:3 Comment(0)
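The thread above keeps circling the same point: "Dependabot alerts", "Dependabot security updates" (PRs that fix advisories) and "Dependabot version updates" (PRs driven by .github/dependabot.yml) are three separate switches. The script below is an added example from the editor, not code from any of the answers or from GitHub, that reads all three for one repository through the GitHub REST API and can turn off the two that the API controls; version updates can only be stopped by editing the dependabot.yml file as Wheelhorse's answer shows. It assumes a token in the GITHUB_TOKEN environment variable with admin rights on the repository, and the dependabot.yml check is a line-based heuristic, not a full YAML parse.

```python
# Added example (editor's own, not from any answer on this page): audit the three
# separate Dependabot switches on one repository via the GitHub REST API, and
# optionally disable the two the API can change. Assumes GITHUB_TOKEN holds a
# token with admin rights on the repository. Endpoints used:
#   GET/DELETE /repos/{owner}/{repo}/vulnerability-alerts          -> Dependabot alerts
#   GET/DELETE /repos/{owner}/{repo}/automated-security-fixes      -> security updates
#   GET        /repos/{owner}/{repo}/contents/.github/dependabot.yml -> version updates
import base64
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"


def github_request(method, path, token=None):
    """Send one request to the GitHub REST API and return (status_code, body_text)."""
    token = token or os.environ.get("GITHUB_TOKEN")
    req = urllib.request.Request(API + path, method=method)
    req.add_header("Accept", "application/vnd.github+json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def version_updates_configured(dependabot_yml):
    """Heuristic check of dependabot.yml text: True if any package-ecosystem entry
    is not explicitly silenced with open-pull-requests-limit: 0."""
    lines = [ln.strip() for ln in dependabot_yml.splitlines()]
    ecosystems = sum(1 for ln in lines if ln.lstrip("- ").startswith("package-ecosystem:"))
    silenced = sum(1 for ln in lines if ln.replace(" ", "") == "open-pull-requests-limit:0")
    return ecosystems > silenced


def dependabot_status(owner, repo, request=github_request):
    """Return which of the three Dependabot features are active on owner/repo."""
    base = f"/repos/{owner}/{repo}"
    alerts_code, _ = request("GET", base + "/vulnerability-alerts")
    fixes_code, fixes_body = request("GET", base + "/automated-security-fixes")
    file_code, file_body = request("GET", base + "/contents/.github/dependabot.yml")

    security_updates = False
    if fixes_code == 200:
        security_updates = bool(json.loads(fixes_body).get("enabled"))

    version_updates = False
    if file_code == 200:  # file present; content comes back base64-encoded
        content = base64.b64decode(json.loads(file_body)["content"]).decode()
        version_updates = version_updates_configured(content)

    return {
        "alerts": alerts_code == 204,          # 204 = enabled, 404 = disabled
        "security_updates": security_updates,  # PRs that fix published advisories
        "version_updates": version_updates,    # PRs driven by dependabot.yml
    }


def disable_alerts_and_security_updates(owner, repo, request=github_request):
    """Turn off alerts and security-update PRs. Version updates cannot be switched
    off here: edit or delete .github/dependabot.yml in the default branch instead."""
    base = f"/repos/{owner}/{repo}"
    code_alerts, _ = request("DELETE", base + "/vulnerability-alerts")
    code_fixes, _ = request("DELETE", base + "/automated-security-fixes")
    return {
        "alerts_disabled": code_alerts == 204,
        "security_updates_disabled": code_fixes == 204,
    }


if __name__ == "__main__":
    import sys
    owner_arg, repo_arg = sys.argv[1], sys.argv[2]
    print(json.dumps(dependabot_status(owner_arg, repo_arg), indent=2))
```

Run it as `python audit_dependabot.py OWNER REPO` (file name is the editor's choice) to see which of the three features are still on before deciding what to disable; the status function is read-only, and the `request` parameter exists so the logic can be exercised against canned responses without touching the network.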
1

Cyberixae's answer should work but if you're getting these alerts on a forked repository, I found a good fix here that involves deleting the dependabot.yml file in a different branch and setting that branch to the default branch.

Gulosity answered 15/3, 2022 at 12:52 Comment(2)
Links to solutions on other websites are not recommended. Please copy/paste the linked solution specifically to your answer on SmackOvergnome. Thank you. Robena
@Robena Even though this answer included a hyperlink, the rest of the answer sufficiently describes a working fix. Upvoting. Crafton