dependabot Questions

3

I've set my maven.yml to update my projects dependency graph when it builds, but it always fails with this error: Error: Response body: { "message": "Resource not accessible by inte...
Bartell asked 1/8, 2023 at 22:41

1

How do I run the dependabot against the feature branches? What I'm trying to do, is to find the vulnerabilities of the third-party packages, not yet in the default branch, before deploying them. He...
Lipolysis asked 21/1, 2022 at 6:11

2

Solved

I have dependabot enabled in my GitHub repo. However, there is currently no open PR by it. I see in my repo the following message Dependabot updates are paused We noticed you haven't used Dependabot in...
Dormie asked 27/7, 2023 at 19:30

1

I'm using dependabot to update my NPM dependencies with the following dependabot.yml version: 2 updates: - package-ecosystem: npm directory: "/" schedule: interval: monthly rebase-str...
Postorbital asked 15/1, 2021 at 12:47

1

We use a codeowners file to automatically assign reviews to Pull Requests. We also have Dependabot creating PRs for major versions. We do not want to automatically add reviews to the PRs created by...
Hydrometer asked 22/2, 2023 at 10:48

1

After following guides like this one I am able to successfully run dependabot against my Azure DevOps repo and it auto creates PRs. The issue is I have some customizations I need to make such as ig...
Illdisposed asked 6/2, 2023 at 21:37

2

Solved

How can I GET the list of dependabot alerts available at https://github.com/{user}/{repo}/security/dependabot?page=1&q=is%3Aopen via the GitHub API? I searched through the documentation but co...
Haberdashery asked 24/2, 2021 at 17:58

3

I'm using GitHub dependabot.yml, version 2. version: 2 updates: # Nuget Packages - package-ecosystem: "nuget" directory: "/" schedule: interval: "monthly" I am t...
Blameful asked 24/9, 2020 at 13:28

2

The dependabot docs say that you can indicate which dependency type to check per package manager. However, it is not clear how it tells between development and production packages. The other option...
Radish asked 9/12, 2021 at 12:54

3

I need some help with Dependabot. I found out recently about this amazing package, but some of my repositories require dependencies that are private packages, created by me and used in my personal ...
Paulson asked 20/11, 2020 at 8:59

4

GitHub dependabot security alerts may sometimes become a chore, especially when an abandoned project that is no longer in active use receives frequent security advisories. Is there an option to disa...
Bantamweight asked 12/2, 2022 at 14:24

3

I'm trying to use Dependabot with AWS CodeArtifact and I keep getting authentication issues. Dependabot can't authenticate to a private package registry The following private package registry was ...
Granite asked 29/6, 2022 at 17:18

2

We want to use Dependabot to be informed about updated dependencies, but we do not want Dependabot to create pull requests on its own and do not want automated builds (we use GitHub for Code, Azure...
Tardy asked 5/6, 2022 at 13:14

3

Dependabot first reported and then retracted a security problem in a package. The basis of the retraction isn't given, just that the package "is no longer vulnerable." That makes no sense...
Actable asked 5/11, 2021 at 20:44

1

Is there a way to test that dependabot is working as expected before merging it to my repo? I work on a pretty large team and I want to make sure I can test the functionality before merging. I have...
Telstar asked 17/9, 2020 at 17:21

2

This is my dependabot config, is there any way to exclude major version updates and just have minor, patch and security updates? If so what would I need to change? version: 1 update_configs: - pa...
Bad asked 12/3, 2020 at 7:29

1

Solved

I have a repository with Dependabot in it, that opens PR on version updates, etc which I would like to keep. In the same repository, I have a GitHub Action for Pull Requests for my team to use. My ...

2

Solved

I'm not sure if my use case is one dependabot is suited for, so hoping someone can tell me if it is or is not, and if it is, point me to some documentation on how to do what I'm describing: I want ...
Handcar asked 10/2, 2022 at 15:51

1

Solved

Github dependabot found potential security vulnerabilities in my dependencies. Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). I don't...
Turnover asked 22/3, 2022 at 9:46

1

Solved

I have a directory /experiments in my repo which contains - surprise! - experiments. Those usually come with their own package.json which includes dependencies that were up to date at the time I ma...
Cubeb asked 13/12, 2020 at 12:8

1

Solved

I have created Workflow for GitHub Actions as described here: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-wi...

3

Solved

Following "Dependabot is moving natively into GitHub!", I had to update my dependabot config files to use version 2 format. My .dependabot/config.yaml did look like: version: 1 update_con...
Tuberous asked 29/9, 2020 at 9:31

1

Solved

Like the title says, on GitHub is it possible to manually select a branch against which Dependabot should open its Pull Requests? From what I can see, it opens PR against whichever branch is set to...
Wheels asked 13/4, 2021 at 20:17

3

Solved

We've recently switched from greenkeeper to dependabot for our dependencies checks and we noticed that dependabot is opening PRs changing only package-lock.json leaving package.json as it was. On ...

1

After enabling the Dependabot Security Alerts you need to explicitly grant access to alerts in the Security & Analysis settings (https://github.com/[org]/[repository]/settings/security_analysis...
Huysmans asked 24/3, 2021 at 13:40

© 2022 - 2024 — McMap. All rights reserved.