From f0f6f88d5a3914bc4aa11d523c6a9fa07953108f Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 3 Nov 2020 15:45:49 +0000 Subject: [PATCH 1/5] 2776 - Update Dependabot feature names in docs to reflect brand guide (#16291) * update Dependabot variables * update variables in docs * update file names, titles and linked text * fixing more anchors/links * add redirects * remove duplicate redirect from --- ...ependencies-on-github-enterprise-server.md | 20 +++-- ...md => about-dependabot-version-updates.md} | 14 ++-- .../about-releases.md | 2 +- .../about-securing-your-repository.md | 10 +-- ...guration-options-for-dependency-updates.md | 12 +-- .../customizing-dependency-updates.md | 2 +- .../enabling-and-disabling-version-updates.md | 4 +- .../administering-a-repository/index.md | 4 +- ...our-actions-up-to-date-with-dependabot.md} | 8 +- ...ndencies-configured-for-version-updates.md | 4 +- ...ng-pull-requests-for-dependency-updates.md | 2 +- ...-up-a-trial-of-github-enterprise-server.md | 2 +- ...bout-alerts-for-vulnerable-dependencies.md | 12 +-- .../about-dependabot-security-updates.md | 35 ++++++++ ...bout-github-dependabot-security-updates.md | 33 -------- ...onfiguring-dependabot-security-updates.md} | 15 ++-- ...tifications-for-vulnerable-dependencies.md | 12 +-- .../index.md | 6 +- .../troubleshooting-dependabot-errors.md | 84 +++++++++++++++++++ ...roubleshooting-github-dependabot-errors.md | 82 ------------------ ...he-detection-of-vulnerable-dependencies.md | 32 +++---- ...nerable-dependencies-in-your-repository.md | 14 ++-- .../configuring-notifications.md | 2 +- .../managing-notifications-from-your-inbox.md | 2 +- .../permission-levels-for-an-organization.md | 2 +- ...ing-the-audit-log-for-your-organization.md | 8 +- ...se-settings-for-your-private-repository.md | 2 +- .../about-the-dependency-graph.md | 2 +- ...loring-the-dependencies-of-a-repository.md | 2 +- .../publishing-a-package.md | 2 +- .../dependabot/click-dependabot-tab.md | 4 +- data/reusables/dependabot/default-labels.md | 
2 +- data/reusables/dependabot/initial-updates.md | 2 +- .../dependabot/private-dependencies.md | 2 +- .../dependabot/pull-request-introduction.md | 2 +- .../dependabot/supported-package-managers.md | 4 +- .../dependabot/version-updates-for-actions.md | 2 +- .../repositories/enable-security-alerts.md | 2 +- .../repositories/sidebar-dependabot-alerts.md | 4 +- data/variables/product.yml | 9 +- 40 files changed, 237 insertions(+), 227 deletions(-) rename content/github/administering-a-repository/{about-github-dependabot-version-updates.md => about-dependabot-version-updates.md} (54%) rename content/github/administering-a-repository/{keeping-your-actions-up-to-date-with-github-dependabot.md => keeping-your-actions-up-to-date-with-dependabot.md} (70%) create mode 100644 content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md delete mode 100644 content/github/managing-security-vulnerabilities/about-github-dependabot-security-updates.md rename content/github/managing-security-vulnerabilities/{configuring-github-dependabot-security-updates.md => configuring-dependabot-security-updates.md} (87%) create mode 100644 content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md delete mode 100644 content/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors.md
diff --git a/content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md b/content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md
index 843cf0bcc0fe..8d25c497ef94 100644
--- a/content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md
+++ b/content/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server.md
@@ -1,11 +1,11 @@
 ---
 title: Enabling alerts for vulnerable dependencies on GitHub Enterprise Server
-intro: 'You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} and enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies in repositories in your instance.'
+intro: 'You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_ghe_cloud %} and enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies in repositories in your instance.'
 redirect_from:
 - /enterprise/admin/installation/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
 - /enterprise/admin/configuration/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server
 - /enterprise/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server
-permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}.'
+permissions: 'Site administrators for {% data variables.product.prodname_ghe_server %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}.'
 versions:
 enterprise-server: '*'
 ---
@@ -14,11 +14,11 @@ versions: {% data reusables.repositories.tracks-vulnerabilities %} For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." -You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}, then sync vulnerability data to your instance and generate {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts in repositories with a vulnerable dependency. +You can connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}, then sync vulnerability data to your instance and generate {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts in repositories with a vulnerable dependency. -After connecting {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %} and enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies, vulnerability data is synced from {% data variables.product.prodname_dotcom_the_website %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}. 
+After connecting {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %} and enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies, vulnerability data is synced from {% data variables.product.prodname_dotcom_the_website %} to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from {% data variables.product.product_location %} is uploaded to {% data variables.product.prodname_dotcom_the_website %}. -{% if currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate {% data variables.product.prodname_dependabot_short %} alerts. You can customize how you receive {% data variables.product.prodname_dependabot_short %} alerts. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-github-dependabot-alerts)." +{% if currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate {% data variables.product.prodname_dependabot_alerts %}. You can customize how you receive {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-dependabot-alerts)." 
{% endif %} {% if currentVersion == "enterprise-server@2.21" %}When {% data variables.product.product_location %} receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate security alerts. You can customize how you receive security alerts. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies/#configuring-notifications-for-security-alerts)." 
@@ -28,23 +28,25 @@ After connecting {% data variables.product.product_location %} to {% data variab {% endif %} {% if currentVersion ver_gt "enterprise-server@2.21" %} -### Enabling {% data variables.product.prodname_dependabot_short %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %} +### Enabling {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.prodname_ghe_server %} {% else %} ### Enabling security alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %} {% endif %} -Before enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}, you must connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %}](/enterprise/{{ currentVersion }}/admin/guides/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)." +Before enabling {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}, you must connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_ghe_cloud %}](/enterprise/{{ currentVersion }}/admin/guides/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)." 
{% if currentVersion ver_gt "enterprise-server@2.20" %} -{% if currentVersion ver_gt "enterprise-server@2.21" %}We recommend configuring {% data variables.product.prodname_dependabot_short %} alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_short %} alerts as usual.{% endif %} +{% if currentVersion ver_gt "enterprise-server@2.21" %}We recommend configuring {% data variables.product.prodname_dependabot_alerts %} without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive {% data variables.product.prodname_dependabot_alerts %} as usual.{% endif %} {% if currentVersion == "enterprise-server@2.21" %}We recommend configuring security alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive security alerts as usual.{% endif %} {% endif %} {% data reusables.enterprise_site_admin_settings.sign-in %} -1. In the administrative shell, enable the {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}: + +1. In the administrative shell, enable the {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies on {% data variables.product.product_location %}: + ``` shell $ ghe-dep-graph-enable ``` 
diff --git a/content/github/administering-a-repository/about-github-dependabot-version-updates.md b/content/github/administering-a-repository/about-dependabot-version-updates.md
similarity index 54%
rename from content/github/administering-a-repository/about-github-dependabot-version-updates.md
rename to content/github/administering-a-repository/about-dependabot-version-updates.md
index d765f55cfb0b..faa1362b55e0 100644
--- a/content/github/administering-a-repository/about-github-dependabot-version-updates.md
+++ b/content/github/administering-a-repository/about-dependabot-version-updates.md
@@ -1,8 +1,10 @@
 ---
-title: About GitHub Dependabot version updates
+title: About Dependabot version updates
 intro: 'You can use {% data variables.product.prodname_dependabot %} to keep the packages you use updated to the latest versions.'
 redirect_from:
- - /github/administering-a-repository/about-github-dependabot
+ - /github/administering-a-repository/about-dependabot
+ - /github/administering-a-repository/about-github-dependabot-version-updates
+
 versions:
 free-pro-team: '*'
 ---
@@ -13,11 +15,11 @@ versions: {% data variables.product.prodname_dependabot %} takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. -You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a configuration file in to your repository. The configuration file specifies the location of the manifest, or other package definition files, stored in your repository. {% data variables.product.prodname_dependabot_short %} uses this information to check for outdated packages and applications. {% data variables.product.prodname_dependabot_short %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository, rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary. +You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a configuration file in to your repository. The configuration file specifies the location of the manifest, or other package definition files, stored in your repository. {% data variables.product.prodname_dependabot %} uses this information to check for outdated packages and applications. 
{% data variables.product.prodname_dependabot %} determines if there is a new version of a dependency by looking at the semantic versioning ([semver](https://semver.org/)) of the dependency to decide whether it should update to that version. For certain package managers, {% data variables.product.prodname_dependabot_version_updates %} also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository, rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. {% data variables.product.prodname_dependabot_version_updates %} can be configured to check vendored dependencies for new versions and update them if necessary. -When {% data variables.product.prodname_dependabot_short %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot_short %} raises a pull request to directly replace the outdated dependency with the new version. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." +When {% data variables.product.prodname_dependabot %} identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, {% data variables.product.prodname_dependabot %} raises a pull request to directly replace the outdated dependency with the new version. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. 
For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." -If you enable security updates, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)." +If you enable security updates, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." {% data reusables.dependabot.dependabot-tos %} @@ -27,7 +29,7 @@ You specify how often to check each ecosystem for new versions in the configurat {% data reusables.dependabot.initial-updates %} -If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot_short %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency. +If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency. ### Supported repositories and ecosystems diff --git a/content/github/administering-a-repository/about-releases.md b/content/github/administering-a-repository/about-releases.md index c28637462ba8..96354c437af3 100644 --- a/content/github/administering-a-repository/about-releases.md 
+++ b/content/github/administering-a-repository/about-releases.md @@ -30,7 +30,7 @@ People with admin permissions to a repository can choose whether {% data variabl {% endif %} {% if currentVersion == "free-pro-team@latest" %} -If a release fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_short %} alerts to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)." +If a release fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)." You can view the **Dependents** tab of the dependency graph to see which repositories and packages depend on code in your repository, and may therefore be affected by a new release. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)." {% endif %} diff --git a/content/github/administering-a-repository/about-securing-your-repository.md b/content/github/administering-a-repository/about-securing-your-repository.md index 63214df2328e..9965531c8eee 100644 --- a/content/github/administering-a-repository/about-securing-your-repository.md +++ b/content/github/administering-a-repository/about-securing-your-repository.md 
@@ -21,14 +21,14 @@ The first step to securing a repository is to set up who can see and modify your Privately discuss and fix security vulnerabilities in your repository's code. You can then publish a security advisory to alert your community to the vulnerability and encourage them to upgrade. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)." -- **{% data variables.product.prodname_dependabot_short %} alerts and security updates** +- **{% data variables.product.prodname_dependabot_alerts %} and security updates** View alerts about dependencies that are known to contain security vulnerabilities, and choose whether to have pull requests generated automatically to update these dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" - and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)." + and "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)." -- **{% data variables.product.prodname_dependabot_short %} version updates** +- **{% data variables.product.prodname_dependabot %} version updates** - Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. 
For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-github-dependabot-version-updates)." + Use {% data variables.product.prodname_dependabot %} to automatically raise pull requests to keep your dependencies up-to-date. This helps reduce your exposure to older versions of dependencies. Using newer versions makes it easier to apply patches if security vulnerabilities are discovered, and also makes it easier for {% data variables.product.prodname_dependabot_security_updates %} to successfully raise pull requests to upgrade vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)." - **{% data variables.product.prodname_code_scanning_capc %} alerts** @@ -44,6 +44,6 @@ The first step to securing a repository is to set up who can see and modify your * Ecosystems and packages that your repository depends on * Repositories and packages that depend on your repository -You must enable the dependency graph before {% data variables.product.prodname_dotcom %} can generate {% data variables.product.prodname_dependabot_short %} alerts for dependencies with security vulnerabilities. +You must enable the dependency graph before {% data variables.product.prodname_dotcom %} can generate {% data variables.product.prodname_dependabot_alerts %} for dependencies with security vulnerabilities. You can find the dependency graph on the **Insights** tab for your repository. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)." diff --git a/content/github/administering-a-repository/configuration-options-for-dependency-updates.md b/content/github/administering-a-repository/configuration-options-for-dependency-updates.md index da6eb3422b40..717819bb6a6e 100644 
--- a/content/github/administering-a-repository/configuration-options-for-dependency-updates.md +++ b/content/github/administering-a-repository/configuration-options-for-dependency-updates.md @@ -12,7 +12,7 @@ versions: The {% data variables.product.prodname_dependabot %} configuration file, *dependabot.yml*, uses YAML syntax. If you're new to YAML and want to learn more, see "[Learn YAML in five minutes](https://www.codeproject.com/Articles/1214409/Learn-YAML-in-five-minutes)." -You must store this file in the `.github` directory of your repository. When you add or update the *dependabot.yml* file, this triggers an immediate check for version updates. Any options that also affect security updates are used the next time a security alert triggers a pull request with for security update. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)." +You must store this file in the `.github` directory of your repository. When you add or update the *dependabot.yml* file, this triggers an immediate check for version updates. Any options that also affect security updates are used the next time a security alert triggers a pull request with for security update. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)." ### Configuration options for *dependabot.yml* 
@@ -56,13 +56,13 @@ In addition, the [`open-pull-requests-limit`](#open-pull-requests-limit) option Security updates are raised for vulnerable package manifests only on the default branch. When configuration options are set for the same branch (true unless you use `target-branch`), and specify a `package-ecosystem` and `directory` for the vulnerable manifest, then pull requests for security updates use relevant options. -In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)." +In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)." {% endnote %} ### `package-ecosystem` -**Required** You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot_short %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below. +**Required** You add one `package-ecosystem` element for each package manager that you want {% data variables.product.prodname_dependabot %} to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. 
If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory. For more information, see [`vendor`](#vendor) below. {% data reusables.dependabot.supported-package-managers %} @@ -308,7 +308,7 @@ updates: {% note %} -**Note**: {% data variables.product.prodname_dependabot_version_updates %} can't run version updates for any dependencies in manifests containing private git dependencies or private git registries, even if you add the private dependencies to the `ignore` option of your configuration file. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-github-dependabot#supported-repositories-and-ecosystems)." +**Note**: {% data variables.product.prodname_dependabot_version_updates %} can't run version updates for any dependencies in manifests containing private git dependencies or private git registries, even if you add the private dependencies to the `ignore` option of your configuration file. For more information, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot#supported-repositories-and-ecosystems)." {% endnote %} @@ -544,7 +544,7 @@ updates: ### `vendor` -Use the `vendor` option to tell {% data variables.product.prodname_dependabot_short %} to vendor dependencies when updating them. +Use the `vendor` option to tell {% data variables.product.prodname_dependabot %} to vendor dependencies when updating them. ```yaml # Configure version updates for both dependencies defined in manifests and vendored dependencies 
@@ -559,7 +559,7 @@ updates: interval: "weekly" ``` -{% data variables.product.prodname_dependabot_short %} only updates the vendored dependencies located in specific directories in a repository. +{% data variables.product.prodname_dependabot %} only updates the vendored dependencies located in specific directories in a repository. | Package manager | Required file path for vendored dependencies | More information | |------------------|-------------------------------|--------| diff --git a/content/github/administering-a-repository/customizing-dependency-updates.md b/content/github/administering-a-repository/customizing-dependency-updates.md index 26f64bba2178..95340f31d2d8 100644 --- a/content/github/administering-a-repository/customizing-dependency-updates.md +++ b/content/github/administering-a-repository/customizing-dependency-updates.md 
@@ -20,7 +20,7 @@ After you've enabled version updates, you can customize how {% data variables.pr
 For more information about the configuration options, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates)."
-When you update the *dependabot.yml* file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot_short %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see "[Listing dependencies configured for version updates](/github/administering-a-repository/listing-dependencies-configured-for-version-updates)."
+When you update the *dependabot.yml* file in your repository, {% data variables.product.prodname_dependabot %} runs an immediate check with the new configuration. Within minutes you will see an updated list of dependencies on the **{% data variables.product.prodname_dependabot %}** tab, this may take longer if the repository has many dependencies. You may also see new pull requests for version updates. For more information, see "[Listing dependencies configured for version updates](/github/administering-a-repository/listing-dependencies-configured-for-version-updates)."
 ### Impact of configuration changes on security updates
diff --git a/content/github/administering-a-repository/enabling-and-disabling-version-updates.md b/content/github/administering-a-repository/enabling-and-disabling-version-updates.md
index c3e997f0dc74..51734816e398 100644
--- a/content/github/administering-a-repository/enabling-and-disabling-version-updates.md
+++ b/content/github/administering-a-repository/enabling-and-disabling-version-updates.md
@@ -10,7 +10,7 @@ versions:
 ### About version updates for dependencies
-You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a *dependabot.yml* configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot_short %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)."
+You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a *dependabot.yml* configuration file in to your repository's `.github` directory. {% data variables.product.prodname_dependabot %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
 {% data reusables.dependabot.initial-updates %} For more information, see "[Customizing dependency updates](/github/administering-a-repository/customizing-dependency-updates)."
@@ -72,7 +72,7 @@ On a fork, you also need to explicitly enable {% data variables.product.prodname
 ### Checking the status of version updates
-After you enable version updates, you'll see a new **Dependabot** tab in the dependency graph for the repository. This tab shows which package managers {% data variables.product.prodname_dependabot %} is configured to monitor and when {% data variables.product.prodname_dependabot_short %} last checked for new versions.
+After you enable version updates, you'll see a new **Dependabot** tab in the dependency graph for the repository. This tab shows which package managers {% data variables.product.prodname_dependabot %} is configured to monitor and when {% data variables.product.prodname_dependabot %} last checked for new versions.
 ![Repository Insights tab, Dependency graph, Dependabot tab](/assets/images/help/dependabot/dependabot-tab-view-beta.png)
diff --git a/content/github/administering-a-repository/index.md b/content/github/administering-a-repository/index.md
index 553b78e911b5..ecae8ec4f0f0 100644
--- a/content/github/administering-a-repository/index.md
+++ b/content/github/administering-a-repository/index.md
@@ -91,11 +91,11 @@ versions:
 {% topic_link_in_list /keeping-your-dependencies-updated-automatically %}
- {% link_in_list /about-github-dependabot-version-updates %}
+ {% link_in_list /about-dependabot-version-updates %}
 {% link_in_list /enabling-and-disabling-version-updates %}
 {% link_in_list /listing-dependencies-configured-for-version-updates %}
 {% link_in_list /managing-pull-requests-for-dependency-updates %}
 {% link_in_list /customizing-dependency-updates %}
 {% link_in_list /configuration-options-for-dependency-updates %}
- {% link_in_list /keeping-your-actions-up-to-date-with-github-dependabot %}
+ {% link_in_list /keeping-your-actions-up-to-date-with-dependabot %}
diff --git a/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot.md b/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md
similarity index 70%
rename from content/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot.md
rename to content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md
index 408911429a75..e489fec42f88 100644
--- a/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot.md
+++ b/content/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot.md
@@ -1,6 +1,8 @@
 ---
-title: Keeping your actions up to date with GitHub Dependabot
+title: Keeping your actions up to date with Dependabot
 intro: 'You can use {% data variables.product.prodname_dependabot %} to keep the actions you use updated to the latest versions.'
+redirect_from:
+ - /github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot
 versions:
 free-pro-team: '*'
 ---
@@ -9,7 +11,7 @@ versions:
 ### About {% data variables.product.prodname_dependabot_version_updates %} for actions
-Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's *workflow.yml* file are kept up to date. For each action in the file, {% data variables.product.prodname_dependabot_short %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, {% data variables.product.prodname_dependabot_short %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-github-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."
+Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable {% data variables.product.prodname_dependabot_version_updates %} for {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dependabot %} will help ensure that references to actions in a repository's *workflow.yml* file are kept up to date.
For each action in the file, {% data variables.product.prodname_dependabot %} checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, {% data variables.product.prodname_dependabot %} will send you a pull request that updates the reference in the workflow file to the latest version. For more information about {% data variables.product.prodname_dependabot_version_updates %}, see "[About {% data variables.product.prodname_dependabot_version_updates %}](/github/administering-a-repository/about-dependabot-version-updates)." For more information about configuring workflows for {% data variables.product.prodname_actions %}, see "[Learn {% data variables.product.prodname_actions %}](/actions/learn-github-actions)."
 ### Enabling {% data variables.product.prodname_dependabot_version_updates %} for actions
@@ -23,7 +25,7 @@ You can also enable {% data variables.product.prodname_dependabot_version_update
 #### Example *dependabot.yml* file for {% data variables.product.prodname_actions %}
-The example *dependabot.yml* file below configures version updates for {% data variables.product.prodname_actions %}. The `directory` must be set to `"/"` to check for workflow files in `.github/workflows`. The `schedule.interval` is set to `"daily"`. After this file has been checked in or updated, {% data variables.product.prodname_dependabot %} checks for new versions of your actions. {% data variables.product.prodname_dependabot_short %} will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, {% data variables.product.prodname_dependabot_short %} will continue to check for outdated versions of actions once a day.
+The example *dependabot.yml* file below configures version updates for {% data variables.product.prodname_actions %}. The `directory` must be set to `"/"` to check for workflow files in `.github/workflows`. The `schedule.interval` is set to `"daily"`. After this file has been checked in or updated, {% data variables.product.prodname_dependabot %} checks for new versions of your actions. {% data variables.product.prodname_dependabot %} will raise pull requests for version updates for any outdated actions that it finds. After the initial version updates, {% data variables.product.prodname_dependabot %} will continue to check for outdated versions of actions once a day.
 ```yaml
 # Set update schedule for GitHub Actions
diff --git a/content/github/administering-a-repository/listing-dependencies-configured-for-version-updates.md b/content/github/administering-a-repository/listing-dependencies-configured-for-version-updates.md
index 00fe9a059c1e..19a0c93aee15 100644
--- a/content/github/administering-a-repository/listing-dependencies-configured-for-version-updates.md
+++ b/content/github/administering-a-repository/listing-dependencies-configured-for-version-updates.md
@@ -9,7 +9,7 @@ versions:
 ### Viewing dependencies monitored by {% data variables.product.prodname_dependabot %}
-After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot_short %}** tab in the dependency graph for the repository. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
+After you've enabled version updates, you can confirm that your configuration is correct using the **{% data variables.product.prodname_dependabot %}** tab in the dependency graph for the repository. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.accessing-repository-graphs %}
@@ -22,7 +22,7 @@ If any dependencies are missing, check the log files for errors. If any package
 ### Viewing {% data variables.product.prodname_dependabot %} log files
-1. On the **{% data variables.product.prodname_dependabot_short %}** tab, click **Last checked *TIME* ago** to see the log file that {% data variables.product.prodname_dependabot %} generated during the last check for version updates.
+1. On the **{% data variables.product.prodname_dependabot %}** tab, click **Last checked *TIME* ago** to see the log file that {% data variables.product.prodname_dependabot %} generated during the last check for version updates.
 ![View log file](/assets/images/help/dependabot/last-checked-link.png)
 2. Optionally, to rerun the version check, click **Check for updates**.
 ![Check for updates](/assets/images/help/dependabot/check-for-updates.png)
diff --git a/content/github/administering-a-repository/managing-pull-requests-for-dependency-updates.md b/content/github/administering-a-repository/managing-pull-requests-for-dependency-updates.md
index 6f93905e1f99..ebe089535a7f 100644
--- a/content/github/administering-a-repository/managing-pull-requests-for-dependency-updates.md
+++ b/content/github/administering-a-repository/managing-pull-requests-for-dependency-updates.md
@@ -11,7 +11,7 @@ versions:
 {% data reusables.dependabot.pull-request-introduction %}
-When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
+When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
 If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. For more information, see "[Customizing dependency updates](/github/administering-a-repository/customizing-dependency-updates)."
diff --git a/content/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server.md b/content/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server.md
index 4a2ad75b8e3c..52e4315c74ac 100644
--- a/content/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server.md
+++ b/content/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server.md
@@ -13,7 +13,7 @@ versions:
 You can request a 45-day trial to evaluate {% data variables.product.prodname_ghe_server %}. Your trial will be installed as a virtual appliance, with options for on-premises or cloud deployment. For a list of supported visualization platforms, see "[Setting up a GitHub Enterprise Server instance](/enterprise/admin/installation/setting-up-a-github-enterprise-server-instance)."
-{% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}Security{% endif %} alerts and {% data variables.product.prodname_github_connect %} are not currently available in trials of {% data variables.product.prodname_ghe_server %}. For a demonstration of these features, contact {% data variables.contact.contact_enterprise_sales %}. For more information about these features, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
+{% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}Security{% endif %} alerts and {% data variables.product.prodname_github_connect %} are not currently available in trials of {% data variables.product.prodname_ghe_server %}. For a demonstration of these features, contact {% data variables.contact.contact_enterprise_sales %}. For more information about these features, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Connecting {% data variables.product.prodname_ghe_server %} to {% data variables.product.prodname_dotcom_the_website %}](/enterprise/admin/installation/connecting-github-enterprise-server-to-github-enterprise-cloud)."
Trials are also available for {% data variables.product.prodname_ghe_cloud %}. For more information, see "[Setting up a trial of {% data variables.product.prodname_ghe_cloud %}](/articles/setting-up-a-trial-of-github-enterprise-cloud)."
diff --git a/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md b/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md
index 2056d1ac514c..c0f46c36576b 100644
--- a/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md
+++ b/content/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies.md
@@ -17,7 +17,7 @@ When your code depends on a package that has a security vulnerability, this vuln
 ### Detection of vulnerable dependencies
- {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_short %} alerts{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when:
+ {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %} detects vulnerable dependencies and sends {% data variables.product.prodname_dependabot_alerts %}{% else %}{% data variables.product.product_name %} detects vulnerable dependencies and sends security alerts{% endif %} when:
 {% if currentVersion == "free-pro-team@latest" %}
 - A new vulnerability is added to the {% data variables.product.prodname_advisory_database %}. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)."
@@ -49,11 +49,11 @@ You can also enable or disable {% data variables.product.prodname_dependabot_ale
 {% endif %}
 {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
-When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot_short %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."
+When {% data variables.product.product_name %} identifies a vulnerable dependency, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. The alert includes a link to the affected file in the project, and information about a fixed version. {% data variables.product.product_name %} also notifies the maintainers of affected repositories about the new alert according to their notification preferences. For more information, see "[Configuring notifications for vulnerable dependencies](/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies)."
 {% endif %}
 {% if currentVersion == "free-pro-team@latest" %}
-For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability.
For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
+For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, the alert may also contain a link to a pull request to update the manifest or lock file to the minimum version that resolves the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
 {% endif %}
 {% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %}
@@ -66,12 +66,12 @@ When {% data variables.product.product_name %} identifies a vulnerable dependenc
 {% endwarning %}
-### Access to {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts
+### Access to {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts
 You can see all of the alerts that affect a particular project{% if currentVersion == "free-pro-team@latest" %} on the repository's Security tab or{% endif %} in the repository's dependency graph.{% if currentVersion == "free-pro-team@latest" %} For more information, see "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)."{% endif %}
 {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}
-By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_short %} alerts.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_short %} alerts visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-github-dependabot-alerts)."
+By default, we notify people with admin permissions in the affected repositories about new {% data variables.product.prodname_dependabot_alerts %}.{% endif %} {% if currentVersion == "free-pro-team@latest" %}{% data variables.product.product_name %} never publicly discloses identified vulnerabilities for any repository. You can also make {% data variables.product.prodname_dependabot_alerts %} visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-dependabot-alerts)."
 {% endif %}
 {% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %}
@@ -83,6 +83,6 @@ We send security alerts to people with admin permissions in the affected reposit
 {% if currentVersion == "free-pro-team@latest" %}
 ### Further reading
-- "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)"
+- "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)"
 - "[Viewing and updating vulnerable dependencies in your repository](/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
 - "[Understanding how {% data variables.product.product_name %} uses and protects your data](/categories/understanding-how-github-uses-and-protects-your-data)"{% endif %}
diff --git a/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md b/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md
new file mode 100644
index 000000000000..1d01216b97ff
--- /dev/null
+++ b/content/github/managing-security-vulnerabilities/about-dependabot-security-updates.md
@@ -0,0 +1,35 @@
+---
+title: About Dependabot security updates
+intro: '{% data variables.product.prodname_dependabot %} can fix vulnerable dependencies for you by raising pull requests with security updates.'
+shortTitle: About Dependabot security updates
+redirect_from:
+ - /github/managing-security-vulnerabilities/about-github-dependabot-security-updates
+versions:
+ free-pro-team: '*'
+---
+
+### About {% data variables.product.prodname_dependabot_security_updates %}
+
+{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)."
+
+{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)."
+
+{% note %}
+
+**Note**
+
+The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. You will see a {% data variables.product.prodname_dependabot %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. {% data variables.product.prodname_dependabot %} is unable to update an indirect or transitive dependency that is not explicitly defined. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#dependencies-included)."
+
+{% endnote %}
+
+### About pull requests for security updates
+
+Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository.
+
+When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates)."
+
+{% data reusables.dependabot.automated-tests-note %}
+
+### About compatibility scores
+
+{% data variables.product.prodname_dependabot_security_updates %} may include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project.
These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.
diff --git a/content/github/managing-security-vulnerabilities/about-github-dependabot-security-updates.md b/content/github/managing-security-vulnerabilities/about-github-dependabot-security-updates.md
deleted file mode 100644
index 4b7addb0493c..000000000000
--- a/content/github/managing-security-vulnerabilities/about-github-dependabot-security-updates.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: About GitHub Dependabot security updates
-intro: '{% data variables.product.prodname_dependabot %} can fix vulnerable dependencies for you by raising pull requests with security updates.'
-shortTitle: About Dependabot security updates
-versions:
-  free-pro-team: '*'
----
-
-### About {% data variables.product.prodname_dependabot_security_updates %}
-
-{% data variables.product.prodname_dependabot_security_updates %} make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a {% data variables.product.prodname_dependabot_short %} alert is raised for a vulnerable dependency in the dependency graph of your repository, {% data variables.product.prodname_dependabot_short %} automatically tries to fix it. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)" and "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)."
-
-{% data variables.product.prodname_dependabot %} checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then {% data variables.product.prodname_dependabot_short %} raises a pull request to update the dependency to the minimum version that includes the patch and links the pull request to the {% data variables.product.prodname_dependabot %} alert, or reports an error on the alert. For more information, see "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)."
-
-{% note %}
-
-**Note**
-
-The {% data variables.product.prodname_dependabot_security_updates %} feature is available for repositories where you have enabled the dependency graph and {% data variables.product.prodname_dependabot_short %} alerts. You will see a {% data variables.product.prodname_dependabot_short %} alert for every vulnerable dependency identified in your full dependency graph. However, security updates are triggered only for dependencies that are specified in a manifest or lock file. {% data variables.product.prodname_dependabot_short %} is unable to update an indirect or transitive dependency that is not explicitly defined. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#dependencies-included)."
-
-{% endnote %}
-
-### About pull requests for security updates
-
-Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_short %} alerts for the repository.
-
-When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot_short %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot_short %} pull requests, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates)."
-
-{% data reusables.dependabot.automated-tests-note %}
-
-### About compatibility scores
-
-{% data variables.product.prodname_dependabot_security_updates %} may include compatibility scores to let you know whether updating a vulnerability could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.
diff --git a/content/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates.md b/content/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.md
similarity index 87%
rename from content/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates.md
rename to content/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.md
index 2acde31d0aa3..a834954969c5 100644
--- a/content/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates.md
+++ b/content/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.md
@@ -1,20 +1,21 @@
 ---
-title: Configuring GitHub Dependabot security updates
+title: Configuring Dependabot security updates
 intro: 'You can use {% data variables.product.prodname_dependabot_security_updates %} or manual pull requests to easily update vulnerable dependencies.'
+shortTitle: Configuring Dependabot security updates
 redirect_from:
   - /articles/configuring-automated-security-fixes
   - /github/managing-security-vulnerabilities/configuring-automated-security-fixes
   - /github/managing-security-vulnerabilities/configuring-automated-security-updates
-shortTitle: Configuring Dependabot security updates
+  - /github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates
 versions:
   free-pro-team: '*'
 ---
 
 ### About configuring {% data variables.product.prodname_dependabot_security_updates %}
 
-You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_short %} alerts and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
+You can enable {% data variables.product.prodname_dependabot_security_updates %} for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
 
-You can disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository or for all repositories owned by your user account or organization. For more information, see "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-github-dependabot-security-updates-for-your-repositories)" below.
+You can disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository or for all repositories owned by your user account or organization. For more information, see "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-dependabot-security-updates-for-your-repositories)" below.
 
 {% data reusables.dependabot.dependabot-tos %}
 
@@ -24,7 +25,7 @@ You can disable {% data variables.product.prodname_dependabot_security_updates %
 
 {% note %}
 
-**Note**: You can manually enable {% data variables.product.prodname_dependabot_security_updates %}, even if the repository doesn't meet some of the prerequisites below. For example, you can enable {% data variables.product.prodname_dependabot_security_updates %} on a fork, or for a package manager that isn't directly supported by following the instructions in "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-github-dependabot-security-updates-for-your-repositories)."
+**Note**: You can manually enable {% data variables.product.prodname_dependabot_security_updates %}, even if the repository doesn't meet some of the prerequisites below. For example, you can enable {% data variables.product.prodname_dependabot_security_updates %} on a fork, or for a package manager that isn't directly supported by following the instructions in "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories](#managing-dependabot-security-updates-for-your-repositories)."
 
 {% endnote %}
 
@@ -34,7 +35,7 @@ You can disable {% data variables.product.prodname_dependabot_security_updates %
 | Repository is not archived | "[Archiving repositories](/github/creating-cloning-and-archiving-repositories/archiving-repositories)" |
 | Repository is public, or repository is private and you have enabled read-only analysis by {% data variables.product.prodname_dotcom %}, dependency graph, and vulnerability alerts in the repository's settings | "[Managing data use settings for your private repository](/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository)." |
 | Repository contains dependency manifest file from a package ecosystem that {% data variables.product.prodname_dotcom %} supports | "[Supported package ecosystems](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)" |
-| {% data variables.product.prodname_dependabot_security_updates %} are not disabled for the repository | "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repository](#managing-github-dependabot-security-updates-for-your-repositories)" |
+| {% data variables.product.prodname_dependabot_security_updates %} are not disabled for the repository | "[Managing {% data variables.product.prodname_dependabot_security_updates %} for your repository](#managing-dependabot-security-updates-for-your-repositories)" |
 | Repository is not already using an integration for dependency management | "[About integrations](/github/customizing-your-github-workflow/about-integrations)" |
 
 If security updates are not enabled for your repository and you don't know why, first try enabling them using the instructions given in the procedural sections below. If security updates are still not working, you can [contact support](https://support.github.com/contact).
@@ -50,7 +51,7 @@ You can also enable or disable {% data variables.product.prodname_dependabot_sec
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 {% data reusables.repositories.sidebar-dependabot-alerts %}
-1. Above the list of alerts, use the drop-down menu and select or unselect **{% data variables.product.prodname_dependabot_short %} security updates**.
+1. Above the list of alerts, use the drop-down menu and select or unselect **{% data variables.product.prodname_dependabot %} security updates**.
 ![Drop-down menu with the option to enable {% data variables.product.prodname_dependabot_security_updates %}](/assets/images/help/repository/enable-dependabot-security-updates-drop-down.png)
 
 ### Further reading
diff --git a/content/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies.md b/content/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies.md
index 9eb238ba9b09..2b322348118f 100644
--- a/content/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies.md
+++ b/content/github/managing-security-vulnerabilities/configuring-notifications-for-vulnerable-dependencies.md
@@ -1,7 +1,7 @@
 ---
 title: Configuring notifications for vulnerable dependencies
 shortTitle: Configuring notifications
-intro: 'Optimize how you receive notifications about {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts.'
+intro: 'Optimize how you receive notifications about {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts.'
 versions:
   free-pro-team: '*'
   enterprise-server: '>=2.21'
@@ -9,10 +9,10 @@ versions:
 
 ### About notifications for vulnerable dependencies
 
-{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot_short %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_dependabot_short %} is enabled by default on all public repositories. For {% data variables.product.prodname_dependabot_alerts %}, by default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email, grouped by the specific vulnerability.
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}When {% data variables.product.prodname_dependabot %} detects vulnerable dependencies in your repositories, we generate a {% data variables.product.prodname_dependabot %} alert and display it on the Security tab for the repository. {% data variables.product.product_name %} notifies the maintainers of affected repositories about the new alert according to their notification preferences.{% else %}When {% data variables.product.product_name %} detects vulnerable dependencies in your repositories, it sends security alerts.{% endif %}{% if currentVersion == "free-pro-team@latest" %} {% data variables.product.prodname_dependabot %} is enabled by default on all public repositories. For {% data variables.product.prodname_dependabot_alerts %}, by default, you will receive {% data variables.product.prodname_dependabot_alerts %} by email, grouped by the specific vulnerability.
 {% endif %}
 
-{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_short %} alerts for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-features-for-new-repositories)."
+{% if currentVersion == "free-pro-team@latest" %}If you're an organization owner, you can enable or disable {% data variables.product.prodname_dependabot_alerts %} for all repositories in your organization with one click. You can also set whether the detection of vulnerable dependencies will be enabled or disabled for newly-created repositories. For more information, see "[Managing security and analysis settings for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-features-for-new-repositories)."
 {% endif %}
 
 {% if enterpriseServerVersions contains currentVersion and currentVersion == "enterprise-server@2.21" %}
@@ -21,7 +21,7 @@ Your site administrator needs to enable security alerts for vulnerable dependenc {% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.20" %} By default, if your site administrator has configured email for notifications on your enterprise, you will receive {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_alerts %}{% else %}security alerts{% endif %} by email.{% endif %} -{% if currentVersion ver_gt "enterprise-server@2.21" %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot_short %} alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} +{% if currentVersion ver_gt "enterprise-server@2.21" %}Site administrators can also enable {% data variables.product.prodname_dependabot_alerts %} without notifications. For more information, see "[Enabling {% data variables.product.prodname_dependabot_alerts %} for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} {% if currentVersion ver_lt "enterprise-server@2.22" %}Site administrators can also enable security alerts without notifications. For more information, see "[Enabling security alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} 
@@ -33,14 +33,14 @@ You can configure notification settings for yourself or your organization from t {% data reusables.notifications.vulnerable-dependency-notification-options %} {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} - ![{% data variables.product.prodname_dependabot_short %} alerts options](/assets/images/help/notifications-v2/dependabot-alerts-options.png) + ![{% data variables.product.prodname_dependabot_alerts %} options](/assets/images/help/notifications-v2/dependabot-alerts-options.png) {% else %} ![Security alerts options](/assets/images/help/notifications-v2/security-alerts-options.png) {% endif %} {% note %} -**Note:** You can filter your {% data variables.product.company_short %} inbox notifications to show {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %} security{% endif %} alerts. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#supported-queries-for-custom-filters)." +**Note:** You can filter your {% data variables.product.company_short %} inbox notifications to show {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %} security{% endif %} alerts. For more information, see "[Managing notifications from your inbox](/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#supported-queries-for-custom-filters)." {% endnote %} diff --git a/content/github/managing-security-vulnerabilities/index.md b/content/github/managing-security-vulnerabilities/index.md index 61c09009e14e..819e4c4e2494 100644 --- a/content/github/managing-security-vulnerabilities/index.md +++ b/content/github/managing-security-vulnerabilities/index.md 
@@ -30,9 +30,9 @@ versions: {% link_in_list /about-alerts-for-vulnerable-dependencies %} {% link_in_list /configuring-notifications-for-vulnerable-dependencies %} - {% link_in_list /about-github-dependabot-security-updates %} - {% link_in_list /configuring-github-dependabot-security-updates %} + {% link_in_list /about-dependabot-security-updates %} + {% link_in_list /configuring-dependabot-security-updates %} {% link_in_list /viewing-and-updating-vulnerable-dependencies-in-your-repository %} {% link_in_list /troubleshooting-the-detection-of-vulnerable-dependencies %} - {% link_in_list /troubleshooting-github-dependabot-errors %} + {% link_in_list /troubleshooting-dependabot-errors %} diff --git a/content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md b/content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md new file mode 100644 index 000000000000..c33aa46aba6a --- /dev/null +++ b/content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md 
@@ -0,0 +1,84 @@
+---
+title: Troubleshooting Dependabot errors
+intro: 'Sometimes {% data variables.product.prodname_dependabot %} is unable to raise a pull request to update your dependencies. You can review the error and unblock {% data variables.product.prodname_dependabot %}.'
+shortTitle: Troubleshooting errors
+redirect_from:
+  - /github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors
+versions:
+  free-pro-team: '*'
+---
+
+{% data reusables.dependabot.beta-note %}
+
+### About {% data variables.product.prodname_dependabot %} errors
+
+{% data reusables.dependabot.pull-request-introduction %}
+
+If anything prevents {% data variables.product.prodname_dependabot %} from raising a pull request, this is reported as an error.
+
+### Investigating errors with {% data variables.product.prodname_dependabot_security_updates %}
+
+When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_alerts %} view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_alerts %}** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request.
+
+![{% data variables.product.prodname_dependabot_alerts %} view showing a pull request link](/assets/images/help/dependabot/dependabot-alert-pr-link.png)
+
+There are three reasons why an alert may have no pull request link:
+
+1. {% data variables.product.prodname_dependabot_security_updates %} are not enabled for the repository.
+1. The alert is for an indirect or transitive dependency that is not explicitly defined in a lock file.
+1. An error blocked {% data variables.product.prodname_dependabot %} from creating a pull request.
+
+If an error blocked {% data variables.product.prodname_dependabot %} from creating a pull request, you can display details of the error by clicking the alert.
+
+![{% data variables.product.prodname_dependabot %} alert showing the error that blocked the creation of a pull request](/assets/images/help/dependabot/dependabot-security-update-error.png)
+
+### Investigating errors with {% data variables.product.prodname_dependabot_version_updates %}
+
+When {% data variables.product.prodname_dependabot %} is blocked from creating a pull request to update a dependency in an ecosystem, it posts the error icon on the manifest file. The manifest files that are managed by {% data variables.product.prodname_dependabot %} are listed on the {% data variables.product.prodname_dependabot %} tab. To access this tab, on the **Insights** tab for the repository click **Dependency graph**, and then click the **{% data variables.product.prodname_dependabot %}** tab.
+
+![{% data variables.product.prodname_dependabot %} view showing an error](/assets/images/help/dependabot/dependabot-tab-view-error-beta.png)
+
+To see the log file for any manifest file, click the **Last checked TIME ago** link. When you display the log file for a manifest that's shown with an error symbol (for example, Maven in the screenshot above), any errors are also displayed.
+
+![{% data variables.product.prodname_dependabot %} version update error and log ](/assets/images/help/dependabot/dependabot-version-update-error-beta.png)
+
+### Understanding {% data variables.product.prodname_dependabot %} errors
+
+Pull requests for security updates act to upgrade a vulnerable dependency to the minimum version that includes a fix for the vulnerability. In contrast, pull requests for version updates act to upgrade a dependency to the latest version allowed by the package manifest and {% data variables.product.prodname_dependabot %} configuration files. Consequently, some errors are specific to one type of update.
+
+#### {% data variables.product.prodname_dependabot %} cannot update DEPENDENCY to a non-vulnerable version
+
+**Security updates only.** {% data variables.product.prodname_dependabot %} cannot create a pull request to update the vulnerable dependency to a secure version without breaking other dependencies in the dependency graph for this repository.
+
+Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem.
+
+The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
+
+#### {% data variables.product.prodname_dependabot %} cannot update to the required version as there is already an open pull request for the latest version
+
+**Security updates only.** {% data variables.product.prodname_dependabot %} will not create a pull request to update the vulnerable dependency to a secure version because there is already an open pull request to update this dependency. You will see this error when a vulnerability is detected in a single dependency and there's already an open pull request to update the dependency to the latest version.
+
+There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
+
+#### {% data variables.product.prodname_dependabot %} timed out during its update
+
+{% data variables.product.prodname_dependabot %} took longer than the maximum time allowed to assess the update required and prepare a pull request. This error is usually seen only for large repositories with many manifest files, for example, npm or yarn monorepo projects with hundreds of *package.json* files. Updates to the Composer ecosystem also take longer to assess and may time out.
+
+This error is difficult to address. If a version update times out, you could specify the most important dependencies to update using the `allow` parameter or, alternatively, use the `ignore` parameter to exclude some dependencies from updates. Updating your configuration might allow {% data variables.product.prodname_dependabot %} to review the version update and generate the pull request in the time available.
+
+If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
+
+#### {% data variables.product.prodname_dependabot %} cannot open any more pull requests
+
+There's a limit on the number of open pull requests {% data variables.product.prodname_dependabot %} will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests.
+
+There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#open-pull-requests-limit)."
+
+The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
+
+### Triggering a {% data variables.product.prodname_dependabot %} pull request manually
+
+If you unblock {% data variables.product.prodname_dependabot %}, you can manually trigger a fresh attempt to create a pull request.
+
+- **Security updates**—display the {% data variables.product.prodname_dependabot %} alert that shows the error you have fixed and click **Create {% data variables.product.prodname_dependabot %} security update**.
+- **Version updates**—display the log file for the manifest that shows the error that you have fixed and click **Check for updates**.
diff --git a/content/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors.md b/content/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors.md
deleted file mode 100644
index a376ff1995b2..000000000000
--- a/content/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Troubleshooting GitHub Dependabot errors
-intro: 'Sometimes {% data variables.product.prodname_dependabot %} is unable to raise a pull request to update your dependencies. You can review the error and unblock {% data variables.product.prodname_dependabot_short %}.'
-shortTitle: Troubleshooting errors
-versions:
- free-pro-team: '*'
----
-
-{% data reusables.dependabot.beta-note %}
-
-### About {% data variables.product.prodname_dependabot %} errors
-
-{% data reusables.dependabot.pull-request-introduction %}
-
-If anything prevents {% data variables.product.prodname_dependabot_short %} from raising a pull request, this is reported as an error.
-
-### Investigating errors with {% data variables.product.prodname_dependabot_security_updates %}
-
-When {% data variables.product.prodname_dependabot_short %} is blocked from creating a pull request to fix a {% data variables.product.prodname_dependabot_short %} alert, it posts the error message on the alert. The {% data variables.product.prodname_dependabot_short %} alerts view shows a list of any alerts that have not been resolved yet. To access the alerts view, click **{% data variables.product.prodname_dependabot_short %} alerts** on the **Security** tab for the repository. Where a pull request that will fix the vulnerable dependency has been generated, the alert includes a link to that pull request.
-
-![{% data variables.product.prodname_dependabot_short %} alerts view showing a pull request link](/assets/images/help/dependabot/dependabot-alert-pr-link.png)
-
-There are three reasons why an alert may have no pull request link:
-
-1. {% data variables.product.prodname_dependabot_security_updates %} are not enabled for the repository.
-1. The alert is for an indirect or transitive dependency that is not explicitly defined in a lock file.
-1. An error blocked {% data variables.product.prodname_dependabot_short %} from creating a pull request.
-
-If an error blocked {% data variables.product.prodname_dependabot_short %} from creating a pull request, you can display details of the error by clicking the alert.
-
-![{% data variables.product.prodname_dependabot_short %} alert showing the error that blocked the creation of a pull request](/assets/images/help/dependabot/dependabot-security-update-error.png)
-
-### Investigating errors with {% data variables.product.prodname_dependabot_version_updates %}
-
-When {% data variables.product.prodname_dependabot_short %} is blocked from creating a pull request to update a dependency in an ecosystem, it posts the error icon on the manifest file. The manifest files that are managed by {% data variables.product.prodname_dependabot_short %} are listed on the {% data variables.product.prodname_dependabot_short %} tab. To access this tab, on the **Insights** tab for the repository click **Dependency graph**, and then click the **{% data variables.product.prodname_dependabot_short %}** tab.
-
-![{% data variables.product.prodname_dependabot_short %} view showing an error](/assets/images/help/dependabot/dependabot-tab-view-error-beta.png)
-
-To see the log file for any manifest file, click the **Last checked TIME ago** link. When you display the log file for a manifest that's shown with an error symbol (for example, Maven in the screenshot above), any errors are also displayed.
-
-![{% data variables.product.prodname_dependabot_short %} version update error and log ](/assets/images/help/dependabot/dependabot-version-update-error-beta.png)
-
-### Understanding {% data variables.product.prodname_dependabot_short %} errors
-
-Pull requests for security updates act to upgrade a vulnerable dependency to the minimum version that includes a fix for the vulnerability. In contrast, pull requests for version updates act to upgrade a dependency to the latest version allowed by the package manifest and {% data variables.product.prodname_dependabot_short %} configuration files.
Consequently, some errors are specific to one type of update.
-
-#### {% data variables.product.prodname_dependabot_short %} cannot update DEPENDENCY to a non-vulnerable version
-
-**Security updates only.** {% data variables.product.prodname_dependabot_short %} cannot create a pull request to update the vulnerable dependency to a secure version without breaking other dependencies in the dependency graph for this repository.
-
-Every application that has dependencies has a dependency graph, that is, a directed acyclic graph of every package version that the application directly or indirectly depends on. Every time a dependency is updated, this graph must resolve otherwise the application won't build. When an ecosystem has a deep and complex dependency graph, for example, npm and RubyGems, it is often impossible to upgrade a single dependency without upgrading the whole ecosystem.
-
-The best way to avoid this problem is to stay up to date with the most recently released versions, for example, by enabling version updates. This increases the likelihood that a vulnerability in one dependency can be resolved by a simple upgrade that doesn't break the dependency graph. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
-
-#### {% data variables.product.prodname_dependabot_short %} cannot update to the required version as there is already an open pull request for the latest version
-
-**Security updates only.** {% data variables.product.prodname_dependabot_short %} will not create a pull request to update the vulnerable dependency to a secure version because there is already an open pull request to update this dependency. You will see this error when a vulnerability is detected in a single dependency and there's already an open pull request to update the dependency to the latest version.
-
-There are two options: you can review the open pull request and merge it as soon as you are confident that the change is safe, or close that pull request and trigger a new security update pull request. For more information, see "[Triggering a {% data variables.product.prodname_dependabot_short %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
-
-#### {% data variables.product.prodname_dependabot_short %} timed out during its update
-
-{% data variables.product.prodname_dependabot_short %} took longer than the maximum time allowed to assess the update required and prepare a pull request. This error is usually seen only for large repositories with many manifest files, for example, npm or yarn monorepo projects with hundreds of *package.json* files. Updates to the Composer ecosystem also take longer to assess and may time out.
-
-This error is difficult to address. If a version update times out, you could specify the most important dependencies to update using the `allow` parameter or, alternatively, use the `ignore` parameter to exclude some dependencies from updates. Updating your configuration might allow {% data variables.product.prodname_dependabot_short %} to review the version update and generate the pull request in the time available.
-
-If a security update times out, you can reduce the chances of this happening by keeping the dependencies updated, for example, by enabling version updates. For more information, see "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)."
-
-#### {% data variables.product.prodname_dependabot_short %} cannot open any more pull requests
-
-There's a limit on the number of open pull requests {% data variables.product.prodname_dependabot_short %} will generate. When this limit is reached, no new pull requests are opened and this error is reported. The best way to resolve this error is to review and merge some of the open pull requests.
-
-There are separate limits for security and version update pull requests, so that open version update pull requests cannot block the creation of a security update pull request. The limit for security update pull requests is 10. By default, the limit for version updates is 5 but you can change this using the `open-pull-requests-limit` parameter in the configuration file. For more information, see "[Configuration options for dependency updates](/github/administering-a-repository/configuration-options-for-dependency-updates#open-pull-requests-limit)."
-
-The best way to resolve this error is to merge or close some of the existing pull requests and trigger a new pull request manually. For more information, see "[Triggering a {% data variables.product.prodname_dependabot_short %} pull request manually](#triggering-a-dependabot-pull-request-manually)."
-
-### Triggering a {% data variables.product.prodname_dependabot_short %} pull request manually
-
-If you unblock {% data variables.product.prodname_dependabot_short %}, you can manually trigger a fresh attempt to create a pull request.
-
-- **Security updates**—display the {% data variables.product.prodname_dependabot_short %} alert that shows the error you have fixed and click **Create {% data variables.product.prodname_dependabot_short %} security update**.
-- **Version updates**—display the log file for the manifest that shows the error that you have fixed and click **Check for updates**.
diff --git a/content/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies.md b/content/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies.md
index 9926d8bcf2cf..ce6fe1bc8eba 100644
--- a/content/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies.md
+++ b/content/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies.md
@@ -14,14 +14,14 @@ The results of dependency detection reported by {% data variables.product.produc
 * {% data variables.product.prodname_advisory_database %} is one of the data sources that {% data variables.product.prodname_dotcom %} uses to identify vulnerable dependencies. It's a free, curated database of vulnerability information for common package ecosystems on {% data variables.product.prodname_dotcom %}. It includes both data reported directly to {% data variables.product.prodname_dotcom %} from {% data variables.product.prodname_security_advisories %}, as well as official feeds and community sources. This data is reviewed and curated by {% data variables.product.prodname_dotcom %} to ensure that false or unactionable information is not shared with the development community. For more information, see "[Browsing security vulnerabilities in the {% data variables.product.prodname_advisory_database %}](/github/managing-security-vulnerabilities/browsing-security-vulnerabilities-in-the-github-advisory-database)" and "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)."
 * The dependency graph parses all known package manifest files in a user’s repository. For example, for npm it will parse the _package-lock.json_ file. It constructs a graph of all of the repository’s dependencies and public dependents. This happens when you enable the dependency graph and when anyone pushes to the default branch, and it includes commits that makes changes to a supported manifest format. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)."
-* {% data variables.product.prodname_dependabot_short %} scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository.
{% data variables.product.prodname_dependabot_short %} alerts are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
-* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot_short %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)."
+* {% data variables.product.prodname_dependabot %} scans any push, to the default branch, that contains a manifest file. When a new vulnerability record is added, it scans all existing repositories and generates an alert for each vulnerable repository. {% data variables.product.prodname_dependabot_alerts %} are aggregated at the repository level, rather than creating one alert per vulnerability. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
+* {% data variables.product.prodname_dependabot_security_updates %} are triggered when you receive an alert about a vulnerable dependency in your repository. Where possible, {% data variables.product.prodname_dependabot %} creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability.
For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)" and "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)."
- {% data variables.product.prodname_dependabot_short %} doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new vulnerability is discovered and added to the advisory database.
+ {% data variables.product.prodname_dependabot %} doesn't scan repositories for vulnerable dependencies on a schedule, but rather when something changes. For example, a scan is triggered when a new dependency is added ({% data variables.product.prodname_dotcom %} checks for this on every push), or when a new vulnerability is discovered and added to the advisory database.
 ### Why don't I get vulnerability alerts for some ecosystems?
-{% data variables.product.prodname_dotcom %} limits its support for vulnerability alerts to a set of ecosystems where we can provide high-quality, actionable data. Curated vulnerabilities in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% data variables.product.prodname_dependabot_short %} alerts, and {% data variables.product.prodname_dependabot_short %} security updates are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. We'll continue to add support for more ecosystems over time. For an overview of the package ecosystems that we support, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)."
+{% data variables.product.prodname_dotcom %} limits its support for vulnerability alerts to a set of ecosystems where we can provide high-quality, actionable data. Curated vulnerabilities in the {% data variables.product.prodname_advisory_database %}, the dependency graph, {% data variables.product.prodname_dependabot_alerts %}, and {% data variables.product.prodname_dependabot %} security updates are provided for several ecosystems, including Java’s Maven, JavaScript’s npm and Yarn, .NET’s NuGet, Python’s pip, Ruby's RubyGems, and PHP’s Composer. We'll continue to add support for more ecosystems over time. For an overview of the package ecosystems that we support, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)."
 It's worth noting that [{% data variables.product.prodname_dotcom %} Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories) may exist for other ecosystems. The information in a security advisory is provided by the maintainers of a particular repository. This data is not curated in the same way as information for the supported ecosystems.
@@ -31,7 +31,7 @@ It's worth noting that [{% data variables.product.prodname_dotcom %} Security Ad
 The dependency graph includes information on dependencies that are explicitly declared in your environment. That is, dependencies that are specified in a manifest or a lockfile. The dependency graph generally also includes transitive dependencies, even when they aren't specified in a lockfile, by looking at the dependencies of the dependencies in a manifest file.
-{% data variables.product.prodname_dependabot_short %} alerts advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile. {% data variables.product.prodname_dependabot_short %} security updates only suggests a change where it can directly "fix" the dependency, that is, when these are:
+{% data variables.product.prodname_dependabot_alerts %} advise you about dependencies you should update, including transitive dependencies, where the version can be determined from a manifest or a lockfile. {% data variables.product.prodname_dependabot %} security updates only suggests a change where it can directly "fix" the dependency, that is, when these are:
 * Direct dependencies explicitly declared in a manifest or lockfile
 * Transitive dependencies declared in a lockfile
@@ -51,21 +51,21 @@ Yes, the dependency graph has two categories of limits:
 1. **Processing limits**
- These affect the dependency graph displayed within {% data variables.product.prodname_dotcom %} and also prevent {% data variables.product.prodname_dependabot_short %} alerts being created.
+ These affect the dependency graph displayed within {% data variables.product.prodname_dotcom %} and also prevent {% data variables.product.prodname_dependabot_alerts %} being created.
- Manifests over 0.5 MB in size are only processed for enterprise accounts. For other accounts, manifests over 0.5 MB are ignored and will not create {% data variables.product.prodname_dependabot_short %} alerts.
+ Manifests over 0.5 MB in size are only processed for enterprise accounts. For other accounts, manifests over 0.5 MB are ignored and will not create {% data variables.product.prodname_dependabot_alerts %}.
- By default, {% data variables.product.prodname_dotcom %} will not process more than 20 manifests per repository. {% data variables.product.prodname_dependabot_short %} alerts are not be created for manifests beyond this limit. If you need to increase the limit, contact {% data variables.contact.contact_support %}.
+ By default, {% data variables.product.prodname_dotcom %} will not process more than 20 manifests per repository. {% data variables.product.prodname_dependabot_alerts %} are not be created for manifests beyond this limit. If you need to increase the limit, contact {% data variables.contact.contact_support %}.
 2. **Visualization limits**
- These affect what's displayed in the dependency graph within {% data variables.product.prodname_dotcom %}. However, they don't affect the {% data variables.product.prodname_dependabot_short %} alerts that are created.
+ These affect what's displayed in the dependency graph within {% data variables.product.prodname_dotcom %}. However, they don't affect the {% data variables.product.prodname_dependabot_alerts %} that are created.
- The Dependencies view of the dependency graph for a repository only displays 100 manifests. Typically this is adequate as it is significantly higher than the processing limit described above. In situations where the processing limit is over 100, {% data variables.product.prodname_dependabot_short %} alerts are still created for any manifests that are not shown within {% data variables.product.prodname_dotcom %}.
+ The Dependencies view of the dependency graph for a repository only displays 100 manifests. Typically this is adequate as it is significantly higher than the processing limit described above. In situations where the processing limit is over 100, {% data variables.product.prodname_dependabot_alerts %} are still created for any manifests that are not shown within {% data variables.product.prodname_dotcom %}.
 **Check**: Is the missing dependency in a manifest file that's over 0.5 MB, or in a repository with a large number of manifests?
-### Does {% data variables.product.prodname_dependabot_short %} generate alerts for vulnerabilities that have been known for many years?
+### Does {% data variables.product.prodname_dependabot %} generate alerts for vulnerabilities that have been known for many years?
 The {% data variables.product.prodname_advisory_database %} was launched in November 2019, and initially back-filled to include vulnerability information for the supported ecosystems, starting from 2017. When adding CVEs to the database, we prioritize curating newer CVEs, and CVEs affecting newer versions of software.
@@ -77,19 +77,19 @@ Some information on older vulnerabilities is available, especially where these C
 Some third-party tools use uncurated CVE data that isn't checked or filtered by a human. This means that CVEs with tagging or severity errors, or other quality issues, will cause more frequent, more noisy, and less useful alerts.
-Since {% data variables.product.prodname_dependabot_short %} uses curated data in the {% data variables.product.prodname_advisory_database %}, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant.
+Since {% data variables.product.prodname_dependabot %} uses curated data in the {% data variables.product.prodname_advisory_database %}, the volume of alerts may be lower, but the alerts you do receive will be accurate and relevant.
 ### Does each dependency vulnerability generate a separate alert?
 When a dependency has multiple vulnerabilities, only one aggregated alert is generated for that dependency, instead of one alert per vulnerability.
-The {% data variables.product.prodname_dependabot_short %} alerts count in {% data variables.product.prodname_dotcom %} shows a total for the number of alerts, that is, the number of dependencies with vulnerabilities, not the number of vulnerabilities.
+The {% data variables.product.prodname_dependabot_alerts %} count in {% data variables.product.prodname_dotcom %} shows a total for the number of alerts, that is, the number of dependencies with vulnerabilities, not the number of vulnerabilities.
-![{% data variables.product.prodname_dependabot_short %} alerts view](/assets/images/help/repository/dependabot-alerts-view.png)
+![{% data variables.product.prodname_dependabot_alerts %} view](/assets/images/help/repository/dependabot-alerts-view.png)
 When you click to display the alert details, you can see how many vulnerabilities are included in the alert.
-![Multiple vulnerabilities for a {% data variables.product.prodname_dependabot_short %} alert](/assets/images/help/repository/dependabot-vulnerabilities-number.png)
+![Multiple vulnerabilities for a {% data variables.product.prodname_dependabot %} alert](/assets/images/help/repository/dependabot-vulnerabilities-number.png)
 **Check**: If there is a discrepancy in the totals you are seeing, check that you are not comparing alert numbers with vulnerability numbers.
@@ -98,4 +98,4 @@ When you click to display the alert details, you can see how many vulnerabilitie
 - "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
 - "[Viewing and updating vulnerable dependencies in your repository](/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository)"
 - "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)"
-- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)"
+- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)"
diff --git a/content/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository.md b/content/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository.md
index 37ed54adfee3..0dea3bd05c25 100644
--- a/content/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository.md
+++ b/content/github/managing-security-vulnerabilities/viewing-and-updating-vulnerable-dependencies-in-your-repository.md
@@ -10,11 +10,11 @@ versions:
 ---
 Your repository's {% data variables.product.prodname_dependabot %} alerts tab lists all open and closed {% data variables.product.prodname_dependabot_alerts %} and corresponding {% data variables.product.prodname_dependabot_security_updates %}. You can sort the list of alerts using the drop-down menu, and you can click into specific alerts for more details. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)."
-You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)."
+You can enable automatic security updates for any repository that uses {% data variables.product.prodname_dependabot_alerts %} and the dependency graph. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
 ### About updates for vulnerable dependencies in your repository
-{% data variables.product.product_name %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect vulnerabilities affecting your repository. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.product_name %} detects a vulnerable dependency {% data variables.product.prodname_dependabot_short %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.
+{% data variables.product.product_name %} generates {% data variables.product.prodname_dependabot_alerts %} when we detect vulnerabilities affecting your repository. For repositories where {% data variables.product.prodname_dependabot_security_updates %} are enabled, when {% data variables.product.product_name %} detects a vulnerable dependency {% data variables.product.prodname_dependabot %} creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.
 ### Viewing and updating vulnerable dependencies
@@ -24,16 +24,16 @@ You can enable automatic security updates for any repository that uses {% data v
 1. Click the alert you'd like to view.
 ![Alert selected in list of alerts](/assets/images/help/graphs/click-alert-in-alerts-list.png)
 1. Review the details of the vulnerability and, if available, the pull request containing the automated security update.
-1. Optionally, if there isn't already a {% data variables.product.prodname_dependabot_security_updates %} update for the alert, to create a pull request to resolve the vulnerability, click **Create {% data variables.product.prodname_dependabot_short %} security update**.
- ![Create {% data variables.product.prodname_dependabot_short %} security update button](/assets/images/help/repository/create-dependabot-security-update-button.png)
-1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request. Each pull request raised by {% data variables.product.prodname_dependabot_short %} includes information on commands you can use to control {% data variables.product.prodname_dependabot_short %}. For more information, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates#managing-github-dependabot-pull-requests-with-comment-commands)."
+1. Optionally, if there isn't already a {% data variables.product.prodname_dependabot_security_updates %} update for the alert, to create a pull request to resolve the vulnerability, click **Create {% data variables.product.prodname_dependabot %} security update**.
+ ![Create {% data variables.product.prodname_dependabot %} security update button](/assets/images/help/repository/create-dependabot-security-update-button.png)
+1. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.
Each pull request raised by {% data variables.product.prodname_dependabot %} includes information on commands you can use to control {% data variables.product.prodname_dependabot %}. For more information, see "[Managing pull requests for dependency updates](/github/administering-a-repository/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands)."
 1. Optionally, if the alert is being fixed, if it's incorrect, or located in unused code, use the "Dismiss" drop-down, and click a reason for dismissing the alert.
 ![Choosing reason for dismissing the alert via the "Dismiss" drop-down](/assets/images/help/repository/dependabot-alert-dismiss-drop-down.png)
 ### Further reading
 - "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)"
-- "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)"
+- "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)"
 - "[Managing security and analysis settings for your repository](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)"
 - "[Troubleshooting the detection of vulnerable dependencies](/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies)"
-- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-github-dependabot-errors)"
+- "[Troubleshooting {% data variables.product.prodname_dependabot %} errors](/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)"
diff --git a/content/github/managing-subscriptions-and-notifications-on-github/configuring-notifications.md b/content/github/managing-subscriptions-and-notifications-on-github/configuring-notifications.md
index af33febe9d07..d7d72cd23eab 100644
--- a/content/github/managing-subscriptions-and-notifications-on-github/configuring-notifications.md
+++ b/content/github/managing-subscriptions-and-notifications-on-github/configuring-notifications.md
@@ -121,7 +121,7 @@ Email notifications from {% data variables.product.product_name %} contain the f 3. On the notifications settings page, choose how you receive notifications when: - There are updates in repositories or team discussions you're watching or in a conversation you're participating in. For more information, see "[About participating and watching notifications](#about-participating-and-watching-notifications)." - You gain access to a new repository or you've joined a new team. For more information, see "[Automatic watching](#automatic-watching)."{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %} - - There are new {% data variables.product.prodname_dependabot_alerts %} in your repository. For more information, see "[{% data variables.product.prodname_dependabot_alerts %} notification options](#github-dependabot-alerts-notification-options)." {% endif %}{% if currentVersion == "enterprise-server@2.21" %} + - There are new {% data variables.product.prodname_dependabot_alerts %} in your repository. For more information, see "[{% data variables.product.prodname_dependabot_alerts %} notification options](#dependabot-alerts-notification-options)." {% endif %}{% if currentVersion == "enterprise-server@2.21" %} - There are new security alerts in your repository. For more information, see "[Security alert notification options](#security-alert-notification-options)." {% endif %} {% if currentVersion == "free-pro-team@latest" %} - There are workflow runs updates on repositories set up with {% data variables.product.prodname_actions %}. For more information, see "[{% data variables.product.prodname_actions %} notification options](#github-actions-notification-options)."{% endif %} 
diff --git a/content/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox.md b/content/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox.md index 0745c85f3e6e..3a4c1e2632f0 100644 --- a/content/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox.md +++ b/content/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox.md @@ -113,7 +113,7 @@ To filter notifications by why you've received an update, you can use the `reaso #### Supported `is:` queries -To filter notifications for specific activity on {% data variables.product.product_name %}, you can use the `is` query. For example, to only see repository invitation updates, use `is:repository-invitation`{% if currentVersion != "github-ae@latest" %}, and to only see {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %} security{% endif %} alerts, use `is:repository-vulnerability-alert`.{% endif %} +To filter notifications for specific activity on {% data variables.product.product_name %}, you can use the `is` query. For example, to only see repository invitation updates, use `is:repository-invitation`{% if currentVersion != "github-ae@latest" %}, and to only see {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %} security{% endif %} alerts, use `is:repository-vulnerability-alert`.{% endif %} - `is:check-suite` - `is:commit` diff --git a/content/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.md b/content/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.md index 88b866b9f237..6b04032d743a 100644 
--- a/content/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.md +++ b/content/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization.md @@ -64,7 +64,7 @@ Organization members can have *owner*{% if currentVersion == "free-pro-team@late | Purchase, install, manage billing for, and cancel {% data variables.product.prodname_marketplace %} apps | **X** | | | | List apps in {% data variables.product.prodname_marketplace %} | **X** | | |{% if currentVersion != "github-ae@latest" %} | Receive [{% data variables.product.prodname_dependabot_alerts %} about vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies) for all of an organization's repositories | **X** | | | -| Manage {% data variables.product.prodname_dependabot_security_updates %} (see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-github-dependabot-security-updates)") | **X** | | |{% endif %} +| Manage {% data variables.product.prodname_dependabot_security_updates %} (see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)") | **X** | | |{% endif %} | [Manage the forking policy](/github/setting-up-and-managing-organizations-and-teams/managing-the-forking-policy-for-your-organization) | **X** | | | | [Limit activity in public repositories in an organization](/articles/limiting-interactions-in-your-organization) | **X** | | | | Pull (read), push (write), and clone (copy) *all repositories* in the organization | **X** | | | diff --git a/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md b/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md index aa1dd9d20058..61497be9a9dd 100644 
--- a/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md
+++ b/content/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization.md
@@ -47,7 +47,7 @@ To search for specific events, use the `action` qualifier in your query. Actions | `repo` | Contains all activities related to the repositories owned by your organization.{% if currentVersion == "free-pro-team@latest" %} | `repository_content_analysis` | Contains all activities related to [enabling or disabling data use for a private repository](/articles/about-github-s-use-of-your-data). | `repository_dependency_graph` | Contains all activities related to [enabling or disabling the dependency graph for a private repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-and-dependents-of-a-repository).{% endif %}{% if currentVersion != "github-ae@latest" %} -| `repository_vulnerability_alert` | Contains all activities related to [{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies).{% endif %}{% if currentVersion == "free-pro-team@latest" %} +| `repository_vulnerability_alert` | Contains all activities related to [{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies).{% endif %}{% if currentVersion == "free-pro-team@latest" %} | `sponsors` | Contains all events related to sponsor buttons (see "[Displaying a sponsor button in your repository](/articles/displaying-a-sponsor-button-in-your-repository)"){% endif %}{% if enterpriseServerVersions contains currentVersion or currentVersion == "github-ae@latest" %} | `team` | Contains all activities related to teams in your organization.{% endif %} | `team_discussions` | Contains activities 
related to managing team discussions for an organization. 
@@ -354,10 +354,10 @@ For more information, see "[Restricting publication of {% data variables.product | Action | Description |------------------|------------------- -| `create` | Triggered when {% data variables.product.product_name %} creates a [{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alert for a vulnerable dependency](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies) in a particular repository. +| `create` | Triggered when {% data variables.product.product_name %} creates a [{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alert for a vulnerable dependency](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies) in a particular repository. | `resolve` | Triggered when someone with write access to a repository [pushes changes to update and resolve a vulnerability](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies) in a project dependency. 
-| `dismiss` | Triggered when an organization owner or person with admin access to the repository dismisses a {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alert about a vulnerable dependency.{% if currentVersion == "free-pro-team@latest" %} -| `authorized_users_teams` | Triggered when an organization owner or a member with admin permissions to the repository [updates the list of people or teams authorized to receive {% data variables.product.prodname_dependabot_short %} alerts](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-github-dependabot-alerts) for vulnerable dependencies in the repository.{% endif %} +| `dismiss` | Triggered when an organization owner or person with admin access to the repository dismisses a {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alert about a vulnerable dependency.{% if currentVersion == "free-pro-team@latest" %} +| `authorized_users_teams` | Triggered when an organization owner or a member with admin permissions to the repository [updates the list of people or teams authorized to receive {% data variables.product.prodname_dependabot_alerts %}](/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-dependabot-alerts) for vulnerable dependencies in the repository.{% endif %} {% endif %} {% if currentVersion == "free-pro-team@latest" %} diff --git a/content/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository.md b/content/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository.md index fe736eb9c6dd..dc1c7cecd526 100644 
--- a/content/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository.md +++ b/content/github/understanding-how-github-uses-and-protects-your-data/managing-data-use-settings-for-your-private-repository.md @@ -10,7 +10,7 @@ versions: ### About data use for your private repository -When you enable data use for your private repository, you'll be able to access the dependency graph, where you can track your repository's dependencies and receive {% data variables.product.prodname_dependabot_short %} alerts when {% data variables.product.product_name %} detects vulnerable dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies#github-dependabot-alerts-for-vulnerable-dependencies)." +When you enable data use for your private repository, you'll be able to access the dependency graph, where you can track your repository's dependencies and receive {% data variables.product.prodname_dependabot_alerts %} when {% data variables.product.product_name %} detects vulnerable dependencies. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies#dependabot-alerts-for-vulnerable-dependencies)." ### Enabling or disabling data use features diff --git a/content/github/visualizing-repository-data-with-graphs/about-the-dependency-graph.md b/content/github/visualizing-repository-data-with-graphs/about-the-dependency-graph.md index e674add35621..ee6e10f5bcb4 100644 --- a/content/github/visualizing-repository-data-with-graphs/about-the-dependency-graph.md +++ b/content/github/visualizing-repository-data-with-graphs/about-the-dependency-graph.md 
@@ -47,7 +47,7 @@ You can use the dependency graph to: {% if currentVersion == "free-pro-team@latest" %}To generate a dependency graph, {% data variables.product.product_name %} needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories and you can choose to enable it for private repositories. For information about enabling or disabling it for private repositories, see "[Exploring the dependencies of a repository](/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository)."{% endif %} -{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}If the dependency graph is not available in your system, your site administrator can enable the dependency graph and {% data variables.product.prodname_dependabot_short %} alerts. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} +{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}If the dependency graph is not available in your system, your site administrator can enable the dependency graph and {% data variables.product.prodname_dependabot_alerts %}. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)."{% endif %} {% if enterpriseServerVersions contains currentVersion and currentVersion ver_lt "enterprise-server@2.22" %} If the dependency graph is not available in your system, your site administrator can enable the dependency graph and security alerts. 
For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)." diff --git a/content/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository.md b/content/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository.md index 3b3df2d46e4f..e06ac92e9a19 100644 --- a/content/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository.md +++ b/content/github/visualizing-repository-data-with-graphs/exploring-the-dependencies-of-a-repository.md @@ -36,7 +36,7 @@ If vulnerabilities have been detected in the repository, these are shown at the {% endif %} {% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %} -Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed, grouped by ecosystem. If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_short %} alerts. +Any direct and indirect dependencies that are specified in the repository's manifest or lock files are listed, grouped by ecosystem. If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to {% data variables.product.prodname_dependabot_alerts %}. {% note %} diff --git a/content/packages/publishing-and-managing-packages/publishing-a-package.md b/content/packages/publishing-and-managing-packages/publishing-a-package.md index 93fbdbffb4b7..68d69b2a592f 100644 --- a/content/packages/publishing-and-managing-packages/publishing-a-package.md +++ b/content/packages/publishing-and-managing-packages/publishing-a-package.md 
@@ -21,7 +21,7 @@ You can help people understand and use your package by providing a description a {% data reusables.package_registry.package-immutability %} {% if currentVersion == "free-pro-team@latest" %} -If a new version of a package fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_short %} alerts to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)." +If a new version of a package fixes a security vulnerability, you should publish a security advisory in your repository. {% data variables.product.prodname_dotcom %} reviews each published security advisory and may use it to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. For more information, see "[About GitHub Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)." {% endif %} ### Publishing a package diff --git a/data/reusables/dependabot/click-dependabot-tab.md b/data/reusables/dependabot/click-dependabot-tab.md index 787f9870693f..81f569ccc647 100644 --- a/data/reusables/dependabot/click-dependabot-tab.md +++ b/data/reusables/dependabot/click-dependabot-tab.md @@ -1,2 +1,2 @@ -4. Under "Dependency graph", click **{% data variables.product.prodname_dependabot_short %}**. - ![Dependency graph, {% data variables.product.prodname_dependabot_short %} tab](/assets/images/help/dependabot/dependabot-tab-beta.png) +4. Under "Dependency graph", click **{% data variables.product.prodname_dependabot %}**. + ![Dependency graph, {% data variables.product.prodname_dependabot %} tab](/assets/images/help/dependabot/dependabot-tab-beta.png) 
diff --git a/data/reusables/dependabot/default-labels.md b/data/reusables/dependabot/default-labels.md index 00fa428e678f..9294fb86c13e 100644 --- a/data/reusables/dependabot/default-labels.md +++ b/data/reusables/dependabot/default-labels.md @@ -1 +1 @@ -By default, {% data variables.product.prodname_dependabot %} raises all pull requests with the `dependencies` label. If more than one package manager is defined, {% data variables.product.prodname_dependabot_short %} includes an additional label on each pull request. This indicates which language or ecosystem the pull request will update, for example: `java` for Gradle updates and `submodules` for git submodule updates. {% data variables.product.prodname_dependabot %} creates these default labels automatically, as necessary in your repository. +By default, {% data variables.product.prodname_dependabot %} raises all pull requests with the `dependencies` label. If more than one package manager is defined, {% data variables.product.prodname_dependabot %} includes an additional label on each pull request. This indicates which language or ecosystem the pull request will update, for example: `java` for Gradle updates and `submodules` for git submodule updates. {% data variables.product.prodname_dependabot %} creates these default labels automatically, as necessary in your repository. diff --git a/data/reusables/dependabot/initial-updates.md b/data/reusables/dependabot/initial-updates.md index 869d31ff848e..fe4154576b85 100644 --- a/data/reusables/dependabot/initial-updates.md +++ b/data/reusables/dependabot/initial-updates.md 
@@ -1,3 +1,3 @@ When you first enable version updates, you may have many dependencies that are outdated and some may be many versions behind the latest version. {% data variables.product.prodname_dependabot %} checks for outdated dependencies as soon as it's enabled. You may see new pull requests for version updates within minutes of adding the configuration file, depending on the number of manifest files for which you configure updates. -To keep pull requests manageable and easy to review, {% data variables.product.prodname_dependabot_short %} raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, then further pull requests are opened up to a maximum of five (you can change this limit). +To keep pull requests manageable and easy to review, {% data variables.product.prodname_dependabot %} raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, then further pull requests are opened up to a maximum of five (you can change this limit). diff --git a/data/reusables/dependabot/private-dependencies.md b/data/reusables/dependabot/private-dependencies.md index dfcbae9c7300..717f1dbb9746 100644 --- a/data/reusables/dependabot/private-dependencies.md +++ b/data/reusables/dependabot/private-dependencies.md 
@@ -1 +1 @@ -Currently, {% data variables.product.prodname_dependabot_version_updates %} doesn't support manifest or lock files that contain any private git dependencies or private git registries. This is because, when running version updates, {% data variables.product.prodname_dependabot_short %} must be able to resolve all dependencies from their source to verify that version updates have been successful. +Currently, {% data variables.product.prodname_dependabot_version_updates %} doesn't support manifest or lock files that contain any private git dependencies or private git registries. This is because, when running version updates, {% data variables.product.prodname_dependabot %} must be able to resolve all dependencies from their source to verify that version updates have been successful. diff --git a/data/reusables/dependabot/pull-request-introduction.md b/data/reusables/dependabot/pull-request-introduction.md index 7494d2105995..86b8dd0cf363 100644 --- a/data/reusables/dependabot/pull-request-introduction.md +++ b/data/reusables/dependabot/pull-request-introduction.md 
@@ -1 +1 @@ -{% data variables.product.prodname_dependabot %} raises pull requests to update dependencies. Depending on how your repository is configured, {% data variables.product.prodname_dependabot_short %} may raise pull requests for version updates and/or for security updates. You manage these pull requests in the same way as any other pull request, but there are also some extra commands available. For information about enabling {% data variables.product.prodname_dependabot %} dependency updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates)" and "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." \ No newline at end of file +{% data variables.product.prodname_dependabot %} raises pull requests to update dependencies. Depending on how your repository is configured, {% data variables.product.prodname_dependabot %} may raise pull requests for version updates and/or for security updates. You manage these pull requests in the same way as any other pull request, but there are also some extra commands available. For information about enabling {% data variables.product.prodname_dependabot %} dependency updates, see "[Configuring {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/configuring-dependabot-security-updates)" and "[Enabling and disabling version updates](/github/administering-a-repository/enabling-and-disabling-version-updates)." \ No newline at end of file diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index c0152e0df729..9c62f5656fd0 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -18,12 +18,12 @@ Terraform: `terraform` | {% note %} -**Note**: {% data variables.product.prodname_dependabot_short %} also supports the following package managers: +**Note**: {% data variables.product.prodname_dependabot %} also supports the following package managers: -`yarn` (v1 only) (specify `npm`) -`pipenv`, `pip-compile`, and `poetry` (specify `pip`) -For example, if you use `poetry` to manage your Python dependencies and want {% data variables.product.prodname_dependabot_short %} to monitor your dependency manifest file for new versions, use `package-ecosystem: "pip"` in your *dependabot.yml* file. +For example, if you use `poetry` to manage your Python dependencies and want {% data variables.product.prodname_dependabot %} to monitor your dependency manifest file for new versions, use `package-ecosystem: "pip"` in your *dependabot.yml* file. {% endnote %} diff --git a/data/reusables/dependabot/version-updates-for-actions.md b/data/reusables/dependabot/version-updates-for-actions.md index 3b63e3586d5f..f00b76cfe20d 100644 --- a/data/reusables/dependabot/version-updates-for-actions.md +++ b/data/reusables/dependabot/version-updates-for-actions.md @@ -1 +1 @@ -You can also enable {% data variables.product.prodname_dependabot_version_updates %} for the actions that you add to your workflow. For more information, see "[Keeping your actions up to date with {% data variables.product.prodname_dependabot %}](/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot)." +You can also enable {% data variables.product.prodname_dependabot_version_updates %} for the actions that you add to your workflow. For more information, see "[Keeping your actions up to date with {% data variables.product.prodname_dependabot %}](/github/administering-a-repository/keeping-your-actions-up-to-date-with-dependabot)." 
diff --git a/data/reusables/repositories/enable-security-alerts.md b/data/reusables/repositories/enable-security-alerts.md index e4f329be8ded..1f1c4cd5fce0 100644 --- a/data/reusables/repositories/enable-security-alerts.md +++ b/data/reusables/repositories/enable-security-alerts.md @@ -1,3 +1,3 @@ {% if enterpriseServerVersions contains currentVersion %} -Your site administrator must enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot_short %}{% else %}security{% endif %} alerts for vulnerable dependencies for {% data variables.product.product_location %} before you can use this feature. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)." +Your site administrator must enable {% if currentVersion ver_gt "enterprise-server@2.21" %}{% data variables.product.prodname_dependabot %}{% else %}security{% endif %} alerts for vulnerable dependencies for {% data variables.product.product_location %} before you can use this feature. For more information, see "[Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}](/enterprise/{{ currentVersion }}/admin/configuration/enabling-alerts-for-vulnerable-dependencies-on-github-enterprise-server)." {% endif %} diff --git a/data/reusables/repositories/sidebar-dependabot-alerts.md b/data/reusables/repositories/sidebar-dependabot-alerts.md index b5e860b43ea2..30ce19c2e00a 100644 --- a/data/reusables/repositories/sidebar-dependabot-alerts.md +++ b/data/reusables/repositories/sidebar-dependabot-alerts.md 
@@ -1,2 +1,2 @@ -1. In the security sidebar, click **{% data variables.product.prodname_dependabot_short %} alerts**. -![{% data variables.product.prodname_dependabot_short %} alerts tab](/assets/images/help/repository/dependabot-alerts-tab.png) +1. In the security sidebar, click **{% data variables.product.prodname_dependabot_alerts %}**. +![{% data variables.product.prodname_dependabot_alerts %} tab](/assets/images/help/repository/dependabot-alerts-tab.png) diff --git a/data/variables/product.yml b/data/variables/product.yml index fa8edd4bac33..1f867437ef65 100644 --- a/data/variables/product.yml +++ b/data/variables/product.yml @@ -150,11 +150,10 @@ prodname_vss_ghe: 'Visual Studio subscription with GitHub Enterprise' prodname_vss_admin_portal_with_url: 'the [administrator portal for Visual Studio subscriptions](https://visualstudio.microsoft.com/subscriptions-administration/)' # GitHub Dependabot -prodname_dependabot: 'GitHub Dependabot' -prodname_dependabot_short: 'Dependabot' -prodname_dependabot_alerts: 'GitHub Dependabot alerts' -prodname_dependabot_security_updates: 'GitHub Dependabot security updates' -prodname_dependabot_version_updates: 'GitHub Dependabot version updates' +prodname_dependabot: 'Dependabot' +prodname_dependabot_alerts: 'Dependabot alerts' +prodname_dependabot_security_updates: 'Dependabot security updates' +prodname_dependabot_version_updates: 'Dependabot version updates' # GitHub Archive Program prodname_archive: 'GitHub Archive Program' From 66efc8f280e7f082b99bdd55f7060a32a55d568b Mon Sep 17 00:00:00 2001 From: Laura Coursen Date: Tue, 3 Nov 2020 10:01:35 -0600 Subject: [PATCH 2/5] Remove conflict markers (#16308) --- .../creating-your-first-repository-using-github-desktop.md | 5 ----- 1 file changed, 5 deletions(-) 
diff --git a/content/desktop/installing-and-configuring-github-desktop/creating-your-first-repository-using-github-desktop.md b/content/desktop/installing-and-configuring-github-desktop/creating-your-first-repository-using-github-desktop.md
index 758428325edf..fc00f154bd32 100644
--- a/content/desktop/installing-and-configuring-github-desktop/creating-your-first-repository-using-github-desktop.md
+++ b/content/desktop/installing-and-configuring-github-desktop/creating-your-first-repository-using-github-desktop.md
@@ -92,13 +92,8 @@ Now that you've created and published your repository, you're ready to make chan
 4. At the bottom of the **Changes** list, enter a commit message. To the right of your profile picture, type a short description of the commit. Since we're changing the _README.md_ file, "Add information about purpose of project" would be a good commit summary. Below the summary, you'll see a "Description" text field where you can type a longer description of the changes in the commit, which is helpful when looking back at the history of a project and understanding why changes were made. Since you're making a basic update of a _README.md_ file, you can skip the description.
    ![Commit message](/assets/images/help/desktop/getting-started-guide/commit-message.png)
-<<<<<<< HEAD
 5. Click **Commit to BRANCH NAME**. The commit button shows your current branch so you can be sure to commit to the branch you want.
    ![Commit to branch](/assets/images/help/desktop/getting-started-guide/click-commit-to-master.png)
-=======
-5. Click **Commit to master**. The commit button shows your current branch, which in this case is `master`, so that you know which branch you are making a commit to.
-   ![Commit to master](/assets/images/help/desktop/getting-started-guide/click-commit-to-master.png)
->>>>>>> master
 6. To push your changes to the remote repository on {% data variables.product.product_name %}, click **Push origin**.
    ![Push origin](/assets/images/help/desktop/getting-started-guide/push-to-origin.png) - The **Push origin** button is the same one that you clicked to publish your repository to {% data variables.product.product_name %}. This button changes contextually based on where you are at in the Git workflow. It should now say `Push origin` with a `1` next to it, indicating that there is one commit that has not been pushed up to {% data variables.product.product_name %}.
From 5d09adb106ccac73b0b1e06000ca55921526e486 Mon Sep 17 00:00:00 2001
From: Jason Etcovitch Date: Tue, 3 Nov 2020 13:12:25 -0500 Subject: [PATCH 3/5] Add/use small-footer for Actions landing page (#16265) * Add/use small-footer * Fix borked HTML * Extract scripts to new include * Add spacing * Fix some padding * Fix a test that uses /actions * Fix old links Co-authored-by: Sarah Schneider * Update /developers in general footer * Don't hard code free-pro-team * Use the small-footer everywhere * Tweak border Co-authored-by: Sarah Schneider --- content/actions/index.md | 2 +- includes/footer.html | 4 ++-- includes/scripts.html | 1 + includes/small-footer.html | 23 +++++++++++++++++++++++ layouts/default.html | 2 +- layouts/error-404.html | 2 +- layouts/error-500.html | 2 +- layouts/product-landing.html | 6 +++--- tests/rendering/footer.js | 3 ++- 9 files changed, 35 insertions(+), 10 deletions(-) create mode 100644 includes/scripts.html create mode 100644 includes/small-footer.html diff --git a/content/actions/index.md b/content/actions/index.md index 7cbfa4232164..69f214772fa7 100644 --- a/content/actions/index.md +++ b/content/actions/index.md @@ -73,7 +73,7 @@ versions: -
+

More guides

diff --git a/includes/footer.html b/includes/footer.html index 062c88a8c22a..7b46713fbd22 100644 --- a/includes/footer.html +++ b/includes/footer.html @@ -20,7 +20,7 @@

{% data ui.footer.product

- +{% include scripts %} diff --git a/includes/scripts.html b/includes/scripts.html new file mode 100644 index 000000000000..7c489813d52f --- /dev/null +++ b/includes/scripts.html @@ -0,0 +1 @@ + diff --git a/includes/small-footer.html b/includes/small-footer.html new file mode 100644 index 000000000000..e12574749bbb --- /dev/null +++ b/includes/small-footer.html @@ -0,0 +1,23 @@ + + +{% include scripts %} diff --git a/layouts/default.html b/layouts/default.html index cbb745a516a2..59179cf80296 100644 --- a/layouts/default.html +++ b/layouts/default.html @@ -14,7 +14,7 @@ {% include article %} {% endif %} {% include support %} - {% include footer %} + {% include small-footer %} diff --git a/layouts/error-404.html b/layouts/error-404.html index c314364ad73d..0c8569020910 100644 --- a/layouts/error-404.html +++ b/layouts/error-404.html @@ -32,7 +32,7 @@

{% data ui.search.need_help %}

{% include support %} - {% include footer %} + {% include small-footer %} diff --git a/layouts/error-500.html b/layouts/error-500.html index 4e138c0e71f8..2e6703b55813 100644 --- a/layouts/error-500.html +++ b/layouts/error-500.html @@ -22,6 +22,6 @@

{% data ui.errors.oops %}

{% include support %} - {% include footer %} + {% include small-footer %} diff --git a/layouts/product-landing.html b/layouts/product-landing.html index 1393070555f2..3ddfb186c57a 100644 --- a/layouts/product-landing.html +++ b/layouts/product-landing.html @@ -28,9 +28,9 @@

{{ page.shortTitle }}

{{ renderedPage }}
- - {% include support %} - {% include footer %} +
+ {% include small-footer %} +
diff --git a/tests/rendering/footer.js b/tests/rendering/footer.js
index fd5f31451515..d2c0f26d3600 100644
--- a/tests/rendering/footer.js
+++ b/tests/rendering/footer.js
@@ -1,12 +1,13 @@
 const { getDOM } = require('../helpers')
 const enterpriseServerReleases = require('../../lib/enterprise-server-releases')
+const nonEnterpriseDefaultVersion = require('../../lib/non-enterprise-default-version')
 describe('footer', () => {
   jest.setTimeout(10 * 60 * 1000)
   describe('"contact us" link', () => {
     test('leads to dotcom support on dotcom pages', async () => {
-      const $ = await getDOM('/en/actions')
+      const $ = await getDOM(`/en/${nonEnterpriseDefaultVersion}/github`)
       expect($('a#contact-us').attr('href')).toBe('https://support.github.com/contact')
     })
From 7d55775285df9a2ba26e208817acb9cf391e6395 Mon Sep 17 00:00:00 2001
From: Jason Etcovitch
Date: Tue, 3 Nov 2020 13:23:50 -0500
Subject: [PATCH 4/5] Actions landing page top bits (#16266)
* Add changelog frontmatter
* Reorganize some properties
* Move sections to product-landing
* Add more items
* Changing heading design
* Redesign hero
* Remove "GitHub Actions:"
* Popular ~articles~
* Use proper date formatting
* Quick start => Quickstart
* Add a comment
* Add to content/README
---
 content/README.md | 6 ++++
 content/actions/index.md | 57 +++++++++++------------------------
 data/ui.yml | 6 +++-
 layouts/product-landing.html | 53 ++++++++++++++++++++++++++++++---
 lib/frontmatter.js | 14 ++++++++-
 5 files changed, 90 insertions(+), 46 deletions(-)
diff --git a/content/README.md b/content/README.md
index d2c0789cca18..901427d4be71 100644
--- a/content/README.md
+++ b/content/README.md
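Review bot: The `/en/actions` case that this hunk replaces was the one footer test that hit a product-landing page, and the `layouts/product-landing.html` hunk in this same patch switches that layout from `footer` to `small-footer`, so the new include is left with no rendering test at all. Pointing the existing test at `/en/${nonEnterpriseDefaultVersion}/github` keeps the assertion green but it now only proves the full footer still works on an article page. I would keep a second `test(...)` for `/en/actions` that asserts whatever `small-footer` is expected to contain (or asserts `a#contact-us` is absent, if the small footer intentionally drops it), so a regression in the new include is caught. The enclosing `describe` blocks continue past the end of the hunk.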
@@ -166,6 +166,12 @@ featuredLinks:
 - Type: `Boolean`. Default is `false`.
 - Optional.
+### `changelog`
+
+- Purpose: Render a list of changelog items with timestamps on product pages (ex: `layouts/product-landing.html`)
+- Type: `Array`, items are objects `{ href: string, title: string, date: 'YYYY-MM-DD' }`
+- Optional.
+
 ### Escaping single quotes
 If you see two single quotes in a row (`''`) in YML frontmatter where you might expect to see one (`'`), this is the YML-preferred way to escape a single quote. From [the YAML spec](https://yaml.org/spec/history/2001-12-10.html):
diff --git a/content/actions/index.md b/content/actions/index.md
index 69f214772fa7..49ed125257d6 100644
--- a/content/actions/index.md
+++ b/content/actions/index.md
@@ -4,17 +4,30 @@ shortTitle: GitHub Actions
 intro: 'Automate, customize, and execute your software development workflows right in your repository with {% data variables.product.prodname_actions %}. You can discover, create, and share actions to perform any job you''d like, including CI/CD, and combine actions in a completely customized workflow.'
 introLinks:
   quickstart: /actions/quickstart
-  learn: /actions/learn-github-actions
+  reference: /actions/reference
 featuredLinks:
+  guides:
+    - /actions/guides/setting-up-continuous-integration-using-workflow-templates
+    - /actions/guides/about-packaging-with-github-actions
   gettingStarted:
     - /actions/managing-workflow-runs
     - /actions/hosting-your-own-runners
-  guide:
-    - /actions/guides/setting-up-continuous-integration-using-workflow-templates
-    - /actions/guides/about-packaging-with-github-actions
   popular:
     - /actions/reference/workflow-syntax-for-github-actions
     - /actions/reference/events-that-trigger-workflows
+changelog:
+  - title: Self-Hosted Runner Group Access Changes
+    date: '2020-10-16'
+    href: https://github.blog/changelog/2020-10-16-github-actions-self-hosted-runner-group-access-changes/
+  - title: Ability to change retention days for artifacts and logs
+    date: '2020-10-08'
+    href: https://github.blog/changelog/2020-10-08-github-actions-ability-to-change-retention-days-for-artifacts-and-logs
+  - title: Deprecating set-env and add-path commands
+    date: '2020-10-01'
+    href: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands
+  - title: Fine-tune access to external actions
+    date: '2020-10-01'
+    href: https://github.blog/changelog/2020-10-01-github-actions-fine-tune-access-to-external-actions
 redirect_from:
   - /articles/automating-your-workflow-with-github-actions/
   - /articles/customizing-your-project-with-github-actions/
@@ -36,42 +49,6 @@ versions: - -
-
- -
    - {% for link in featuredLinks.guide %} -
  • {% include featured-link %}
  • - {% endfor %} -
-
- -
- -
    - {% for link in featuredLinks.popular %} -
  • {% include featured-link %}
  • - {% endfor %} -
-
- -
- -
    - {% for link in featuredLinks.gettingStarted %} -
  • {% include featured-link %}
  • - {% endfor %} -
-
-
-

More guides

diff --git a/data/ui.yml b/data/ui.yml
index 79317d9ea4d3..0fc2ca6e1eb7 100644
--- a/data/ui.yml
+++ b/data/ui.yml
@@ -26,8 +26,9 @@ homepage:
   version_picker: Version
 toc:
   getting_started: Getting started
-  popular_articles: Popular articles
+  popular_articles: Popular
   guides: Guides
+  whats_new: What's new
 pages:
   article_version: "Article version:"
   miniToc: In this article
@@ -129,3 +130,6 @@ footer:
   careers: Careers
   press: Press
   shop: Shop
+product_landing:
+  quick_start: Quickstart
+  reference_guides: Reference guides
\ No newline at end of file
diff --git a/layouts/product-landing.html b/layouts/product-landing.html
index 3ddfb186c57a..32a8af6fe56a 100644
--- a/layouts/product-landing.html
+++ b/layouts/product-landing.html
@@ -15,16 +15,61 @@

{{ page.shortTitle }}

{{ page.intro }}
- - Quickstart + + {% data ui.product_landing.quick_start %} - - Learn {% data variables.product.prodname_actions %} + + {% data ui.product_landing.reference_guides %}
+ +
+
+ +
    + {% for link in featuredLinks.guides %} +
  • + {% include featured-link %} +
  • + {% endfor %} +
+
+ +
+ +
    + {% for link in featuredLinks.popular %} +
  • + {% include featured-link %} +
  • + {% endfor %} +
+
+ +
+ + +
+
+ {{ renderedPage }}
diff --git a/lib/frontmatter.js b/lib/frontmatter.js
index 888cda357f8c..d6aafc0127db 100644
--- a/lib/frontmatter.js
+++ b/lib/frontmatter.js
@@ -59,7 +59,7 @@ const schema = {
       type: 'object',
       properties: {
         quickstart: { type: 'string' },
-        learn: { type: 'string' }
+        reference: { type: 'string' }
       }
     },
     featuredLinks: {
@@ -71,6 +71,18 @@ const schema = {
           items: { type: 'string' }
         }
       }
+    },
+    // Shown in `product-landing.html` "What's new" section
+    changelog: {
+      type: 'array',
+      items: {
+        type: 'object',
+        properties: {
+          title: { type: 'string' },
+          date: { type: 'string', format: 'date' },
+          href: { type: 'string' }
+        }
+      }
     }
   }
 }
From 0b8d67464a42320a97da950a784fc35ef5b92cfb Mon Sep 17 00:00:00 2001
From: Jason Etcovitch
Date: Tue, 3 Nov 2020 13:50:02 -0500
Subject: [PATCH 5/5] Remove the thing (#16294)
Co-authored-by: Chiedo John <2156688+chiedo@users.noreply.github.com>
---
 includes/rest_operation.html | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/includes/rest_operation.html b/includes/rest_operation.html
index afe3e801ba53..dc30f725ca89 100644
--- a/includes/rest_operation.html
+++ b/includes/rest_operation.html
@@ -122,9 +122,7 @@
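Review bot: The new `changelog` item schema in the second hunk validates `date` with `format: 'date'` but leaves `href` as a bare string and marks none of the three properties as required, so an entry missing its `title` or carrying a malformed `href` passes frontmatter validation and, going by the hunk's own comment, is rendered into the "What's new" section as an empty or broken link. Since this is the only place such content is checked before it reaches the page, I would give `href` a URL format check (using whichever format name the validator in use supports, the same way `date` already uses `format: 'date'`) and mark `title`, `date` and `href` as required in the form this schema library expects. The enclosing `schema` object starts before the hunk, so the validator and its strictness settings are not visible here.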

Notes

  • Works with GitHub Apps
  • {% endif %} {% for note in operation.notes %} - {% unless note == 'Works with GitHub Apps' %} -
  • {{ note }}
  • - {% endunless %} +
  • {{ note }}
  • {% endfor %} {% endif %}