GitHub Community
Dependabot should warn on PRs that introduce a number of insecure dependencies #29475
-
|
Currently, if a new PR adds a number of insecure/out-of-date dependencies, Dependabot doesn't warn on this. But, after the PR lands, Dependabot will start warning how depedencies are out of date and even try to create a PR. This isn't a great UX: ideally, Dependabot would comment on the pull request! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
Hi! Thanks for being here. The dependency review action will check your PRs and will fail if they introduce a dependency that has a known vulnerability. |
Beta Was this translation helpful? Give feedback.
-
|
Hi! thank you! Didn't know about this. Unfortunate that it requires advanced security for private repos but I understand. Thanks! |
Beta Was this translation helpful? Give feedback.
Hi! Thanks for being here. The dependency review action will check your PRs and will fail if they introduce a dependency that has a known vulnerability.