
Disabling dependabot alerts for a repository on GitHub

GitHub dependabot security alerts may sometimes become a chore especially when an abandoned project that is no longer in active use receives frequent security advisories. Is there an option to disable the active security monitoring?

Jobajuba asked Sep 01 '25 20:09


2 Answers

Open your repo and go to Settings. Click on Code security and analysis in the Security subsection. There you will find Dependabot settings with a Disable button for turning off the automated advisories.

The page is also available through direct link https://github.com/<USERNAME>/<REPO>/settings/security_analysis by replacing placeholders <USERNAME> and <REPO> with the corresponding identifiers.

Note that disabling the advisories will negatively impact the security of your software and should be avoided for any software with production deployments.

Jobajuba answered Sep 04 '25 23:09


This is the top result on Google.

I'm sick of getting alerts from dependabot. I have dependabot alerts disabled on all my repositories.

However, I think what we are getting is not dependabot alerts but pull request alerts.

Even if we disable dependabot alerts, it continues to create pull requests. Since we do want to receive pull request alerts, we get them.

In the official dependabot repository there are people commenting on how to disable it but all the links are outdated. Now most of them lead to the documentation or to parts of the options not related to dependabot.

At the moment I have found two possible solutions:

  1. Disable security updates: https://github.com/settings/security_analysis

OR

  2. Delete/truncate the dependabot configuration file: https://github.com/USERNAME/REPOSITORY/blob/master/.github/dependabot.yml (change USERNAME and REPOSITORY as appropriate)

I have not yet been able to verify that it works but I think that I will not receive any more PRs from dependabot and, therefore, I will not receive the emails either.

Hache_raw answered Sep 04 '25 22:09
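The answers above touch three separate Dependabot switches: alerts, security-update pull requests, and version-update pull requests driven by `.github/dependabot.yml`. The script below is an added example, not code from either answer, that handles all three for one repository through the GitHub REST API. It assumes the `gh` CLI is installed and authenticated with admin rights on the repository; the function names are hypothetical, and the default mode only prints the calls it would make.

```shell
#!/bin/sh
# Added example. Dependabot has three independent switches:
#   alerts            -> REST: /repos/OWNER/REPO/vulnerability-alerts
#   security updates  -> REST: /repos/OWNER/REPO/automated-security-fixes
#   version updates   -> the file .github/dependabot.yml inside the repository

# valid_slug SLUG: accept only OWNER/REPO, so nothing unexpected reaches the API path.
valid_slug() {
  case "$1" in
    ""|/*|*/|*/*/*|*/.|*/..|./*|../*) return 1 ;;  # empty part, extra slash, dot-only name
    *[!A-Za-z0-9._/-]*)               return 1 ;;  # characters GitHub names do not use
    */*)                              return 0 ;;
  esac
  return 1
}

# dependabot_off SLUG [dry-run|apply]
# Turns off security-update PRs first, then the alerts that trigger them.
# In the default dry-run mode the gh commands are printed instead of executed.
dependabot_off() {
  repo=$1
  mode=${2:-dry-run}
  if ! valid_slug "$repo"; then
    echo "invalid repository: $repo" >&2
    return 2
  fi
  for endpoint in automated-security-fixes vulnerability-alerts; do
    if [ "$mode" = "apply" ]; then
      gh api --silent -X DELETE "repos/$repo/$endpoint" || return 1
    else
      echo "gh api --silent -X DELETE repos/$repo/$endpoint"
    fi
  done
}

# version_updates_configured DIR: true when the checkout in DIR still has the
# config file that makes Dependabot open version-update pull requests.
version_updates_configured() {
  [ -f "$1/.github/dependabot.yml" ]
}

# Stand-alone use: sh dependabot_off.sh OWNER/REPO [apply]
if [ "$#" -gt 0 ]; then
  dependabot_off "$@"
fi
```

Sending `PUT` instead of `DELETE` to the same two endpoints turns the features back on.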