It seems to me that you can only see the vulnerable dependencies on the master branch. I fixed those mentioned in the alert on a separate branch and want to check if in fact the vulnerable dependencies are fixed, so what I really need is to be able to check the alert for the specific branch. Can this be done?
On GitHub, navigate to the main page of the repository. Under your repository name, click Security. Click the alert you'd like to view. Review the details of the vulnerability and, if available, the pull request containing the automated security fix.
Dependabot alerts tell you that your code depends on a package that is insecure. If your code depends on a package with a security vulnerability, this can cause a range of problems for your project or the people who use it. You should upgrade to a secure version of the package as soon as possible.
Fixing vulnerable dependencies: if you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click Create Dependabot security update at the top of the alert details page to create a pull request.
On GitHub.com, navigate to the main page of the repository. Under your repository name, click Settings. In the "Security" section of the sidebar, click Code security and analysis. Under "Code security and analysis", to the right of Dependabot alerts, click Enable to enable alerts or Disable to disable alerts.
The security alerts for vulnerable dependencies reported by GitHub might be valid only for the default branch (usually master, but you can change it).
If you are not ready to merge your fix to the default branch of your repo, one workaround would be to push that branch to the default (again, usually master) branch of a new dedicated (and temporary) repository, just to check if any new alerts are detected on that new repo.
Update Oct. 2020, 2+ years later: Michael Greisman points out in the comments to this GitHub Community answer and the documentation "About alerts for vulnerable dependencies".
It confirms that the scan is done against the default branch.
"Once the fix... is merged into the default branch... GitHub will schedule a new scan of your project’s dependencies".
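The workaround in the answer above (push the fix branch so that it becomes the default branch of a throwaway repository, since that is the only branch GitHub scans) rehearsed as an added example; this is not code from the original answer or from GitHub. A local bare repository stands in for the temporary GitHub repository so the script runs offline, and the names project, fix-deps, scratch-check.git and the package.json contents are made up for the demo. The `src:dst` refspec on `git push` is the detail that matters: it lets a branch called fix-deps locally land as master on the remote.

```shell
#!/bin/sh
# Added example (not from the original answer): push a fix branch as the
# default branch of a temporary repository, using a local bare repository
# as a stand-in for the temporary GitHub repo. All names are illustrative.
set -eu

# Fixed identity so commits work on a machine with no global git config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com

# Constructed sample project: master pins a package, the fix branch bumps it.
# The package and versions are made up; no vulnerability claim is implied.
make_sample_repo() {
    dir=$1
    git init -q "$dir"
    git -C "$dir" symbolic-ref HEAD refs/heads/master
    printf '{ "dependencies": { "example-pkg": "1.0.0" } }\n' > "$dir/package.json"
    git -C "$dir" add package.json
    git -C "$dir" commit -q -m "initial dependencies"
    git -C "$dir" checkout -q -b fix-deps
    printf '{ "dependencies": { "example-pkg": "1.0.1" } }\n' > "$dir/package.json"
    git -C "$dir" commit -q -am "bump example-pkg"
    git -C "$dir" checkout -q master
}

# Stand-in for the temporary GitHub repository: a bare repo whose default
# branch (HEAD) is $2. On GitHub this is the repo you create just for the check.
make_temp_repo() {
    git init -q --bare "$1"
    git -C "$1" symbolic-ref HEAD "refs/heads/$2"
}

# Push branch $2 of repo $1 to remote $4 so that it arrives as branch $3.
# The src:dst refspec is what makes a local "fix-deps" become the remote's
# default branch without renaming anything locally.
push_branch_as() {
    git -C "$1" push -q "$4" "$2:refs/heads/$3"
}

# Commit the temporary repo's default branch now points at.
default_branch_head() {
    git -C "$1" rev-parse HEAD
}

# Run the whole workaround locally and verify the default branch of the
# scratch repo is exactly the fix commit (the branch GitHub would scan).
demo() {
    tmp=$(mktemp -d)
    make_sample_repo "$tmp/project"
    make_temp_repo "$tmp/scratch-check.git" master
    push_branch_as "$tmp/project" fix-deps master "$tmp/scratch-check.git"
    want=$(git -C "$tmp/project" rev-parse fix-deps)
    got=$(default_branch_head "$tmp/scratch-check.git")
    [ "$want" = "$got" ]
    echo "fix-deps is now the default branch of scratch-check.git at $got"
    rm -rf "$tmp"
}

# Against GitHub the same push looks like this (not run here; <you> is a
# placeholder), after which the Security tab of scratch-check shows the
# alerts GitHub computes for its default branch:
#   gh repo create <you>/scratch-check --private
#   git push git@github.com:<you>/scratch-check.git fix-deps:master
# Dependabot alerts must be enabled on the new repo (Settings > Code security
# and analysis) for any scan to happen.

demo
```

Deleting the scratch repository afterwards keeps the alert history of the real repository untouched; the check only tells you whether the fix branch, taken as a default branch on its own, still triggers any alerts.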