Developers can now use Dependabot to automatically keep their Helm dependencies up to date. For projects that use Helm as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.
At GitHub, we believe that investing in the security of your codebases should be straightforward, affordable, and scalable. Today, we’re rolling out standalone GitHub Advanced Security products for GitHub Enterprise customers. This aligns with our ongoing mission to help organizations of all sizes secure their code with the flexibility they seek.
Getting started as an existing GitHub Advanced Security customer
Existing GitHub Advanced Security customers with subscription-based plans can choose to transition at renewal. Customers with pay-as-you-go, metered plans can transition at any time. Please reach out to your GitHub or Microsoft sales account team for details.
Customers on subscription billing can migrate to either a standalone subscription or a standalone metered plan. For pricing details, please contact your account representatives.
How do I right-size enablement for my enterprise?
Customers transitioning before May 2025 can work with their account teams on right-sizing enablement for their enterprise across both Secret Protection and Code Security. All repositories will have both Secret Protection and Code Security enabled at the time of transition, regardless of your contractual plan.
Customers on contractual plans limited to secret scanning features can choose to transition with only Secret Protection enabled (and Code Security disabled) for their enterprise starting in May 2025.
When will the standalone plans be available for Enterprise Server?
Standalone SKUs will be available for Enterprise Server customers starting with GHES 3.17. To use metered billing, GitHub Connect is required.
Getting started as an existing GitHub Advanced Security self-serve customer
For existing self-serve customers, instructions on how to transition to the new GitHub Advanced Security plans will be announced over the next 30 days. You’ll receive an email notification when the new plans are available to your enterprise. Transitioning to the standalone plans will be self-serve and optional.
Getting started for new customers
Starting today, GitHub Enterprise customers without an existing GitHub Advanced Security plan can self-serve purchase both Secret Protection and Code Security. To get started, admins can navigate to Advanced Security under their enterprise, organization, or repository settings. From this page, you can choose to enable and purchase Secret Protection or Code Security features.
You can try the new standalone SKUs before committing. Contact your account team for more details. Alternatively, you can get started with a GitHub Enterprise trial.
Talk to someone from GitHub
In addition, Enterprise customers are welcome to reach out to their existing account team or request a demo from someone at GitHub.
At GitHub, we believe that investing in the security of your codebase should be accessible for organizations of all sizes.
Starting today, GitHub Team plan customers can purchase GitHub Secret Protection and GitHub Code Security without upgrading their organization to GitHub Enterprise. This makes it easier to secure your codebase with GitHub Advanced Security products.
GitHub Secret Protection
GitHub Team organizations can purchase GitHub Secret Protection, which detects and prevents secret leaks (e.g. secret scanning, AI-detected passwords, and push protection for secrets).
Secret Protection will be available for $19 per month per active committer, with features including:
Push protection, to prevent secret leaks before they happen.
AI detection with a low rate of false positives, so you can focus on what matters.
Secret scanning alerts with notifications, to help you catch exposures before they become a problem.
Custom patterns for secrets, so you can search for sensitive, organization-specific information.
Security overview, which provides insight into distribution of risk across your organization.
Push protection and alert dismissal enforcement for secrets, which supports governance at enterprise scale.
In addition, we’re launching a new scanning feature to help organizations understand their secret leak footprint across their GitHub perimeter. This feature is free for GitHub Team organizations.
GitHub Code Security
GitHub Team organizations will also be able to purchase Code Security, which detects and fixes vulnerabilities in your code before it reaches production.
Code Security will be available for $30 per month per active committer, with features including:
Copilot Autofix for vulnerabilities in existing code and pull requests to provide developer-first security management.
Security campaigns to address security debt at scale.
Dependabot features for protection against dependency-based vulnerabilities.
Security overview, which provides insight into the distribution of risk across your organization.
Security findings for third-party tools.
Get Started
To get started, admins can navigate to Advanced Security under their organization or repository settings. From this page, you can choose to enable and purchase Secret Protection or Code Security features.
For example, from your organization settings, you can navigate to Security / Advanced Security / Configurations in order to create a new configuration with Secret Protection features enabled. Learn more about enabling GitHub Advanced Security.
In addition, admins can enable Secret Protection features in one click from their organization’s Security tab. Once the secret risk assessment has been run for your organization, you’ll be able to enable Secret Protection in one click from the system banner.
The cvss field for GitHub security advisories in the REST and GraphQL APIs will be deprecated in favor of the new cvss_severities field. cvss will be removed from the REST API on April 1, 2025, and removed from the GraphQL API on October 1, 2025.
Dependabot alerts now contain a direct label if they are associated with a package you’ve directly included. In addition, there’s now a relationship:direct filter in the search bar to only show those alerts caused by your direct dependencies.
The direct dependency that led to a package’s inclusion in your dependency graph is visible both in the text of any new Dependabot alerts and the dependency insights page (click the … button, then Show options to view it).
A repository’s SBOM will contain a relationships section that uses the SPDX relationshipType: DEPENDS_ON field to express the tree of package dependencies. Similarly, the GraphQL API will now return a relationship field with direct, transitive, or unknown values in the DependencyGraphDependency object.
Ability to refresh Dependabot alerts from the list view
In addition to the Maven-specific additions, the Alert Settings menu on Dependabot alert tables now provides a Refresh Dependabot alerts option which will rescan your repository’s manifest files, rebuild its dependency graph, and refresh its open Dependabot alerts.
Getting started
To get transitive dependency labeling on your repositories, make sure the dependency graph is enabled, and either enable Automatic dependency submission on the same settings page or use a dependency submission action. As a beneficial side effect of this change, other package ecosystems with actions that create transitive dependency trees – such as Go – will also now receive transitive and direct labels.
Developers can now use Dependabot to automatically keep their uv dependencies up to date. For projects that use uv as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.
At GitHub, we believe that investing in the security of your codebases should be straightforward, cost-effective, and accessible for everyone. Today, we’re announcing changes to pricing plans and availability of GitHub Advanced Security (GHAS), aligning with our ongoing mission to help organizations of all sizes secure their code with the flexibility they seek.
Announcing new pricing plans for GitHub Advanced Security
Starting April 1, 2025, GitHub Advanced Security will be available as two standalone security products: GitHub Secret Protection and GitHub Code Security. In addition, these products will become available to GitHub Team plan customers for the first time.
GitHub Secret Protection
New customers can purchase GitHub Secret Protection, which includes features that help detect and prevent secret leaks (e.g. secret scanning, AI-detected passwords, and push protection for secrets). Secret Protection will be available for $19 per month per active committer, with features including:
Push protection, to prevent secret leaks before they happen
AI detection with a low rate of false positives, so you can focus on what matters
Secret scanning alerts with notifications, to help you catch exposures before they become a problem
Custom patterns for secrets, so you can search for sensitive organization-specific information
Security overview, which provides insight into distribution of risk across your organization
Push protection and alert dismissal enforcement for secrets, which supports governance at enterprise scale
In addition, we’re launching a new scanning feature to help organizations understand their secret leak footprint across their GitHub perimeter. This feature will be free for GitHub Team and Enterprise organizations.
GitHub Code Security
New customers will also be able to purchase Code Security, which detects and fixes vulnerabilities in your code before it reaches production. Code Security will be available for $30 per month per active committer with features including:
Copilot Autofix for vulnerabilities in existing code and pull requests for developer-first security management
Security campaigns to address security debt at scale
Dependabot features for protection against dependency-based vulnerabilities
Security overview, which provides insight into distribution of risk across your organization
Security findings for third-party tools
Availability for GitHub Team customers
Starting April 1, 2025, customers on the GitHub Team plan can purchase Secret Protection and Code Security. These products will be available through a consumption-based, pay-as-you-go model (i.e., metered billing) to ensure security remains affordable, scalable, and accessible for all customers on GitHub.
Get started today
Existing customers with plans managed by a GitHub or Microsoft sales account team can transition to the new GitHub Advanced Security plans at the time of renewal, for renewal dates after April 1, 2025. Please contact your account team for further details. For existing self-serve customers, instructions on how to transition to the new GitHub Advanced Security plans will be announced over the coming months through GitHub’s roadmap and changelog.
GitHub Team customers can choose to purchase Secret Protection or Code Security from their organization settings pages starting April 1, 2025.
npm’s massive ecosystem of open source packages is one of its greatest strengths. But as a security-conscious developer, it can be tough to keep up with vulnerability reporting and updates once your project has more than a handful of dependencies, each of which has its own set of dependent packages. Dependabot notifies you of vulnerabilities and their fixes as they come in. Unfortunately, it’s hard to distinguish actionable alerts about direct dependencies you’ve added to your manifests from those transitive dependencies that were pulled in along the way… until now, that is.
GitHub’s dependency graph now tracks direct and transitive dependencies for npm packages. This helps you triage, prioritize, and remediate your Dependabot alerts. This capability shows up in user-facing features across the site:
Dependabot alerts will now contain a direct label if they are associated with a package you’ve directly included in a manifest. You can filter the list of alerts down to only these direct ones with the relationship:direct filter in the search bar.
Alerts for transitive dependencies now show transitive path information – the chain of packages which led from your direct dependency to the transitive one which has the vulnerability.
A repository’s dependency graph now distinguishes between direct and transitive relationships. Direct dependencies will have a label in the table UI, whereas indirect dependencies have a disclosure menu that shows the transitive path which led to their inclusion.
A repository’s SBOM will contain a relationships section that uses the SPDX relationshipType: DEPENDS_ON field to express the tree of package dependencies. Tools like guac.sh can help explore and visualize this tree.
The GraphQL API will now return a relationship field with direct, transitive, or unknown values in the DependencyGraphDependency object. See the API documentation for details.
We started with npm because it’s the most popular package ecosystem in the known universe, but it’s just the beginning. Over the next few months, package types for other programming languages will also get the transitivity treatment. Up next: Maven packages for Java.
To try this out, you’ll need to make sure the dependency graph is enabled. To see the Dependabot labels, you’ll also need to enable Dependabot alerts. If the “Direct” labels aren’t showing up for you immediately, push a commit that updates one of your manifest files, which will trigger an update of the dependency graph.
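As an added illustration of the SBOM relationships described above (and in the earlier dependency-graph entry), the following Python walks the SPDX DEPENDS_ON relationships of an SBOM to recover the same direct/transitive labels and transitive paths that the dependency graph UI shows. This is example code written for this page, not GitHub's or guac.sh's own code; the SBOM below is constructed, its SPDX IDs and package names are made up, and it assumes the document root is the package the SBOM DESCRIBES.

```python
"""Derive direct/transitive labels and transitive paths from an SPDX SBOM.

Added example, not GitHub's code. The SBOM is constructed for illustration;
only the SPDX fields used here (packages, relationships, DESCRIBES, DEPENDS_ON)
are relied on, and the root package is taken from the DESCRIBES relationship.
"""
from collections import defaultdict, deque
import json

# Constructed sample SBOM: an app with two direct npm dependencies, two
# transitive ones (qs is reachable by two paths) and one orphan package.
SAMPLE_SBOM = json.loads("""
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [
    {"SPDXID": "SPDXRef-repo", "name": "example-app", "versionInfo": "1.0.0"},
    {"SPDXID": "SPDXRef-express", "name": "npm:express", "versionInfo": "4.18.2"},
    {"SPDXID": "SPDXRef-lodash", "name": "npm:lodash", "versionInfo": "4.17.21"},
    {"SPDXID": "SPDXRef-body-parser", "name": "npm:body-parser", "versionInfo": "1.20.1"},
    {"SPDXID": "SPDXRef-qs", "name": "npm:qs", "versionInfo": "6.11.0"},
    {"SPDXID": "SPDXRef-leftpad", "name": "npm:leftpad", "versionInfo": "0.0.1"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-repo"},
    {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-express"},
    {"spdxElementId": "SPDXRef-repo", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-lodash"},
    {"spdxElementId": "SPDXRef-express", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-body-parser"},
    {"spdxElementId": "SPDXRef-express", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-qs"},
    {"spdxElementId": "SPDXRef-body-parser", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-qs"}
  ]
}
""")


def build_graph(sbom):
    """Return (root_id, id->name, id->[ids it DEPENDS_ON]) from an SPDX document."""
    names = {p["SPDXID"]: p["name"] for p in sbom["packages"]}
    edges = defaultdict(list)
    root = None
    for rel in sbom["relationships"]:
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == sbom["SPDXID"]:
            root = rel["relatedSpdxElement"]
        elif rel["relationshipType"] == "DEPENDS_ON":
            edges[rel["spdxElementId"]].append(rel["relatedSpdxElement"])
    if root is None:
        raise ValueError("SBOM has no DESCRIBES relationship for the document root")
    return root, names, edges


def classify_dependencies(sbom):
    """Label each non-root package direct, transitive, or unknown (unreachable from the root)."""
    root, names, edges = build_graph(sbom)
    direct = set(edges[root])
    reachable = set()
    queue = deque(direct)
    while queue:                      # breadth-first walk over DEPENDS_ON edges
        node = queue.popleft()
        if node in reachable:
            continue
        reachable.add(node)
        queue.extend(edges[node])
    labels = {}
    for spdx_id, name in names.items():
        if spdx_id == root:
            continue
        if spdx_id in direct:
            labels[name] = "direct"
        elif spdx_id in reachable:
            labels[name] = "transitive"
        else:
            labels[name] = "unknown"
    return labels


def transitive_paths(sbom, target_name):
    """Every chain of package names from a direct dependency down to target_name."""
    root, names, edges = build_graph(sbom)
    paths = []

    def walk(node, trail):
        if names[node] == target_name:
            paths.append([names[n] for n in trail])
            return
        for child in edges[node]:
            if child not in trail:    # guard against cyclic dependency trees
                walk(child, trail + [child])

    for dep in edges[root]:
        walk(dep, [dep])
    return sorted(paths)


if __name__ == "__main__":
    for name, label in sorted(classify_dependencies(SAMPLE_SBOM).items()):
        print(f"{label:10} {name}")
    for path in transitive_paths(SAMPLE_SBOM, "npm:qs"):
        print(" -> ".join(path))
```

Packages that appear in the SBOM but are not reachable from the root through DEPENDS_ON come out as unknown, which matches the third value the GraphQL relationship field can return; a vulnerable package reachable by several paths gets every path listed, which is what you need when deciding which direct dependency to bump.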
Developers can now use Dependabot to keep their Docker Compose dependencies up to date automatically. For projects that use Docker Compose as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.
Dependabot alerts now feature the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping you better assess vulnerability risks.
EPSS scores predict the likelihood of a vulnerability being exploited, with scores ranging from 0 to 1 (0 to 100%). Higher scores mean higher risk. We also show the EPSS score percentile, indicating how a vulnerability compares to others.
For example, a 90.534% EPSS score at the 95th percentile means:
90.534% chance of exploitation in the next 30 days
95% of other vulnerabilities are less likely to be exploited
You can use EPSS scores to help prioritize dependency vulnerabilities based on exploit likelihood. Only ~0.5% of vulnerabilities have an EPSS score above 50%. This makes EPSS a powerful tool for prioritization based on exploitation likelihood, especially when used in conjunction with severity (CVSS). For more information on using EPSS and/or CVSS for vulnerability prioritization, check out FIRST’s EPSS user guide.
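As an added example of combining EPSS likelihood with CVSS severity for triage (and of reading CVSS through the cvss_severities field that replaces the deprecated cvss field mentioned earlier), the Python below ranks a set of Dependabot alerts into buckets. This is example code written for this page, not GitHub's or FIRST's; the alert records are constructed, the nested field names (cvss_severities.cvss_v3/cvss_v4 with a score, epss.percentage/percentile) are assumptions about the API shape to check against the current documentation, and the bucket thresholds are illustrative choices, not a published scheme.

```python
"""Rank Dependabot alerts by EPSS exploit likelihood combined with CVSS severity.

Added example, not GitHub's code. Alert records are constructed; the field
layout is an assumption about the advisory payload, and the thresholds are
one defensible policy, not the only one.
"""

# Constructed sample alerts, trimmed to the fields the ranking needs.
SAMPLE_ALERTS = [
    {"number": 1, "package": "npm:qs", "relationship": "transitive",
     "security_advisory": {
         "cvss_severities": {"cvss_v3": {"score": 7.5}, "cvss_v4": {"score": None}},
         "epss": {"percentage": 0.90534, "percentile": 0.95}}},
    {"number": 2, "package": "npm:lodash", "relationship": "direct",
     "security_advisory": {
         "cvss_severities": {"cvss_v3": {"score": 9.1}, "cvss_v4": {"score": 9.8}},
         "epss": {"percentage": 0.02, "percentile": 0.80}}},
    {"number": 3, "package": "npm:express", "relationship": "direct",
     "security_advisory": {
         "cvss_severities": {"cvss_v3": {"score": 6.1}, "cvss_v4": {"score": None}},
         "epss": {"percentage": 0.15, "percentile": 0.90}}},
    {"number": 4, "package": "npm:body-parser", "relationship": "transitive",
     "security_advisory": {
         "cvss": {"score": 7.5},  # only the deprecated field present (older cached record)
         "epss": {"percentage": 0.003, "percentile": 0.60}}},
    {"number": 5, "package": "npm:leftpad", "relationship": "unknown",
     "security_advisory": {
         "epss": {"percentage": 0.0006, "percentile": 0.20}}},
]

BUCKET_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
RELATIONSHIP_ORDER = {"direct": 0, "transitive": 1, "unknown": 2}


def cvss_score(advisory):
    """Prefer cvss_severities (v4, then v3); fall back to the deprecated cvss field; None if absent."""
    severities = advisory.get("cvss_severities") or {}
    for key in ("cvss_v4", "cvss_v3"):
        score = (severities.get(key) or {}).get("score")
        if score is not None:
            return float(score)
    legacy = advisory.get("cvss") or {}
    return float(legacy["score"]) if legacy.get("score") is not None else None


def priority_bucket(epss_percentage, cvss):
    """Illustrative policy: exploit likelihood first, severity second."""
    cvss = cvss or 0.0
    if epss_percentage >= 0.5 and cvss >= 7.0:   # the rare top ~0.5% of EPSS, and serious
        return "critical"
    if epss_percentage >= 0.1 or cvss >= 9.0:
        return "high"
    if epss_percentage >= 0.01 or cvss >= 7.0:
        return "medium"
    return "low"


def describe_epss(percentage, percentile):
    """Human-readable reading of an EPSS score and percentile."""
    return (f"{percentage * 100:.3f}% chance of exploitation in the next 30 days; "
            f"more likely than {percentile * 100:.0f}% of other vulnerabilities")


def rank_alerts(alerts):
    """Return alerts as rows sorted by bucket, then EPSS, then CVSS, then direct before transitive."""
    rows = []
    for alert in alerts:
        advisory = alert["security_advisory"]
        epss = advisory.get("epss") or {}
        percentage = float(epss.get("percentage") or 0.0)
        cvss = cvss_score(advisory)
        rows.append({"number": alert["number"], "package": alert["package"],
                     "relationship": alert["relationship"], "epss": percentage,
                     "cvss": cvss, "bucket": priority_bucket(percentage, cvss)})
    rows.sort(key=lambda r: (BUCKET_ORDER[r["bucket"]], -r["epss"], -(r["cvss"] or 0.0),
                             RELATIONSHIP_ORDER.get(r["relationship"], 9)))
    return rows


if __name__ == "__main__":
    for row in rank_alerts(SAMPLE_ALERTS):
        print(f"#{row['number']:<3} {row['bucket']:8} epss={row['epss']:.4f} "
              f"cvss={row['cvss']} {row['relationship']:10} {row['package']}")
```

Reading cvss_severities first and the legacy cvss field only as a fallback lets the same code run before and after the REST (April 1, 2025) and GraphQL (October 1, 2025) removal dates; an alert with no CVSS at all is still ranked by its EPSS score rather than dropped.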
This feature is available on GitHub.com today, and will be available in GitHub Enterprise Server starting with version 3.17.
Developers can now use Dependabot to keep their bun dependencies up to date automatically. For projects that use bun as a package manager, Dependabot version updates can now ensure dependencies stay current with the latest releases.
Support for bun security updates will be added in the future.
As of February 5, 2025, Dependabot no longer supports Python 3.8, which has reached its end-of-life. If you continue to use Python 3.8, Dependabot will not be able to create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of Python. As of February 2025, Python 3.13 is the newest supported release.
As of January 20th, 2025, Dependabot no longer supports npm version 6, which has reached its end-of-life. If you continue to use npm version 6, Dependabot will be unable to create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of npm. As of December 2024, npm 11 is the newest supported release.
On February 5th, 2025, Dependabot will end support for Python version 3.8, which has reached its end-of-life. If you continue to use Python version 3.8, there’s a risk that Dependabot will not create pull requests to update dependencies. To prevent this from happening, please update to a supported release of Python. As of January 2025, the latest supported release of Python is version 3.13. View Python’s official documentation for more information about supported releases.