Assuming there is no custom Dependabot behavior configured, where possible, what does Dependabot do after sending an alert about a vulnerable dependency in a repository?
A. Creates a pull request to upgrade the vulnerable dependency to the minimum possible secure version
B. Scans repositories for vulnerable dependencies on a schedule and adds those files to a manifest
C. Constructs a graph of all the repository's dependencies and public dependents for the default branch
D. Scans any push to all branches and generates an alert for each vulnerable repository
After generating an alert for a vulnerable dependency, Dependabot automatically attempts to create a pull request to upgrade that dependency to the minimum required secure version, provided a fix is available and compatible with your project.
This automated PR helps teams fix vulnerabilities quickly with minimal manual intervention. You can also configure update behavior using dependabot.yml, but in the default state, PR creation is automatic.
Reference: GitHub Docs – About Dependabot alerts; About Dependabot security updates