GitHub dependabot security alerts may sometimes become a chore especially when an abandoned project that is no longer in active use receives frequent security advisories. Is there an option to disable the active security monitoring?
4 Answers
Open your repo and go to Settings. Click on Code security and analysis in the Security subsection. There you will find the Dependabot settings with a Disable button for turning off the automated advisories.
The page is also available through the direct link https://github.com/<USERNAME>/<REPO>/settings/security_analysis by replacing the placeholders <USERNAME> and <REPO> with the corresponding identifiers.
Note that disabling the advisories will negatively impact the security of your software and should be avoided for any software with production deployments.
- "Dependabot alerts" button is "enable", but I still get alert emails. Why? – Marvin Xu Oct 17 '22 at 01:16
- @MarvinXu see my answer. I think that's the reason. – Hache_raw Oct 17 '22 at 19:08
This is the top result on google.
I'm sick of getting alerts from dependabot. I have dependabot alerts disabled on all my repositories.
However, I think what we are getting are not dependabot alerts but pull request alerts.
Even if we disable dependabot alerts, it continues to create pull requests. Since we do want to receive pull request alerts, we get them.
In the official dependabot repository there are people commenting on how to disable it but all the links are outdated. Now most of them lead to the documentation or to parts of the options not related to dependabot.
At the moment I have found two possible solutions:
- disable security updates: https://github.com/settings/security_analysis
OR
- Delete/truncate the dependabot configuration file: https://github.com/USERNAME/REPOSITORY/blob/master/.github/dependabot.yml (change USERNAME and REPOSITORY as appropriate)
I have not yet been able to verify that it works but I think that I will not receive any more PR from dependabot and, therefore, I will not receive the emails either.
- > [Dependabot version updates](https://docs.github.com/github/administering-a-repository/keeping-your-dependencies-updated-automatically) automatically keep your application up-to-date by periodically updating dependencies to their latest versions. [Dependabot security updates](https://github.com/MarvinXu/blog-hexo-new/security/dependabot) can also help keep dependencies updated. – Marvin Xu Oct 21 '22 at 08:50
- Thanks! I figured it out! "Dependabot version updates" and "Dependabot security updates" are two different things. So even when I already disabled "security updates", I still receive PR from dependabot. – Marvin Xu Oct 21 '22 at 08:56
Cyberixae's answer should work but if you're getting these alerts on a forked repository, I found a good fix here that involves deleting the dependabot.yml file in a different branch and setting that branch to the default branch.
- Links to solutions on other websites are not recommended. Please copy/paste the linked solution specifically to your answer on SmackOvergnome. Thank you. – Martin Mar 17 '22 at 14:32
- @Martin Even though this answer included a hyperlink, the rest of the answer sufficiently describes a working fix. Upvoting. – Francois Botha Jul 11 '22 at 12:22
The documentation for Dependabot version updates > Configure dependabot.yml > open-pull-requests-limit demonstrates how to disable version updates by setting this option to 0. Example .github/dependabot.yml file content:

    version: 2
    updates:
      - package-ecosystem: "mix"
        directory: "/"
        schedule:
          interval: "weekly"
        # Disable version updates for hex dependencies
        open-pull-requests-limit: 0

Just removing this file from the repository (as the official GitHub documentation about "Disabling Dependabot version updates" says) did not work for me.
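The answer above and the comments on the earlier answer make the same point: dependabot.yml governs version updates only, and the open-pull-requests-limit: 0 trick silences them per ecosystem, while security alerts and security updates are repository settings. The following script is an added example, not code from any of the answers or from GitHub. It parses a dependabot.yml document with Ruby's bundled YAML library and reports, for each update block, whether version-update pull requests are switched off. The sample document is constructed here: it reuses the mix block from the answer and adds an npm block with no limit set. It assumes, per the GitHub documentation, that an unset open-pull-requests-limit defaults to 5.

```ruby
require 'yaml'

# Constructed sample: the answer's mix block (version updates off) plus an
# npm block that leaves open-pull-requests-limit at its default.
SAMPLE_DEPENDABOT_YML = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "mix"
      directory: "/"
      schedule:
        interval: "weekly"
      # Disable version updates for hex dependencies
      open-pull-requests-limit: 0
    - package-ecosystem: "npm"
      directory: "/web"
      schedule:
        interval: "daily"
YAML

# Assumption taken from the GitHub docs: Dependabot opens at most five
# version-update PRs per ecosystem when the limit is not set.
DEFAULT_PR_LIMIT = 5

# Parse a dependabot.yml document and return one report entry per update
# block. Rejects documents that are not version 2 or lack an `updates` list,
# since Dependabot would not honour them either.
def audit_dependabot_config(text)
  doc = YAML.safe_load(text)
  raise ArgumentError, 'dependabot.yml must be a mapping' unless doc.is_a?(Hash)
  raise ArgumentError, "unsupported version #{doc['version'].inspect}" unless doc['version'] == 2
  updates = doc['updates']
  raise ArgumentError, '`updates` must be a list' unless updates.is_a?(Array)

  updates.map do |u|
    limit = Integer(u.fetch('open-pull-requests-limit', DEFAULT_PR_LIMIT))
    {
      ecosystem: u['package-ecosystem'],
      directory: u['directory'],
      pr_limit: limit,
      version_updates_disabled: limit.zero?
    }
  end
end

# Ecosystems that will still receive version-update pull requests.
def ecosystems_still_updating(text)
  audit_dependabot_config(text)
    .reject { |r| r[:version_updates_disabled] }
    .map { |r| r[:ecosystem] }
end

if $PROGRAM_NAME == __FILE__
  audit_dependabot_config(SAMPLE_DEPENDABOT_YML).each do |r|
    state = r[:version_updates_disabled] ? 'disabled' : "active (limit #{r[:pr_limit]})"
    puts "#{r[:ecosystem]} in #{r[:directory]}: version updates #{state}"
  end
  # This file says nothing about security alerts or security updates;
  # those are toggled under Settings > Code security and analysis.
  puts "Still opening PRs: #{ecosystems_still_updating(SAMPLE_DEPENDABOT_YML).join(', ')}"
end
```

Run it against a real repository by reading .github/dependabot.yml into the function instead of the constructed sample; any ecosystem it lists as still updating is a source of Dependabot pull requests regardless of how the alerts toggle is set.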