You can now receive Dependabot alerts when your repositories depend on npm packages with known malicious versions. When you enable malware alerting, Dependabot matches your npm dependencies against malware advisories in the GitHub Advisory Database.

How it works

  • Opt-in enablement: Enable malware alerting via a new toggle in your repository, organization, or enterprise security settings, alongside your existing Dependabot alerts configuration. You can also enforce malware alerting through security configurations.
  • Separated from traditional alerts: Malware alerts appear as a distinct subcategory within Dependabot alerts, clearly separated from CVE-based vulnerability alerts so you can triage each category on its own terms.
  • Configurable alert rules: New Dependabot rule options let you fine-tune malware alerting by:
    • Malware type (a specific malicious version vs. an entirely malicious package)
    • Ecosystem
    • Package scope or name patterns
  • Bulk actions: Multi-select filters let you dismiss and reopen malware alerts in bulk.
  • Backfill on enablement: When you turn on malware alerting, Dependabot backfills alerts for existing malware advisories that match your dependencies, so you get immediate visibility into your current exposure.

In 2022, we paused malware alerting because of false-positive noise from public and private packages sharing names. We’ve redesigned the experience with opt-in controls, auto-triage rules that by default alert only on specific malicious versions rather than entire packages, and clear separation from CVE-based alerts, so you get malware visibility without the noise. You may still see false positives if a private package shares a name with a known malicious public package; if you use private packages, configure Dependabot rules (for example, by package scope or name pattern) to suppress those matches.
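A practical way to triage the name-collision case described above is to check where each flagged dependency was actually fetched from. The script below is an added example for this page, not GitHub's or Dependabot's code: it flattens a package-lock.json, matches entries against a list of advisories, and marks a hit as "investigate" when the tarball resolved from the public npm registry and "likely-name-collision" when it came from a private registry. The advisory shape (`versions: null` meaning the whole package is malicious) and the lockfile contents are constructed sample data, and `npm.acme.example` is a hypothetical private registry.

```javascript
// Triage of npm malware alerts against a package-lock.json.
// Added example; not GitHub's or Dependabot's own code. Sample data is constructed.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Constructed advisories (shape is an assumption of this example, not the
// GitHub Advisory Database format). versions === null: whole package is malicious.
const SAMPLE_ADVISORIES = [
  { name: "evil-helper", versions: ["1.2.3"] },
  { name: "@acme/internal-utils", versions: null },
];

// Constructed lockfileVersion 3 fragment; keys follow npm's real "packages" layout.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/evil-helper": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/evil-helper/-/evil-helper-1.2.3.tgz",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
    // Private package that happens to share its name with a flagged public one.
    "node_modules/@acme/internal-utils": {
      version: "4.0.1",
      resolved: "https://npm.acme.example/@acme/internal-utils/-/internal-utils-4.0.1.tgz",
    },
    "node_modules/some-lib": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/some-lib/-/some-lib-2.0.0.tgz",
    },
    // Nested copy of evil-helper at a version the advisory does not list.
    "node_modules/some-lib/node_modules/evil-helper": {
      version: "1.2.2",
      resolved: "https://registry.npmjs.org/evil-helper/-/evil-helper-1.2.2.tgz",
    },
  },
};

// Package name from a v2/v3 key, e.g. "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Flatten a lockfile into { name, version, resolved } records.
// Handles lockfileVersion 2/3 ("packages") and 1 ("dependencies").
function lockfileEntries(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "" || entry.link) continue; // skip the root project and workspace links
      out.push({ name: nameFromKey(key), version: entry.version, resolved: entry.resolved });
    }
  } else if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps)) {
        out.push({ name, version: entry.version, resolved: entry.resolved });
        if (entry.dependencies) walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// Match entries against advisories and classify each hit by tarball origin.
function triage(lock, advisories) {
  const byName = new Map(advisories.map((a) => [a.name, a]));
  const findings = [];
  for (const dep of lockfileEntries(lock)) {
    const adv = byName.get(dep.name);
    if (!adv) continue;
    const hit = adv.versions === null || adv.versions.includes(dep.version);
    if (!hit) continue; // installed version is not one of the malicious ones
    let origin = "unknown"; // no "resolved" field (e.g. file: or git deps)
    if (typeof dep.resolved === "string") {
      origin = dep.resolved.startsWith(PUBLIC_REGISTRY) ? "public" : "private";
    }
    findings.push({
      name: dep.name,
      version: dep.version,
      origin,
      verdict: origin === "private" ? "likely-name-collision" : "investigate",
    });
  }
  return findings;
}

// For a real project: triage(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")), advisories)
console.log(triage(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES));
```

Treat the origin as a triage hint, not proof: a private registry that proxies the public one serves public tarballs under its own URL, so a "private" verdict still deserves a look at the package's publisher and `integrity` hash before you dismiss the alert.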

Ecosystem coverage

Today, malware alerting covers the npm ecosystem, powered by advisories from the GitHub Advisory Database. We’re actively working to expand coverage to additional ecosystems through integration with feeds like the OpenSSF Malware Streams project.

Getting started

  1. Navigate to your repository or organization Settings → Code security → Dependabot.
  2. Enable Malware alerts under the “Dependabot alerts” section.
  3. Optionally, configure Dependabot alert rules to customize which malware alerts you receive. This is especially important if your organization uses private registries.

Learn more about malware alerts for Dependabot.