PushMe

Dependabot now detects malware in npm dependencies

You can now receive Dependabot alerts when your repositories depend on npm packages with known malicious versions. When you enable malware alerting, Dependabot matches your npm ...

Early report | Major update | Updated Mar 17, 2026, 9:51 PM UTC

What changed

GitHub Changelog: Dependabot now detects malware in npm dependencies.

First seen: Mar 17, 2026, 9:51 PM UTC | Latest source: Mar 17, 2026, 9:51 PM UTC