# Dependabot setup and alerts

> This document describes how Dependabot is configured for this repository and how to enable or verify Dependabot alerts (vulnerability notifications) in GitHub.

## Configuration in this repo

* **File:** [`.github/dependabot.yml`](../../.github/dependabot.yml)

That file configures:

* **Version updates** – Checks weekly (Mondays) for newer dependency versions and opens PRs.
* **Security updates** – When Dependabot detects a vulnerability, it can open a PR to fix it. This behavior works in conjunction with **Dependabot alerts** (see below).

### What is covered

| Ecosystem      | Directories                                   | Schedule        |
| -------------- | --------------------------------------------- | --------------- |
| npm            | `/`, `/vercel-teller-proxy`, `/packages/docs` | Weekly (Monday) |
| GitHub Actions | `/` (`.github/workflows/`)                    | Weekly (Monday) |

Root npm updates use a **group** for minor and patch versions so multiple compatible updates can be combined into one PR.
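As an added illustration (a sketch, not a copy of this repository's actual file), a `dependabot.yml` that would produce the coverage in the table above could look like the following. The group name `minor-and-patch` and the `patterns` value are assumptions.

```yaml
# Illustrative sketch only; see .github/dependabot.yml for the real configuration.
version: 2
updates:
  # Root npm manifest: minor and patch bumps are combined into one grouped PR.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      minor-and-patch:          # hypothetical group name
        patterns:
          - "*"                 # assumption: group applies to all dependencies
        update-types:
          - "minor"
          - "patch"

  # Additional npm manifests listed in the table; no grouping assumed here.
  - package-ecosystem: "npm"
    directory: "/vercel-teller-proxy"
    schedule:
      interval: "weekly"
      day: "monday"

  - package-ecosystem: "npm"
    directory: "/packages/docs"
    schedule:
      interval: "weekly"
      day: "monday"

  # For github-actions, directory "/" makes Dependabot scan .github/workflows/.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
```

Major version bumps fall outside the group in this sketch, so each would arrive as its own PR and can be reviewed separately.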

## Dependabot alerts (vulnerability notifications)

**Dependabot alerts** are GitHub’s notifications when a known vulnerability is detected in your dependencies. They are **not** controlled by `dependabot.yml`; they are a repository (or organization) setting.

### Enable or verify alerts for this repository

1. On GitHub, open the repository and go to **Settings**.
2. In the left sidebar, under **Security**, click **Code security and analysis** (or **Advanced Security**).
3. Under **Dependabot**:
   * **Dependabot alerts** – Set to **Enable** so GitHub will create alerts and (when enabled) **Dependabot security updates** can open fix PRs.
   * **Dependabot security updates** – Optional. If enabled, Dependabot will open pull requests to fix vulnerable dependencies. Recommended.

For **public** repositories, Dependabot alerts are often enabled by default; you can still confirm the setting as above.

### Where to see alerts

* **Security** tab → **Dependabot** (or **Security** → **Alerts**).
* Email/notifications for maintainers (if configured in GitHub notification settings).

## Organization / account defaults

* **Organization:** Settings → Security → Advanced Security → configure defaults for Dependabot alerts and security updates.
* **Personal account:** Settings → Code security and analysis → enable/disable Dependabot alerts for your repos.

## References

* [Configuring Dependabot alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)
* [Configuring Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates)
* [Configuration options for dependabot.yml](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)
* [DEPENDABOT\_VULNERABILITIES\_RESOLUTION\_PLAN.md](./DEPENDABOT_VULNERABILITIES_RESOLUTION_PLAN.md) – Plan for resolving current vulnerabilities
