How does GitHub compute vulnerable dependencies and show advisories?

Multiple Choice

How does GitHub compute vulnerable dependencies and show advisories?

Explanation:
GitHub detects vulnerable dependencies by mapping what your project uses (its dependency graph) and automatically checking those dependencies against a database of public advisories. As dependencies and versions are declared, GitHub builds the graph and continuously cross-references it with known security advisories (including CVEs and fixes) to surface vulnerabilities and recommended remediation. When a match is found, it surfaces alerts and, through Dependabot, can automatically propose upgrades or patches to secure versions. Advisories provide specifics like affected versions, fixed versions, and remediation steps, helping you quickly understand and address the risk. This approach runs automatically and stays up to date as dependencies evolve. The other options don’t fit because vulnerability data comes from public advisories—not just internal notes or license checks—and scans aren’t limited to manual runs; automation handles detection and remediation suggestions.