What happens if a dependency upgrade introduces a known vulnerability?


Multiple Choice

What happens if a dependency upgrade introduces a known vulnerability?

Explanation:
When you upgrade a dependency and the new version has a known vulnerability, security tooling will detect it and surface it in the project’s security results. In GitHub Advanced Security, code scanning and dependency review analyze the dependencies and pull in vulnerability data from advisories. If an upgraded package brings a vulnerability, it will show up as a detected issue in the scan or review results, and the pull request can be blocked or flagged until remediation is performed. This ensures you don’t merge code that introduces a security flaw.

The other ideas don’t fit because upgrades aren’t automatically accepted when a vulnerability exists, vulnerabilities aren’t limited to licensing concerns, and the system doesn’t magically fix issues without deliberate remediation or a supported automated workflow.
