March 29, 2026
Dependabot ghosted your alerts
Tell HN: GitHub's Dependabot REST API is silently returning incomplete results
Security warnings vanish, devs blame Microsoft and switch to the slower backup
TLDR: GitHub’s Dependabot REST API started returning empty or partial security alerts while the website and GraphQL still show the real numbers. Commenters roasted Microsoft, argued over pagination, and advised switching to GraphQL, warning that silent bad data could mislead audits and automation.
Developers woke up to a plot twist: GitHub’s Dependabot REST API—the feed many teams rely on for security warnings—started quietly serving empty or partial results. The website and the GraphQL API still show the full list, but REST is serving ghost town vibes. No errors, no warnings, nothing on [githubstatus.com], just missing alerts across many organizations since 07:00 UTC. Cue the meltdown.
The top mood: trust issues. One commenter snarked you can trust Microsoft to make anything with “depend” in the name unreliable, instantly memed as “Depends-a-bot.” Others offered triage: switch to GraphQL, says Lunatic666, but it’s slower and messier to query. Then came the classic Hacker News scuffle: PhilipRoman insists you’re supposed to handle pagination (breaking results into pages), implying user error; responders counter that even properly paginated calls are returning [], while the UI shows nine alerts. Compliance folks are sweating—if your audits rely on REST, you’re flying blind.
Between jokes about “GhostHub” and “Schrödinger’s alerts,” the crowd’s split: is this a quiet outage, a breaking change, or just bad docs? Nobody’s seeing rate limits or 4xx errors, which makes it extra sneaky. The vibe: shocked, salty, and scrambling for workarounds while refreshing [githubstatus.com] for a confession.
Key Points
- As of March 27, 2026 (~07:00 UTC), GitHub’s Dependabot Alerts REST API returns empty or partial results.
- A reproducible case shows the REST endpoint returning [] while the GitHub UI lists nine open alerts.
- The GitHub GraphQL API continues to return correct Dependabot alert data.
- No errors, rate limits, or 4xx responses are returned; the issue is silent and non-signaled.
- GitHub’s status page showed no related incident, posing risks for compliance/automation relying on the REST endpoint.
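
For automation that still reads the REST endpoint, one way to catch this failure mode is to reconcile the fully paginated REST listing against the GraphQL `totalCount` before trusting an empty result. This is an added example, not code from the thread or from GitHub; the `get` transport hook, the function names and the sample responses are assumptions constructed for illustration, and `graphql_total` is the value returned by running `GRAPHQL_QUERY`.

```python
import re

# GitHub GraphQL query for the count of open Dependabot alerts on one repository.
GRAPHQL_QUERY = """query($owner: String!, $name: String!) {
  repository(owner: $owner, name: $name) {
    vulnerabilityAlerts(states: [OPEN]) { totalCount }
  }
}"""

def rest_open_alerts(get, owner, repo):
    """Collect open alerts over REST, following Link rel="next" pagination.

    `get(url)` is a hypothetical transport hook returning (status, headers, json).
    """
    url = (f"https://api.github.com/repos/{owner}/{repo}"
           "/dependabot/alerts?state=open&per_page=100")
    alerts = []
    while url:
        status, headers, body = get(url)
        if status != 200 or not isinstance(body, list):
            raise RuntimeError(f"REST returned HTTP {status} for {url}")
        alerts.extend(body)
        link = {k.lower(): v for k, v in headers.items()}.get("link", "")
        nxt = re.search(r'<([^>]+)>;\s*rel="next"', link)
        url = nxt.group(1) if nxt else None
    return alerts

def reconcile(rest_alerts, graphql_total):
    """Classify the REST result against the GraphQL totalCount."""
    seen = len({a["number"] for a in rest_alerts})
    if seen == graphql_total:
        return "consistent"
    # HTTP 200 with fewer alerts than GraphQL reports: the silent failure mode.
    return "rest_incomplete" if seen < graphql_total else "graphql_lower"

# Constructed responses: a 200 with [] and no Link header, and a two-page listing.
def fake_empty(url):
    return 200, {}, []

def fake_paged(url):
    if "after=" not in url:
        nxt = url + "&after=CURSOR"
        return 200, {"Link": f'<{nxt}>; rel="next"'}, [{"number": 1}, {"number": 2}]
    return 200, {}, [{"number": 3}]

if __name__ == "__main__":
    print(reconcile(rest_open_alerts(fake_empty, "example-org", "example-repo"), 9))
    print(reconcile(rest_open_alerts(fake_paged, "example-org", "example-repo"), 3))
```

A `rest_incomplete` verdict should fail the audit or pipeline step rather than be recorded as "zero open alerts".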