Tell HN: GitHub's Dependabot REST API is silently returning incomplete results

As of this morning (March 27, 2026), the GitHub Dependabot Alerts REST API endpoint (GET /repos/{owner}/{repo}/dependabot/alerts) is silently returning empty or partial results.

Our app hits this endpoint across hundreds of GitHub orgs. Starting around 07:00 UTC today, we noticed massive drops in alert counts. Digging in, we confirmed the API simply isn't returning alerts that are clearly visible in the GitHub UI.

Reproducible example on our own org:

    $ gh api repos/{org}/{repo}/dependabot/alerts
    []
Meanwhile https://github.com/{org}/{repo}/security/dependabot shows 9 open alerts.

Key details: - The REST API returns [] or a fraction of the real count - The GraphQL API still returns correct results - The GitHub UI shows the right number - No error, no rate limit, no 4xx, just silently incomplete data - We're seeing this across many orgs, not just one

This is particularly nasty because there's no signal that anything is wrong. If you're relying on this endpoint for compliance or any automation, you're getting stale data right now and you won't know unless you cross-check.

Nothing on https://www.githubstatus.com as of writing.

Anyone else seeing this?

7 points | by zetaben 1 day ago

3 comments

  • sheiyei 1 hour ago
    You can trust Microsoft of all companies to make a product with "depend" on the name become unreliable
    [-]
    • Bombthecat 1 hour ago
      I think they need to replace more developers with AI.

      The developers clearly make to many errors!

  • PhilipRoman 1 hour ago
    I believe you've always been supposed to handle pagination for this API: https://docs.github.com/en/rest/using-the-rest-api/using-pag...

    Paginated-by-default APIs are an annoying pattern, like GitLab CI suddenly breaking after 20 builds, etc. I wish they would start making the pagination parameters required.

  • Lunatic666 1 hour ago
    I have the same problem, but you can switch to the GraphQL API, it still provides the full dependabot alerts. For me it’s a lot slower though, because I need more nested queries to get the same data.