The alerts are sent out based on public vulnerabilities in Ruby gems and NPM, the package manager for Node.js, that are on MITRE's Common Vulnerabilities and Exposures (CVE) List. Once Python is added, it too will be covered by the alerts. GitHub has promised users that Python will make it to the list next year.
The alerts are sent only to the project owner or the developer and a few others with admin access to repositories. GitHub has also said that it would never disclose the vulnerability of a specific repository. The alerts will be sent through emails, web notifications, or the GitHub interface. The developer can choose how to receive the alerts.