Dependabot

Automated dependency updates

Dependabot creates pull requests to keep your dependencies secure and up-to-date.

170,000 pull requests merged, and counting!

How it works

Dependabot checks for updates

Dependabot pulls down your dependency files and looks for any outdated or insecure requirements.

Dependabot opens pull requests

If any of your dependencies are out-of-date, Dependabot opens individual pull requests to update each one.

You review and merge

You check that your tests pass, scan the included changelog and release notes, then hit merge with confidence.

Features

Simple, drip-feed getting started flow

We'll update five of your dependencies each day, until you're on the cutting edge. Request more PRs if you want, or close them to ignore a dependency until the next release.

Security advisories handled automatically

Dependabot monitors security advisories for Ruby, Python, JavaScript, Java, .NET, PHP, Elixir and Rust. We create PRs immediately in response to new advisories.

Great pull requests that stay up-to-date

Dependabot PRs include release notes, changelogs, commit links and vulnerability details whenever they're available. They'll also automatically keep themselves conflict-free.

Compatibility scores for each update

Dependabot aggregates everyone's test results into a compatibility score, so you can be certain a dependency update is backwards compatible and bug-free.

Automatic merge options

Dependabot can be configured to automatically merge PRs if your tests pass on them, based on the size of the change (security/patch/minor/major) and the dependency type.