Blog

How do we stop attackers hijacking dependencies?


Last week a malicious alteration was discovered in event-stream , a widely downloaded npm package. Full details are in the npm team's…

Read more...

Today, we're thankful for all the open-source maintainers


Happy Thanksgiving. Today, we're thankful for all the open-source maintainers. We couldn't have built Dependabot without their work. We're…

Read more...

Securing JavaScript transitive dependencies


Dependabot can now update both Yarn and npm transitive dependencies in response to security advisories for Node packages. This massively…

Read more...

Announcing Go modules support


Good news for Gophers: Dependabot can now keep your go.mod and go.sum files up to date 🎉 Here's how it works: Dependabot looks for a…

Read more...

GitHub Security Alerts integration improvements


GitHub announced the GitHub Security Advisory API today at GitHub Universe. Dependabot now uses it to pull in additional security…

Read more...

Dependabot's Gradle support is now in beta


We've been working hard to improve Dependabot's Gradle support, and are upgrading its status to "beta". We launched Gradle support back in…

Read more...

Dependabot now supports Elm 0.19


Dependabot can now update your elm.json if you're using Elm 0.19, and will continue to update your elm-package.json if you're using Elm…

Read more...

Sonatype OSS Index integration


Dependabot now checks Sonatype's OSS Index when looking for vulnerable dependency versions. As a result, vulnerable Java and .NET…

Read more...

Announcing Terraform support


Using Terraform to manage your infrastructure? Dependabot can now help keep your Terraform modules up-to-date. Here's how it works…

Read more...

Announcing Poetry support


Using Poetry as your package manager for Python? Dependabot can now help keep your pyproject.toml and pyproject.lock up-to-date. 🎉 If…

Read more...

Announcing Elm support


Using Elm? Dependabot can now help you keep your elm-package.json file up-to-date. Here's how it works: Dependabot looks for an elm…

Read more...

Announcing Go support


Using Go? If you're using dep for your dependency management then Dependabot can now help you keep your Gopkg.toml and Gopkg.lock…

Read more...

GitHub Security Alerts integration


We've integrated Dependabot with GitHub's Security Alerts. Now when you receive a security alert from GitHub you can expect a PR from…

Read more...

Lerna support


Working on a JavaScript monorepo that uses Lerna? Dependabot will now update all your package.json files automatically. Previously, if you…

Read more...

Set working hours for automatic PR merging


You can now specify "working hours" for Dependabot's automerge functionality. 🤖 We added the option to automerge Dependabot PRs back in…

Read more...

100,000 pull requests merged! 💯🎉


Early this morning Dependabot's 100,000th pull request was merged. It was to a private repo and updated the Ruby gem selenium-webdriver…

Read more...

Announcing .NET support


Using .NET? Dependabot can now help you keep the dependencies in your project files up-to-date. Here's how it works: Dependabot looks for a…

Read more...

Patch updates for older major versions


We've improved Dependabot's version resolution logic. It can now keep you up-to-date with patch releases to older major versions. Say you're…

Read more...

Dependabot now supports pip-compile


If you use pip-tools to manage your Python dependencies, Dependabot will now keep your requirements.in files up-to-date, too, and ensure…

Read more...

Limiting the number of open Dependabot PRs


By default, Dependabot will now limit the number of open pull requests it has for any project/language combination to 10. Previously, if you…

Read more...

Dependabot's Rust support is out of beta


We released beta support for Rust back in March. Today, we're blessing it with full release status. 🎉 Dependabot is now running on over…

Read more...

Announcing Gradle support


Using Gradle? Dependabot can now help you keep the dependencies in your build.gradle files up-to-date. Here's how it works: Dependabot looks…

Read more...

Custom Maven repositories


Dependabot now checks custom Maven repositories specified in your pom.xml for updates. You'll start seeing updates for dependencies from…

Read more...

Support for multimodule Maven projects


Dependabot can now help you keep multimodule Maven projects up-to-date. We released alpha support for Maven back in January, and have been…

Read more...

Private Elixir packages and organizations


Dependabot now supports private Elixir packages and organizations. Last month, the Hex.pm team announced they were going live with…

Read more...

Automatic security updates for JavaScript


Dependabot now creates pull requests immediately in response to security advisories for Node packages. 🕵️‍♀️ Here's how it works…

Read more...

Security updates only mode


You can now set Dependabot to only create PRs in response to security advisories. As announced last week , Dependabot now automatically…

Read more...

Automatically respond to security advisories


Dependabot now creates pull requests immediately in response to security advisories for Ruby, PHP and Rust (more languages coming soon). It…

Read more...

Announcing Rust support


Using Rust? Dependabot can now help you keep your Cargo.toml and Cargo.lock files up-to-date. Here's how it works: Dependabot looks for a…

Read more...

Live updates


Dependabot can now create pull requests for you the minute new dependency versions are released. ⚡️ We've just released a new dependency…

Read more...

Better pull requests


We've overhauled Dependabot's pull requests to include changelogs, release notes and commit details. Here's an example . We're always…

Read more...

Dependabot's Elixir support is out of beta


We released beta support for Elixir back in January. Today, we're blessing it with full release status. 🎉 Dependabot is now running on…

Read more...

Automatic PR merging now in beta testing


Dependabot can now automatically merge patch-level updates for you. It's a beta feature, and we'd love your feedback on it. We see auto…

Read more...

Dependabot now supports Elixir umbrella applications


When we added beta support for Elixir six weeks ago one of the things that was missing was support for umbrella applications. As of today…

Read more...

Dependabot now signs its commits


Dependabot now signs its commits, so you can be sure they're from us. We're thankful to the good people at GitHub for making this feature…

Read more...

New feature: option for lockfile updates only


We just shipped a new feature: an option to only receive lockfile-only updates. 🎉 Many languages split dependency management into a…

Read more...

Dependabot's Java support is now in beta


We released alpha support for Java (Maven) back in January. Today, we're upgrading support to beta, with a plan for the additional…

Read more...

Postmortem: GitHub commit display bug


On February 6th, 2018, a GitHub user set support@dependabot.com as their GitHub email address, which caused Dependabot's commits to appear…

Read more...

Gemnasium are being acquired by GitLab. Here's what that means for everyone else


Gemnasium has been acquired by GitLab and is shutting down its GitHub service in May. Their blog post is candid about why: GitHub's…

Read more...

Announcing Elixir support


Using Elixir? Dependabot can now help you keep your dependencies up-to-date. 🎉 Here's how it works: Every day, Dependabot pulls down your…

Read more...

Dependabot's PHP support is out of beta


We released beta support for PHP back in June last year. Today, we're blessing it with full release status. 🎉 Dependabot is now running…

Read more...

Announcing Maven support


Using Maven? Dependabot can now help you keep your POM file up-to-date. Here's how it works: Dependabot looks for a "pom.xml" in your repo…

Read more...

Little touches


We love making Dependabot as delightful as possible - we think it makes the difference between a product people use and one they love. For…

Read more...

Dependabot now supports Pipenv (in beta)!


Python devs: Dependabot can now help keep your Pipfile and Pipfile.lock up-to-date. 🎉 We've been excited about Pipenv since Kenneth…

Read more...

Dependabot's Python support is out of beta


We released beta support for Python back in July. Today, we're blessing it with full release status. 🎉 Since our beta for Python began we…

Read more...

Dependabot's JavaScript support just got even better


We've just made Dependabot much easier to use with JavaScript: No lockfile required: You can now use Dependabot on JavaScript projects that…

Read more...

Dependabot's npm support is out of beta


We released beta support for npm a month ago. Today, we're blessing it with full release status. 🎉 We're always improving Dependabot…

Read more...

Handling thorny Ruby dependency updates


Since launching Dependabot for Ruby six months ago, we've had a guilty secret: Dependabot couldn't handle the most difficult updates…

Read more...

The GitHub Marketplace effect on distribution


It's been a month since Dependabot was added to the GitHub Marketplace . Time to crunch some numbers on the effect it's had. GitHub…

Read more...

Get a Dependabot free trial for your company


Want to try Dependabot but need to see it in action first? You can now sign up for a free trial of Dependabot's paid plans. 🎉 We've always…

Read more...

Announcing beta support for npm


Using npm for your JavaScript dependencies? Dependabot can now help you keep your package-lock.json up-to-date. (Using Yarn instead? No…

Read more...

Docker support is out of beta


We released beta support for Dockerfiles two weeks ago. Today, we're blessing it with full release status. 🎉 We're always improving…

Read more...

Announcing Docker support


Using Docker? Dependabot can now help you keep your base image up-to-date. Here's how it works: Dependabot looks for a "Dockerfile" in your…

Read more...

Updating Ruby dependencies with a git source


It's a really common problem: you contribute a fix or feature to a library but want to pull in your changes before the maintainer has cut a…

Read more...

Ignoring a major / minor version


We just shipped a handy new feature: you can now ask Dependabot to ignore a major or minor version of a dependency. Say you're using React…

Read more...

Dependabot now supports Git submodules


Using Git submodules in your project? Dependabot can now keep them up-to-date for you. To get started, just click the "Add project" button…

Read more...

Helping test Bundler 1.16.0


Dependabot is currently helping test the latest pre-release candidate of Bundler 1.16.0. If you see anything odd in any of the pull requests…

Read more...

Dependabot now supports Ruby libraries


Dependabot can now help you keep the sub-dependencies of your Ruby gems up-to-date. Ever day, Dependabot will check whether any of your gem…

Read more...

Fixing Bundler's dependency resolution algorithm and making it 2x faster


A month ago we had a report of some strange behaviour from Dependabot: on some projects, we were creating a "Dependabot can't resolve your…

Read more...

Dependabot's core logic is now open-source


We've open-sourced Dependabot Core , the core logic behind Dependabot. Full details are in the project's readme. What does it do…

Read more...

Dependabot now supports Python


Using Python? Dependabot now works with pip to automate keeping your dependencies up-to-date. To get started, just click the "Add project…

Read more...

Expanding our vision: automated refactors for major version updates


A month ago we wrote about our vision for dependency management . At the time, we wanted to Dependabot to achieve the following: Automate…

Read more...

Introducing Dependabot compatibility scores


From today, Dependabot pull requests will include details the percentage of test suites that pass for the relevant update, in the form a…

Read more...

Dependabot now supports PHP


Using PHP? Dependabot now works with Composer to automate keeping your packages up-to-date. To get started, just click the "Add project…

Read more...

Weekly bumping


We just shipped a handy little new feature: the ability to reduce the frequency of dependency updating from daily to weekly. Daily updates…

Read more...

A bigger vision for dependency management


Last week we launched Dependabot, a dependable robot who’ll keep your dependencies up-to-date for you. We've got big plans for it. The small…

Read more...

Why bother keeping dependencies up-to-date?


Dependabot has pretty strong views on dependency management. If you use it, you’re signing up to keep your dependencies up-to-date all the…

Read more...

Ten years of Rubysec data analysed to find the most secure dependency strategy


Want to keep your application as secure as possible? According to the last 10 years of Rubysec data, the most secure, actionable strategy is…

Read more...

Introducing Dependabot!


Today, we’re launching Dependabot — a dependable robot who’ll keep your dependencies up-to-date for you. Here’s how it works. Dependa-what…

Read more...