Introducing .dependabot/config.yml


Dependabot can now be managed using a config file 🎉

You'll be able to set up new repositories and configure existing ones using a config file without needing to leave your GitHub workflow.

To get started, add the following file to the root of your repository (on the default branch): .dependabot/config.yml (see the example config files below).

If you haven't done so already, you'll first need to sign up and grant Dependabot access to your repositories.

Example config files

With only required properties

version: 1
update_configs:
  # Keep package.json (& lockfiles) up to date as soon as
  # new versions are published to the npm registry
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "live"
  # Keep Dockerfile up to date, batching pull requests weekly
  - package_manager: "docker"
    directory: "/"
    update_schedule: "weekly"

With default labels, reviewers and automerged updates

version: 1
update_configs:
  # Update your Gemfile (& lockfiles) as soon as
  # new versions are published to the RubyGems registry
  - package_manager: "ruby:bundler"
    directory: "/"
    update_schedule: "live"
    # Apply default reviewer and label to created
    # pull requests
    default_reviewers:
      - "github-username"
    default_labels:
      - "label-name"

    # Automerge all development updates and production
    # security (semver patch) updates (waiting for CI to pass)
    automerged_updates:
      - match:
          dependency_type: "development"
          update_type: "all"
      - match:
          dependency_type: "production"
          update_type: "security:patch"

Available configuration options

The config file must start with version: 1 followed by an array of update_configs.

Property                     Required  Description
package_manager              yes       What package manager to use
directory                    yes       Where to look for package manifests
update_schedule              yes       How often to check for updates
target_branch                no        Branch to create pull requests against
default_reviewers            no        Reviewers to set on pull requests
default_assignees            no        Assignees to set on pull requests
default_labels               no        Labels to set on pull requests
allowed_updates              no        Limit which updates are allowed
ignored_updates              no        Ignore certain dependencies or versions
automerged_updates           no        Updates that should be merged automatically
version_requirement_updates  no        How to update manifest version requirements

Validation errors

Dependabot will create an issue on your repository if there are any problems parsing the config file.
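As an added example (not part of the original page and not Dependabot's own parser), a local check that applies the rules documented on this page, so a typo or an unsupported combination is caught before Dependabot has to open an issue about it. It assumes the file has already been loaded with a YAML parser such as PyYAML's yaml.safe_load, and it knows only the rules this page states (required properties, the supported package managers, the schedules, and which managers support the live schedule).

```python
# Hypothetical checker for a v1 .dependabot/config.yml, written for this page
# (not Dependabot's own parser). It encodes only the rules stated in the
# documentation and takes the file already parsed (e.g. yaml.safe_load).
PACKAGE_MANAGERS = {
    "javascript", "ruby:bundler", "php:composer", "python", "go:modules",
    "go:dep", "java:maven", "java:gradle", "dotnet:nuget", "rust:cargo",
    "elixir:hex", "docker", "terraform", "submodules", "elm",
}
LIVE_CAPABLE = {"javascript", "ruby:bundler", "python", "php:composer",
                "rust:cargo", "elixir:hex"}
SCHEDULES = {"live", "daily", "weekly", "monthly"}
REQUIRED = ("package_manager", "directory", "update_schedule")
OPTIONAL = {"target_branch", "default_reviewers", "default_assignees",
            "default_labels", "allowed_updates", "ignored_updates",
            "automerged_updates", "version_requirement_updates"}


def validate(config):
    """Return a list of problems; an empty list means the file is acceptable."""
    if not isinstance(config, dict) or config.get("version") != 1:
        return ["top level must be a mapping with version: 1"]
    configs = config.get("update_configs")
    if not isinstance(configs, list) or not configs:
        return ["update_configs must be a non-empty array"]
    errors = []
    for i, uc in enumerate(configs):
        where = f"update_configs[{i}]"
        if not isinstance(uc, dict):
            errors.append(f"{where}: must be a mapping")
            continue
        for key in REQUIRED:
            if key not in uc:
                errors.append(f"{where}: missing required property {key}")
        for key in uc:  # catches typos such as default_branch for target_branch
            if key not in REQUIRED and key not in OPTIONAL:
                errors.append(f"{where}: unknown property {key}")
        pm = uc.get("package_manager")
        if pm is not None and pm not in PACKAGE_MANAGERS:
            errors.append(f"{where}: unsupported package_manager {pm!r}")
        sched = uc.get("update_schedule")
        if sched is not None and sched not in SCHEDULES:
            errors.append(f"{where}: unknown update_schedule {sched!r}")
        elif sched == "live" and pm in PACKAGE_MANAGERS - LIVE_CAPABLE:
            errors.append(f"{where}: 'live' schedule not supported for {pm}")
    return errors
```

Running validate() over the parsed file in a pre-commit hook or CI job gives the same feedback Dependabot would, without waiting for the issue it files.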

package_manager (required)

Supported package managers:

  • javascript
  • ruby:bundler
  • php:composer
  • python
  • go:modules
  • go:dep
  • java:maven
  • java:gradle
  • dotnet:nuget
  • rust:cargo
  • elixir:hex
  • docker
  • terraform
  • submodules
  • elm

Example: package manager

version: 1
update_configs:
  # required properties omitted ...
  - package_manager: "submodules"

directory (required)

Where to look for package manifests (e.g. your package.json or Gemfile). The directory is relative to the repository's root.

Example: directory

version: 1
update_configs:
  # required properties omitted ...
  - directory: "/app"

update_schedule (required)

How often to check for updates and when to create pull requests.

Available schedules

  • live

    • Only supported by the following package managers

      • javascript
      • ruby:bundler
      • python
      • php:composer
      • rust:cargo
      • elixir:hex
  • daily
  • weekly
  • monthly

For daily and weekly schedules you can also specify the run day and time in your dashboard account settings.

Example: update schedule

version: 1
update_configs:
  # required properties omitted ...
  - update_schedule: "monthly"

target_branch

Branch to create pull requests against.

By default your repository's default branch is used.

Example: target branch

version: 1
update_configs:
  # required properties omitted ...
  - target_branch: "develop"

default_reviewers

Reviewers to set on update pull requests.

Example: default reviewers

version: 1
update_configs:
  # required properties omitted ...
  - default_reviewers:
      - "github_username1"
      - "github_username2"

default_assignees

Assignees to set on update pull requests.

Example: default assignees

version: 1
update_configs:
  # required properties omitted ...
  - default_assignees:
      - "github_username1"
      - "github_username2"

default_labels

Labels to set on update pull requests.

By default the label "dependencies" is used.

Example: default labels

version: 1
update_configs:
  # required properties omitted ...
  - default_labels:
      - "dependencies"
      - "dependabot"

allowed_updates

Limit which updates are allowed.

By default all direct/top-level dependencies are kept up to date (indirect/sub-dependencies are only updated if they include security fixes).

Example: only allow security updates

version: 1
update_configs:
  # required properties omitted ...
  - allowed_updates:
      - match:
          update_type: "security"

Example: updates matching on dependency name or security updates

version: 1
update_configs:
  # required properties omitted ...
  - allowed_updates:
      - match:
          update_type: "security"
      - match:
          # Currently only supports exact matches on name
          dependency_name: "lodash"

Example: all updates including indirect/sub-dependencies

version: 1
update_configs:
  # required properties omitted ...
  - allowed_updates:
      - match:
          # Only includes indirect (aka transitive/sub-dependencies) for
          # supported package managers: ruby:bundler, python, go:modules,
          #                             php:composer, rust:cargo
          update_type: "all"

ignored_updates

By default no updates are ignored.

Example: ignored updates

version: 1
update_configs:
  # required properties omitted ...
  - ignored_updates:
      - match:
          # Currently only supports exact matches on name
          dependency_name: "express"
          # The range format is specific to the package manager
          # (e.g., ^1.0.0 for JS, or ~> 2.0 for Ruby)
          version_requirement: "4.x"

automerged_updates

Specify which update pull requests should be merged automatically.

By default no updates are automerged.

For all of the options below Dependabot will wait until all your status checks pass before merging. You can also set working hours for automerging in your dashboard account settings.

Example: automerge based on dependency type

version: 1
update_configs:
  # required properties omitted ...
  - automerged_updates:
      - match:
          dependency_type: "development"
          # Supported dependency types:
          # - "development"
          # - "production"
          update_type: "all"
          # Supported updates to automerge:
          # - "security:patch"
          #   SemVer patch update that fixes a known security vulnerability
          # - "semver:patch"
          #   SemVer patch update (versions > 1.x), e.g. 1.0.1 to 1.0.3
          # - "semver:minor"
          #   SemVer minor update (versions > 1.x), e.g. 2.1.4 to 2.3.1
          # - "in_range"
          #   matching the version requirement in your package manifest
          # - "all"
      - match:
          dependency_type: "production"
          update_type: "semver:patch"

Example: automerge based on dependency name

version: 1
update_configs:
  # required properties omitted ...
  - automerged_updates:
      - match:
          # Only top level dependencies can be automerged
          dependency_name: "rspec"
          update_type: "all"
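As an added example, not part of the original page and not Dependabot's code: a small evaluator that applies the automerged_updates match semantics described above to a candidate update, so a team can see which pull requests would merge without human review before switching automerge on. The field names of the candidate update (name, type, from, to, security, direct) are assumptions of this example, as are the reading of "> 1.x" as a major version of 1 or higher and the treatment of semver:minor as also covering patch bumps; in_range depends on the package manager's range syntax and is deliberately reported as not decidable here.

```python
# Hypothetical evaluator for an automerged_updates list, written for this
# page (not Dependabot's code); it applies the match semantics described
# above so a team can see which pull requests would skip human review.
import re
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def _parts(version):
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not MAJOR.MINOR.PATCH: {version!r}")
    return tuple(int(x) for x in m.groups())

def classify(old, new):
    """'major', 'minor', 'patch', 'none' or 'unstable' (0.x) for old -> new."""
    # The page's "> 1.x" is read as major >= 1: 0.x bumps are never patch/minor.
    (M1, m1, p1), (M2, m2, p2) = _parts(old), _parts(new)
    if M1 < 1 or M2 < 1:
        return "unstable"
    if M1 != M2:
        return "major"
    if m1 != m2:
        return "minor"
    return "patch" if p1 != p2 else "none"

def _rule_matches(match, update):
    """Evaluate one `match:` entry against one candidate update."""
    for key, field in (("dependency_name", "name"), ("dependency_type", "type")):
        if key in match and match[key] != update[field]:
            return False
    kind = classify(update["from"], update["to"])
    update_type = match["update_type"]
    if update_type == "all":
        return True
    if update_type == "security:patch":
        return update["security"] and kind == "patch"
    if update_type == "semver:patch":
        return kind == "patch"
    if update_type == "semver:minor":  # assumed to also cover patch bumps
        return kind in ("minor", "patch")
    # "in_range" needs the package manager's range syntax; refuse to guess.
    raise ValueError(f"cannot evaluate update_type {update_type!r} offline")

def would_automerge(automerged_updates, update):
    """True if any rule matches; indirect dependencies are never automerged."""
    if not update["direct"]:
        return False
    return any(_rule_matches(r["match"], update) for r in automerged_updates)
```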

version_requirement_updates

Specify how Dependabot should update your package manifest (e.g. package.json or Gemfile), as opposed to your lockfile.

By default, version requirements are increased if it's an app and the range widened if it's a library.

Available update strategies

  • off (Only lockfile updates, ignoring updates that require package manifest changes)

  • auto (Increase versions if an app, widen ranges if a library)

    • Only supported by the following package managers

      • javascript
      • ruby:bundler
      • go:dep
      • python
      • php:composer
      • rust:cargo
      • elixir:hex
  • widen_ranges (Relax the version requirement when possible)

    • Only supported by the following package managers

      • javascript
      • go:dep
  • increase_versions (Always increase the version requirement to match the new version)

    • Only supported by the following package managers

      • javascript
      • ruby:bundler
      • go:dep
  • increase_versions_if_necessary (Increase the version requirement only when required by the new version)

    • Only supported by the following package managers

      • javascript
      • ruby:bundler
