Security updates only mode

You can now set Dependabot to only create PRs in response to security advisories.


As announced last week, Dependabot now automatically responds to security advisories in Ruby, PHP, Rust and Elixir dependencies (more languages coming soon). When a new vulnerability is disclosed, Dependabot will immediately create a PR to update you to a patched version.

We want everyone to be able to benefit from the above, regardless of their wider dependency management strategy. To make that possible, Dependabot can now be set up to only create PRs for security updates.

To configure a repo for security updates only, click "show advanced options" when adding it to Dependabot, or click to edit it once it's been added.

Stay safe out there!

