Skip to main content

About Dependabot version updates

You can use Dependabot to keep the packages you use updated to the latest versions.

About Dependabot version updates

Dependabot takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.

You enable Dependabot version updates by checking a dependabot.yml configuration file into your repository. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. Dependabot uses this information to check for outdated packages and applications. Dependabot determines if there is a new version of a dependency by looking at the semantic versioning (semver) of the dependency to decide whether it should update to that version. For certain package managers, Dependabot version updates also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. Dependabot version updates can be configured to check vendored dependencies for new versions and update them if necessary.

When Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, Dependabot raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "Configuring Dependabot version updates."

If you enable security updates, Dependabot also raises pull requests to update vulnerable dependencies. For more information, see "About Dependabot security updates."

当 Dependabot 提出拉取请求时,这些拉取请求可以是安全更新或版本更新:

  • Dependabot security updates 是自动拉取请求,可帮助你更新已知漏洞的信赖项。
  • Dependabot version updates 是自动拉取请求,即使它们没有任何漏洞,也会保持更新依赖项。 要检查版本更新的状态,请依次导航到仓库的 Insights(见解)选项卡、Dependency Graph(依赖关系图)、Dependabot。

GitHub Actions 为 ,而不是 ,Dependabot version updates 和 Dependabot security updates 在 GitHub 上运行。但是,Dependabot 打开的拉取请求可以触发运行操作的工作流。 有关详细信息,请参阅“使用 GitHub Actions 自动执行 Dependabot”。

Dependabot 和所有相关功能受 GitHub 服务条款约束。

Frequency of Dependabot pull requests

You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly.

首次启用版本更新时,您可能有很多过时的依赖项,其中一些可能为许多落后于最新版本的版本。 Dependabot 将在其启用后立即检查过时的依赖项。 根据您配置更新的清单文件的数量,您可能会在添加配置文件后几分钟内看到新的版本更新拉取请求。 Dependabot 也会在配置文件后续更改时运行更新。

Dependabot 也可在更新失败后更改清单文件时创建拉取请求。 这是因为对清单的更改,例如删除导致更新失败的依赖项,可能会导致新触发的更新成功。

为使拉取请求保持可管理和易于审查,Dependabot 最多提出五个拉取请求,以便开始将依赖项更新至最新版本。 如果您在下次预定的更新之前先合并了这些拉取请求,剩余的拉取请求将在下次更新时打开,最多不超过此限。 可以通过设置open-pull-requests-limit配置选项来更改打开的拉取请求的最大数量。

If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a Dependabot alert for a dependency on your default branch. Dependabot automatically raises a pull request to update the vulnerable dependency.

Supported repositories and ecosystems

You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "Configuration options for the dependabot.yml file."

在运行安全性或版本更新时,有些生态系统必须能够解决来自其来源的所有依赖项,以验证版本更新是否成功。 如果清单或锁定文件包含任何私有依赖项,Dependabot 必须能够访问这些依赖项所在的位置。 组织所有者可以授予 Dependabot 访问包含同一个组织内项目依赖项的私有仓库. 有关详细信息,请参阅“管理组织的安全和分析设置”。 你可以在存储库的 dependabot.yml 配置文件中配置对专用注册表的访问。 有关详细信息,请参阅“dependabot.yml 文件的配置选项”。

Dependabot doesn't support private GitHub dependencies for all package managers. See the details in the table below.

The following table shows, for each package manager:

  • The YAML value to use in the dependabot.yml file
  • The supported versions of the package manager
  • Whether dependencies in private GitHub repositories or registries are supported
  • Whether vendored dependencies are supported
Package managerYAML valueSupported versionsPrivate repositoriesPrivate registriesVendoring
Bundlerbundlerv1, v2
Cargocargov1
Composercomposerv1, v2
Docker [1]dockerv1
Hexmixv1
elm-packageelmv0.19
git submodulegitsubmoduleN/A (no version)
GitHub Actionsgithub-actionsN/A (no version)
Go modulesgomodv1
GradlegradleN/A (no version)[2]
MavenmavenN/A (no version)[3]
npmnpmv6, v7, v8
NuGetnuget<= 4.8[4]
pip[5]pipv21.1.2
pipenvpip<= 2021-05-29
pip-compile[5]pip6.1.0
poetrypipv1
pubpubv2 [6]
Terraformterraform>= 0.13, <= 1.2.x
yarnnpmv1, v2, v3[7]

Tip: For package managers such as pipenv and poetry, you need to use the pip YAML value. For example, if you use poetry to manage your Python dependencies and want Dependabot to monitor your dependency manifest file for new versions, use package-ecosystem: "pip" in your dependabot.yml file.

[1] Dependabot can update Docker image tags in Kubernetes manifests. Add an entry to the Docker package-ecosystem element of your dependabot.yml file for each directory containing a Kubernetes manifest which references Docker image tags. Kubernetes manifests can be Kubernetes Deployment YAML files or Helm charts. For information about configuring your dependabot.yml file for docker, see "package-ecosystem" in "Configuration options for the dependabot.yml file."

Dependabot supports both public and private Docker registries. For a list of the supported registries, see "docker-registry" in "Configuration options for the dependabot.yml file."

[2] Dependabot doesn't run Gradle but supports updates to the following files: build.gradle, build.gradle.kts (for Kotlin projects), and files included via the apply declaration that have dependencies in the filename. Note that apply does not support apply to, recursion, or advanced syntaxes (for example, Kotlin's apply with mapOf, filenames defined by property).

[3] Dependabot doesn't run Maven but supports updates to pom.xml files.

[4] Dependabot doesn't run the NuGet CLI but does support most features up until version 4.8.

[5] In addition to supporting updates to requirements.txt files, Dependabot supports updates to pyproject.toml files if they follow the PEP 621 standard.

[6] Dependabot won't perform an update for pub when the version that it tries to update to is ignored, even if an earlier version is available.

[7] Dependabot supports vendored dependencies for v2 onwards.

If your repository already uses an integration for dependency management, you will need to disable this before enabling Dependabot. For more information, see "About integrations."

About notifications for Dependabot version updates

You can filter your notifications on GitHub to show notifications for pull requests created by Dependabot. For more information, see "Managing notifications from your inbox."