
About GitHub Dependabot version updates

You can use GitHub Dependabot to keep the packages you use updated to the latest versions.


Note: GitHub Dependabot version updates are currently in beta and subject to change. To use the beta feature, check in a configuration file that tells GitHub Dependabot which dependencies to maintain for you. For more information, see "Enabling and disabling version updates."

About GitHub Dependabot version updates

GitHub Dependabot takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.

You enable GitHub Dependabot version updates by checking a configuration file in to your repository. The configuration file specifies the location of the manifest, or other package definition files, stored in your repository. Dependabot uses this information to check for outdated packages and applications. Dependabot uses the semantic versioning (semver) of each dependency to determine whether a newer version exists and whether it should update to that version. When Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "Enabling and disabling version updates."

If you enable security updates, GitHub Dependabot also raises pull requests to update vulnerable dependencies. For more information, see "Configuring GitHub Dependabot security updates."

GitHub Dependabot and all related features are covered by GitHub's Terms of Service.

Frequency of GitHub Dependabot pull requests

You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly.

When you first enable version updates, you may have many outdated dependencies, some of them many versions behind the latest release. GitHub Dependabot checks for outdated dependencies as soon as it is enabled. Depending on how many manifest files you configure updates for, you may see new pull requests for version updates within minutes of adding the configuration file.

To keep pull requests manageable and easy to review, Dependabot raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of that first batch before the next scheduled update, the next batch of pull requests is opened at the next update, again up to five (you can change this limit).

If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a Dependabot alert for a dependency on your default branch. GitHub Dependabot automatically raises a pull request to update the vulnerable dependency.

Supported repositories and ecosystems

Currently, GitHub Dependabot version updates don't support manifest or lock files that contain any private git dependencies or private git registries. This is because, when running version updates, Dependabot must be able to resolve all dependencies from their source to verify that version updates have been successful. However, if you want to enable version updates for dependency manifests or lock files that do contain private dependencies, you can still enable Dependabot preview.

You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. Each entry gives the package manager followed by the ecosystem name used for it in the configuration file.

  • Bundler: bundler
  • Cargo: cargo
  • Composer: composer
  • Docker: docker
  • Elm: elm
  • Git submodules: gitsubmodule
  • GitHub Actions: github-actions
  • Go modules: gomod
  • Gradle: gradle
  • Maven: maven
  • Mix: mix
  • npm: npm
  • NuGet: nuget
  • pip: pip
  • Terraform: terraform
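The following `.github/dependabot.yml` is an added example, not a file from the original page or from GitHub, that ties together the configuration file described above, the daily/weekly/monthly check frequency, the default limit of five open pull requests, and the ecosystem names in the list above. The directory paths, the chosen intervals and the limit of 10 are illustrative assumptions for a hypothetical repository; the keys `version`, `updates`, `package-ecosystem`, `directory`, `schedule`, `interval` and `open-pull-requests-limit` are the configuration file's own keys.

```yaml
# .github/dependabot.yml (added example; paths and values are assumptions)
version: 2
updates:
  # npm manifest (package.json / package-lock.json) at the repository root.
  # Checked once a day; raise the default cap of five open pull requests to ten
  # so a backlog of outdated packages is worked through faster.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10

  # Workflow files under .github/workflows. The directory is "/" because
  # Dependabot looks for workflows there itself. Weekly is enough for actions.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Dockerfile kept in a subdirectory (assumed path). Monthly checks; the
  # default limit of five open pull requests applies because none is set.
  - package-ecosystem: "docker"
    directory: "/docker"
    schedule:
      interval: "monthly"
```

Each `updates` entry covers one ecosystem in one directory, so a repository with several manifests of the same type in different directories needs one entry per directory. Setting `open-pull-requests-limit: 0` on an entry stops version-update pull requests for that ecosystem while leaving security-update pull requests unaffected.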

If your repository already uses an integration for dependency management, you will need to disable this before enabling GitHub Dependabot. For more information, see "About integrations."
