Optimizing the creation of pull requests for Dependabot version updates

Learn how to streamline and efficiently manage your Dependabot pull requests.

Wer kann dieses Feature verwenden?

Users with write access

In diesem Artikel

By default, Dependabot opens a new pull request to update each dependency. When you enable security updates, new pull requests are opened when a vulnerable dependency is found. When you configure version updates for one or more ecosystems, new pull requests are opened when new versions of dependencies are available, with the frequency defined in the dependabot.yml file.

If your project has many dependencies, you might find that you have a very large number of Dependabot pull requests to review and merge, which can quickly become difficult to manage.

There are a couple of customization options you can implement to optimize Dependabot update pull requests to align with your processes, such as:

  • Controlling the frequency with which Dependabot checks for newer versions of your dependencies with schedule.
  • Prioritize meaningful updates with groups.

Controlling the frequency and timings of dependency updates

Dependabot runs its checks for version updates at a frequency set by you in the configuration file (where the required field, schedule.interval, must be set to daily, weekly, or monthly).

By default, Dependabot balances its workload by assigning a random time to check and raise pull requests for dependency updates.

However, to reduce distraction, or to better organize time and resources for reviewing and addressing version updates, you might find it useful to modify the frequency and timings. For example, you may prefer Dependabot to run weekly rather than daily checks for updates, and at a time that ensures pull requests are raised before for your team's triage session.

You can use schedule with a combination of options to modify the frequency and timings of when Dependabot checks for version updates

The example dependabot.yml file below changes the npm configuration to specify that Dependabot should check for version updates to npm dependencies every day at 02:00 Japanese Standard Time (UTC +09:00).

YAML
# `dependabot.yml` file with
# customized schedule for version updates

version: 2
updates:
  # Keep npm dependencies up to date
  - package-ecosystem: "npm"
    directory: "/"
    # Check the npm registry every week on Tuesday at 02:00 Japan Standard Time (UTC +09:00)
    schedule:
      interval: "weekly"
      day: "tuesday"
      time: "02:00"
      timezone: "Asia/Tokyo"

See also schedule.

Prioritizing meaningful updates

You can use groups to consolidate updates for multiple dependencies into a single pull request. This helps you focus your review time on higher risk updates, and minimize the time spent reviewing minor version updates. For example, you can combine updates for minor or patch updates for development dependencies into a single pull request, and have a dedicated group for security or version updates that impact a key area of your codebase.

You must configure groups per individual package ecosystem, then you can create multiple groups per package ecosystem using a combination of criteria:

  • Dependabot update type: applies-to
  • Type of dependency: dependency-type.
  • Dependency name: patterns and exclude-patterns
  • Semantic versioning levels: update-types

To see all supported values for each criterion, see groups.

The below examples present several different methods to create groups of dependencies using the criteria.

Beispiel 1

Die dependabot.yml-Dateikonfiguration verwendet die Optionen patterns und dependency-type, um bestimmte Abhängigkeiten in die Gruppe einzuschließen und exclude-patterns, um eine Abhängigkeit (oder mehrere Abhängigkeiten) aus der Gruppe auszuschließen. Die Gruppierungsregel wird standardmäßig nur auf Versionsupdates angewendet, da der applies-to-Schlüssel nicht vorhanden ist.

# `dependabot.yml` file using the `dependency-type` option to group updates
# in conjunction with `patterns` and `exclude-patterns`.
# Grouping rules default to applying to version updates only, since
# the `applies-to` key is absent.

groups:
  production-dependencies:
    dependency-type: "production"
  development-dependencies:
    dependency-type: "development"
    exclude-patterns:
    - "rubocop*"
  rubocop:
    patterns:
    - "rubocop*"

Beispiel 2

Eine dependabot.yml-Datei mit einer angepassten Bundler-Konfiguration, die geändert wurde, um eine Gruppe von Abhängigkeiten zu erstellen. Die Konfiguration gibt patterns (Zeichenfolgen von Zeichen) an, die mit dem Namen einer Abhängigkeit (oder mehrerer Abhängigkeiten) übereinstimmen, um die Abhängigkeiten in die Gruppe einzuschließen. Die Gruppierungsregel gilt nur für Versionsupdates, da applies-to: version-updates verwendet wird.

# `dependabot.yml` file with customized Bundler configuration
# In this example, the name of the group is `dev-dependencies`, and
# only the `patterns` and `exclude-patterns` options are used.
# Grouping rules apply to version updates only.

version: 2
updates:
  # Keep bundler dependencies up to date
  - package-ecosystem: "bundler"
    directories:
      - "/frontend"
      - "/backend"
      - "/admin"
    schedule:
      interval: "weekly"
    # Create a group of dependencies to be updated together in one pull request
    groups:
       # Specify a name for the group, which will be used in pull request titles
       # and branch names
       dev-dependencies:
          # Define patterns to include dependencies in the group (based on
          # dependency name)
          applies-to: version-updates # Applies the group rule to version updates
          patterns:
            - "rubocop" # A single dependency name
            - "rspec*"  # A wildcard string that matches multiple dependency names
            - "*"       # A wildcard that matches all dependencies in the package
                        # ecosystem. Note: using "*" may open a large pull request
          # Define patterns to exclude dependencies from the group (based on
          # dependency name)
          exclude-patterns:
            - "gc_ruboconfig"
            - "gocardless-*"

Beispiel 3

Die Datei dependabot.yml ist so konfiguriert, dass alle Pakete gruppiert werden, die dem Muster @angular* entsprechen, dessen höchste auflösbare Version minor oder patch ist. Dependabot erstellt einen separaten Pull Request für jedes Paket, das nicht mit dem Muster übereinstimmt oder das nicht auf eine minor- oder patch-Version aktualisiert wird. Die Gruppierungsregel gilt nur für Versionsupdates, da applies-to: version-updates verwendet wird.

# `dependabot.yml` file using the `update-types` option to group updates.
# Any packages matching the pattern @angular* where the highest resolvable
# version is minor or patch will be grouped together.
# Grouping rules apply to version updates only.

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      angular:
        applies-to: version-updates
        patterns:
        - "@angular*"
        update-types:
        - "minor"
        - "patch"

Beispiel 4

Die dependabot.yml-Datei verwendet eine ignore-Bedingung, um Updates für major-Versionen von @angular*-Paketen auszuschließen. Zwei Gruppierungsregeln werden angegeben, eine für Versionsupdates und eine für Sicherheitsupdates.

# `dependabot.yml` file using the `update-types` option to group updates
# in conjunction with an `ignore` condition. If you do not want updates
# to `major` versions of `@angular*` packages, you can specify an `ignore` condition.
# Grouping rules for both version updates and security updates are specified.

groups:
  angular:
    applies-to: version-updates
    patterns:
    - "@angular*"
    update-types:
    - "minor"
    - "patch"
  minor-and-patch:
    applies-to: security-updates
    patterns:
    - "@angular*"
    update-types:
    - "patch"
    - "minor"
ignore:
  - dependency-name: "@angular*"
    update-types: ["version-update:semver-major"]