About Dependabot version updates

You can use Dependabot to keep the packages you use updated to the latest versions.


Note: Dependabot version updates are currently in beta and subject to change. To use the beta feature, check in a configuration file to tell Dependabot which dependencies to maintain for you. For details, see "Enabling and disabling version updates."

About Dependabot version updates

Dependabot takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.

You enable Dependabot version updates by checking a configuration file in to your repository. The configuration file specifies the location of the manifest, or other package definition files, stored in your repository. Dependabot uses this information to check for outdated packages and applications, and decides whether a newer release is an eligible update by comparing the semantic version (semver) of the dependency in your manifest against the versions that are available.

For certain package managers, Dependabot version updates also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository, rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. Dependabot version updates can be configured to check vendored dependencies for new versions and update them if necessary.

When Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, Dependabot raises a pull request to directly replace the outdated dependency with the new version. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "Enabling and disabling version updates."

If you enable security updates, Dependabot also raises pull requests to update vulnerable dependencies. For more information, see "About Dependabot security updates."

Dependabot and all related features are covered by GitHub's Terms of Service.

Frequency of Dependabot pull requests

You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly.

When you first enable version updates, you may have many dependencies that are outdated and some may be many versions behind the latest version. Dependabot checks for outdated dependencies as soon as it's enabled. You may see new pull requests for version updates within minutes of adding the configuration file, depending on the number of manifest files for which you configure updates.

To keep pull requests manageable and easy to review, Dependabot raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, then further pull requests are opened up to a maximum of five (you can change this limit).

If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a Dependabot alert for a dependency on your default branch. Dependabot automatically raises a pull request to update the vulnerable dependency.

Supported repositories and ecosystems

You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "Configuration options for dependency updates."

When running version updates, Dependabot must be able to resolve all dependencies from their source to verify that version updates have been successful. If your manifest or lock files contain any dependencies hosted in private GitHub repositories within your organization, Dependabot must be able to access those repositories. Organization owners can configure this. For more information, see "Managing security and analysis settings for your organization."

Currently, Dependabot version updates doesn't support manifest or lock files that contain any dependencies hosted in private registries, or in private GitHub repositories that belong to a different organization than the dependent project. Additionally, Dependabot doesn't support private GitHub dependencies for all package managers. See the details in the table below.

The following table shows, for each package manager, whether Dependabot supports dependencies in private GitHub repositories and whether it supports vendored dependencies.

Package manager: package-ecosystem value | Private GitHub repositories | Vendoring
Bundler: bundler
Cargo: cargo
Composer: composer
Docker: docker
Elixir: hex
Elm: elm
git submodule: gitsubmodule
GitHub Actions: github-actions
Go modules: gomod
Gradle: gradle
Maven: maven
Mix: mix
npm: npm
NuGet: nuget
pip: pip
Terraform: terraform

Note: Dependabot also supports the following package managers:

- yarn (v1 only) (specify npm)

- pipenv, pip-compile, and poetry (specify pip)

For example, if you use poetry to manage your Python dependencies and want Dependabot to monitor your dependency manifest file for new versions, use package-ecosystem: "pip" in your dependabot.yml file.
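Putting the points above together (schedule interval, the cap on open pull requests, vendoring, and the poetry and yarn aliases), here is an added example dependabot.yml. It is not taken from this page or from GitHub's own samples; the directories, ecosystems, interval choices and the raised pull-request limit are assumptions chosen to illustrate each option.

```yaml
# Added example dependabot.yml (not from the GitHub docs page). The
# directories, ecosystems and limits below are assumptions for illustration.
version: 2
updates:
  # Poetry-managed Python project: the page says to specify "pip" for
  # pipenv, pip-compile and poetry.
  - package-ecosystem: "pip"
    directory: "/"               # where pyproject.toml / requirements live
    schedule:
      interval: "weekly"         # daily, weekly or monthly
    open-pull-requests-limit: 10 # raise the default cap of five open PRs

  # Go modules with vendored dependencies checked in under /vendor:
  # vendor: true asks Dependabot to replace the vendored copies, not just
  # bump go.mod / go.sum.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
    vendor: true

  # yarn v1 project in a subdirectory: specify "npm" as the ecosystem.
  - package-ecosystem: "npm"
    directory: "/web"            # directory containing package.json
    schedule:
      interval: "monthly"
```

Each entry under updates is checked on its own schedule, and open-pull-requests-limit applies per entry, so the Python project above may accumulate up to ten open version-update pull requests while the other two keep the default of five. Security-update pull requests are raised separately from these limits, as described earlier on this page.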

If your repository already uses an integration for dependency management, you will need to disable this before enabling Dependabot. For more information, see "About integrations."
