Note: GitHub Dependabot version updates are currently in beta and subject to change. To use the beta feature, check in a configuration file to tell GitHub Dependabot which dependencies to maintain for you. For details, see "Enabling and disabling version updates."
GitHub Dependabot is a GitHub App that takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.
You enable GitHub Dependabot version updates by checking a configuration file into your repository. The configuration file specifies the location of the manifest, or other package definition files, stored in your repository. The app uses this information to check for outdated packages and applications. When the app identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "Enabling and disabling version updates."
If you enable security updates, GitHub Dependabot also raises pull requests to update vulnerable dependencies. For more information, see "Configuring GitHub Dependabot security updates."
You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly.
When you first enable version updates, you may have many dependencies that are outdated and some may be many versions behind the latest version. GitHub Dependabot checks for outdated dependencies as soon as the app is installed. You may see new pull requests for version updates within minutes of adding the configuration file, depending on the number of manifest files for which you configure updates.
To keep pull requests manageable and easy to review, the app raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, further pull requests are opened, up to the maximum of five. You can change this limit with the open-pull-requests-limit option in the configuration file.
If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a Dependabot alert for a dependency on your default branch. GitHub Dependabot automatically raises a pull request to update the vulnerable dependency.
You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers.
- git submodule:
- GitHub Actions:
- Go modules:
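The following is an added example of a version-updates configuration file for the three ecosystems listed above; it is not configuration taken from this page or from any particular repository. It shows the per-ecosystem schedule interval (daily, weekly, or monthly) and the open-pull-requests-limit option described earlier. The file path, the choice of a root directory for every manifest, and the specific intervals and limits are assumptions for illustration.

```yaml
# .github/dependabot.yml (added example; not the page's own configuration)
version: 2
updates:
  # Go modules: go.mod and go.sum at the repository root
  - package-ecosystem: "gomod"
    directory: "/"                 # assumption: the manifest lives at the repo root
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10   # raise the default of five open version-update PRs

  # GitHub Actions: for this ecosystem "/" means the workflow files in .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # no open-pull-requests-limit given, so the default of five applies

  # git submodules declared in .gitmodules
  - package-ecosystem: "gitsubmodule"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 2    # keep submodule bumps to a trickle for reviewers
```

Each entry under updates is checked on its own schedule and has its own pull request limit, so a noisy ecosystem can be throttled without slowing down the others. Setting open-pull-requests-limit to 0 on an entry turns off version updates for that ecosystem while leaving the rest of the file in effect.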
If your repository already uses an integration for dependency management, you will need to disable this before enabling GitHub Dependabot. For more information, see "About integrations."