Enabling and disabling version updates

You can configure your repository so that GitHub Dependabot automatically updates the packages you use.

People with write permissions to a repository can enable or disable GitHub Dependabot version updates for the repository.

In this article

Did this doc help you?

Note: GitHub Dependabot version updates are currently in beta and subject to change. To use the beta feature, follow the instructions in this article.

About version updates for dependencies

You enable GitHub Dependabot version updates by checking a dependabot.yml configuration file in to your repository's .github directory. Dependabot then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "Configuring GitHub Dependabot security updates."

When you first enable version updates, you may have many dependencies that are outdated and some may be many versions behind the latest version. GitHub Dependabot checks for outdated dependencies as soon as it's enabled. You may see new pull requests for version updates within minutes of adding the configuration file, depending on the number of manifest files for which you configure updates.

To keep pull requests manageable and easy to review, Dependabot raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, then further pull requests are opened up to a maximum of five (you can change this limit). For more information, see "Customizing dependency updates."

Enabling GitHub Dependabot version updates

Currently, GitHub Dependabot version updates doesn't support manifest or lock files that contain any private git dependencies or private git registries. This is because, when running version updates, Dependabot must be able to resolve all dependencies from their source to verify that version updates have been successful.

  1. Create a dependabot.yml configuration file.
  2. Use package-ecosystem to specify the package managers to monitor.
  3. For each package manager, use:
    • directory to specify the location of the manifest or other definition files.
    • schedule.interval to specify how often to check for new versions.
  4. Check the dependabot.yml configuration file in to the .github directory of the repository.

Example dependabot.yml file

The example dependabot.yml file below configures version updates for two package mangers: npm and Docker. When this file is checked in, GitHub Dependabot checks the manifest files on the default branch for outdated dependencies. If it finds outdated dependencies, it will raise pull requests against the default branch to update the dependencies.

# Basic dependabot.yml file with
# minimum configuration for two package managers

version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and `lock` files in the `root` directory
    directory: "/"
    # Check the npm registry for updates every day (weekdays)
    schedule:
      interval: "daily"

  # Enable version updates for Docker
  - package-ecosystem: "docker"
    # Look for a `Dockerfile` in the `root` directory
    directory: "/"
    # Check for updates once a week
    schedule:
      interval: "weekly"

In the example above, if the Docker dependencies were very outdated, you might want to start with a daily schedule until the dependencies are up-to-date, and then drop back to a weekly schedule.

Enabling version updates on forks

If you want to enable version updates on forks, there's an extra step. Version updates are not automatically enabled on forks when a dependabot.yml configuration file is present. This ensures that fork owners don't unintentionally enable version updates when they pull changes including a dependabot.yml configuration file from the original repository.

On a fork, you also need to explicitly enable GitHub Dependabot.

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Insights.
    Insights tab in the main repository navigation bar
  3. In the left sidebar, click Dependency graph.
    Dependency graph tab in the left sidebar
  4. Under "Dependency graph", click Dependabot.
    Dependency graph, Dependabot tab
  5. Under "Enable Dependabot", click Enable Dependabot.

Checking the status of version updates

After you enable version updates, you'll see a new Dependabot tab in the dependency graph for the repository. This tab shows which package managers GitHub Dependabot is configured to monitor and when Dependabot last checked for new versions.

Repository Insights tab, Dependency graph, Dependabot tab

For information, see "Listing dependencies configured for version updates."

Disabling GitHub Dependabot version updates

You can disable version updates entirely by deleting the dependabot.yml file from your repository. More usually, you want to disable updates temporarily for one or more dependencies, or package managers.

  • Package managers: disable by setting open-pull-requests-limit: 0 or by commenting out the relevant package-ecosystem in the configuration file.
  • Specific dependencies: disable by adding ignore attributes for packages or applications that you want to exclude from updates.

When you disable dependencies, you can use wild cards to match a set of related libraries. You can also specify which versions to exclude. This is particularly useful if you need to block updates to a library, pending work to support a breaking change to its API, but want to get any security fixes to the version you use.

Example disabling version updates for some dependencies

The example dependabot.yml file below includes examples of the different ways to disable updates to some dependencies, while allowing other updates to continue.

# dependabot.yml file with updates
# disabled for Docker and limited for npm

version: 2
updates:
  # Configuration for Dockerfile
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
      # Disable all pull requests for Docker dependencies
    open-pull-requests-limit: 0

  # Configuration for npm
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    # Overwrite any ignores created using `@dependabot ignore` commands
    ignore:
      # Ignore updates to packages that start 'aws'
      # Wildcards match zero or more arbitrary characters
      - dependency-name: "aws*"
      # Ignore some updates to the 'express' package
      - dependency-name: "express"
        # Ignore only new versions for 4.x and 5.x
        versions: ["4.x", "5.x"]

Warning: Before you add an ignore option to the dependabot.yml configuration file, check whether the repository already has any ignore preferences (created using the @dependabot ignore commands). When you add an ignore option to the dependabot.yml configuration file, this overwrites any ignore preferences stored centrally for that package manager, branch, and directory.

This affects both security and version updates.

For more information about checking for existing ignore preferences, see "Configuration options for dependency updates."

Did this doc help you?