About Dependabot version updates

You can use GitHub Dependabot to keep the packages you use updated to the latest versions.

About GitHub Dependabot version updates

GitHub Dependabot takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.

You enable GitHub Dependabot version updates by checking a configuration file into your repository. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. GitHub Dependabot uses this information to check for outdated packages and applications. GitHub Dependabot determines whether there is a new version of a dependency by looking at the semantic versioning (semver) of the dependency, and uses that to decide whether it should update to that version. For certain package managers, GitHub Dependabot version updates also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. GitHub Dependabot version updates can be configured to check vendored dependencies for new versions and update them if necessary.

When GitHub Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, GitHub Dependabot raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "Enabling and disabling version updates."

If you enable security updates, GitHub Dependabot also raises pull requests to update vulnerable dependencies. For more information, see "About GitHub Dependabot security updates."

When GitHub Dependabot raises pull requests, these pull requests could be for security or version updates:

  • GitHub Dependabot security updates are automated pull requests that help you update dependencies with known vulnerabilities.
  • GitHub Dependabot version updates are automated pull requests that keep your dependencies updated, even when they don't have any vulnerabilities. To check the status of version updates, navigate to the Insights tab of your repository, then Dependency Graph, and GitHub Dependabot.

GitHub Dependabot and all of its related features are covered by the GitHub Terms of Service.

Frequency of GitHub Dependabot pull requests

You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly.

When you first enable version updates, you may have many outdated dependencies, and some may be several versions behind the latest. GitHub Dependabot checks for outdated dependencies as soon as it is enabled. You may see new pull requests for version updates within minutes of adding the configuration file, depending on the number of manifest files for which you configure updates.

To keep pull requests manageable and easy to review, Dependabot raises a maximum of five pull requests to start updating dependencies to their latest version. If you merge some of these first pull requests before the next scheduled update, a maximum of five pull requests is opened for all subsequent updates (you can change this limit).
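The following dependabot.yml is an added example, not a file from the GitHub docs or from any particular project. It shows how the check frequency, the open-pull-request limit mentioned above, and vendoring are expressed for two ecosystems; the repository layout (a Gemfile at the root and a workflow directory) is assumed for illustration.

```yaml
# Added example configuration (not from the original page); paths are assumed.
version: 2
updates:
  # Ruby gems in the repository root, checked once a week.
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
    # Raise at most ten open version-update pull requests at a time
    # (the default described above is five).
    open-pull-requests-limit: 10
    # Gems are vendored under vendor/cache; update the checked-in copies too.
    vendor: true

  # Actions used by workflows under .github/workflows, checked monthly.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

Each entry under updates is one ecosystem at one directory, and the schedule interval is set per entry, so a fast-moving ecosystem can be checked daily while a stable one is checked monthly. Keeping the pull-request limit low is what keeps the review queue tractable; raising it only makes sense once the team actually reviews and merges what Dependabot opens.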

If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a GitHub Dependabot alert for a dependency on your default branch. GitHub Dependabot automatically raises a pull request to update the vulnerable dependency.

Supported repositories and ecosystems

You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "Configuration options for dependency updates."

When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, GitHub Dependabot must be able to access the location at which those dependencies are hosted. Organization owners can grant GitHub Dependabot access to private repositories containing dependencies for a project within the same organization. For more information, see "Managing security and analysis settings for your organization." You can configure access to private registries in a repository's dependabot.yml configuration file. For more information, see "Configuration options for dependency updates."
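As an added example of the private-registry configuration described above (not a file from the GitHub docs or from any project), the dependabot.yml below declares one private npm registry and tells the npm update entry to use it. The registry URL and the secret name NPM_TOKEN are assumed; the token value itself lives in the repository's Dependabot secrets, never in the file.

```yaml
# Added example configuration (not from the original page); URL and secret name are assumed.
version: 2
registries:
  # Private npm registry; the credential is read from a Dependabot secret
  # named NPM_TOKEN, so no token is ever committed to the repository.
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Without this list the registry above is declared but unused.
    registries:
      - npm-private
```

Declaring a registry under registries is not enough on its own: each updates entry must name the registries it is allowed to use, which keeps a credential scoped to the ecosystem that needs it rather than exposed to every update job.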

GitHub Dependabot doesn't support private GitHub dependencies for all package managers. The supported package managers, and the value used for each in the dependabot.yml file, are listed in the table below.

| Package manager | YAML value |
| --- | --- |
| Bundler | bundler |
| Cargo | cargo |
| Composer | composer |
| Docker | docker |
| Elm | elm |
| git submodule | gitsubmodule |
| GitHub Actions | github-actions |
| Go modules | gomod |
| Gradle | gradle |
| Maven | maven |
| Mix | mix |
| npm | npm |
| NuGet | nuget |
| pip | pip |
| Terraform | terraform |

If your repository already uses an integration for dependency management, you will need to disable this before enabling GitHub Dependabot. For more information, see "About integrations."

About notifications for GitHub Dependabot version updates

You can filter your notifications on GitHub to show GitHub Dependabot version updates. For more information, see "Managing notifications from your inbox."
