Enabling and disabling version updates

You can configure your repository so that Dependabot de GitHub automatically updates the packages you use.

People with write permissions to a repository can enable or disable Actualizaciones de versión para el Dependabot de GitHub for the repository.

About version updates for dependencies

You enable Actualizaciones de versión para el Dependabot de GitHub by checking a dependabot.yml configuration file in to your repository's .github directory. Dependabot de GitHub then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "Configuring Actualizaciones de seguridad del Dependabot de GitHub."

Cuando habilitas las actualizaciones de versión por primera vez, podrías tener muchas dependencias desactualizadas y algunas podrían estar varias versiones debajo de la última. Dependabot de GitHub verifica las dependencias que estén desactualizadas tan pronto se habilita. Podrías ver nuevas solicitudes de extracción para las actualizaciones de versión después de algunos minutos de haber agregado el archivo de configuración, dependiendo de la cantidad de archivos de manifiesto para los cuales configuras las actualizaciones.

Para mantener la fácil administración y revisión de las solicitudes de extracción, levanta un máximo de cinco solicitudes de extracción para comenzar a actualizar a las dependencias a su versión más reciente. Si fusionas algunas de estas primeras solicitudes de extracción antes de la siguiente actualización programada, entonces se abrirá un máximo de cinco solicitudes para todas aquellas subsecuentes (puedes cambiar este límite). For more information, see "Customizing dependency updates."

When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, Dependabot de GitHub must be able to access the location at which those dependencies are hosted. Organization owners can grant Dependabot de GitHub access to private repositories containing dependencies for a project within the same organization. For more information, see "Managing security and analysis settings for your organization." You can configure access to private registries in a repository's dependabot.yml configuration file. For more information, see "Configuration options for dependency updates." Additionally, Dependabot de GitHub doesn't support private GitHub dependencies for all package managers. For more information, see "About Dependabot version updates" and "GitHub language support."

Enabling Actualizaciones de versión para el Dependabot de GitHub

  1. Crea un archivo de configuración dependabot.yml. For information, see "Configuration options for dependency updates."
  2. Add a version.
  3. Optionally, if you have dependencies in a private registry, add a registries section containing authentication details.
  4. Add an updates section, with an entry for each package manager you want Dependabot de GitHub to monitor.
  5. For each package manager, use:
    • package-ecosystem to specify the package manager.
    • directory to specify the location of the manifest or other definition files.
    • schedule.interval to specify how often to check for new versions.
  6. Revisa el archivo de configuración dependabot.yml en el directorio .github del repositorio.

Example dependabot.yml file

The example dependabot.yml file below configures version updates for two package managers: npm and Docker. When this file is checked in, Dependabot de GitHub checks the manifest files on the default branch for outdated dependencies. If it finds outdated dependencies, it will raise pull requests against the default branch to update the dependencies.

# Basic dependabot.yml file with
# minimum configuration for two package managers

version: 2
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and `lock` files in the `root` directory
    directory: "/"
    # Check the npm registry for updates every day (weekdays)
      interval: "daily"

  # Enable version updates for Docker
  - package-ecosystem: "docker"
    # Look for a `Dockerfile` in the `root` directory
    directory: "/"
    # Check for updates once a week
      interval: "weekly"

In the example above, if the Docker dependencies were very outdated, you might want to start with a daily schedule until the dependencies are up-to-date, and then drop back to a weekly schedule.

Enabling version updates on forks

If you want to enable version updates on forks, there's an extra step. Version updates are not automatically enabled on forks when a dependabot.yml configuration file is present. This ensures that fork owners don't unintentionally enable version updates when they pull changes including a dependabot.yml configuration file from the original repository.

On a fork, you also need to explicitly enable Dependabot de GitHub.

  1. En GitHub, visita la página principal del repositorio.
  2. Debajo de tu nombre de repositorio, da clic en Perspectivas. Pestaña de perspectivas en la barra de navegación del repositorio principal
  3. En la barra lateral izquierda, da clic en Gráfica de dependencias. Pestaña de gráfica de dependencias en la barra lateral izquierda
  4. Debajo de "Gráfica de dependencias", da clic en ****. Gráfica de dependencias, pestaña de
  5. Under "Enable Dependabot", click Enable Dependabot.

Checking the status of version updates

After you enable version updates, you'll see a new Dependabot tab in the dependency graph for the repository. This tab shows which package managers Dependabot de GitHub is configured to monitor and when Dependabot de GitHub last checked for new versions.

Repository Insights tab, Dependency graph, Dependabot tab

For information, see "Listing dependencies configured for version updates."

Disabling Actualizaciones de versión para el Dependabot de GitHub

You can disable version updates entirely by deleting the dependabot.yml file from your repository. More usually, you want to disable updates temporarily for one or more dependencies, or package managers.

  • Package managers: disable by setting open-pull-requests-limit: 0 or by commenting out the relevant package-ecosystem in the configuration file.
  • Specific dependencies: disable by adding ignore attributes for packages or applications that you want to exclude from updates.

When you disable dependencies, you can use wild cards to match a set of related libraries. You can also specify which versions to exclude. This is particularly useful if you need to block updates to a library, pending work to support a breaking change to its API, but want to get any security fixes to the version you use.

Example disabling version updates for some dependencies

The example dependabot.yml file below includes examples of the different ways to disable updates to some dependencies, while allowing other updates to continue.

# dependabot.yml file with updates
# disabled for Docker and limited for npm

version: 2
  # Configuration for Dockerfile
  - package-ecosystem: "docker"
    directory: "/"
      interval: "weekly"
      # Disable all pull requests for Docker dependencies
    open-pull-requests-limit: 0

  # Configuration for npm
  - package-ecosystem: "npm"
    directory: "/"
      interval: "daily"
      # Ignore updates to packages that start with 'aws'
      # Wildcards match zero or more arbitrary characters
      - dependency-name: "aws*"
      # Ignore some updates to the 'express' package
      - dependency-name: "express"
        # Ignore only new versions for 4.x and 5.x
        versions: ["4.x", "5.x"]
      # For all packages, ignore all patch updates
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]

For more information about checking for existing ignore preferences, see "Configuration options for dependency updates."

Did this doc help you?Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

O, learn how to contribute.