By default, Dependabot opens a new pull request to update each dependency. When you enable security updates, new pull requests are opened when a vulnerable dependency is found. When you configure version updates for one or more ecosystems, new pull requests are opened when new versions of dependencies are available, with the frequency defined in the dependabot.yml file.
If your project has many dependencies, you might find that you have a very large number of Dependabot pull requests to review and merge, which can quickly become difficult to manage.
There are a couple of customization options you can implement to optimize Dependabot update pull requests to align with your processes, such as:
- Controlling the frequency with which Dependabot checks for newer versions of your dependencies with
schedule. - Prioritize meaningful updates with
groups.
Controlling the frequency and timings of dependency updates
Dependabot runs its checks for version updates at a frequency set by you in the configuration file (where the required field, schedule.interval, must be set to daily, weekly, or monthly).
By default, Dependabot balances its workload by assigning a random time to check and raise pull requests for dependency updates.
However, to reduce distraction, or to better organize time and resources for reviewing and addressing version updates, you might find it useful to modify the frequency and timings. For example, you may prefer Dependabot to run weekly rather than daily checks for updates, and at a time that ensures pull requests are raised before for your team's triage session.
You can use schedule with a combination of options to modify the frequency and timings of when Dependabot checks for version updates
The example dependabot.yml file below changes the npm configuration to specify that Dependabot should check for version updates to npm dependencies every day at 02:00 Japanese Standard Time (UTC +09:00).
# `dependabot.yml` file with
# customized schedule for version updates
version: 2
updates:
# Keep npm dependencies up to date
- package-ecosystem: "npm"
directory: "/"
# Check the npm registry every week on Tuesday at 02:00 Japan Standard Time (UTC +09:00)
schedule:
interval: "weekly"
day: "tuesday"
time: "02:00"
timezone: "Asia/Tokyo"
# `dependabot.yml` file with
# customized schedule for version updates
version: 2
updates:
# Keep npm dependencies up to date
- package-ecosystem: "npm"
directory: "/"
# Check the npm registry every week on Tuesday at 02:00 Japan Standard Time (UTC +09:00)
schedule:
interval: "weekly"
day: "tuesday"
time: "02:00"
timezone: "Asia/Tokyo"
See also schedule.
Prioritizing meaningful updates
You can use groups to consolidate updates for multiple dependencies into a single pull request. This helps you focus your review time on higher risk updates, and minimize the time spent reviewing minor version updates. For example, you can combine updates for minor or patch updates for development dependencies into a single pull request, and have a dedicated group for security or version updates that impact a key area of your codebase.
You must configure groups per individual package ecosystem, then you can create multiple groups per package ecosystem using a combination of criteria:
- Type of dependency:
dependency-type. - Dependency name:
patternsandexclude-patterns - Semantic versioning levels:
update-types
To see all supported values for each criterion, see groups.
The below examples present several different methods to create groups of dependencies using the criteria.
Example 1: Three version update groups
In this example, the dependabot.yml file:
- Creates three groups, called "
production-dependencies", "development-dependencies", and "rubocop". - Uses
patternsanddependency-typeto include dependencies in the group. - Uses
exclude-patternsto exclude a dependency (or multiple dependencies) from the group.
version: 2
updates:
# Keep bundler dependencies up to date
- package-ecosystem: "bundler"
directory: "/"
schedule:
interval: "weekly"
groups:
production-dependencies:
dependency-type: "production"
development-dependencies:
dependency-type: "development"
exclude-patterns:
- "rubocop*"
rubocop:
patterns:
- "rubocop*"
As a result:
- Version updates are grouped by dependency type.
- Development dependencies matching the pattern
rubocop*are excluded from thedevelopment-dependenciesgroup. - Instead, development dependencies matching
rubocop*will be included in therubocopgroup. Due to the ordering, production dependencies matchingrubocop*will be included in theproduction-dependenciesgroup.
Example 2: Grouped updates with excluded dependencies
In this example, the dependabot.yml file:
- Creates a group called "
support-dependencies", as part of a customized Bundler configuration. - Uses
patternsthat match with the name of a dependency (or multiple dependencies) to include dependencies in the group. - Uses
exclude-patternsthat match with the name of a dependency (or multiple dependencies) to exclude dependencies from the group.
version: 2
updates:
# Keep bundler dependencies up to date
- package-ecosystem: "bundler"
directory: "/"
schedule:
interval: "weekly"
# Create a group of dependencies to be updated together in one pull request
groups:
# Specify a name for the group, which will be used in pull request titles
# and branch names
support-dependencies:
# Define patterns to include dependencies in the group (based on
# dependency name)
patterns:
- "rubocop" # A single dependency name
- "rspec*" # A wildcard string that matches multiple dependency names
- "*" # A wildcard that matches all dependencies in the package
# ecosystem. Note: using "*" may open a large pull request
# Define patterns to exclude dependencies from the group (based on
# dependency name)
exclude-patterns:
- "gc_ruboconfig"
- "gocardless-*"
As a result:
- The majority of dependencies for bundler are consolidated into the
support-dependenciesgroup due to the wildcard ("*") pattern, apart from - Dependencies that match
gc_ruboconfigandgocardless-*are excluded from the group, and Dependabot continues to raise single pull requests for these dependencies. This can be helpful if updates for these dependencies need to be reviewed with closer scrutiny. - For
support-dependencies, Dependabot will only raise pull requests for version updates.
Example 3: Individual pull requests for major updates and grouped for minor/patch updates
In this example, the dependabot.yml file:
- Creates a group called "
angular". - Uses
patternsthat match with the name of a dependency to include dependencies in the group. - Uses
update-typeto only includeminororpatchupdates in the group.
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
groups:
# Specify a name for the group, which will be used in pull request titles
# and branch names
angular:
patterns:
- "@angular*"
update-types:
- "minor"
- "patch"
As a result:
- Dependabot will create a grouped pull request for all Angular dependencies that have a minor or patch update.
- All major updates will continue to be raised as individual pull requests.
Example 4: Grouped pull requests for minor/patch updates and no pull requests for major updates
In this example, the dependabot.yml file:
- Creates two groups called "
angular" and "minor-and-patch". - Uses
update-typeto only includeminororpatchupdates for both groups. - Uses an
ignorecondition to exclude updates tomajorversions of@angular*packages.
version: 2
updates:
# Keep npm dependencies up to date
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
groups:
angular:
patterns:
- "@angular*"
update-types:
- "minor"
- "patch"
ignore:
- dependency-name: "@angular*"
update-types: ["version-update:semver-major"]
As a result:
- Minor and patch version updates for Angular dependencies are grouped into a single pull request.
- Minor and patch security updates for Angular dependencies are also grouped together into a single pull request.
- Dependabot won't automatically open pull requests for major updates for Angular.