Skip to main content

This version of GitHub Enterprise was discontinued on 2023-07-06. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

About Dependabot version updates

You can use Dependabot to keep the packages you use updated to the latest versions.

Dependabot version updates are free to use for repositories (user-owned and organization-owned) on GitHub Enterprise Server, provided enterprise administrators enable the feature for your enterprise.

Note: Your site administrator must set up Dependabot updates for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Enabling Dependabot for your enterprise."

About Dependabot version updates

Dependabot takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.

You enable Dependabot version updates by checking a dependabot.yml configuration file into your repository. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. Dependabot uses this information to check for outdated packages and applications. Dependabot determines if there is a new version of a dependency by looking at the semantic versioning (semver) of the dependency to decide whether it should update to that version. For certain package managers, Dependabot version updates also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. Dependabot version updates can be configured to check vendored dependencies for new versions and update them if necessary.

When Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, Dependabot raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see "Configuring Dependabot version updates."

If you enable security updates, Dependabot also raises pull requests to update vulnerable dependencies. For more information, see "About Dependabot security updates."

When Dependabot raises pull requests, these pull requests could be for security or version updates:

  • Dependabot security updates are automated pull requests that help you update dependencies with known vulnerabilities.
  • Dependabot version updates are automated pull requests that keep your dependencies updated, even when they don’t have any vulnerabilities. To check the status of version updates, navigate to the Insights tab of your repository, then Dependency Graph, and Dependabot.

GitHub Actions is required for Dependabot version updates and Dependabot security updates to run on GitHub Enterprise Server. Before you enable Dependabot updates, you must configure your GitHub Enterprise Server instance to use GitHub Actions with self-hosted runners. For more information, see "Enabling Dependabot for your enterprise."

Frequency of Dependabot pull requests

You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly.

When you first enable version updates, you may have many dependencies that are outdated and some may be many versions behind the latest version. Dependabot checks for outdated dependencies as soon as it's enabled. You may see new pull requests for version updates within minutes of adding the configuration file, depending on the number of manifest files for which you configure updates. Dependabot will also run an update on subsequent changes to the configuration file.

Dependabot may also create pull requests when you change a manifest file after an update has failed. This is because changes to a manifest, such as removing the dependency that caused the update to fail, may cause the newly triggered update to succeed.

To keep pull requests manageable and easy to review, Dependabot raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, remaining pull requests will be opened on the next update, up to that maximum. You can change the maximum number of open pull requests by setting the open-pull-requests-limit configuration option.

For more information, see "Customizing dependency updates."

If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a Dependabot alert for a dependency on your default branch. Dependabot automatically raises a pull request to update the vulnerable dependency.

Supported repositories and ecosystems

You can configure version updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see "Configuration options for the dependabot.yml file."

Note: To ensure that GitHub Enterprise Server supports Dependabot updates for the latest supported ecosystem versions, your enterprise owner must download the most recent version of the Dependabot action. For more information about the action, and for instructions about how to download the most recent version, see "Using the latest version of the official bundled actions."

Note: When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, Dependabot must be able to access the location at which those dependencies are hosted. Organization owners can grant Dependabot access to private repositories containing dependencies for a project within the same organization. For more information, see "Managing security and analysis settings for your organization." You can configure access to private registries in a repository's dependabot.yml configuration file. For more information, see "Configuration options for the dependabot.yml file."

Dependabot doesn't support private GitHub dependencies for all package managers. See the details in the table below.

The following table shows, for each package manager:

  • The YAML value to use in the dependabot.yml file
  • The supported versions of the package manager
  • Whether dependencies in private GitHub repositories or registries are supported
  • Whether vendored dependencies are supported
Package managerYAML valueSupported versionsPrivate repositoriesPrivate registriesVendoring
Bundlerbundlerv1, v2
Cargocargov1 (git only)
Composercomposerv1, v2
Dockerdockerv1Not applicable
Hexmixv1
elm-packageelmv0.19
git submodulegitsubmoduleNot applicableNot applicable
GitHub Actionsgithub-actionsNot applicableNot applicable
Go modulesgomodv1
GradlegradleNot applicable
MavenmavenNot applicable
npmnpmv6, v7, v8, v9
NuGetnuget<= 4.8
pippipv21.1.2
pipenvpip<= 2021-05-29
pip-compilepip6.1.0
poetrypipv1
pubpubv2
Terraformterraform>= 0.13, <= 1.5.xNot applicable
yarnnpmv1

Tip: For package managers such as pipenv and poetry, you need to use the pip YAML value. For example, if you use poetry to manage your Python dependencies and want Dependabot to monitor your dependency manifest file for new versions, use package-ecosystem: "pip" in your dependabot.yml file.

Cargo

Private registry support applies to git registries, and doesn't include cargo registries.

GitHub Actions

Dependabot only supports updates to GitHub Actions using the GitHub repository syntax, such as actions/checkout@v3. Docker Hub and GitHub Packages Container registry URLs are currently not supported.

Gradle

Dependabot doesn't run Gradle but supports updates to the following files:

  • build.gradle, build.gradle.kts (for Kotlin projects)
  • Files included via the apply declaration that have dependencies in the filename. Note that apply does not support apply to, recursion, or advanced syntaxes (for example, Kotlin's apply with mapOf, filenames defined by property).

Maven

Dependabot doesn't run Maven but supports updates to pom.xml files.

NuGet CLI

Dependabot doesn't run the NuGet CLI but does support most features up until version 4.8.

pub

pub support is currently in beta. Any known limitations are subject to change. Note that Dependabot:

  • Doesn't support updating git dependencies for pub.
  • Won't perform an update when the version that it tries to update to is ignored, even if an earlier version is available.

For information about configuring your dependabot.yml file for pub, see "Configuration options for the dependabot.yml file."

If your repository already uses an integration for dependency management, you will need to disable this before enabling Dependabot.

About notifications for Dependabot version updates

You can filter your notifications on GitHub to show notifications for pull requests created by Dependabot. For more information, see "Managing notifications from your inbox."