Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests, configuring dependency update strategies, setting up grouped updates, monorepo patterns, multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub Advanced Security (GHAS) supply chain security topic related to Dependabot.
Install the skill with:

```shell
npx skill4agent add github/awesome-copilot dependabot
```

Dependabot reads its configuration from `.github/dependabot.yml` in the repository's default branch. The file must start with `version: 2`, and each entry under `updates` names its ecosystem with one of the `package-ecosystem` values below:

| Ecosystem | YAML Value | Manifest Files |
|---|---|---|
| npm/pnpm/yarn | `npm` | `package.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock` |
| pip/pipenv/poetry/uv | `pip` (`uv` for `uv.lock` projects) | `requirements.txt`, `Pipfile`, `pyproject.toml` |
| Docker | `docker` | `Dockerfile` |
| Docker Compose | `docker-compose` | `docker-compose.yml` |
| GitHub Actions | `github-actions` | `.github/workflows/*.yml`, `action.yml` |
| Go modules | `gomod` | `go.mod` |
| Bundler (Ruby) | `bundler` | `Gemfile`, `Gemfile.lock` |
| Cargo (Rust) | `cargo` | `Cargo.toml`, `Cargo.lock` |
| Composer (PHP) | `composer` | `composer.json`, `composer.lock` |
| NuGet (.NET) | `nuget` | `*.csproj`, `packages.config`, `Directory.Packages.props` |
| .NET SDK | `dotnet-sdk` | `global.json` |
| Maven (Java) | `maven` | `pom.xml` |
| Gradle (Java) | `gradle` | `build.gradle`, `build.gradle.kts` |
| Terraform | `terraform` | `*.tf` |
| OpenTofu | `opentofu` | `*.tf` |
| Helm | `helm` | `Chart.yaml` |
| Hex (Elixir) | `mix` | `mix.exs`, `mix.lock` |
| Swift | `swift` | `Package.swift` |
| Pub (Dart) | `pub` | `pubspec.yaml` |
| Bun | `bun` | `package.json`, `bun.lock` |
| Dev Containers | `devcontainers` | `devcontainer.json` |
| Git Submodules | `gitsubmodule` | `.gitmodules` |
| Pre-commit | `pre-commit` | `.pre-commit-config.yaml` |
For an npm monorepo, `directories` takes a list of paths and glob patterns, so a single `updates` entry can cover every workspace:

```yaml
directories:
  - "/"           # root
  - "/apps/*"     # all app subdirs
  - "/packages/*" # all package subdirs
  - "/lib-*"      # dirs starting with lib-
  - "**/*"        # recursive (all subdirs)
```

The single-`directory` form and the `directories` form side by side:

```yaml
- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"
```

```yaml
- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"
```

Add `group-by: dependency-name` so that updates to the same dependency across all listed directories land in one pull request instead of one PR per directory:

```yaml
groups:
  monorepo-deps:
    group-by: dependency-name
```

Grouping by dependency type and update type:

```yaml
groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]
```

Grouping by package name pattern:

```yaml
groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]
```

A group that collects only security updates:

```yaml
groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]
```

`applies-to` defaults to `version-updates`, so a group without it never includes security PRs.

Multi-ecosystem groups combine updates from several ecosystems into one PR with a shared schedule and labels:

```yaml
version: 2
multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]
updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"
  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"
```

Every member of a multi-ecosystem group must set `patterns` and name the group in `multi-ecosystem-group`.

Labels applied to the PRs Dependabot opens:

```yaml
labels:
  - "dependencies"
  - "npm"
```

`labels: []` turns off the default labels. Wherever a group takes `update-types`, the accepted values are `major`, `minor` and `patch`.

Commit message format:

```yaml
commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope" # adds deps/deps-dev scope after prefix
```

Assignees and milestone:

```yaml
assignees: ["security-team-lead"]
milestone: 4 # numeric ID from milestone URL
```

Branch name separator and target branch:

```yaml
pull-request-branch-name:
  separator: "-" # default is /
target-branch: "develop" # PRs target this instead of default branch
```

Without `target-branch`, PRs go to the repository's default branch. `schedule.interval` accepts `daily`, `weekly`, `monthly`, `quarterly`, `semiannually`, `yearly` and `cron`:

```yaml
schedule:
  interval: "weekly"
  day: "monday" # for weekly only
  time: "09:00" # HH:MM format
  timezone: "America/New_York"
```

```yaml
schedule:
  interval: "cron"
  cronjob: "0 9 * * 1" # Every Monday at 9 AM
```

Cooldown holds back a new release for a number of days before Dependabot proposes it, with per-semver-level overrides and include/exclude lists. Waiting out a few days lets maliciously published or quickly yanked versions get caught before they reach your PRs:

```yaml
cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]
```

Security update configuration: collect every security fix into one PR instead of one PR per advisory:

```yaml
groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]
```

To stop version-update PRs for an ecosystem while keeping the rest of its configuration (registries, groups) in place for security updates:

```yaml
open-pull-requests-limit: 0 # disables version update PRs
```

Dependabot PRs are driven with `@dependabot` comments. Note: As of January 2026, merge/close/reopen commands have been deprecated. Use GitHub's native UI, CLI (`gh pr merge`), or auto-merge instead.
| Command | Effect |
|---|---|
| `@dependabot rebase` | Rebase the PR |
| `@dependabot recreate` | Recreate the PR from scratch |
| `@dependabot ignore this dependency` | Close and never update this dependency |
| `@dependabot ignore this major version` | Ignore this major version |
| `@dependabot ignore this minor version` | Ignore this minor version |
| `@dependabot ignore this patch version` | Ignore this patch version |
Ignore conditions can also be managed from a PR comment: `@dependabot ignore DEPENDENCY_NAME`, `@dependabot unignore DEPENDENCY_NAME`, `@dependabot unignore *`, and `@dependabot show DEPENDENCY_NAME ignore conditions`. The full command list is in `references/pr-commands.md`.

`ignore` in the config file skips a dependency entirely, a class of update for it, or specific versions:

```yaml
ignore:
  - dependency-name: "lodash"                          # never update lodash
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]      # skip patch bumps only
  - dependency-name: "express"
    versions: ["5.x"]                                  # stay off the 5.x line
```

`allow` restricts which dependencies Dependabot maintains at all:

```yaml
allow:
  - dependency-type: "production"
  - dependency-name: "express"
```

`allow` and `ignore` can be used together in the same update entry. `exclude-paths` keeps Dependabot out of vendored or fixture directories:

```yaml
exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"
```

`versioning-strategy` controls how manifest version ranges are rewritten:

| Value | Behavior |
|---|---|
| `auto` | Default — increase for apps, widen for libraries |
| `increase` | Always increase minimum version |
| `increase-if-necessary` | Only change if current range excludes new version |
| `lockfile-only` | Only update lockfiles, ignore manifests |
| `widen` | Widen range to include both old and new versions |
Stop Dependabot from rebasing its PRs automatically:

```yaml
rebase-strategy: "disabled" # stop auto-rebasing
```

Including `[dependabot skip]` in the message of a commit you push to a Dependabot branch lets Dependabot keep rebasing that PR afterwards.

Concurrent PR limit:

```yaml
open-pull-requests-limit: 10 # default is 5 for version, 10 for security
```

A limit of `0` disables version updates for that entry.

Private registries are declared once under `registries` and referenced per update. Credentials must come from repository secrets via `${{secrets.NAME}}`; a literal token in `dependabot.yml` is a credential committed to git history:

```yaml
registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private
```

Reference files bundled with the skill:

- `references/dependabot-yml-reference.md`
- `references/pr-commands.md`
- `references/example-configs.md`
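As an added check (not part of the awesome-copilot skill or of Dependabot itself), the linter below runs over a loaded `dependabot.yml` and flags the mistakes this guide warns about: a literal registry token instead of a `${{secrets.*}}` reference, both or neither of `directory`/`directories`, a `cron` interval without `cronjob`, an `ignore` update-type missing the `version-update:` prefix, a reference to an undefined registry, and a limit of `0` that silently disables version updates. `SAMPLE` is a constructed config mirroring the guide's snippets; in practice pass the result of `yaml.safe_load()` on the real file.

```python
INTERVALS = {"daily", "weekly", "monthly", "quarterly", "semiannually", "yearly", "cron"}


def lint_dependabot(cfg: dict) -> list:
    """Return human-readable findings for a loaded dependabot.yml (empty list = clean)."""
    findings = []
    if cfg.get("version") != 2:
        findings.append("version must be 2")
    registries = cfg.get("registries") or {}
    for name, reg in registries.items():
        # A literal credential here ends up in git history; it must be a ${{secrets.*}} reference
        for key in ("token", "password", "key"):
            val = reg.get(key)
            if isinstance(val, str) and not val.startswith("${{secrets."):
                findings.append(f"registries.{name}.{key} is a hard-coded credential; use ${{{{secrets.NAME}}}}")
    for i, upd in enumerate(cfg.get("updates") or []):
        where = f"updates[{i}]"
        if "package-ecosystem" not in upd:
            findings.append(f"{where}: package-ecosystem is required")
        if ("directory" in upd) == ("directories" in upd):  # neither set, or both set
            findings.append(f"{where}: set exactly one of directory / directories")
        sched = upd.get("schedule") or {}
        interval = sched.get("interval")
        if interval not in INTERVALS:
            findings.append(f"{where}: schedule.interval {interval!r} is not a valid interval")
        elif interval == "cron" and "cronjob" not in sched:
            findings.append(f"{where}: interval cron needs a cronjob expression")
        if upd.get("open-pull-requests-limit") == 0:
            findings.append(f"{where}: open-pull-requests-limit 0 disables version-update PRs")
        for reg in upd.get("registries") or []:
            if reg not in registries:
                findings.append(f"{where}: references undefined registry {reg!r}")
        for ign in upd.get("ignore") or []:
            for ut in ign.get("update-types") or []:
                if not ut.startswith("version-update:semver-"):
                    findings.append(f"{where}: ignore update-type {ut!r} must be version-update:semver-*")
    return findings


SAMPLE = {  # constructed (shape of yaml.safe_load output) with deliberate mistakes to exercise the linter
    "version": 2,
    "registries": {"npm-private": {"type": "npm-registry", "url": "https://npm.example.com", "token": "npm_LITERAL"}},
    "updates": [
        {"package-ecosystem": "npm", "directories": ["/", "/packages/*"], "registries": ["npm-private"],
         "schedule": {"interval": "cron", "cronjob": "0 9 * * 1"},
         "groups": {"security-patches": {"applies-to": "security-updates", "patterns": ["*"]}}},
        {"package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "weekly"},
         "open-pull-requests-limit": 0, "ignore": [{"dependency-name": "nginx", "update-types": ["semver-major"]}]},
    ],
}
```

Running `lint_dependabot(SAMPLE)` yields three findings: the literal token, the zero limit on the docker entry, and the malformed ignore update-type.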