# Dependabot > Dependabot is GitHub's automated dependency management tool designed to help you maintain secure and up-to-date project dependencies. The service monitors vulnerabilities in your project's dependencie --- # Dependabot Overview Source: https://docs.github.com/en/code-security/dependabot ## What is Dependabot? Dependabot is GitHub's automated dependency management tool designed to help you maintain secure and up-to-date project dependencies. The service monitors vulnerabilities in your project's dependencies and enables automatic updates. ## Core Capabilities ### Vulnerability Detection Dependabot identifies security vulnerabilities within your project's dependency ecosystem. It continuously scans your dependencies against known vulnerability databases to alert you to potential risks. ### Automated Updates The tool offers two primary update mechanisms: **Security Updates**: Automatically generates pull requests to address dependencies with known vulnerabilities. When a vulnerability is discovered, Dependabot can immediately propose fixes. **Version Updates**: Maintains your dependencies at current versions through regular automated pull requests. This keeps your projects current beyond just security patches. ### Alert Management Dependabot provides comprehensive alert handling including: - Configuration of alert sensitivity and scope - Auto-triage rules for intelligent alert prioritization - Delegated dismissal workflows for team-based decision-making - Customizable notifications ## The Three Dependabot Features ### 1. Dependabot Alerts Informs you about vulnerabilities in the dependencies that you use in your repository. The system alerts users to every vulnerable dependency in the full dependency graph. ### 2. Dependabot Security Updates Automatically generates pull requests when vulnerabilities are detected. When a Dependabot alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot automatically tries to fix it by raising a pull request. ### 3. Dependabot Version Updates "Takes the effort out of maintaining your dependencies" by automatically keeping packages current with their latest releases. Dependabot uses semantic versioning to determine when updates are available, then automatically raises pull requests to update manifests to the latest dependency versions. ## Ecosystem Support Dependabot supports numerous package management ecosystems across different programming languages and platforms, enabling broad coverage for various project types. This includes: - Python (pip) - Node.js (npm, yarn) - Ruby (bundler) - Java (Maven, Gradle) - Go (go modules) - Rust (Cargo) - PHP (Composer) - .NET (NuGet) - Docker - Terraform - And many others ## Integration Features The platform integrates with GitHub's workflow systems, allowing you to: - Automate dependency updates alongside your CI/CD pipelines - Customize pull request behavior and formatting - Configure access to private package registries - Manage multi-ecosystem updates simultaneously - Automatically sign commits - Filter notifications to show only Dependabot pull requests ## Availability Dependabot features are available for all repositories on GitHub across free, pro, and team plans. --- # Dependabot Quickstart Guide Source: https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide ## Overview Dependabot comprises three integrated features for dependency management: - **Dependabot alerts**: Inform you about vulnerabilities in the dependencies that you use in your repository - **Dependabot security updates**: Automatically generates pull requests addressing known security vulnerabilities - **Dependabot version updates**: Keeps dependencies current through automated pull requests ## Getting Started ### Prerequisites To follow along with practical examples, you can fork the demonstration repository at: https://github.com/dependabot/demo ### Step 1: Access Repository Settings 1. Navigate to your repository's main page 2. Click **Settings** (or access via the dropdown menu if unavailable) ### Step 2: Enable Dependabot Features 1. In the sidebar, locate the "Security" section 2. Click **Advanced Security** 3. Under "Dependabot," click **Enable** for each feature you want: - Dependabot alerts - Dependabot security updates - Dependabot version updates **Note**: The dependency graph activates automatically when enabling Dependabot if not already enabled. ### Step 3: Configure Version Updates If you've selected Dependabot version updates: 1. A default `dependabot.yml` file will be created in `/.github/` 2. Edit this file to suit your repository's needs 3. Commit your changes The file uses YAML format with the following basic structure: ```yaml version: 2 updates: - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" ``` ## Viewing and Managing Alerts ### Access Dependabot Alerts 1. Click the **Security** tab on your repository (use the dropdown if unavailable) 2. In the "Vulnerability alerts" sidebar, select **Dependabot** 3. The page displays open alerts by default; switch to **Closed** to see dismissed ones ### Review Alert Details Click any alert to review: - Affected package information - Vulnerability severity - Available patches - Associated CVE/GHSA identifiers ## Resolving Vulnerabilities ### Merge a Security Fix 1. Click "Review security update" to examine Dependabot's proposed pull request 2. Review the changes and CI results 3. Merge the PR once confirmed ### Dismiss an Alert If you choose not to upgrade: 1. Click "Dismiss alert" on the details page 2. Select a dismissal reason 3. Optionally add explanatory comments 4. Confirm dismissal (alerts move to the Closed tab) ## Common Dismissal Reasons - **Not affected**: The vulnerability doesn't apply to your use case - **Tolerable risk**: You accept the risk of the vulnerability - **No bandwidth**: You don't have resources to address it now - **Inaccurate**: The alert is incorrect or misidentified ## Troubleshooting If Dependabot cannot generate pull requests or detection seems inaccurate, consult the full documentation for troubleshooting guidance. ## Next Steps After completing the quickstart: - Explore additional configuration options for security updates - Learn advanced version management techniques - Set up organization-wide deployment - Configure alert notifications - Implement custom commit messages and labels --- # Dependabot Version Updates Source: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates ## Overview Dependabot version updates is a feature that "takes the effort out of maintaining your dependencies" by automatically keeping packages current with their latest releases. ## How It Works The system operates through a `dependabot.yml` configuration file checked into your repository. Dependabot uses semantic versioning to determine when updates are available, then automatically raises pull requests to update manifests to the latest dependency versions. For vendored (cached) dependencies stored directly in repositories rather than referenced in manifests, Dependabot can replace outdated versions directly. ## Availability This feature is available for all repositories on GitHub across free, pro, and team plans. ## Update Frequency Users specify check schedules in their configuration using intervals: - `daily` - `weekly` (default) - `monthly` - `quarterly` - `semiannually` - `yearly` - Custom `cron` expressions When first enabled, Dependabot may generate pull requests within minutes, depending on how many manifest files need updates. ### Pull Request Limits To manage volume, Dependabot initially raises a maximum of five pull requests. Users can adjust this limit using the `open-pull-requests-limit` configuration option. The `groups` option further consolidates multiple dependency updates into single pull requests. ## Key Features - **Automatic commit signing** for signed commits - **Integration with GitHub Actions workflows** for CI/CD automation - **Support for security updates** (separate from version updates) - **Customizable notifications** that can be filtered to show only Dependabot pull requests - **Dependency grouping** to consolidate updates into single PRs - **Rebase strategy configuration** for conflict resolution - **Private package registry support** for internal dependencies ## Configuration Version updates are configured in `.github/dependabot.yml`: ```yaml version: 2 updates: - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" day: "monday" time: "03:00" ``` ## Supported Package Ecosystems Dependabot version updates supports 20+ package management systems: - **Python**: pip, pip-tools - **JavaScript/TypeScript**: npm, yarn, pnpm - **Ruby**: bundler - **Java**: Maven, Gradle - **Go**: go modules - **Rust**: Cargo - **PHP**: Composer - **.NET**: NuGet - **Elm**: Elm - **Elixir**: Mix - **Erlang**: Rebar3 - **Dart**: Pub - **Deno**: Deno - **Docker**: Docker - **Terraform**: Terraform - **Helm**: Helm - **And others** ## Automatic Deactivation When repository maintainers stop engaging with Dependabot pull requests, the system temporarily pauses updates and notifies users. Specifically, if you don't interact with Dependabot pull requests for a repository during a 90-day time period, Dependabot considers your repository as inactive and will automatically pause Dependabot updates. To reactivate: 1. Engage with Dependabot PRs by merging or closing them 2. Manually re-enable in repository settings if needed ## Managing Updates Users can: - Set specific dependencies to always or never update - Filter by dependency type (direct, indirect, production, development) - Group multiple updates into single PRs - Customize commit messages and PR labels - Configure different schedules per package ecosystem - Set target branches for updates --- # Dependabot Security Updates Source: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates ## Overview Dependabot security updates automate the process of fixing vulnerable dependencies by raising pull requests when vulnerabilities are detected. ## Vulnerability Detection Dependabot identifies vulnerabilities through the dependency graph. As the documentation states: "If you enable Dependabot security updates, when a Dependabot alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot automatically tries to fix it." The system alerts users to every vulnerable dependency in the full dependency graph, though security updates are only triggered for dependencies explicitly listed in manifest or lock files. ## How Security Updates Work ### Automatic Response When vulnerabilities are identified, "Dependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot raises a pull request to update the dependency to the minimum version that includes the patch." This process is automatic—when a security update PR is available, Dependabot will create it without waiting for user action. ### Alert Resolution Upon merging a security update pull request, the corresponding alert is automatically marked as resolved. ### Comprehensive Coverage The system attempts to address every available vulnerability: "When Dependabot security updates are enabled for a repository, Dependabot will automatically try to open pull requests to resolve **every** open Dependabot alert that has an available patch." ## Key Features ### Grouped Updates Multiple vulnerable dependencies can be grouped into single pull requests to reduce notification volume. This is controlled via the `groups` configuration option. ### Compatibility Scoring Updates include compatibility metrics showing potential breaking changes, helping you assess the impact of security patches. ### Automatic Deactivation If maintainers ignore pull requests, the system temporarily pauses updates. Specifically, if you don't interact with Dependabot pull requests for a repository during a 90-day time period, Dependabot considers your repository as inactive and will pause updates. ## Dependabot Alerts Dependabot alerts inform you about vulnerabilities in your dependencies. These alerts: - Appear in the Security tab of your repository - Show severity levels (critical, high, moderate, low) - Include CVE and GHSA identifiers - Link to vulnerability databases and security advisories - Provide patch availability information ### Alert Management You can: - Review detailed vulnerability information - Merge Dependabot's proposed security update PRs - Dismiss alerts with reasons (not affected, tolerable risk, no bandwidth, inaccurate) - Add comments to explain dismissals - Track alert status over time ## Configuration Security updates are enabled separately from version updates. In your `dependabot.yml`: ```yaml version: 2 updates: - package-ecosystem: "pip" directory: "/" schedule: interval: "daily" # Security updates run on their own schedule (realtime) ``` Security updates run independently and trigger immediately when vulnerabilities are detected, regardless of the version update schedule. ## Best Practices 1. **Enable both features**: Use security updates for urgent fixes and version updates for maintenance 2. **Monitor alerts regularly**: Check your Security tab weekly 3. **Merge security PRs promptly**: Prioritize security patches over other work 4. **Review the patches**: Understand what's being changed before merging 5. **Keep repository active**: Interact with PRs to prevent automatic deactivation 6. **Configure notifications**: Set up alerts to notify your team immediately ## Supported Ecosystems Security updates work with all supported package ecosystems: - Python (pip) - Node.js (npm, yarn, pnpm) - Ruby (bundler) - Java (Maven, Gradle) - Go (go modules) - Rust (Cargo) - PHP (Composer) - .NET (NuGet) - Docker - Terraform - Helm - And others --- # Dependabot Configuration Reference Source: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference ## File Location The `dependabot.yml` file must be stored in the `.github` directory of your repository: ``` .github/dependabot.yml ``` ## Basic Structure ```yaml version: 2 updates: - package-ecosystem: "pip" directory: "/" schedule: interval: "weekly" ``` All values are case-sensitive. ## Required Fields ### version Always set to `2` for the latest Dependabot configuration format. ```yaml version: 2 ``` ### updates Array of package managers to monitor. Each entry requires: - `package-ecosystem` - `directory` or `directories` - `schedule.interval` ## Configuration Options ### package-ecosystem Specifies the package manager to monitor. **Supported values:** - `bundler` (Ruby) - `pip` (Python) - `npm` (Node.js) - `yarn` (Node.js, alternative) - `pnpm` (Node.js, alternative) - `composer` (PHP) - `cargo` (Rust) - `hex` (Erlang) - `nuget` (.NET) - `maven` (Java) - `gradle` (Java) - `docker` (Docker) - `terraform` (Terraform) - `helm` (Kubernetes) - `go` (Go modules) - `pub` (Dart) - `elm` (Elm) - `deno` (Deno) - `mix` (Elixir) - `rebar3` (Erlang) - And others ```yaml updates: - package-ecosystem: "npm" ``` ### directory Single directory containing dependency manifests. ```yaml directory: "/" directory: "/src" directory: "/packages/app" ``` ### directories (alternative) Update multiple directories with the same configuration. ```yaml directories: - "/" - "/app" - "/utils" ``` ### schedule Defines when Dependabot checks for updates. #### schedule.interval **Required**. Update frequency. **Values:** - `daily` - `weekly` (default) - `monthly` - `quarterly` - `semiannually` - `yearly` ```yaml schedule: interval: "weekly" ``` #### schedule.day Day of the week for weekly updates (Monday-Sunday). ```yaml schedule: interval: "weekly" day: "monday" ``` #### schedule.time Time of day for updates (00:00-23:59 UTC). ```yaml schedule: interval: "daily" time: "03:00" ``` #### schedule.timezone Timezone for the `time` setting. Use IANA timezone identifiers. ```yaml schedule: interval: "daily" time: "09:00" timezone: "America/Los_Angeles" ``` #### schedule.cron Custom cron expression for advanced scheduling (overrides interval/day/time). ```yaml schedule: cron: "0 3 * * 1" # 3 AM every Monday UTC ``` ### allow Specify which dependencies to update. ```yaml allow: - dependency-name: "express" - dependency-name: "lodash*" ``` ### ignore Exclude specific dependencies from updates. ```yaml ignore: - dependency-name: "express" versions: ["4.0.0", "5.0.0"] - dependency-name: "lodash*" ``` ### dependency-type Filter dependencies by type. **Values:** - `direct` - `indirect` - `all` (default) - `production` - `development` ```yaml dependency-type: "direct" dependency-type: "production" ``` ### assignees Automatically assign reviewers to pull requests. ```yaml assignees: - "alice" - "bob" ``` ### labels Add labels to pull requests. ```yaml labels: - "dependencies" - "automated" ``` ### milestone Associate PRs with a milestone. ```yaml milestone: 1 ``` ### commit-message Customize commit message formatting. ```yaml commit-message: prefix: "chore(deps):" include: "scope" ``` ### pull-request-branch-name.separator Customize branch naming convention. ```yaml pull-request-branch-name: separator: "-" # "dependabot-npm-express-4.0.0" separator: "/" # "dependabot/npm/express-4.0.0" ``` ### open-pull-requests-limit Maximum concurrent Dependabot pull requests. **Default:** 5 **Range:** 1-99 ```yaml open-pull-requests-limit: 10 ``` ### rebase-strategy How to handle conflicts. **Values:** - `auto` (default) - Automatically rebase and force-push - `disabled` - Don't rebase automatically ```yaml rebase-strategy: "disabled" ``` By default, Dependabot automatically rebases pull requests to resolve conflicts. After 30 days without merging, Dependabot stops automatic rebasing. ### target-branch Specify a non-default branch for updates. ```yaml target-branch: "develop" ``` ### versioning-strategy Control how version changes are applied. **Values:** - `auto` (default) - Detect best strategy - `increase` - Always increase versions - `increase-if-necessary` - Only increase if required - `lockfile-only` - Only update lock files - `widen` - Widen version ranges ```yaml versioning-strategy: "increase-if-necessary" ``` ### groups Consolidate multiple dependency updates into single pull requests. ```yaml groups: production-dependencies: dependency-type: "production" development-dependencies: dependency-type: "development" exclude-patterns: - "eslint*" ``` ### multi-ecosystem-groups Span groups across multiple package managers. ```yaml multi-ecosystem-groups: all-dependencies: package-ecosystems: - "npm" - "pip" ``` ### cooldown Delay updates with customizable periods. ```yaml cooldown: default-days: 3 semver-patch-days: 0 semver-minor-days: 3 semver-major-days: 7 ``` ### registries Configure access to private package registries. ```yaml registries: npm-registry: type: "npm-registry" url: "https://registry.npmjs.org" username: "my-username" password: "${{ secrets.NPM_TOKEN }}" ``` ### vendor Update vendored dependencies (cached in repository). ```yaml vendor: true ``` ### exclude-paths Ignore specific directories or files. ```yaml exclude-paths: - "vendor/" - "node_modules/" ``` ### insecure-external-code-execution Allow code execution during dependency updates (required for some ecosystems). ```yaml insecure-external-code-execution: "allow" ``` ## Complete Example ```yaml version: 2 updates: # Python - package-ecosystem: "pip" directory: "/" schedule: interval: "weekly" day: "monday" time: "03:00" timezone: "America/Los_Angeles" open-pull-requests-limit: 10 labels: - "dependencies" - "python" assignees: - "alice" dependency-type: "production" # Node.js - package-ecosystem: "npm" directory: "/" schedule: interval: "daily" groups: production: dependency-type: "production" development: dependency-type: "development" rebase-strategy: "auto" # Docker - package-ecosystem: "docker" directory: "/" schedule: interval: "weekly" ``` ## Variable Substitution Use GitHub Actions secrets in registry credentials: ```yaml registries: custom-registry: type: "npm-registry" username: "my-user" password: "${{ secrets.REGISTRY_TOKEN }}" ``` ## Notes - All configuration is case-sensitive - File must be valid YAML (use a YAML validator) - Comments starting with `#` are allowed - Empty values must be quoted: `directory: ""` --- # Managing Dependabot Pull Requests Source: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates ## Overview Dependabot pull requests are managed similarly to standard pull requests but include specialized features. The documentation emphasizes that users with **write access** can manage these PRs. ## Identifying Dependabot Pull Requests Dependabot PRs are easily recognizable by two characteristics: - The author is the `dependabot` or `dependabot[bot]` account - They carry the `dependencies` label by default ## Rebase and Merge Strategy ### Automatic Rebasing By default, Dependabot automatically rebases pull requests to resolve any conflicts. However, after 30 days without merging, Dependabot ceases automatic rebasing. The `rebase-strategy` configuration option allows manual conflict handling if preferred: ```yaml updates: - package-ecosystem: "npm" rebase-strategy: "disabled" # Disable auto-rebase ``` ### Force Push To permit Dependabot to force-push over additional commits you've made, include one of these strings in your commit messages (case-insensitive): - `[dependabot skip]` - `[skip dependabot]` - `[dependabot-skip]` - `[skip-dependabot]` Example commit message: ``` Add new tests [dependabot skip] ``` ## Comment Commands Dependabot responds to specific commands in PR comments. You can use these commands to manage updates: ### @dependabot merge Automatically merges the pull request after CI passes. ``` @dependabot merge ``` ### @dependabot rebase Rebases the pull request to resolve conflicts. ``` @dependabot rebase ``` ### @dependabot close Closes the pull request and prevents Dependabot from recreating it for the same dependency update. ``` @dependabot close ``` ### @dependabot ignore [dependency/version] Prevents Dependabot from creating updates for this dependency/version combination. The dependency must be specified as a package name. Examples: ``` @dependabot ignore express @dependabot ignore lodash 4.17.0 ``` You can still enable updates later by editing the `dependabot.yml` file. ### @dependabot squash and merge Squashes commits before merging the PR. ``` @dependabot squash and merge ``` ## Pull Request Configuration ### Commit Message Customization Customize how commits are formatted: ```yaml commit-message: prefix: "chore(deps):" include: "scope" ``` Options for `include`: - `scope` - Add dependency name as scope - `references` - Include issue/PR references - `all` - Include both scope and references ### Branch Naming Customize the branch naming convention: ```yaml pull-request-branch-name: separator: "/" # "dependabot/npm/lodash-4.17.20" ``` ### Labels Add custom labels to PRs: ```yaml labels: - "dependencies" - "automated" ``` ### Assignees Automatically assign reviewers: ```yaml assignees: - "alice" - "bob" ``` ### Milestone Associate with a project milestone: ```yaml milestone: 1 ``` ## Repository Inactivity Critical note: "If you don't interact with Dependabot pull requests for a repository during a 90-day time period, Dependabot considers your repository as inactive, and will automatically pause Dependabot updates." ### Reactivating a Paused Repository To reactivate Dependabot after 90 days of inactivity: 1. Merge or close some existing Dependabot pull requests 2. Re-enable Dependabot in Settings > Security > Advanced Security > Dependabot 3. Dependabot will resume creating pull requests ## Best Practices ### 1. Use Labels for Organization Organize PRs with consistent labels: ```yaml labels: - "dependencies" - "npm" ``` ### 2. Assign to Team Automatically route PRs to appropriate team members: ```yaml assignees: - "frontend-team" ``` ### 3. Limit Concurrent PRs Control volume with `open-pull-requests-limit`: ```yaml open-pull-requests-limit: 5 ``` ### 4. Group Updates Reduce notification noise by grouping related updates: ```yaml groups: production-dependencies: dependency-type: "production" ``` ### 5. Monitor Regularly Check for Dependabot PRs at least weekly to prevent auto-deactivation. ### 6. Merge Security Updates First Prioritize security update PRs over version updates. ### 7. Enable Auto-Merge for Safe Updates Use GitHub's auto-merge feature for minor updates after CI passes: 1. Enable auto-merge on the PR 2. Select "Squash and merge" 3. PR merges automatically when CI passes ## Handling Conflicts If a Dependabot PR has conflicts: 1. Comment with `@dependabot rebase` to attempt auto-rebase 2. If that fails, manually fix conflicts in the PR 3. Add `[dependabot skip]` to your commit message if adding commits 4. Request Dependabot to rebase again ## Security Updates Security update PRs follow the same management rules but should be prioritized: - Review and merge promptly - Don't ignore/dismiss unless truly not applicable - Automate merging when possible ## Notifications You can filter notifications to focus on Dependabot PRs: 1. Go to Settings > Notifications 2. Create a custom filter for `is:pull-request author:dependabot` 3. Set up label-based filters in your workflow --- # Dependabot Best Practices Source: https://docs.github.com/en/code-security/dependabot ## Overview This guide covers recommended practices for using Dependabot effectively to maintain secure and up-to-date Python projects and other codebases. ## Enable All Three Features Dependabot works best when you enable all three components: 1. **Dependabot Alerts** - Immediate notification of vulnerabilities 2. **Dependabot Security Updates** - Automatic fixes for vulnerabilities 3. **Dependabot Version Updates** - Regular maintenance updates Together, they provide comprehensive dependency management. ## Alerts ### Monitor Regularly - Check your repository's Security tab at least weekly - Set up notifications for Dependabot alerts - Review severity levels (critical, high, moderate, low) - Keep your team informed about active vulnerabilities ### Triage Alerts Don't dismiss all alerts: - **Not affected**: Only dismiss if the code path isn't used - **Tolerable risk**: Document why you're accepting the risk - **No bandwidth**: Set a reminder to address later - **Inaccurate**: Report to GitHub if the alert is wrong ### Example Alert Review 1. Click the alert in the Security tab 2. Review affected package and vulnerability details 3. Check the proposed patch version 4. Review associated CVE/GHSA links 5. Decide: merge patch, dismiss, or defer ## Security Updates ### Prioritize Security Over Features Security updates should be merged faster than other PRs: - Review security PRs within 24 hours if possible - Merge after CI passes (assuming no failures) - Automate merging if your process allows - Don't let security updates age unnecessarily ### Configuration Example ```yaml version: 2 updates: - package-ecosystem: "pip" directory: "/" schedule: interval: "daily" labels: - "security" assign ees: - "security-team" ``` ### Group Security Updates Reduce notification fatigue by grouping related vulnerabilities: ```yaml updates: - package-ecosystem: "pip" directory: "/" groups: security: patterns: - "*" update-types: - "minor" # Group minor security patches ``` ## Version Updates ### Choose Appropriate Update Schedules Different ecosystems and projects need different cadences: - **High-security projects**: Weekly or bi-weekly - **Libraries**: Weekly (stay current with dependencies) - **Internal tools**: Monthly or quarterly - **Legacy projects**: Monthly ```yaml version: 2 updates: - package-ecosystem: "pip" schedule: interval: "weekly" day: "monday" time: "03:00" ``` ### Separate Production and Development Dependencies Reduce risk by updating development dependencies more frequently: ```yaml updates: - package-ecosystem: "npm" groups: production: dependency-type: "production" schedule: interval: "monthly" development: dependency-type: "development" schedule: interval: "weekly" ``` ### Limit Concurrent Pull Requests Avoid overwhelming your team with updates: ```yaml open-pull-requests-limit: 5 ``` Start with 5, adjust based on your team's capacity. ### Use Dependency Groups Consolidate updates to reduce noise: ```yaml groups: major-updates: dependency-type: "direct" update-types: - "major" minor-patch-updates: dependency-type: "direct" update-types: - "minor" - "patch" ``` ### Configure Intelligent Rebasing Allow Dependabot to automatically resolve conflicts: ```yaml rebase-strategy: "auto" # Default, recommended ``` This keeps PRs mergeable without manual intervention. ## Python-Specific Practices ### Use dependabot.yml for pip ```yaml version: 2 updates: - package-ecosystem: "pip" directory: "/" schedule: interval: "weekly" dependency-type: "production" labels: - "dependencies" ``` ### Support Multiple Python Versions If your project supports multiple Python versions: 1. Test updates against all versions in CI 2. Verify compatibility before merging 3. Use GitHub Actions matrix builds Example matrix CI config: ```yaml strategy: matrix: python-version: ["3.9", "3.10", "3.11", "3.12"] ``` ### Keep Requirements Files Organized If using `requirements.txt`, `requirements-dev.txt`, etc.: ```yaml version: 2 updates: - package-ecosystem: "pip" directory: "/" dependency-type: "production" - package-ecosystem: "pip" directory: "/" dependency-type: "development" schedule: interval: "weekly" ``` ## Workflow Integration ### Use GitHub Actions for CI/CD Ensure Dependabot PRs run through the same CI checks as regular PRs: 1. Run tests on all Dependabot PRs 2. Check for breaking changes 3. Verify compatibility 4. Enable auto-merge when tests pass Example workflow: ```yaml on: [pull_request] jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-python@v4 with: python-version: "3.11" - run: pip install -r requirements.txt - run: pytest - run: lint ``` ### Customize Commit Messages Make PR history clear: ```yaml commit-message: prefix: "chore(deps):" include: "scope" ``` Results in commits like: `chore(deps): bump requests from 2.28 to 2.29` ### Automate with Labels Use labels for automation: ```yaml labels: - "dependencies" - "automated" ``` Then set up rules: ```yaml auto-merge: filter: - label: "dependencies" merge-type: "squash" ``` ## Organizational Practices ### Enable Across Organization Use GitHub organization settings to enforce Dependabot: 1. Go to Organization Settings 2. Enable Dependabot in Security settings 3. Set organization-wide policies 4. Make dependabot.yml a template in new repos ### Document Your Policy Create a `DEPENDABOT.md` guide for your team: ```markdown # Dependabot Policy ## For Security Updates - Review within 24 hours - Merge after CI passes - Prioritize over feature work ## For Version Updates - Review within 1 week - Check compatibility - Run full test suite ``` ### Assign to Teams Route PRs to appropriate teams: ```yaml assignees: - "backend-team" # Group or username ``` ### Monitor Inactive Repositories Set up alerts for repos that go 90 days without Dependabot activity: ```bash # Check which repos have paused Dependabot gh repo list --limit 1000 --json name | jq -r '.[].name' ``` ## Common Mistakes to Avoid ### 1. Dismissing Too Many Alerts Don't just dismiss alerts without review. Only dismiss if: - Truly not applicable to your code - Risk has been assessed and accepted - Documented in dismissal comment ### 2. Ignoring Inactivity Warnings If Dependabot goes inactive: - Merge some PRs to reactivate - Don't let security updates pile up - Re-enable in settings ### 3. Setting Conflicting Schedules Be consistent: - Don't have weekly schedules for major and minor updates together - Separate by dependency type or ecosystem - Use groups to organize ### 4. Neglecting Documentation Keep team informed: - Update CONTRIBUTING.md with Dependabot guidance - Document dismissal policies - Track security update SLAs ### 5. Ignoring Breaking Changes Always review: - Major version updates - Dependency compatibility - Migration requirements - Test suite results ## Monitoring and Metrics ### Track Metrics Monitor your Dependabot usage: - Number of alerts per repository - Average time to merge security updates - Version update cadence compliance - Automatic deactivation incidents ### Set Service Level Objectives (SLOs) Example targets: - Critical security updates: Merge within 24 hours - High severity updates: Merge within 72 hours - Regular updates: Merge within 2 weeks - Inactivity: Never exceed 90 days ## Resources - [GitHub Dependabot Documentation](https://docs.github.com/en/code-security/dependabot) - [Dependabot Demo Repository](https://github.com/dependabot/demo) - [Dependabot Blog](https://github.blog/tag/dependabot/) - [GitHub Security Best Practices](https://docs.github.com/en/code-security)