Dependabot is GitHub's built-in dependency management tool with three core capabilities:
All configuration lives in a single file: .github/dependabot.yml on the default branch. GitHub does not support multiple dependabot.yml files per repository.
Follow this process when creating or optimizing a dependabot.yml:
Scan the repository for dependency manifests. Look for:
| Ecosystem | YAML Value | Manifest Files |
|---|---|---|
| npm/pnpm/yarn | npm | package.json, package-lock.json, pnpm-lock.yaml, yarn.lock |
| pip/pipenv/poetry/uv | pip | requirements.txt, Pipfile, pyproject.toml, setup.py |
| Docker | docker | Dockerfile |
| Docker Compose | docker-compose | docker-compose.yml |
| GitHub Actions | github-actions | .github/workflows/*.yml |
| Go modules | gomod | go.mod |
| Bundler (Ruby) | bundler | Gemfile |
| Cargo (Rust) | cargo | Cargo.toml |
| Composer (PHP) | composer | composer.json |
| NuGet (.NET) | nuget | *.csproj, packages.config |
| .NET SDK | dotnet-sdk | global.json |
| Maven (Java) | maven | pom.xml |
| Gradle (Java) | gradle | build.gradle |
| Terraform | terraform | *.tf |
| OpenTofu | opentofu | *.tf |
| Helm | helm | Chart.yaml |
| Hex (Elixir) | mix | mix.exs |
| Swift | swift | Package.swift |
| Pub (Dart) | pub | pubspec.yaml |
| Bun | bun | bun.lockb |
| Dev Containers | devcontainers | devcontainer.json |
| Git Submodules | gitsubmodule | .gitmodules |
| Pre-commit | pre-commit | .pre-commit-config.yaml |
Note: pnpm and yarn both use the npm ecosystem value.
For each ecosystem, identify where manifests live. Use directories (plural) with glob patterns for monorepos:
```yaml
directories:
  - "/"            # root
  - "/apps/*"      # all app subdirs
  - "/packages/*"  # all package subdirs
  - "/lib-*"       # dirs starting with lib-
  - "**/*"         # recursive (all subdirs)
```
Important: directory (singular) does NOT support globs. Use directories (plural) for wildcards.
Every entry needs at minimum a package ecosystem, a directory, and a schedule:
```yaml
- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"
```
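The manifest scan and the minimal-entry rule above can be automated. The following is an added example, not part of the original guide: it maps the manifest files found in a repository listing to the ecosystem values from the table, then renders a minimal dependabot.yml skeleton, choosing directories (plural) whenever an ecosystem appears in more than one location. The repository listing is constructed for the demo; for *.tf it picks terraform (opentofu shares the same pattern), and pnpm/yarn lockfiles map to npm as the note says.

```python
"""Added example: derive a minimal .github/dependabot.yml from a repo listing."""
from collections import defaultdict
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Manifest filename -> package-ecosystem value, taken from the table above.
# pnpm and yarn lockfiles deliberately map to "npm": one entry covers all three.
MANIFESTS = {
    "package.json": "npm", "package-lock.json": "npm",
    "pnpm-lock.yaml": "npm", "yarn.lock": "npm",
    "requirements.txt": "pip", "Pipfile": "pip", "pyproject.toml": "pip", "setup.py": "pip",
    "Dockerfile": "docker", "docker-compose.yml": "docker-compose",
    "go.mod": "gomod", "Gemfile": "bundler", "Cargo.toml": "cargo",
    "composer.json": "composer", "packages.config": "nuget", "global.json": "dotnet-sdk",
    "pom.xml": "maven", "build.gradle": "gradle",
    "Chart.yaml": "helm", "mix.exs": "mix", "Package.swift": "swift",
    "pubspec.yaml": "pub", "bun.lockb": "bun", "devcontainer.json": "devcontainers",
    ".gitmodules": "gitsubmodule", ".pre-commit-config.yaml": "pre-commit",
}
# Rows whose manifest is a filename pattern. "*.tf" is assigned to terraform here;
# swap to "opentofu" if that is what the repository actually uses.
GLOB_MANIFESTS = [("*.csproj", "nuget"), ("*.tf", "terraform")]


def ecosystem_for(path):
    """Return (ecosystem, dependabot directory) for one file, or None."""
    p = PurePosixPath(path)
    # Workflows live at a fixed location and are always directory "/".
    if p.parts[:2] == (".github", "workflows") and p.suffix in (".yml", ".yaml"):
        return "github-actions", "/"
    eco = MANIFESTS.get(p.name)
    if eco is None:
        eco = next((e for pat, e in GLOB_MANIFESTS if fnmatch(p.name, pat)), None)
    if eco is None:
        return None
    parent = p.parent.as_posix()
    return eco, ("/" if parent == "." else "/" + parent)


def detect_ecosystems(paths):
    """Return {ecosystem: sorted list of directories} for a repository listing."""
    found = defaultdict(set)
    for path in paths:
        hit = ecosystem_for(path)
        if hit:
            found[hit[0]].add(hit[1])
    return {eco: sorted(dirs) for eco, dirs in sorted(found.items())}


def render_dependabot_yml(detected, interval="weekly"):
    """Emit a minimal dependabot.yml. `directories` (plural) is used whenever an
    ecosystem has several locations, because `directory` accepts neither lists
    nor globs."""
    lines = ["version: 2", "updates:"]
    for eco, dirs in detected.items():
        lines.append(f'  - package-ecosystem: "{eco}"')
        if len(dirs) == 1:
            lines.append(f'    directory: "{dirs[0]}"')
        else:
            lines.append("    directories:")
            lines.extend(f'      - "{d}"' for d in dirs)
        lines.append("    schedule:")
        lines.append(f'      interval: "{interval}"')
    return "\n".join(lines) + "\n"


# Constructed repository listing for the demo (not a real project).
SAMPLE_REPO = [
    "package.json", "pnpm-lock.yaml", "Dockerfile",
    ".github/workflows/ci.yml", ".github/workflows/release.yaml",
    "apps/web/package.json", "services/api/pyproject.toml",
    "infra/main.tf", "infra/variables.tf", "README.md",
]

if __name__ == "__main__":
    print(render_dependabot_yml(detect_ecosystems(SAMPLE_REPO)))
```

Run it against `git ls-files` output from a real checkout to get a starting config; the generated entries are deliberately minimal so the grouping, cooldown and scheduling options below can be layered on afterwards.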
See sections below for each optimization technique.
For monorepos with many packages, use glob patterns to avoid listing each directory:
```yaml
- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"
```
Use group-by: dependency-name to create a single PR when the same dependency updates across multiple directories:
```yaml
groups:
  monorepo-deps:
    group-by: dependency-name
```
This creates one PR per dependency across all specified directories, reducing CI costs and review burden.
Limitations:
- If a directory has its own lockfile and is NOT part of the workspace (e.g., scripts in .github/), create a separate ecosystem entry for it.
Reduce PR noise by grouping related dependencies into single PRs.
By dependency type:
```yaml
groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]
```
By name pattern:
```yaml
groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]
```
For security updates only:
```yaml
groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]
```
Key behaviors:
- applies-to defaults to version-updates when absent.

Combine updates across different package ecosystems into a single PR:
```yaml
version: 2
multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]
updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"
  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"
```
The patterns key is required when using multi-ecosystem-group.
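Several of the constraints stated so far (directory takes no globs, every entry needs an ecosystem, a directory and a schedule, schedule.day is weekly-only, patterns is required with multi-ecosystem-group, and the group must be defined) are easy to get wrong by hand. The following added example, not part of the guide or of GitHub's tooling, lints a parsed dependabot.yml against exactly those rules. The config is given as the dict that yaml.safe_load would produce, so the block runs without PyYAML; the sample is constructed and deliberately contains mistakes.

```python
"""Added example: lint a parsed dependabot.yml against the rules in this guide."""

# Intervals listed under scheduling in this guide.
SUPPORTED_INTERVALS = {"daily", "weekly", "monthly", "quarterly",
                       "semiannually", "yearly", "cron"}


def lint_entry(i, e, defined_multi_groups):
    """Findings for one `updates` entry; empty list means it passed."""
    where = f"updates[{i}] ({e.get('package-ecosystem', '?')})"
    findings = []
    if "package-ecosystem" not in e:
        findings.append(f"{where}: missing `package-ecosystem`")
    has_dir, has_dirs = "directory" in e, "directories" in e
    if has_dir and has_dirs:
        findings.append(f"{where}: use either `directory` or `directories`, not both")
    elif not (has_dir or has_dirs):
        findings.append(f"{where}: needs `directory` or `directories`")
    d = e.get("directory")
    # `directory` (singular) does not support globs; wildcards belong in `directories`.
    if isinstance(d, str) and any(c in d for c in "*?["):
        findings.append(f"{where}: `directory` does not support globs; use `directories`")
    sched = e.get("schedule")
    if not isinstance(sched, dict) or "interval" not in sched:
        findings.append(f"{where}: `schedule.interval` is required")
    else:
        interval = sched["interval"]
        if interval not in SUPPORTED_INTERVALS:
            findings.append(f"{where}: unsupported interval `{interval}`")
        if "day" in sched and interval != "weekly":
            findings.append(f"{where}: `schedule.day` only applies to the weekly interval")
        if interval == "cron" and "cronjob" not in sched:
            findings.append(f"{where}: interval `cron` requires `schedule.cronjob`")
    mg = e.get("multi-ecosystem-group")
    if mg is not None:
        if "patterns" not in e:
            findings.append(f"{where}: `patterns` is required with `multi-ecosystem-group`")
        if mg not in defined_multi_groups:
            findings.append(f"{where}: multi-ecosystem-group `{mg}` is not defined")
    return findings


def lint_dependabot(cfg):
    """Return all findings for a parsed config; empty means no problems found."""
    findings = []
    if cfg.get("version") != 2:
        findings.append("top-level `version` must be 2")
    defined_groups = set((cfg.get("multi-ecosystem-groups") or {}).keys())
    entries = cfg.get("updates") or []
    if not entries:
        findings.append("`updates` must list at least one entry")
    for i, entry in enumerate(entries):
        findings.extend(lint_entry(i, entry, defined_groups))
    return findings


# Constructed sample (parsed form of a dependabot.yml) with deliberate mistakes.
SAMPLE_CONFIG = {
    "version": 2,
    "multi-ecosystem-groups": {"infrastructure": {"schedule": {"interval": "weekly"}}},
    "updates": [
        # glob in the singular key
        {"package-ecosystem": "npm", "directory": "/packages/*",
         "schedule": {"interval": "weekly"}},
        # `day` with a non-weekly interval, and no `patterns` for the group
        {"package-ecosystem": "docker", "directory": "/",
         "schedule": {"interval": "monthly", "day": "monday"},
         "multi-ecosystem-group": "infrastructure"},
        # cron without cronjob, and a group name that is never defined
        {"package-ecosystem": "terraform", "directories": ["/infra/*"],
         "schedule": {"interval": "cron"}, "patterns": ["aws*"],
         "multi-ecosystem-group": "infra"},
        # clean entry
        {"package-ecosystem": "pip", "directory": "/services/api",
         "schedule": {"interval": "weekly"}},
    ],
}

if __name__ == "__main__":
    for line in lint_dependabot(SAMPLE_CONFIG):
        print(line)
```

With PyYAML installed, `lint_dependabot(yaml.safe_load(open(".github/dependabot.yml")))` runs the same checks on a real file; wiring it into a pre-commit hook catches these mistakes before the file reaches the default branch, where GitHub would otherwise reject it silently in the Dependabot logs.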
```yaml
labels:
  - "dependencies"
  - "npm"
```
Set labels: [] to disable all labels including defaults. SemVer labels (major, minor, patch) are always applied if present in the repo.
```yaml
commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope"   # adds deps/deps-dev scope after prefix
```
```yaml
assignees: ["security-team-lead"]
milestone: 4                      # numeric ID from milestone URL
pull-request-branch-name:
  separator: "-"                  # default is /
target-branch: "develop"          # PRs target this instead of default branch
```
Note: When target-branch is set, security updates still target the default branch; the settings in an updates entry apply to version updates only.
Supported intervals: daily, weekly, monthly, quarterly, semiannually, yearly, cron
```yaml
schedule:
  interval: "weekly"
  day: "monday"                   # for weekly only
  time: "09:00"                   # HH:MM format
  timezone: "America/New_York"
```
```yaml
schedule:
  interval: "cron"
  cronjob: "0 9 * * 1"            # Every Monday at 9 AM
```
Delay updates for newly released versions to avoid early-adopter issues:
```yaml
cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]
```
Cooldown applies to version updates only, not security updates.
Enable in the repository: Settings → Advanced Security → Enable Dependabot alerts, security updates, and grouped security updates.
```yaml
groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]
open-pull-requests-limit: 0       # disables version update PRs
```
GitHub presets auto-dismiss low-impact alerts for development dependencies. Custom rules can filter by severity, package name, CWE, and more. Configure in repository Settings → Advanced Security.
Interact with Dependabot PRs using @dependabot comments.
Note: As of January 2026, merge/close/reopen commands have been deprecated. Use GitHub's native UI, the CLI (gh pr merge), or auto-merge instead.

| Command | Effect |
|---|---|
| @dependabot rebase | Rebase the PR |
| @dependabot recreate | Recreate the PR from scratch |
| @dependabot ignore this dependency | Close and never update this dependency |
| @dependabot ignore this major version | Ignore this major version |
| @dependabot ignore this minor version | Ignore this minor version |
| @dependabot ignore this patch version | Ignore this patch version |
For grouped PRs, additional commands:
- @dependabot ignore DEPENDENCY_NAME: ignore a specific dependency in the group
- @dependabot unignore DEPENDENCY_NAME: clear ignores and reopen with updates
- @dependabot unignore *: clear all ignores for all dependencies in the group
- @dependabot show DEPENDENCY_NAME ignore conditions: display current ignores

For the complete command reference, see references/pr-commands.md.
```yaml
ignore:
  - dependency-name: "lodash"
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "express"
    versions: ["5.x"]
```
```yaml
allow:
  - dependency-type: "production"
  - dependency-name: "express"
```
Rule: If a dependency matches both allow and ignore, it is ignored.
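To make the allow/ignore precedence rule and the cooldown settings concrete, here is an added example that is not part of the guide and does not reproduce Dependabot's own implementation: it decides whether a candidate version bump would be proposed under the ignore and allow rules shown above, and how many days a release must age under the cooldown block from the scheduling section. Versions are handled with a simplified MAJOR.MINOR.PATCH model (no pre-release tags), and a "5.x" style ignore entry is taken to match any version with that major; both are assumptions of this example.

```python
"""Added example: evaluate allow/ignore rules and cooldown for a candidate update."""
from datetime import date
from fnmatch import fnmatch


def parse(v):
    """Simplified semver: MAJOR.MINOR.PATCH integers only (assumption)."""
    return tuple(int(x) for x in v.split("."))


def bump_type(old, new):
    """Classify the bump the way Dependabot's version-update:semver-* labels do."""
    o, n = parse(old), parse(new)
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def version_matches(version, spec):
    """'5.x' matches any 5.*; a plain version string matches exactly (assumption)."""
    if spec.endswith(".x"):
        return version.split(".")[0] == spec[:-2]
    return version == spec


def _allow_matches(entry, name, dep_type):
    name_ok = fnmatch(name, entry.get("dependency-name", "*"))
    wanted = entry.get("dependency-type", "all")
    return name_ok and (wanted == "all" or wanted == dep_type)


def _ignore_matches(entry, name, old, new):
    if not fnmatch(name, entry["dependency-name"]):
        return False
    types = entry.get("update-types")
    if types and f"version-update:semver-{bump_type(old, new)}" not in types:
        return False
    versions = entry.get("versions")
    if versions and not any(version_matches(new, s) for s in versions):
        return False
    return True


def is_allowed(name, dep_type, old, new, allow=(), ignore=()):
    """Ignore wins over allow, as the rule above states; an empty allow list allows all."""
    if any(_ignore_matches(e, name, old, new) for e in ignore):
        return False
    if allow and not any(_allow_matches(e, name, dep_type) for e in allow):
        return False
    return True


# The cooldown block from the scheduling section, as a dict.
COOLDOWN = {"default-days": 5, "semver-major-days": 30, "semver-minor-days": 7,
            "semver-patch-days": 3, "include": ["*"], "exclude": ["critical-lib"]}


def cooldown_days(name, old, new, cooldown=COOLDOWN):
    """Days a release must age before a version update is proposed. Cooldown
    never applies to security updates, so callers handle those separately."""
    if not any(fnmatch(name, p) for p in cooldown.get("include", ["*"])):
        return 0
    if any(fnmatch(name, p) for p in cooldown.get("exclude", [])):
        return 0
    key = f"semver-{bump_type(old, new)}-days"
    return cooldown.get(key, cooldown.get("default-days", 0))


def eligible_on(name, old, new, released, today, cooldown=COOLDOWN):
    """True once the release is old enough under the cooldown."""
    return (today - released).days >= cooldown_days(name, old, new, cooldown)


# The ignore and allow lists shown above, as dicts.
IGNORE = [
    {"dependency-name": "lodash"},
    {"dependency-name": "@types/node", "update-types": ["version-update:semver-patch"]},
    {"dependency-name": "express", "versions": ["5.x"]},
]
ALLOW = [{"dependency-type": "production"}, {"dependency-name": "express"}]

if __name__ == "__main__":
    # Constructed candidate updates for the demo.
    for name, kind, old, new in [("lodash", "production", "4.17.20", "4.17.21"),
                                 ("express", "production", "4.19.2", "5.0.0"),
                                 ("express", "production", "4.18.0", "4.19.0"),
                                 ("@types/node", "development", "20.1.0", "20.2.0")]:
        print(name, old, "->", new, "allowed:", is_allowed(name, kind, old, new, ALLOW, IGNORE),
              "cooldown days:", cooldown_days(name, old, new))
```

The @types/node case shows the interaction that surprises people: its minor bump escapes the ignore entry (which only names patch updates) but is still dropped because, once an allow list exists, a development dependency has to match one of its entries.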
```yaml
exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"
```
versioning-strategy controls how Dependabot edits version constraints in manifests:

| Value | Behavior |
|---|---|
| auto | Default: increase for apps, widen for libraries |
| increase | Always increase the minimum version |
| increase-if-necessary | Only change the range if it excludes the new version |
| lockfile-only | Only update lockfiles, leave manifests untouched |
| widen | Widen the range to include both old and new versions |
```yaml
rebase-strategy: "disabled"       # stop auto-rebasing
```
Allow rebase over extra commits by including [dependabot skip] in commit messages.
```yaml
open-pull-requests-limit: 10      # default is 5 for version, 10 for security
```
Set to 0 to disable version updates entirely.
```yaml
registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private
```
Can I have multiple dependabot.yml files?
No. GitHub supports exactly one file at .github/dependabot.yml. Use multiple updates entries within that file for different ecosystems and directories.
Does Dependabot support pnpm?
Yes. Use package-ecosystem: "npm"; Dependabot detects pnpm-lock.yaml automatically.
How do I reduce PR noise in a monorepo?
Use groups to batch updates, directories with globs for coverage, and group-by: dependency-name for cross-directory grouping. Consider monthly or quarterly intervals for low-priority ecosystems.
How do I handle dependencies outside the workspace?
Create a separate ecosystem entry with its own directory pointing to that location.
- references/dependabot-yml-reference.md: complete YAML options reference
- references/pr-commands.md: full PR comment commands reference
- references/example-configs.md: real-world configuration examples