My Dependabot cheat sheet


Be aware that this is not an exhaustive list.

Basic concepts

What is Dependabot?

Dependabot automates dependencies management and supply chain security for free.

With a simple dependabot.yml file in your repository and a few lines inside, you can automatically raise pull requests to keep your dependencies up-to-date.

This matters a lot for security, as supply chain attacks are on the rise.

Is it only for GitHub?

Yes. Microsoft (GitHub) acquired the company some time ago.

What is GitHub Advisory Database?

It’s the main database that Dependabot uses to learn about security vulnerabilities.

How can I enable Dependabot?

Go to YOUR_REPO/settings/security_analysis. You get a dedicated page “Code security and analysis” where you can enable Dependabot’s features.

Where do I put the configuration file?

On GitHub, you can create the file here: /.github/dependabot.yml.

Getting started with dependabot.yml

Here is a very basic example to handle npm dependencies:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

Don’t forget the version parameter!

Is it for public packages only?

No. You can add a registries section containing authentication details to the dependabot.yml file:

version: 2
registries:
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    username: my_username
    password: ${{secrets.MY_NPM_PASSWORD}} # never put the credential itself in the file
updates:
  - package-ecosystem: "npm" # could be "bundler", "pip", "docker", "composer", etc. @see https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - npm-npmjs # the update entry must reference the registries it is allowed to use

Schedule interval

The schedule interval is a required setting and probably one of the most critical ones as it determines the cycle of updates and PRs.

I really appreciate being able to delay updates, because you don’t have infinite time to allocate to each repository. There are different options:

You can add schedule.day if you choose weekly to start the cycle on some day other than Monday:

    schedule:
      interval: "weekly"
      day: "friday"

You can even add a specific time:

    schedule:
      interval: "weekly"
      day: "friday"
      time: "10:01" # 10:01 UTC

If you don’t want to use UTC, you can specify a timezone:

    schedule:
      interval: "weekly"
      day: "friday"
      time: "10:01"
      timezone: "Europe/Vatican"

Custom labels

By default, all PRs get the “dependencies” label, but you might want to customize that, especially when you handle multiple package ecosystems:

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    labels: # labels must be a list, even when there is only one
      - "npm-dependencies"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "docker-dependencies"

It’s also great to keep things organized. Note that you can use several labels for each package ecosystem.

Target branches

You can use the target-branch parameter so that Dependabot raises PRs against a branch other than the default one. Note that you can set a different branch for each package ecosystem:

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "npm-dependencies"
    target-branch: "trunk"

Available package ecosystems

See the package-ecosystem section of the GitHub documentation: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem

Helpful commands

Command                                 Description
@dependabot cancel merge                cancel a merge
@dependabot close                       close the PR and Dependabot will not recreate the same PR
@dependabot ignore                      close the PR and stop Dependabot on this repository
@dependabot ignore this major version   close the PR and Dependabot will not recreate PRs for this major version
@dependabot ignore this minor version   close the PR and Dependabot will not recreate PRs for this minor version
@dependabot merge                       merge the pull request after CI tests
@dependabot rebase                      rebase the PR
@dependabot recreate                    force recreate the PR
@dependabot reopen                      reopen the closed PR
@dependabot squash and merge            squash and merge after CI tests

You can “talk” with the bot by commenting on the PR with special commands, which can save a lot of time. For example, I often use the @dependabot rebase command to resolve merge conflicts between several PRs that update the same dependencies.

Quite often, that alone is enough to proceed!

Things to know and errors to avoid

Dependabot is fantastic but be aware of potential mistakes:

More advanced usages

Dependabot is pretty straightforward, but you might need some of its more advanced features.

open-pull-requests-limit

By default, Dependabot cannot have more than 5 PRs open at the same time, but you can change this setting per package ecosystem:

version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 12

How to disable PRs for a specific package ecosystem

You may set the open pull requests limit to 0:

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "npm-dependencies"
    open-pull-requests-limit: 0 # 0 will disable PRs
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "docker-dependencies"
    open-pull-requests-limit: 12

Auto merges

It’s possible to connect Dependabot to scheduled actions for automatic merges. While it’s not something I would recommend, you might beg to differ. Here’s a nice introduction.

versioning-strategy

The versioning-strategy parameter can be helpful to change the default strategy according to the package manager.

For example, you might want to bump the version constraint of Composer dependencies only when it’s required. In that case, you can do:

version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    versioning-strategy: increase-if-necessary
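As an added example (not code from the cheat sheet or from Dependabot itself), here is a small linter that checks a parsed dependabot.yml for the pitfalls covered above: the mandatory version and schedule.interval, schedule.day only applying to weekly runs, labels having to be a list, the open-pull-requests-limit 0 switch, the versioning-strategy values, and registries that are declared but never referenced by an update entry. It assumes the file has already been loaded into a dict (for instance with yaml.safe_load); the SAMPLE config is constructed for the demonstration.

```python
# Assumes the config is already loaded into a dict (e.g. via yaml.safe_load); PyYAML is not imported here.
VALID_INTERVALS = {"daily", "weekly", "monthly"}
VALID_STRATEGIES = {"auto", "increase", "increase-if-necessary", "lockfile-only", "widen"}
WEEKDAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}


def lint_dependabot(config):
    """Return a list of findings for a dependabot.yml dict (empty list means it passed)."""
    findings = []
    if config.get("version") != 2:
        findings.append("top-level 'version: 2' is required")
    declared = set((config.get("registries") or {}).keys())
    referenced = set()
    for i, upd in enumerate(config.get("updates") or []):
        where = f"updates[{i}] ({upd.get('package-ecosystem', '?')})"
        for key in ("package-ecosystem", "directory", "schedule"):
            if key not in upd:
                findings.append(f"{where}: missing required key '{key}'")
        sched = upd.get("schedule") or {}
        interval = sched.get("interval")
        if interval not in VALID_INTERVALS:
            findings.append(f"{where}: schedule.interval must be daily, weekly or monthly")
        if "day" in sched and (interval != "weekly" or sched["day"] not in WEEKDAYS):
            findings.append(f"{where}: schedule.day needs a weekly interval and a valid weekday name")
        if "labels" in upd and not isinstance(upd["labels"], list):
            findings.append(f"{where}: labels must be a list, not a bare string")
        if upd.get("open-pull-requests-limit") == 0:
            findings.append(f"{where}: open-pull-requests-limit 0 disables version-update PRs")
        strategy = upd.get("versioning-strategy")
        if strategy is not None and strategy not in VALID_STRATEGIES:
            findings.append(f"{where}: unknown versioning-strategy '{strategy}'")
        regs = upd.get("registries", [])  # "*" means every declared registry
        referenced |= declared if regs == "*" else set(regs or [])
    for name in sorted(declared - referenced):
        findings.append(f"registry '{name}' is declared but no update entry references it")
    return findings


# Constructed sample mirroring the registry snippet above, with two pitfalls left in:
# labels given as a bare string and a registry that the npm update never references.
SAMPLE = {
    "version": 2,
    "registries": {"npm-npmjs": {"type": "npm-registry", "url": "https://registry.npmjs.org"}},
    "updates": [{"package-ecosystem": "npm", "directory": "/",
                 "schedule": {"interval": "weekly", "day": "friday"},
                 "labels": "npm-dependencies"}],
}

if __name__ == "__main__":
    for finding in lint_dependabot(SAMPLE):
        print(finding)
```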

Dependency Graph

Go to YOUR_REPO/network/dependencies to get an overview of all your dependencies. There’s even a tab called “Dependents” where you can list repositories that depend on your repository.