dependabot

by github · part of github/awesome-copilot

Dependabot is GitHub's built-in dependency management tool with three core capabilities:

Install: npx skills add https://github.com/github/awesome-copilot --skill dependabot

Overview

Dependabot is GitHub's built-in dependency management tool with three core capabilities:

  • Dependabot Alerts — Notify when dependencies have known vulnerabilities (CVEs)

  • Dependabot Security Updates — Auto-create PRs to fix vulnerable dependencies

  • Dependabot Version Updates — Auto-create PRs to keep dependencies current

All configuration lives in a single file: .github/dependabot.yml on the default branch. GitHub does not support multiple dependabot.yml files per repository.

Monorepo Strategies

Glob Patterns for Workspace Coverage

For monorepos with many packages, use glob patterns to avoid listing each directory:

- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"

Cross-Directory Grouping

Use group-by: dependency-name to create a single PR when the same dependency updates across multiple directories:

groups:
  monorepo-deps:
    group-by: dependency-name

This creates one PR per dependency across all specified directories, reducing CI costs and review burden.

Limitations:

  • All directories must use the same package ecosystem

  • Applies to version updates only

  • Incompatible version constraints create separate PRs

Standalone Packages Outside Workspaces

If a directory has its own lockfile and is NOT part of the workspace (e.g., scripts in .github/), create a separate ecosystem entry for it.

Dependency Grouping

Reduce PR noise by grouping related dependencies into single PRs.

By Dependency Type

groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]

By Name Pattern

groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]

For Security Updates

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Key behaviors:

  • Dependencies matching multiple groups go to the first match

  • applies-to defaults to version-updates when absent

  • Ungrouped dependencies get individual PRs

Multi-Ecosystem Groups

Combine updates across different package ecosystems into a single PR:

version: 2

multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]

updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"

  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"

The patterns key is required when using multi-ecosystem-group.

PR Customization

Labels

labels:
  - "dependencies"
  - "npm"

Set labels: [] to disable all labels including defaults. SemVer labels (major, minor, patch) are always applied if present in the repo.

Commit Messages

commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope" # adds deps/deps-dev scope after prefix

Assignees and Milestones

assignees: ["security-team-lead"]
milestone: 4 # numeric ID from milestone URL

Branch Name Separator

pull-request-branch-name:
  separator: "-" # default is /

Target Branch

target-branch: "develop" # PRs target this instead of default branch

Note: When target-branch is set, security updates still target the default branch; the rest of that ecosystem's configuration then applies only to version updates.

Schedule Optimization

Intervals

Supported: daily, weekly, monthly, quarterly, semiannually, yearly, cron

schedule:
  interval: "weekly"
  day: "monday" # for weekly only
  time: "09:00" # HH:MM format
  timezone: "America/New_York"

Cron Expressions

schedule:
  interval: "cron"
  cronjob: "0 9 * * 1" # Every Monday at 9 AM

Cooldown Periods

Delay updates for newly released versions to avoid early-adopter issues:

cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]

Cooldown applies to version updates only, not security updates.

PR Comment Commands

Interact with Dependabot PRs using @dependabot comments.

Note: As of January 2026, merge/close/reopen commands have been deprecated. Use GitHub's native UI, CLI (gh pr merge), or auto-merge instead.

  • @dependabot rebase — Rebase the PR

  • @dependabot recreate — Recreate the PR from scratch

  • @dependabot ignore this dependency — Close and never update this dependency

  • @dependabot ignore this major version — Ignore this major version

  • @dependabot ignore this minor version — Ignore this minor version

  • @dependabot ignore this patch version — Ignore this patch version

For grouped PRs, additional commands:

  • @dependabot ignore DEPENDENCY_NAME — ignore specific dependency in group

  • @dependabot unignore DEPENDENCY_NAME — clear ignores, reopen with updates

  • @dependabot unignore * — clear all ignores for all dependencies in group

  • @dependabot show DEPENDENCY_NAME ignore conditions — display current ignores

For the complete command reference, see references/pr-commands.md.

Ignore and Allow Rules

Ignore Specific Dependencies

ignore:
  - dependency-name: "lodash"
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "express"
    versions: ["5.x"]

Allow Only Specific Types

allow:
  - dependency-type: "production"
  - dependency-name: "express"

Rule: If a dependency matches both allow and ignore, it is ignored.
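The two precedence rules on this page (ignore beats allow here, and a dependency that matches several groups lands in the first one, under Dependency Grouping) are easy to get wrong when reading a real config. The following is an added example, not part of the skill or of Dependabot itself: it models those rules over a constructed config built from the allow, ignore and groups snippets above, with a simplified "N.x" version matcher (an assumption, not Dependabot's full semver range support).

```python
import fnmatch

# Constructed config (a dict rather than YAML so it runs without PyYAML) mirroring
# the allow / ignore / groups snippets on this page.
UPDATE_CONFIG = {
    "allow": [{"dependency-type": "production"}, {"dependency-name": "express"}],
    "ignore": [
        {"dependency-name": "lodash"},
        {"dependency-name": "@types/node", "update-types": ["version-update:semver-patch"]},
        {"dependency-name": "express", "versions": ["5.x"]},
    ],
    "groups": {
        "angular": {"patterns": ["@angular*"], "update-types": ["minor", "patch"]},
        "testing": {"patterns": ["jest*", "@testing-library*", "ts-jest"]},
    },
}

def _version_in(ranges, version):
    # Simplification (assumption): only "N.x" ranges are understood, not full semver ranges.
    return any(version.startswith(r[:-1]) for r in ranges if r.endswith(".x"))

def is_ignored(cfg, name, update_type, version):
    """True when an ignore rule blocks this update; a rule with no update-types/versions blocks all."""
    for rule in cfg.get("ignore", []):
        if not fnmatch.fnmatch(name, rule["dependency-name"]):
            continue
        types, versions = rule.get("update-types"), rule.get("versions")
        if types and f"version-update:semver-{update_type}" not in types:
            continue
        if versions and not _version_in(versions, version):
            continue
        return True
    return False

def is_allowed(cfg, name, dep_type):
    """With an allow list present, a dependency must match at least one entry by name glob or type."""
    rules = cfg.get("allow")
    if not rules:
        return True
    return any(fnmatch.fnmatch(name, r.get("dependency-name", "*"))
               and r.get("dependency-type", "all") in ("all", dep_type) for r in rules)

def route(cfg, name, dep_type, update_type, version):
    """Where a candidate update lands: 'ignored', 'not-allowed', a group name, or 'individual'."""
    if is_ignored(cfg, name, update_type, version):  # ignore wins over allow
        return "ignored"
    if not is_allowed(cfg, name, dep_type):
        return "not-allowed"
    for group, spec in cfg.get("groups", {}).items():  # first matching group wins
        if any(fnmatch.fnmatch(name, p) for p in spec.get("patterns", ["*"])) \
                and update_type in spec.get("update-types", ["major", "minor", "patch"]):
            return group
    return "individual"
```

Running route() over a few candidate updates shows, for instance, that an express 5.x update is ignored even though express is explicitly allowed, and that an @angular major bump falls outside the angular group and gets its own PR.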

Exclude Paths

exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"

Advanced Options

Versioning Strategy

Controls how Dependabot edits version constraints:

  • auto — Default: increase for apps, widen for libraries

  • increase — Always increase the minimum version

  • increase-if-necessary — Only change the range if it excludes the new version

  • lockfile-only — Only update lockfiles, ignore manifests

  • widen — Widen the range to include both old and new versions

Rebase Strategy

rebase-strategy: "disabled" # stop auto-rebasing

Allow rebase over extra commits by including [dependabot skip] in commit messages.

Open PR Limit

open-pull-requests-limit: 10 # default is 5 for version, 10 for security

Set to 0 to disable version updates entirely.

Private Registries

registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private

Pre-Commit Dependency Scanning via AI Coding Agents

To scan code changes for vulnerable dependencies from inside an AI coding agent before committing, use the GitHub MCP Server's dependabot toolset: it checks your dependency additions against the GitHub Advisory Database and returns structured results with affected packages, severity, and recommended fixed versions. For more thorough post-commit checks, it can also run the Dependabot CLI locally to diff dependency graphs before and after your changes.

Install the Advanced Security plugin, which provides dedicated dependency scanning tools and the /dependency-scanning skill.

GitHub Copilot CLI (shell):

# Enable the dependabot toolset for the GitHub MCP Server
copilot --add-github-mcp-toolset dependabot

GitHub Copilot CLI (inside copilot):

> /plugin install advanced-security@copilot-plugins

Visual Studio Code:

  • Add "X-MCP-Toolsets": "dependabot" to your GitHub MCP Server headers, or pick Dependabot from the toolset selector in Copilot Chat

  • Install the advanced-security plugin, then use /dependency-scanning in Copilot Chat

Example prompt:

Scan the dependencies I added on this branch for known vulnerabilities and tell me which versions to upgrade to before I commit.

See: Advanced Security Plugin — Dependency Scanning Skill

Announced in: Dependency scanning with GitHub MCP Server is in public preview (May 2026)

Resources

  • references/dependabot-yml-reference.md — Complete YAML options reference

  • references/pr-commands.md — Full PR comment commands reference

  • references/example-configs.md — Real-world configuration examples