Dependabot Preview has helped more than 30,000 organizations keep their packages updated with more than seven million pull requests merged since it launched. As a result of that success, the Dependabot team joined GitHub in May 2019 and started building an updated version of Dependabot directly into GitHub. Now, we’re taking the next step, migrating customers from Dependabot Preview and onto the GitHub-native Dependabot.
As of today, the Dependabot Preview app and Dependabot.com no longer accept new customers, and will be shut down on August 3rd, 2021. To keep getting pull requests that update your packages, upgrade to GitHub Dependabot by merging the “Upgrade to GitHub-native Dependabot” pull request in your repository by August 3rd. After this date, any open pull requests from the Dependabot Preview bot will remain open, but the bot itself will no longer work on your GitHub accounts and organizations.
In GitHub Dependabot, most configuration is done via the configuration file. This file is very similar to the Dependabot Preview configuration file, but we’ve made a few changes and improvements that will be automatically included in the update pull request. You can see the update logs that used to be on the dependabot.com dashboard by going to your repository’s Insights page, clicking the Dependency graph tab on the left, and then clicking Dependabot.
With the recent launch of private registry support, almost all Dependabot Preview features are now available in GitHub Dependabot. However, some features will not be available in GitHub Dependabot:
- Live updates: We hope to bring these back in the future. For now, you can run GitHub Dependabot daily to catch new packages within one day of release.
- PHP environment variable registries: These features have not been added, but we are investigating if there are other solutions. For now, you can use GitHub Actions to fetch dependencies from these registries.
- Auto-merge: We always recommend verifying your dependencies before merging them; therefore, auto-merge will not be supported for the foreseeable future. For those of you who have vetted your dependencies, or are only using internal dependencies, we recommend adding third-party auto-merge apps, or setting up GitHub Actions to merge.
Keeping dependencies updated is a crucial part of securing your software supply chain—whether you’re working on an open source project or a large enterprise. We’ve got lots of exciting features on the roadmap, including more ecosystem updates, improved notifications, and Dependabot support for GitHub Enterprise Server.
If you have any questions or need help migrating, please contact GitHub Support.