Starting today, Dependabot will pause automated pull request activity if you haven't merged, closed, or otherwise interacted with Dependabot for over 90 days. To resume activity when you're ready, simply interact with Dependabot.
This change will help Dependabot be more focused to the repositories you care about.
When will Dependabot become paused?
This change only applies to repositories where Dependabot pull requests exist but remain untouched. If no Dependabot pull requests have been opened, Dependabot will never become paused.
The following must be true for at least 90 days:
- Has not had a Dependabot PR merged
- Has not had changes made to the Dependabot config file
- Has not had any @dependabot comment-ops performed
- Has not had any Dependabot PRs closed by the user
- Has received at least one Dependabot PR before the 90 day window
- Has at least one Dependabot PR open at the end of the 90 day window
- Has had Dependabot enabled for this entire period
How will Dependabot let me know?
Dependabot will add a notice to the body of all open Dependabot pull requests and add a
dependabot-paused label to them. Dependabot will also add a banner notice in the UI of your repository settings page (under “Dependabot”) as well as your Dependabot alerts page (if Dependabot security updates are affected).
Who can use this feature?
This change does not apply to Dependabot alerts or subsequent notifications. So, only repositories that have automated Dependabot version updates or security updates, but haven't interacted with these pull requests for a while, will be affected.
This change will start to roll out today, expanding through January 2023 to include all repositories owned by individuals and by organizations with free and Team plans.
Later, it will roll out to GitHub Enterprise Cloud and GitHub Enterprise Server customers, where this improvement has the added benefit of enhanced efficiency with your self-hosted GitHub Actions runners.
Learn more about this change.