Dependabot version updates helps you keep your dependencies up-to-date by opening pull requests when dependencies can be upgraded. With today's release, you can now group version updates by dependency name.
Until today, Dependabot would always open individual pull requests for every dependency update in accordance with your configuration in
dependabot.yml. Not only can this result in a large number of Dependabot pull requests, but there are some dependencies which must be updated in tandem with each other or the update will fail. In these cases, the individual Dependabot pull requests would always fail until you manually intervened to do the update.
Now, in your
dependabot.yml configuration file, you can set custom grouping rules for Dependabot based on pattern matching on package name. Here is an example of how these rules can be set up:
- package-ecosystem: "bundler"
# This is the name of your group, it will be used in PR titles and branch names
# A pattern can be...
- "rubocop" # a single dependency name
- "aws*" # or a wildcard string that matches multiple dependencies
# If you'd simply like to group as many dependencies together as possible,
# you can use the wildcard * - but keep in mind this may open a very large PR!
# Additionally, you can specify any dependencies to be excluded from the group
This configuration applies to regularly scheduled Dependabot version updates only. Security updates for Dependabot will continue to open as individual pull requests, even if they match a configured grouping rule.
This feature is in beta, so you may encounter instability and the feature-set is currently limited. You may file any bugs encountered in the dependabot-core repo.
To learn more about grouping rules for Dependabot version updates, please refer to our documentation.