Skip to content

Grouped version updates for Dependabot public beta

Dependabot version updates helps you keep your dependencies up-to-date by opening pull requests when dependencies can be upgraded. With today's release, you can now group version updates by dependency name.

Until today, Dependabot would always open individual pull requests for every dependency update in accordance with your configuration in dependabot.yml. Not only can this result in a large number of Dependabot pull requests, but there are some dependencies which must be updated in tandem with each other or the update will fail. In these cases, the individual Dependabot pull requests would always fail until you manually intervened to do the update.

Now, in your dependabot.yml configuration file, you can set custom grouping rules for Dependabot based on pattern matching on package name. Here is an example of how these rules can be set up:

version: 2
  - package-ecosystem: "bundler"
    directory: "/"
      interval: weekly
    # New!
      # This is the name of your group, it will be used in PR titles and branch names
        # A pattern can be...
          - "rubocop" # a single dependency name
          - "aws*"  # or a wildcard string that matches multiple dependencies
          # If you'd simply like to group as many dependencies together as possible, 
          # you can use the wildcard * - but keep in mind this may open a very large PR!
        # Additionally, you can specify any dependencies to be excluded from the group
          - "aws-sdk"

This configuration applies to regularly scheduled Dependabot version updates only. Security updates for Dependabot will continue to open as individual pull requests, even if they match a configured grouping rule.

This feature is in beta, so you may encounter instability and the feature-set is currently limited. You may file any bugs encountered in the dependabot-core repo.

To learn more about grouping rules for Dependabot version updates, please refer to our documentation.

During two-factor authentication and when entering sudo mode for sensitive actions on, TOTP codes could be successfully used multiple times within their validity window. To improve security, this reuse is no longer allowed on, and will be updated in GHES with version 3.10.

Systems that have attempted to script the login flow, across multiple parallel jobs, may break as a result of this change.

Learn more about two-factor authentication with TOTP.

See more

Today we are announcing the general availability of our organization and enterprise-level security risk and coverage pages.

Additionally, the alert-centric pages for Dependabot, code scanning, and secret scanning are also now generally available at both the organization and enterprise levels.

The enterprise-level security overview page has been replaced by the risk and coverage pages as previously announced. The risk page is designed to help you assess security exposure, and the coverage view is intended to help you manage security feature enablement.

To access the new enterprise-level risk and coverage pages, follow these steps:

  1. Navigate to your profile photo in the top-right corner of
  2. Click Your enterprises.
  3. From the list of enterprises, select the enterprise you wish to view.
  4. In the enterprise account sidebar, click on Code Security.

These improvements have shipped to and will be available in GitHub Enterprise Server 3.10.

Learn more about the new risk and coverage pages and send us your feedback

See more