Dependabot version updates help you keep your dependencies up-to-date by opening pull requests when dependencies can be upgraded. With today's release, you can now use flexible grouping options in
dependabot.yml to take control of how Dependabot structures its pull requests to make them more mergeable for you based on your context. Whether you'd like to simply update as many dependencies at once as possible (
patterns: *) or minimize the risk of breaking changes (
dependency-type: development or
update-types: "patch"), there are grouping options for you.
Until today, Dependabot would always open individual pull requests for every dependency update in accordance with your configuration in
dependabot.yml. Not only can this result in a large number of Dependabot pull requests, but there are some dependencies which must be updated in tandem with each other or the update will fail. In these cases, the individual Dependabot pull requests would always fail until you manually intervened to do the update.
The available grouping options are:
patterns, which will match based on package names
dependency-type, which will group based on development or production dependencies, for ecosystems where this is supported, and
update-types, which will group based on SemVer level update
At this time, grouping is not available for security updates or Dependabot alerts.