Reduce pull request noise and fix multiple security alerts at once with Dependabot grouped security updates.
Starting today, you can enable grouped security updates for Dependabot at the repository or organization-level. When you click “Enable” for this feature, Dependabot will collect all available security updates in a repository and attempt to open one pull request with all of them, per ecosystem, across directories. There is no further configuration available at this time.
Known limitations
- Dependabot will NOT group across ecosystem (e.g. it will not group pip updates and npm updates together)
- Dependabot WILL group across directories (e.g. if you have multiple package.json’s in different directories in the same repository)
- If you have version updates enabled as well, Dependabot will NOT group security updates with version updates
- If you use grouping for version updates, your
groups
configuration independabot.yml
will NOT apply to security updates
To enable this feature, go to your repository or organization settings page, then go to the Code security and analysis
tab, and click “Enable” for grouped security updates (this also requires each affected repository to enable Dependency graph, Dependabot alerts, and Dependabot security updates). When you enable this feature, Dependabot will immediately attempt to create grouped security pull requests for any available security updates in your repository.
We’d love to hear your feedback as you try this feature! Join the discussion within GitHub Community.