Dependabot can now exclude automatic pull requests for manifests in selected subdirectories
You can now tell Dependabot to completely skip dependency manifests that live in specific subdirectories of your repository. This general availability release reduces noise by preventing unwanted update pull requests from ever being opened, which is especially useful in large monorepos or repositories with examples, templates, test fixtures, or experimental code.
What’s new
The exclude-paths option in the dependabot.yml file allows you to exclude specific folders or files explicitly or via glob patterns so Dependabot skips manifests in “sub-monorepo” directories.
Why this matters
Previously, if you only wanted Dependabot updates for core production code, you had to do one of the following:
- List many separate updates entries, one per directory you did want
- Accept pull request noise from manifests in examples/, samples/, playgrounds/, generated scaffolds, or archived/legacy areas
With directory-level exclusion rules you can keep a single, broad configuration (e.g., directory: "/") and carve out what you don’t want Dependabot to scan.
Tips and tricks
- Applies before manifest parsing: Dependabot will not list, parse, or open pull requests for excluded paths.
- Supports glob patterns (**, *).
- Evaluated relative to the root of the repository, the same base as the directory you specify.
- Available per update configuration block so you can tailor exclusions per ecosystem.
- Does not replace dependency-level ignore rules; those still control versions or specific packages. Use both when you want to suppress directories plus certain dependency updates globally.
- If you have multiple updates blocks that overlap, each block’s exclude-paths applies only to the manifests that block would otherwise scan.
- Grouping (i.e., groups:) only considers manifests that are not ignored.
- Check out our documentation to learn more and get started using this feature in your dependabot.yml config file.
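As an added illustration (not taken from the original announcement), the following dependabot.yml keeps one broad block per ecosystem and carves out non-production paths. The directory names, the group name and the ignored package are constructed for the example.

```yaml
# Constructed example: paths, group name and package name are illustrative.
version: 2
updates:
  # One broad npm block for the repository instead of one entry per directory.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Paths are relative to the repository root. Manifests matched here are
    # never listed or parsed, and no pull requests are opened for them.
    exclude-paths:
      - "examples/**"
      - "playgrounds/**"
      - "test/fixtures/**"
      - "legacy/archived-app/package.json"   # a single file, named explicitly
    # Dependency-level rule: still needed to suppress specific packages or
    # versions in the manifests that remain in scope.
    ignore:
      - dependency-name: "example-package"
        update-types: ["version-update:semver-major"]
    # Grouping only sees manifests that were not excluded above.
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]

  # exclude-paths is set per block, so another ecosystem can carve out
  # a different set of directories.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    exclude-paths:
      - "samples/**"
```

Keeping each exclusion as its own line makes changes to the list easy to spot in code review, which helps when confirming that an excluded directory really is non-production.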
Security & compliance
Ignoring manifests in specified subdirectories means Dependabot will not surface pull requests for dependencies only referenced in those excluded directories. Ensure directories you exclude are truly non-production or intentionally unmanaged.
Availability
- github.com: Available today
- GHES: Will ship in GHES 3.19
Join the discussion within the Dependabot Community.