You can now tell Dependabot to completely skip dependency manifests that live in specific subdirectories of your repository. This general availability release reduces noise by preventing unwanted update pull requests from ever being opened. It is especially useful in large monorepos or in repositories with examples, templates, test fixtures, or experimental code.

What’s new

The exclude-paths option in the dependabot.yml file lets you exclude specific folders or files, either by explicit path or by glob pattern, so that Dependabot skips manifests in “sub-monorepo” directories.

Why this matters

Previously, if you only wanted Dependabot updates for core production code, you had to do one of the following:

  • List many separate updates entries — one per directory you did want
  • Accept pull request noise from manifests in examples/, samples/, playgrounds/, generated scaffolds, or archived/legacy areas

With directory-level exclusion rules you can keep a single, broad configuration (e.g., directory: "/") and carve out what you don’t want Dependabot to scan.

Tips and tricks

  • Applies before manifest parsing: Dependabot will not list, parse, or open pull requests for excluded paths.
  • Supports glob patterns (**, *).
  • Evaluated relative to the root of the repository — the same base as the directory you specify.
  • Available per update configuration block so you can tailor exclusions per ecosystem.
  • Does not replace dependency-level ignore rules — those still control versions or specific packages. Use both when you want to suppress directories plus certain dependency updates globally.
  • If you have multiple updates blocks that overlap, each block’s exclude-paths applies only to the manifests that block would otherwise scan.
  • Grouping (i.e., groups:) only considers manifests that are not excluded.
  • Check out our documentation to learn more and get started using this feature in your dependabot.yml config file.
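
A dependabot.yml sketch combining the options above, added here as an illustration and not taken from GitHub's documentation. The directory names, the lodash ignore rule and the group name are constructed placeholders.

```yaml
version: 2
updates:
  # One broad npm block rooted at "/" instead of one entry per wanted directory.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Paths are relative to the repository root; manifests under them are skipped.
    exclude-paths:
      - "examples/**"
      - "samples/**"
      - "playgrounds/**"
      - "legacy/archived-app/package.json"   # a single file, named explicitly
    # Dependency-level ignore rules still apply to the manifests that remain.
    ignore:
      - dependency-name: "lodash"            # hypothetical package
        update-types: ["version-update:semver-major"]
    # Groups only consider manifests that were not excluded above.
    groups:
      production-deps:                       # hypothetical group name
        patterns:
          - "*"

  # Exclusions are per block: this pip block carries its own list.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    exclude-paths:
      - "tests/fixtures/**"
```

When reviewing a change like this, list the manifests under each excluded path and confirm none of them feeds a production build, since Dependabot will no longer open pull requests for dependencies referenced only there.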

Security & compliance

Ignoring manifests in specified subdirectories means Dependabot will not surface pull requests for dependencies only referenced in those excluded directories. Ensure directories you exclude are truly non-production or intentionally unmanaged.

Availability

  • github.com: Available today
  • GHES: Will ship in GHES 3.19

Join the discussion within the Dependabot Community.