Developers can now use Dependabot to automatically keep their Bazel dependencies up to date. For projects that use Bazel—either Bzlmod or WORKSPACE—Dependabot version updates can now ensure dependencies stay current with the latest releases.

A huge thanks to the Bazel team for their contributions and collaboration in bringing support to Dependabot.

Background

The open source community’s top requests for Bazel support for Dependabot included:

  • Proper lockfile generation
  • *.MODULE.bazel support
  • WORKSPACE support (still widely used despite upcoming deprecation)

Bazel has two dependency systems: the modern Bzlmod system (MODULE.bazel files) and the legacy WORKSPACE system. Community feedback showed many teams still rely on WORKSPACE, so we built support for both. Additionally, Bazel’s MODULE.bazel.lock files capture complex transitive dependency graphs, including module extensions and repository rules. Incorrect lockfile generation breaks reproducible builds, so we worked closely with the Bazel community to get this right.

Community partnership

The Bazel community provided critical guidance:

  • Fabian Meumertzheim: Lockfile semantics and behavior matching
  • Yun Peng: Testing, validation, and implementation data
  • Alex Eagle: File naming conventions and *.MODULE.bazel patterns

Thank you especially to these folks, and to everyone who tested and provided feedback during our preview support for this ecosystem.

How it works

  1. Dependency detection: Dependabot scans your MODULE.bazel, *.MODULE.bazel, or WORKSPACE files and checks the Bazel Central Registry for updates.
  2. Lockfile management: Dependabot regenerates lockfiles to maintain reproducible builds.
  3. Pull requests: Dependabot opens pull requests with updated declarations, regenerated lockfiles, release notes, and compatibility information.
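
A minimal sketch of the dependency-detection step, as an added example rather than Dependabot's own code: it reads literal `bazel_dep` declarations from a MODULE.bazel file and compares them against a registry version list. The sample file, the registry data, and the simplified numeric version ordering are constructed assumptions.

```python
import ast

# Constructed sample MODULE.bazel content (not from a real project).
SAMPLE_MODULE = '''
module(name = "demo", version = "0.1.0")
bazel_dep(name = "rules_go", version = "0.46.0")
bazel_dep(name = "gazelle", version = "0.35.0", repo_name = "bazel_gazelle")
bazel_dep(name = "platforms", version = "0.0.10", dev_dependency = True)
'''

# Constructed stand-in for the per-module version lists a registry publishes.
SAMPLE_REGISTRY = {
    "rules_go": ["0.46.0", "0.47.1", "0.50.1"],
    "gazelle": ["0.35.0"],
    "platforms": ["0.0.9", "0.0.10", "0.0.11"],
}

def parse_bazel_deps(text):
    """Return {name: version} for every top-level bazel_dep() call."""
    deps = {}
    # These declarations are also valid Python syntax, so ast can read them
    # without executing anything from the file.
    for node in ast.parse(text).body:
        call = getattr(node, "value", None)
        if not (isinstance(node, ast.Expr) and isinstance(call, ast.Call)):
            continue
        if getattr(call.func, "id", None) != "bazel_dep":
            continue
        kwargs = {k.arg: k.value for k in call.keywords}
        name, version = kwargs.get("name"), kwargs.get("version")
        # Only literal strings are reported; computed values are skipped.
        if isinstance(name, ast.Constant) and isinstance(version, ast.Constant):
            deps[name.value] = version.value
    return deps

def version_key(v):
    """Simplified ordering (assumption): dotted numeric release parts only."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def find_updates(module_text, registry):
    """Map each outdated dependency to (current, latest)."""
    updates = {}
    for name, current in parse_bazel_deps(module_text).items():
        latest = max(registry.get(name, []), key=version_key, default=current)
        if version_key(latest) > version_key(current):
            updates[name] = (current, latest)
    return updates
```

Parsing with `ast` instead of evaluating the file means untrusted repository content is never executed while it is being scanned.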

Getting started

Requirements include: