Improvement
Dependabot now supports pre-commit hooks
GitHub Dependabot now natively supports automatic dependency updates for pre-commit hooks. By adding pre-commit as a package ecosystem in your dependabot.yml configuration, Dependabot will parse your .pre-commit-config.yaml, check each hook’s repository for new tags or releases, and open pull requests to update the rev field. This is all fully integrated into your existing Dependabot workflow.
Supported features include:
- Tag and SHA-based revisions: Works with hooks pinned to Git tags (e.g., v4.5.0) or commit SHAs.
- Grouped updates: Combine multiple hook updates into a single pull request using Dependabot’s existing grouped updates configuration.
- Changelog and release notes: Pull requests include changelogs and release notes from hook repositories so you can review what’s changed before merging.
- YAML formatting preservation: Updates modify the rev value and any inline version comments (e.g., # frozen:) to reflect the new version, all while keeping your existing structure intact.
- Graceful handling of local and meta repos: Dependabot automatically skips local and meta hook definitions that don’t require version updates.
- Multi-host support: Works with hooks hosted on GitHub, GitLab, Bitbucket, and other Git hosting providers.
To get started, configure pre-commit support in Dependabot version updates and join the conversation in dependabot-core.
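
A configuration matching the features listed above, as an added example that is not taken from GitHub's documentation. The group name, schedule, the GitLab repository with its hook id, the local hook, and the commit SHA are constructed placeholders; the two YAML documents are separate files.

```yaml
# File 1: .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "pre-commit"   # ecosystem name as given in the announcement
    directory: "/"                    # where .pre-commit-config.yaml lives
    schedule:
      interval: "weekly"              # assumption: pick the cadence you review at
    groups:
      pre-commit-hooks:               # hypothetical group name
        patterns:
          - "*"                       # one pull request for all hook updates
---
# File 2: .pre-commit-config.yaml
repos:
  # Pinned to a Git tag: Dependabot proposes a newer tag in rev.
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: check-yaml

  # Pinned to a commit SHA with an inline version comment. A SHA cannot be
  # re-pointed the way a tag can, so the reviewed code is the code that runs.
  # Repository, hook id and SHA are constructed placeholders.
  - repo: https://gitlab.com/example-org/example-hook
    rev: 0123456789abcdef0123456789abcdef01234567  # frozen: v1.2.3
    hooks:
      - id: example-hook

  # local and meta entries carry no rev, so there is nothing to update.
  - repo: local
    hooks:
      - id: project-lint              # hypothetical local hook
        name: project lint
        entry: ./scripts/lint.sh
        language: script

  - repo: meta
    hooks:
      - id: check-hooks-apply
```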