dependabot


Developers can now use Dependabot to keep their bun dependencies up to date automatically. For projects that use bun as a package manager, Dependabot Version Updates can now ensure dependencies stay current with the latest releases.

Support for bun security updates will be added in the future.

As of February 5, 2025, Dependabot no longer supports Python 3.8, which has reached its end-of-life. If you continue to use Python 3.8, Dependabot will not be able to create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of Python. As of February 2025, Python 3.13 is the newest supported release.

View Python’s official documentation for more information about supported releases.

Starting today, Dependabot offers full support for pnpm workspace catalogs.

pnpm workspace catalogs are widely used in monorepos, and improper dependency handling can lead to:

  • Broken dependency trees due to unintended modifications.
  • Install failures in CI environments due to lockfile mismatches.
  • `NoChangeErrors` when workspaces conflict with each other.

Starting today, Dependabot fully supports pnpm workspace catalogs. This means that Dependabot now:

  • Ensures safe, scoped updates for each workspace.
  • Prevents lockfile inconsistencies that break dependency resolution.
  • Improves the reliability of updates in `pnpm` monorepos.

Learn more about Dependabot
Learn more about pnpm catalogs
Join the community discussion to share feedback and tips

As of January 20th, 2025, Dependabot no longer supports npm version 6, which has reached its end-of-life. If you continue to use npm version 6, Dependabot will be unable to create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of npm. As of December 2024, npm 11 is the newest supported release.

View npm’s official documentation for more information about supported releases.

On February 5th, 2025, Dependabot will end support for Python version 3.8, which has reached its end-of-life. If you continue to use Python version 3.8, there’s a risk that Dependabot will not create pull requests to update dependencies. To prevent this from happening, please update to a supported release of Python. As of January 2025, the latest supported release of Python is version 3.13. View Python’s official documentation for more information about supported releases.

On January 20th, 2025, Dependabot will end support for npm version 6, which has reached its end-of-life. If you continue to use npm version 6, there’s a risk that Dependabot will not create pull requests to update dependencies. In that case, we recommend updating to a supported release of npm. As of December 2024, the newest supported release of npm is version 11. View npm’s official documentation for more information about supported releases.

As part of our ongoing efforts to improve flexibility and control for managing the security manager role, we are retiring the security manager API and replacing it with the more robust organization roles API, which provides expanded functionality for managing roles in an organization, including security managers.

Endpoints Affected

The following security manager endpoints will be retired in 12 months:

  • GET /orgs/{org}/security-managers/teams
  • PUT /orgs/{org}/security-managers/teams/{team_slug}
  • DELETE /orgs/{org}/security-managers/teams/{team_slug}

After this period, these endpoints will no longer be available. Instead, you can use the organization roles API to perform the same actions and much more.

Retirement Timeline

  • GitHub.com: 2025-12-31
  • GitHub Enterprise Server: Version 3.20

Replacements

The organization roles API offers enhanced capabilities for managing roles across an organization. Use the following endpoints as replacements:

  • GET /orgs/{org}/roles
  • GET /orgs/{org}/roles/{role_id}/teams
  • PUT /orgs/{org}/roles/{role_id}/teams/{team_slug}
  • DELETE /orgs/{org}/roles/{role_id}/teams/{team_slug}

You can start transitioning to the organization roles API today on GitHub.com. For GitHub Enterprise Server users, the organization roles API will support the security manager role starting in version 3.16.

Learn more about the organization roles API and send us your feedback
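As an added example (not GitHub's own code), the Python helpers below show how a script that relied on the retiring security-manager endpoints can be moved onto the organization roles API: the security manager role's `role_id` is first resolved from `GET /orgs/{org}/roles`, and that id then drives the team endpoints. It assumes the predefined role appears under the name `security_manager`, that the roles listing is returned as `{"roles": [...]}` and the team listing as an array of team objects with a `slug`, and it takes the HTTP transport as an injected callable so the constructed sample responses let it run offline.

```python
from typing import Any, Callable, List, Optional

# Assumption: GET /orgs/{org}/roles lists the predefined role under this name.
SECURITY_MANAGER_ROLE_NAME = "security_manager"

def find_security_manager_role_id(roles_response: Any) -> Optional[int]:
    """Pick the security manager role id out of a GET /orgs/{org}/roles response."""
    for role in roles_response.get("roles", []):
        if role.get("name") == SECURITY_MANAGER_ROLE_NAME:
            return role["id"]
    return None

def _resolve_role_id(org: str, api_get: Callable[[str], Any]) -> int:
    """Extra round trip the legacy endpoints did not need: look the role_id up first."""
    role_id = find_security_manager_role_id(api_get(f"/orgs/{org}/roles"))
    if role_id is None:
        raise LookupError(f"no {SECURITY_MANAGER_ROLE_NAME} role in org {org}")
    return role_id

def list_security_manager_teams(org: str, api_get: Callable[[str], Any]) -> List[str]:
    """Replacement for GET /orgs/{org}/security-managers/teams: returns team slugs."""
    role_id = _resolve_role_id(org, api_get)
    return [team["slug"] for team in api_get(f"/orgs/{org}/roles/{role_id}/teams")]

def set_security_manager_team(org: str, team_slug: str, api_get: Callable[[str], Any],
                              api_call: Callable[[str, str], Any], grant: bool = True) -> str:
    """Replacement for PUT/DELETE /orgs/{org}/security-managers/teams/{team_slug}."""
    method = "PUT" if grant else "DELETE"
    path = f"/orgs/{org}/roles/{_resolve_role_id(org, api_get)}/teams/{team_slug}"
    api_call(method, path)  # in production: an authenticated request to api.github.com
    return f"{method} {path}"

# Constructed sample responses (not real data) so the helpers can be exercised offline.
SAMPLE_ROLES = {"total_count": 2, "roles": [{"id": 8130, "name": "all_repo_read"},
                                             {"id": 8134, "name": "security_manager"}]}
SAMPLE_TEAMS = [{"slug": "appsec"}, {"slug": "platform-security"}]

def sample_api_get(path: str) -> Any:
    """Offline stand-in for an authenticated GET, serving the constructed samples."""
    if path.endswith("/roles"):
        return SAMPLE_ROLES
    if path.endswith("/roles/8134/teams"):
        return SAMPLE_TEAMS
    raise KeyError(path)
```

Because the roles API needs the `role_id` lookup first, callers that hard-coded the old one-call paths should expect one additional request per operation and handle the case where the role is absent.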

Dependabot can now keep you up to date with the latest version of the .NET SDK by updating the global.json file in your repository. You can enable updates for the .NET SDK by adding a dotnet-sdk entry to your dependabot.yml file. At this time, Dependabot will not create security alerts for the .NET SDK, although performing regular version updates will ensure you’re always using the latest .NET SDK.

See our documentation to learn more about configuring Dependabot.

As of November 6, 2024, Dependabot no longer supports Composer version 1, which has reached its end-of-life. If you continue to use Composer version 1, Dependabot will be unable to create pull requests to update your dependencies. If this affects you, we recommend updating to a supported release of Composer. As of October 2024, the newest supported version of Composer is 2.8, and the long-term supported version is 2.2.

View Composer’s official documentation for more information about supported releases.

Copilot Autofix for Dependabot is now available in private preview for TypeScript repositories.

This new feature combines the power of GitHub Copilot with Dependabot, making it easier than ever to automatically fix breaking changes introduced by dependency updates. With Copilot Autofix, you can save time and minimize disruptions by receiving AI-generated fixes to resolve breaking changes caused by dependency upgrades in Dependabot-authored pull requests.

Why Copilot Autofix for Dependabot?

Dependency updates can introduce breaking changes that lead to failing CI tests and deployment delays. Identifying the exact cause of these breaks and implementing the correct fix can require significant time and effort, making it challenging to stay on the most up-to-date and secure version of a dependency.

Dependabot can now leverage the power of Copilot Autofix to analyze dependency updates that fail CI tests and suggest fixes, all within the pull request. Copilot Autofix for Dependabot not only helps keep your dependencies up to date, but also keeps your CI green. Staying up to date on dependency upgrades that include breaking changes is now easier and faster than ever.

How to join the private preview

To sign up for the feature waitlist, fill out the form to express your interest. We’ll notify selected participants as we roll out the feature over the coming weeks.

This feature is available in private preview to GitHub Advanced Security customers on cloud deployments. Starting today, we support TypeScript repos with tests set up in GitHub Actions. As we continue to develop this feature, we will expand coverage for additional languages and testing requirements.

Learn more

Please keep an eye on future changelogs for more updates as the feature moves to public preview and general availability.

To learn more, please join the waitlist or check out the latest GitHub feature previews.

To hear what others are saying and offer your own take, join the discussion in the GitHub Community.

In the coming months, the current interface for managing code security settings for an enterprise will be deprecated and replaced with new and improved code security configurations, which will provide you with a more consistent and scalable way to manage security settings across repositories within your enterprise.

The current REST API endpoint to enable or disable a security feature for an enterprise is now deprecated. It will continue to work for an additional year in the current version of the REST API before being removed in September of 2025, but note that it may conflict with settings assigned in code security configurations if the configuration is unenforced, potentially resulting in a security configuration being unintentionally removed from a repository. To change the security settings for repositories at the enterprise level, you can use the current enterprise-level security settings UI or the upcoming code security configurations API.

Send us your feedback!

As of November 6, 2024, Dependabot will no longer support Composer version 1, which has reached its end of life. If you continue to use Composer version 1, there’s a risk that Dependabot will not create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of Composer. As of October 2024, the newest supported release of Composer is 2.8, and the long-term supported version is 2.2. View Composer’s official documentation for more information about supported releases. This will take effect in GHEC as of today and GHES in version 3.16.

As of October 7, 2024, Dependabot no longer supports Bundler version 1, which has reached its end-of-life. If you continue to use Bundler version 1, Dependabot will be unable to create pull requests to update your dependencies. If this affects you, we recommend updating to a supported release of Bundler. As of October 2024, the newest supported version is 2.5.

View Bundler’s official support policies for more information about supported releases.

As of October 7, 2024, Dependabot will no longer support Bundler version 1, which has reached its end-of-life. If you continue to use Bundler version 1, there’s a risk that Dependabot will not create pull requests to update dependencies. If this affects you, we recommend updating to a supported release of Bundler. As of September 2024, the newest supported version of Bundler is 2.5. View Bundler’s official support policies for more information about supported releases.

You can now use Copilot Chat in GitHub.com to search across GitHub to find and learn more about GitHub Advanced Security alerts from code scanning, secret scanning, and Dependabot. This change helps you to better understand and seamlessly fix security alerts in your pull request. ✨

Try it yourself by asking questions like:
– How would I fix this alert?
– How many alerts do I have on this PR?
– What class is this code scanning alert referencing?
– What library is affected by this Dependabot alert?
– What security alerts do I have in this repository?

Learn more about asking questions in Copilot Chat on GitHub.com or about GitHub Advanced Security.
