dependabot


As announced in April, Dependabot Preview is shutting down today, as it has been replaced by GitHub-native Dependabot.

To keep getting pull requests that update your packages, upgrade to GitHub-native Dependabot by merging the “Upgrade to GitHub-native Dependabot” pull request in your repository. This pull request, as well as any pull requests from the Dependabot Preview bot, will remain open, but the bot itself will no longer work on your GitHub accounts and organizations.

If you have any questions or need help migrating, please contact GitHub Support.

Learn more about Dependabot in our documentation, or visit our public roadmap to see what’s next for Dependabot.


Until now, unless a specific time was provided, Dependabot version updates ran at 5AM UTC, whether scheduled daily, weekly, or monthly. Concentrating every unscheduled run at the same moment produced large usage spikes that slowed down updates for everyone.

Starting today, we no longer schedule unspecified updates at the same time. Instead, each repository is assigned a time at random, and all updates in that repository will start at that time. If you want to specify a different time for updates to begin, you can use the schedule.time and schedule.timezone properties on each update.

As an example, this config pins /frontend/package.json to the old 5AM UTC slot while running /backend/package.json at 13:30 Pacific time:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "daily"
      time: "05:00"        # explicit time keeps the former 5AM UTC slot
      timezone: "UTC"
  - package-ecosystem: "npm"
    directory: "/backend"
    schedule:
      interval: "daily"
      time: "13:30"
      timezone: "America/Los_Angeles"   # IANA zone name; 13:30 Pacific

Learn more about configuring schedules for Dependabot version updates.

To see what's next for Dependabot, visit the public roadmap.


Dependabot version updates now support Terraform <= 1.0. We have also added support for lockfiles, providers, and private registries.

Thank you to @jmahowald and @userhas404d whose contributions were critical in making this happen.

Learn more about Dependabot version updates.

To see what's next for Dependabot, visit the public roadmap.


Dependabot version updates now have the ability to ignore major, minor, or patch updates for a specific dependency or set of dependencies. For instance, you can use this feature to quiet noisy dependencies or easily avoid major version bumps across multiple dependencies.

You can ignore semver updates by adding update-types to an entry in the ignore configuration option; an entry without update-types continues to ignore every version of the named dependency:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      # ignore all GitHub linguist patch updates
      - dependency-name: "github-linguist"
        update-types: ["version-update:semver-patch"]

Note: this feature only applies to version updates. If you have security updates enabled, Dependabot will still open pull requests that move an ignored dependency to the minimum patched version.
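The following Python is an added example, not Dependabot's own code, that models how an ignore entry with update-types is evaluated: classify an old-to-new version as a major, minor or patch bump, match dependency-name (using `*` wildcards, which Dependabot supports), and apply the note above that security updates are not suppressed. The `aws*` and `left-pad` rules are invented for illustration, and how a bare dependency-name ignore interacts with security updates is not described on this page, so the model simply never suppresses a security update; check the docs before relying on that.

```python
"""Model of Dependabot `ignore` + `update-types` evaluation (added example)."""
import fnmatch
import re

# Constructed ignore list: the github-linguist entry mirrors the config above;
# the wildcard `aws*` rule and the bare `left-pad` rule are assumptions.
IGNORE_RULES = [
    {"dependency-name": "github-linguist",
     "update-types": ["version-update:semver-patch"]},
    {"dependency-name": "aws*",
     "update-types": ["version-update:semver-major"]},
    {"dependency-name": "left-pad"},   # no update-types: ignore every version
]

# Core semver triple; an optional leading "v" and any pre-release/build suffix
# are accepted but not compared.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_semver(version):
    """Return (major, minor, patch) or raise ValueError for a non-semver string."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    return tuple(int(x) for x in m.groups())


def bump_type(old, new):
    """Classify old -> new with the update-type label Dependabot uses.
    Returns None when `new` is not an upgrade (identical or a downgrade)."""
    o, n = parse_semver(old), parse_semver(new)
    if n <= o:
        return None
    if n[0] != o[0]:
        return "version-update:semver-major"
    if n[1] != o[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def rule_matches(rule, name, kind):
    """A rule applies when the dependency name matches its pattern (with `*`
    wildcards) and it either lists no update-types (ignore everything) or the
    bump kind is one of the listed types."""
    if not fnmatch.fnmatchcase(name, rule["dependency-name"]):
        return False
    types = rule.get("update-types")
    return not types or kind in types


def is_ignored(rules, name, old, new, security_update=False):
    """True when a version-update PR for old -> new of `name` would be suppressed.
    Per the post, update-type ignores govern version updates only; a security
    update to the minimum patched version is still raised."""
    if security_update:
        return False
    kind = bump_type(old, new)
    if kind is None:
        return False
    return any(rule_matches(r, name, kind) for r in rules)


if __name__ == "__main__":
    for dep, old, new in [("github-linguist", "7.12.1", "7.12.2"),
                          ("github-linguist", "7.12.1", "7.13.0"),
                          ("aws-sdk", "1.9.0", "2.0.0"),
                          ("left-pad", "1.0.0", "1.0.1")]:
        print(f"{dep} {old} -> {new}: {bump_type(old, new)} "
              f"ignored={is_ignored(IGNORE_RULES, dep, old, new)}")
```

The classifier only compares the numeric triple, so a pre-release such as 2.0.0-rc.1 is treated as a major bump; if you need full semver precedence (pre-release ordering), use a dedicated library rather than the regex here.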

Learn more about Dependabot ignore conditions.

To see what's next for Dependabot, visit the public roadmap.


Millions of repos use Dependabot to keep their dependencies up to date, either by updating when a Dependabot alert lets them know about a vulnerable dependency (security updates), or on a fixed schedule (version updates). Dependabot security updates have been generally available for over a year, and it's time that version updates join them in general availability.

Dependabot version updates extend the functionality provided by security updates by creating pull requests updating all configured dependencies to their latest versions, staying ahead of potential security vulnerabilities. You can configure it to update selected ecosystems on your schedule, including or excluding desired dependencies.

Thanks to all Dependabot users who have filed issues, provided feedback, and helped us achieve this milestone.

Learn more about Dependabot version updates.

To see what's next for Dependabot, visit the public roadmap.


We now group multiple Dependabot alerts together if they're discovered at the same time. This significantly reduces the volume of Dependabot alert notifications that users receive.

A user with admin permissions on a repository, or who has been granted access to its Dependabot alerts, receives a Dependabot alert notification when:

  • Dependabot is first enabled on a repository.
  • Vulnerable dependencies are added to a repository.
  • A new vulnerability is discovered and added to GitHub's Advisory Database. In this case a single notification covers all affected repositories in an organization.

The new notification format is automatically enabled for repositories where you receive Dependabot alert notifications. These apply to email, web, and mobile notifications.

Learn more about configuring your Dependabot alert notifications.


Dependabot can now access dependencies from authenticated private registries, such as GitHub Packages, Azure Artifacts, and Artifactory. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. With this release, Dependabot version updates can help keep inner source as up-to-date as open source.

To enable this feature, add a registries section to your dependabot.yml, reference your new registries in the relevant updates, and add any secrets to Dependabot’s secret store. For example, here’s how to use GitHub Packages with Dependabot:

version: 2
registries:
  npm-ghp-octocat:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.GITHUB_PERSONAL_ACCESS_TOKEN}} # reference a Dependabot secret; never paste the token itself here

updates:
  - package-ecosystem: npm
    directory: "/"
    registries:
      - npm-ghp-octocat   # name from the registries section above
    schedule:
      interval: daily

This complements your ability to give Dependabot version updates access to private repositories, which is common for ecosystems like go modules and npm.
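Because dependabot.yml is committed to the repository, the mistakes that matter in practice are a literal credential in a registries entry, an update that references a registry name that does not exist, and a malformed or missing schedule.time (which, as the scheduling post above explains, means Dependabot picks a random start time). The following Python lint is an added example, not GitHub's tooling; it loads a JSON rendering of a constructed config with the standard library so it runs offline (JSON is valid YAML, so for a real file substitute `yaml.safe_load` from PyYAML). The registry names, the literal password and the bad time value are all made up.

```python
"""Offline lint for dependabot.yml registries, secrets and schedules (added example)."""
import json
import re

# Constructed config in JSON form. Everything in it is invented for the example.
CONFIG_JSON = r"""
{
  "version": 2,
  "registries": {
    "npm-ghp-octocat": {
      "type": "npm-registry",
      "url": "https://npm.pkg.github.com",
      "token": "${{secrets.GITHUB_PERSONAL_ACCESS_TOKEN}}"
    },
    "artifactory-maven": {
      "type": "maven-repository",
      "url": "https://artifactory.example.internal/artifactory/libs-release",
      "username": "ci-bot",
      "password": "hunter2-literal-password"
    }
  },
  "updates": [
    {"package-ecosystem": "npm", "directory": "/",
     "registries": ["npm-ghp-octocat"],
     "schedule": {"interval": "daily", "time": "13:30",
                  "timezone": "America/Los_Angeles"}},
    {"package-ecosystem": "maven", "directory": "/service",
     "registries": ["artifactory-maven", "does-not-exist"],
     "schedule": {"interval": "weekly", "time": "25:00"}}
  ]
}
"""

# Only a reference into the Dependabot secret store is acceptable for a credential.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
HHMM = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")   # schedule.time is 24h HH:MM
CREDENTIAL_KEYS = ("token", "password", "key")


def lint(config):
    """Return a list of (severity, location, message) findings for a parsed config."""
    findings = []
    if config.get("version") != 2:
        findings.append(("error", "version", "dependabot.yml must declare version: 2"))

    registries = config.get("registries") or {}
    for name, reg in registries.items():
        for key in CREDENTIAL_KEYS:
            value = reg.get(key)
            if value is not None and not SECRET_REF.match(str(value)):
                # a literal credential would be committed to the repository
                findings.append(("error", f"registries.{name}.{key}",
                                 "credential is a literal; use ${{secrets.NAME}}"))

    for i, upd in enumerate(config.get("updates") or []):
        loc = f"updates[{i}]"
        refs = upd.get("registries") or []
        if isinstance(refs, str):               # "*" means every registry
            refs = list(registries) if refs == "*" else [refs]
        for ref in refs:
            if ref not in registries:
                findings.append(("error", f"{loc}.registries",
                                 f"unknown registry {ref!r}"))

        sched = upd.get("schedule") or {}
        t = sched.get("time")
        if t is None:
            findings.append(("info", f"{loc}.schedule",
                             "no time set: Dependabot picks a random start time"))
        elif not HHMM.match(str(t)):
            findings.append(("error", f"{loc}.schedule.time",
                             f"time must be HH:MM (24h), got {t!r}"))
        elif not sched.get("timezone"):
            findings.append(("warning", f"{loc}.schedule.timezone",
                             "time given without timezone; UTC is assumed"))
    return findings


def lint_json(text):
    """Parse a JSON-formatted config and lint it."""
    return lint(json.loads(text))


if __name__ == "__main__":
    for sev, loc, msg in lint_json(CONFIG_JSON):
        print(f"{sev:8} {loc}: {msg}")
```

Run as a pre-commit hook or CI step on dependabot.yml, the literal-credential check is the one worth failing the build on; the schedule findings are advisory. The regex for secret references is deliberately strict, so a token pasted with a typo in the `${{ }}` syntax is reported as a literal rather than silently accepted.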

Learn more about Dependabot version updates

To see what’s next for Dependabot, visit the public roadmap
