Goodbye Dependabot Preview, hello Dependabot!
Dependabot Preview has helped more than 30,000 organizations keep their packages updated with more than seven million pull requests merged since it launched. As a result of that success, the…
Dependabot Preview has helped more than 30,000 organizations keep their packages updated with more than seven million pull requests merged since it launched. As a result of that success, the Dependabot team joined GitHub in May 2019 and started building an updated version of Dependabot directly into GitHub. Now, we’re taking the next step, migrating customers from Dependabot Preview and onto the GitHub-native Dependabot.
As of today, the Dependabot Preview app and Dependabot.com no longer accept new customers, and will be shut down on August 3rd, 2021. To keep getting pull requests that update your packages, upgrade to GitHub Dependabot by merging the “Upgrade to GitHub-native Dependabot” pull request in your repository by August 3rd. After this date, any open pull requests from the Dependabot Preview bot will remain open, but the bot itself will no longer work on your GitHub accounts and organizations.
In GitHub Dependabot, most configuration is done via the configuration file. This file is very similar to the Dependabot Preview configuration file, but we’ve made a few changes and improvements that will be automatically included in the update pull request. You can see the update logs that used to be on the dependabot.com dashboard by going to your repository’s Insights page, clicking the Dependency graph tab on the left, and then clicking Dependabot.
Saying goodbye to a few features
With the recent launch of private registry support, almost all Dependabot Preview features are now available in GitHub Dependabot. However, some features will not be available in GitHub Dependabot:
- Live updates: We hope to bring these back in the future. For now, you can run GitHub Dependabot daily to catch new packages within one day of release.
- PHP environment variable registries: These features have not been added, but we are investigating if there are other solutions. For now, you can use GitHub Actions to fetch dependencies from these registries.
- Auto-merge: We always recommend verifying your dependencies before merging them; therefore, auto-merge will not be supported for the foreseeable future. For those of you who have vetted your dependencies, or are only using internal dependencies, we recommend adding third-party auto-merge apps, or setting up GitHub Actions to merge.
Keeping dependencies updated is a crucial part of securing your software supply chain—whether you’re working on an open source project or a large enterprise. We’ve got lots of exciting features on the roadmap, including more ecosystem updates, improved notifications, and Dependabot support for GitHub Enterprise Server.
If you have any questions or need help migrating, please contact GitHub Support.
Learn more about Dependabot in our documentation, or visit our public roadmap to see what’s next for Dependabot.
Tags:
Written by
Related posts
We need a European Sovereign Tech Fund
Open source software is critical infrastructure, but it’s underfunded. With a new feasibility study, GitHub’s developer policy team is building a coalition of policymakers and industry to close the maintenance funding gap.
GitHub Availability Report: June 2025
In June, we experienced three incidents that resulted in degraded performance across GitHub services.
From pair to peer programmer: Our vision for agentic workflows in GitHub Copilot
AI agents in GitHub Copilot don’t just assist developers but actively solve problems through multi-step reasoning and execution. Here’s what that means.