The Dependabot configuration file, dependabot.yml, uses YAML syntax. If you're new to YAML and want to learn more, see "Learn YAML in five minutes."

When you add or update the dependabot.yml file, this triggers an immediate check for version updates. Any options that also affect security updates are used the next time a security alert triggers a pull request for a security update. For more information, see "Enabling and disabling Dependabot version updates" and "Configuring Dependabot security updates."

The dependabot.yml file has two mandatory top-level keys: version, and updates. You can, optionally, include a top-level registries key. You use the updates key to configure how Dependabot updates the versions of your project's dependencies. Each entry configures the update settings for a particular package manager.

| Option | Description |
| --- | --- |
| `insecure-external-code-execution` | Allow or deny code execution in manifest files |
| `open-pull-requests-limit` | Limit number of open pull requests for version updates |
| `pull-request-branch-name.separator` | Change separator for pull request branch names |
| `registries` | Private registries that Dependabot can access |
| `schedule.timezone` | Timezone for time of day (zone identifier) |
| `versioning-strategy` | How to update manifest version requirements |

These options fit broadly into the following categories.

- Essential set up options that you must include in all configurations: package-ecosystem, directory, schedule.interval.
- Options to customize the update schedule: schedule.time, schedule.timezone, schedule.day.

In addition, the open-pull-requests-limit option changes the maximum number of pull requests for version updates that Dependabot can open.

Note: Some of these configuration options may also affect pull requests raised for security updates of vulnerable package manifests. Security updates are raised for vulnerable package manifests only on the default branch. When configuration options are set for the same branch (true unless you use target-branch), and specify a package-ecosystem and directory for the vulnerable manifest, then pull requests for security updates use relevant options. In general, security updates use any configuration options that affect pull requests, for example, adding metadata or changing their behavior. For more information about security updates, see "Configuring Dependabot security updates."

## package-ecosystem

You add one package-ecosystem element for each package manager that you want Dependabot to monitor for new versions. The repository must also contain a dependency manifest or lock file for each of these package managers. If you want to enable vendoring for a package manager that supports it, the vendored dependencies must be located in the required directory.

The following table shows, for each package manager:

- The YAML value to use in the dependabot.yml file.
- The supported versions of the package manager.
- Whether dependencies in private GitHub repositories or registries are supported.
- Whether vendored dependencies are supported.

Notes on individual package managers:

- Dependabot doesn't run Gradle but supports updates to the following files: build.gradle, build.gradle.kts (for Kotlin projects), and files included via the apply declaration that have dependencies in the filename. Note that apply does not support apply to, recursion, or advanced syntaxes (for example, Kotlin's apply with mapOf, filenames defined by property).
- Dependabot doesn't run Maven but supports updates to pom.xml files.
- Dependabot doesn't run the NuGet CLI but does support most features up until version 4.8.
- For package managers such as pipenv and poetry, you need to use the pip YAML value. For example, if you use poetry to manage your Python dependencies and want Dependabot to monitor your dependency manifest file for new versions, use package-ecosystem: "pip" in your dependabot.yml file.

```yaml
# Basic set up for three package managers

version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

  # Maintain dependencies for npm
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"

  # Maintain dependencies for Composer
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "daily"
```

## directory