About Dependabot
Dependabot helps you stay on top of your dependency ecosystems. With Dependabot, you can keep the dependencies you rely on up-to-date, addressing any potential security issues in your supply chain.
Dependabot consists of three different features that help you manage your dependencies:
- Dependabot alerts: Inform you about vulnerabilities in the dependencies that you use in your repository.
- Dependabot security updates: Automatically raise pull requests to update the dependencies you use that have known security vulnerabilities.
- Dependabot version updates: Automatically raise pull requests to keep your dependencies up-to-date.
For more information about Dependabot, see "Dependabot quickstart guide."
In this article, you can see what the supported ecosystems and repositories are.
Supported ecosystems and repositories
You can configure updates for repositories that contain a dependency manifest or lock file for one of the supported package managers. For some package managers, you can also configure vendoring for dependencies. For more information, see vendor
.
Dependabot also supports dependencies in private registries. For more information, see registries
.
Note
To ensure that GitHub Enterprise Server supports Dependabot updates for the latest supported ecosystem versions, your enterprise owner must download the most recent version of the Dependabot action. For more information about the action, and for instructions about how to download the most recent version, see "Using the latest version of the official bundled actions."
Note
- When running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, Dependabot must be able to access the location at which those dependencies are hosted. Organization owners can grant Dependabot access to private repositories containing dependencies for a project within the same organization. For more information, see "Managing security and analysis settings for your organization." You can configure access to private registries in a repository's
dependabot.yml
configuration file. For more information, see "Configuration options for the dependabot.yml file." - Dependabot doesn't support private GitHub dependencies for all package managers. See the details in the table below.
If your repository already uses an integration for dependency management, you will need to disable this before enabling Dependabot.
Package manager | YAML value | Supported versions | Version updates | Security updates | Private repositories | Private registries | Vendoring |
---|---|---|---|---|---|---|---|
Bundler | bundler | v1, v2 | |||||
Cargo | cargo | v1 | (Git only) | ||||
Composer | composer | v1, v2 | |||||
Dev containers | devcontainers | Not applicable | |||||
Docker | docker | v1 | Not applicable | ||||
Hex | mix | v1 | |||||
elm-package | elm | v0.19 | |||||
git submodule | gitsubmodule | Not applicable | Not applicable | ||||
GitHub Actions | github-actions | Not applicable | Not applicable | ||||
Go modules | gomod | v1 | |||||
Gradle | gradle | Not applicable | |||||
Maven | maven | Not applicable | |||||
npm | npm | v6, v7, v8, v9 | |||||
NuGet | nuget | <= 6.8.0 | |||||
pip | pip | v21.1.2 | |||||
pipenv | pip | <= 2021-05-29 | |||||
pip-compile | pip | 6.1.0 | |||||
pnpm | npm | v7, v8, v9 | (v7 and v8 only) | ||||
poetry | pip | v1 | |||||
pub | pub | v2 | |||||
Swift | swift | v5 | (git only) | ||||
Terraform | terraform | >= 0.13, <= 1.8.x | Not applicable | ||||
yarn | npm | v1, v2, v3 |
Tip
For package managers such as pipenv
and poetry
, you need to use the pip
YAML value. For example, if you use poetry
to manage your Python dependencies and want Dependabot to monitor your dependency manifest file for new versions, use package-ecosystem: "pip"
in your dependabot.yml
file.
For further information about ecosystem support for Dependabot security updates, see also "Dependency graph supported package ecosystems."
Cargo
Private registry support applies to Git registries, and doesn't include cargo registries.
Dev containers
You can use devcontainers
as a package-ecosystem
in your dependabot.yml
file to update Features in your devcontainer.json
configuration files. For more information about this support, and for configuration file examples, see General Availability of Dependabot Integration in the Development Containers documentation.
Dev containers are used in several tools and services, including Codespaces. For more information about Features and the supported services, see Features and Supporting tools and services in the Development Containers documentation, respectively.
This updater ensures Features are pinned to the latest major
version in the associated devcontainer.json
file. If a dev container has a lockfile, that file will also be updated. For more information about lockfile specifications, see Lockfiles in the devcontainers/spec
repository.
Features in any valid dev container location will be updated in a single pull request. For more information about the dev container specification, see Specification in the Development Containers documentation.
Docker
Dependabot can add metadata from Docker images to pull requests for version updates. The metadata includes release notes, changelogs and the commit history. Repository administrators can use the metadata to quickly evaluate the stability risk of the dependency update.
In order for Dependabot to fetch Docker metadata, maintainers of Docker images must add the org.opencontainers.image.source
label to their Dockerfile, and include the URL of the source repository. Additionally, maintainers must tag the repository with the same tags as the published Docker images. For an example, see the dependabot-fixtures/docker-with-source
repository. For more information on Docker labels, see Extension image labels and BUILDX_GIT_LABELS in the Docker documentation.
Dependabot can update Docker image tags in Kubernetes manifests. Add an entry to the Docker package-ecosystem
element of your dependabot.yml
file for each directory containing a Kubernetes manifest which references Docker image tags. Kubernetes manifests can be Kubernetes Deployment YAML files or Helm charts. For information about configuring your dependabot.yml
file for docker
, see "package-ecosystem
" in "Configuration options for the dependabot.yml file."
Dependabot supports both public and private Docker registries. For a list of the supported registries, see "docker-registry
" in "Configuration options for the dependabot.yml file."
Dependabot parses Docker image tags for Semantic Versioning (SemVer). If Dependabot detects a tag with a pre-release, then it will only suggest an update to the latest version with a matching pre-release, and it will not suggest a newer version that use a different pre-release label. For more information, see the dependabot-docker
README.md file in the dependabot/dependabot-core
repository.
GitHub Actions
Dependabot supports version updates for GitHub Actions with the following caveats.
- Dependabot only supports updates to GitHub Actions using the GitHub repository syntax, such as
actions/checkout@v4
. Dependabot will ignore actions or reusable workflows referenced locally (for example,./.github/actions/foo.yml
). - Docker Hub and GitHub Packages Container registry URLs are currently not supported. For example, references to Docker container actions using
docker://
syntax aren't supported. - Dependabot supports both public and private repositories for GitHub Actions. For private registry configuration options, see "
git
" in "Configuration options for the dependabot.yml file."
For more information about using Dependabot version updates with GitHub Actions, see "Using GitHub's security features to secure your use of GitHub Actions."
Gradle
Dependabot doesn't run Gradle but supports updates to the following files:
build.gradle
,build.gradle.kts
(for Kotlin projects)gradle/libs.versions.toml
(for projects using a standard Gradle version catalog)- Files included via the
apply
declaration that havedependencies
in the filename. Note thatapply
does not supportapply to
, recursion, or advanced syntaxes (for example, Kotlin'sapply
withmapOf
, filenames defined by property).
Dependabot uses information from the pom.xml
file of dependencies to add links to release information in update pull requests. If the information is omitted from the pom.xml
file, then it cannot be included in Dependabot pull requests, see "Optimizing Java packages for Dependabot updates".
For Dependabot security updates, Gradle support is limited to manual uploads of the dependency graph data using the dependency submission API. For more information about the dependency submission API, see "Using the dependency submission API."
Note
- When you upload Gradle dependencies to the dependency graph using the dependency submission API, all project dependencies are uploaded, even transitive dependencies that aren't explicitly mentioned in any dependency file. When an alert is detected in a transitive dependency, Dependabot isn't able to find the vulnerable dependency in the repository, and therefore won't create a security update for that alert.
- Dependabot version updates will, however, create pull requests when the parent dependency is explicitly declared as a direct dependency in the project's manifest file.
Maven
Dependabot doesn't run Maven but supports updates to pom.xml
files.
Dependabot uses information from the pom.xml
file of dependencies to add links to release information in update pull requests. If the information is omitted from the pom.xml
file, then it cannot be included in Dependabot pull requests, see "Optimizing Java packages for Dependabot updates".
NuGet CLI
Dependabot doesn't run the NuGet CLI but does support most features up until version 6.8.0.
pip and pip-compile
In addition to supporting updates to requirements.txt
files, Dependabot supports updates to pyproject.toml
files if they follow the PEP 621 standard.
pnpm
pnpm is supported for Dependabot version updates (on v7, v8, and v9) and Dependabot security updates (on v7 and v8 only).
pub
Dependabot won't perform an update for pub
when the version that it tries to update to is ignored, even if an earlier version is available.
You can use Dependabot to keep Dart dependencies up-to-date if you use private hosted pub repositories. For information about allowing Dependabot to access private GitHub dependencies, see "Allowing Dependabot to access private dependencies."
Swift
Private registry support applies to git registries only. Swift registries are not supported. Non-declarative manifests are not supported. For more information on non-declarative manifests, see Editing Non-Declarative Manifests in the Swift Evolution documentation.
Terraform
Terraform support includes:
- Modules hosted on Terraform Registry or a publicly reachable Git repository.
- Terraform providers.
- Private Terraform Registry. You can configure access for private git repositories by specifying a git registry in your
dependabot.yml
file. For more information, seegit
.
yarn
Dependabot supports vendored dependencies for v2 onwards.