dependabot
Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests, configuring dependency update strategies, setting up grouped updates, monorepo patterns, multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub Advanced Security (GHAS) supply chain security topic related to Dependabot. For pre-commit dependency vulnerability scanning in AI coding agents via the GitHub MCP Server, this skill references the Advanced Security plugin (`advanced-security@copilot-plugins`). Use this skill when an agent needs to scan dependencies for known vulnerabilities before committing.
What this skill does
# Dependabot Configuration & Management
## Overview
Dependabot is GitHub's built-in dependency management tool with three core capabilities:
1. **Dependabot Alerts** — Notify when dependencies have known vulnerabilities (CVEs)
2. **Dependabot Security Updates** — Auto-create PRs to fix vulnerable dependencies
3. **Dependabot Version Updates** — Auto-create PRs to keep dependencies current
All configuration lives in a **single file**: `.github/dependabot.yml` on the default branch. GitHub does **not** support multiple `dependabot.yml` files per repository.
## Configuration Workflow
Follow this process when creating or optimizing a `dependabot.yml`:
### Step 1: Detect All Ecosystems
Scan the repository for dependency manifests. Look for:
| Ecosystem | YAML Value | Manifest Files |
|---|---|---|
| npm/pnpm/yarn | `npm` | `package.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock` |
| pip/pipenv/poetry/uv | `pip` | `requirements.txt`, `Pipfile`, `pyproject.toml`, `setup.py` |
| Docker | `docker` | `Dockerfile` |
| Docker Compose | `docker-compose` | `docker-compose.yml` |
| GitHub Actions | `github-actions` | `.github/workflows/*.yml` |
| Go modules | `gomod` | `go.mod` |
| Bundler (Ruby) | `bundler` | `Gemfile` |
| Cargo (Rust) | `cargo` | `Cargo.toml` |
| Composer (PHP) | `composer` | `composer.json` |
| NuGet (.NET) | `nuget` | `*.csproj`, `packages.config` |
| .NET SDK | `dotnet-sdk` | `global.json` |
| Maven (Java) | `maven` | `pom.xml` |
| Gradle (Java) | `gradle` | `build.gradle` |
| Terraform | `terraform` | `*.tf` |
| OpenTofu | `opentofu` | `*.tf` |
| Helm | `helm` | `Chart.yaml` |
| Hex (Elixir) | `mix` | `mix.exs` |
| Swift | `swift` | `Package.swift` |
| Pub (Dart) | `pub` | `pubspec.yaml` |
| Bun | `bun` | `bun.lockb` |
| Dev Containers | `devcontainers` | `devcontainer.json` |
| Git Submodules | `gitsubmodule` | `.gitmodules` |
| Pre-commit | `pre-commit` | `.pre-commit-config.yaml` |
Note: pnpm and yarn both use the `npm` ecosystem value.
### Step 2: Map Directory Locations
For each ecosystem, identify where manifests live. Use `directories` (plural) with glob patterns for monorepos:
```yaml
directories:
  - "/"            # root
  - "/apps/*"      # all app subdirs
  - "/packages/*"  # all package subdirs
  - "/lib-*"       # dirs starting with lib-
  - "**/*"         # recursive (all subdirs)
```
Important: `directory` (singular) does NOT support globs. Use `directories` (plural) for wildcards.
### Step 3: Configure Each Ecosystem Entry
Every entry needs at minimum:
```yaml
- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"
```
### Step 4: Optimize with Grouping, Labels, and Scheduling
See sections below for each optimization technique.
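The four steps above can be run as a script. The following is an added example, not part of this skill: it takes a list of repo-relative paths, maps manifest filenames to the `package-ecosystem` values from the Step 1 table, collects one directory list per ecosystem (Step 2), and renders the minimal entries from Step 3 as YAML. The sample tree is constructed; skipping `node_modules/` and `vendor/`, and ignoring lockfiles because the primary manifest already identifies the ecosystem, are assumptions made here.

```python
"""Draft a dependabot.yml from the manifests found in a repository tree.
Added example for the workflow above; not code from the skill itself."""
from __future__ import annotations

import fnmatch
import posixpath
from collections import defaultdict

# Manifest filename pattern -> package-ecosystem value (Step 1 table).
# Patterns containing "/" are matched against the whole repo-relative path.
MANIFESTS: dict[str, list[str]] = {
    "npm": ["package.json"], "pip": ["requirements.txt", "Pipfile", "pyproject.toml", "setup.py"],
    "docker": ["Dockerfile"], "docker-compose": ["docker-compose.yml"],
    "github-actions": [".github/workflows/*.yml"], "gomod": ["go.mod"],
    "bundler": ["Gemfile"], "cargo": ["Cargo.toml"], "composer": ["composer.json"],
    "nuget": ["*.csproj", "packages.config"], "dotnet-sdk": ["global.json"],
    "maven": ["pom.xml"], "gradle": ["build.gradle"], "terraform": ["*.tf"],
    "helm": ["Chart.yaml"], "mix": ["mix.exs"], "swift": ["Package.swift"],
    "pub": ["pubspec.yaml"], "devcontainers": ["devcontainer.json"],
    "gitsubmodule": [".gitmodules"], "pre-commit": [".pre-commit-config.yaml"],
}

# Vendored trees are not the repo's own manifests (assumption: skip them).
IGNORED_PARTS = {"node_modules", "vendor"}


def ecosystem_for(path: str) -> str | None:
    """Return the ecosystem value for one manifest path, or None."""
    parts = path.split("/")
    if IGNORED_PARTS.intersection(parts[:-1]):
        return None
    name = posixpath.basename(path)
    for eco, patterns in MANIFESTS.items():
        for pat in patterns:
            target = path if "/" in pat else name
            if fnmatch.fnmatch(target, pat):
                return eco
    return None


def directory_for(path: str, eco: str) -> str:
    """Dependabot directory for a manifest: '/' plus its parent folder."""
    if eco == "github-actions":
        return "/"  # workflows are always scanned from the repo root
    parent = posixpath.dirname(path)
    return f"/{parent}" if parent else "/"


def detect(paths: list[str]) -> dict[str, list[str]]:
    """Steps 1 and 2: ecosystem -> sorted, de-duplicated directory list."""
    found: dict[str, set[str]] = defaultdict(set)
    for path in paths:
        eco = ecosystem_for(path)
        if eco is not None:
            found[eco].add(directory_for(path, eco))
    return {eco: sorted(dirs) for eco, dirs in sorted(found.items())}


def draft_config(paths: list[str], interval: str = "weekly") -> dict:
    """Step 3: one update entry per ecosystem with the minimum required keys."""
    updates = []
    for eco, dirs in detect(paths).items():
        entry: dict = {"package-ecosystem": eco}
        if len(dirs) == 1:
            entry["directory"] = dirs[0]
        else:
            entry["directories"] = dirs  # plural form: several dirs or globs
        entry["schedule"] = {"interval": interval}
        updates.append(entry)
    return {"version": 2, "updates": updates}


def _scalar(val) -> str:
    return str(val) if isinstance(val, (int, float)) else f'"{val}"'


def to_yaml(value, indent: int = 0) -> str:
    """Tiny YAML emitter for the dict/list/scalar shapes used above."""
    pad = "  " * indent
    if isinstance(value, dict):
        out = []
        for key, val in value.items():
            if isinstance(val, (dict, list)):
                out.append(f"{pad}{key}:\n{to_yaml(val, indent + 1)}")
            else:
                out.append(f"{pad}{key}: {_scalar(val)}")
        return "\n".join(out)
    if isinstance(value, list):
        out = []
        for item in value:
            if isinstance(item, dict):
                body = to_yaml(item, indent + 1).splitlines()
                out.append(f"{pad}- {body[0].lstrip()}")  # first key on the dash line
                out.extend(body[1:])
            else:
                out.append(f"{pad}- {_scalar(item)}")
        return "\n".join(out)
    return f"{pad}{_scalar(value)}"


# Constructed sample tree (not a real repository): an npm monorepo with a
# Go service, a Dockerfile, one workflow and some Terraform.
SAMPLE_TREE = [
    "package.json", "package-lock.json",
    "apps/web/package.json", "apps/api/package.json",
    "services/worker/go.mod", "Dockerfile", ".github/workflows/ci.yml",
    "infra/main.tf", "infra/variables.tf",
    "node_modules/left-pad/package.json",  # vendored, must be skipped
]

if __name__ == "__main__":
    print(to_yaml(draft_config(SAMPLE_TREE)))
```

Run it against `git ls-files` output to get a starting point, then apply the grouping, label and schedule options from the sections below by hand; the emitter is deliberately minimal and only handles the shapes this script produces.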
## Monorepo Strategies
### Glob Patterns for Workspace Coverage
For monorepos with many packages, use glob patterns to avoid listing each directory:
```yaml
- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"
```
### Cross-Directory Grouping
Use `group-by: dependency-name` to create a single PR when the same dependency updates across multiple directories:
```yaml
groups:
  monorepo-deps:
    group-by: dependency-name
```
This creates one PR per dependency across all specified directories, reducing CI costs and review burden.
Limitations:
- All directories must use the same package ecosystem
- Applies to version updates only
- Incompatible version constraints create separate PRs
### Standalone Packages Outside Workspaces
If a directory has its own lockfile and is NOT part of the workspace (e.g., scripts in `.github/`), create a separate ecosystem entry for it.
## Dependency Grouping
Reduce PR noise by grouping related dependencies into single PRs.
### By Dependency Type
```yaml
groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]
```
### By Name Pattern
```yaml
groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]
```
### For Security Updates
```yaml
groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]
```
Key behaviors:
- Dependencies matching multiple groups go to the **first** match
- `applies-to` defaults to `version-updates` when absent
- Ungrouped dependencies get individual PRs
## Multi-Ecosystem Groups
Combine updates across different package ecosystems into a single PR:
```yaml
version: 2
multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]
updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"
  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"
```
The `patterns` key is required when using `multi-ecosystem-group`.
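The rules stated in the Dependency Grouping and Multi-Ecosystem Groups sections (first matching group wins, `applies-to` defaults to `version-updates`, ungrouped dependencies get their own PR, `patterns` is required with `multi-ecosystem-group`, and `directory` takes no globs) can be checked before a config is committed. The following is an added example, not code from this skill: it takes the config as an already parsed dict (for instance the output of `yaml.safe_load`, not shown) and the sample config is constructed and deliberately contains two mistakes. Treating a missing `schedule` as an error only for entries that are not multi-ecosystem-group members follows the example above, where the schedule lives on the group.

```python
"""Lint a parsed dependabot.yml and resolve which group a dependency joins.
Added example for the grouping rules above; not code from the skill itself."""
from __future__ import annotations

import fnmatch

GLOB_CHARS = set("*?[")


def lint(config: dict) -> list[str]:
    """Return human-readable problems; an empty list means no findings."""
    problems = []
    for i, upd in enumerate(config.get("updates", [])):
        where = f"updates[{i}] ({upd.get('package-ecosystem', '?')})"
        directory = upd.get("directory")
        if isinstance(directory, str) and GLOB_CHARS & set(directory):
            problems.append(f"{where}: 'directory' does not support globs; use 'directories'")
        if "multi-ecosystem-group" in upd:
            if "patterns" not in upd:
                problems.append(f"{where}: 'patterns' is required with 'multi-ecosystem-group'")
        elif "schedule" not in upd:
            # Only multi-ecosystem members inherit a schedule from their group.
            problems.append(f"{where}: 'schedule' is required")
    return problems


def resolve_group(name: str, groups: dict, *, applies_to: str = "version-updates",
                  update_type: str | None = None,
                  dependency_type: str | None = None) -> str | None:
    """Name of the first group (in YAML order) whose filters all match,
    or None when the dependency gets an individual PR."""
    for group_name, rule in groups.items():
        if rule.get("applies-to", "version-updates") != applies_to:
            continue  # absent applies-to means version updates only
        if "dependency-type" in rule and rule["dependency-type"] != dependency_type:
            continue
        if "update-types" in rule and update_type not in rule["update-types"]:
            continue
        if "patterns" in rule and not any(fnmatch.fnmatch(name, p) for p in rule["patterns"]):
            continue
        return group_name
    return None


# Constructed sample: the npm entry wrongly puts a glob in the singular
# 'directory' key, and the docker entry lacks the required 'patterns'.
SAMPLE_CONFIG = {
    "version": 2,
    "multi-ecosystem-groups": {"infrastructure": {"schedule": {"interval": "weekly"}}},
    "updates": [
        {
            "package-ecosystem": "npm",
            "directory": "/packages/*",
            "schedule": {"interval": "weekly"},
            "groups": {
                "angular": {"patterns": ["@angular*"], "update-types": ["minor", "patch"]},
                "testing": {"patterns": ["jest*", "@testing-library*", "ts-jest"]},
                "all-minor": {"patterns": ["*"], "update-types": ["minor", "patch"]},
                "security-patches": {"applies-to": "security-updates", "patterns": ["*"],
                                     "update-types": ["patch", "minor"]},
            },
        },
        {"package-ecosystem": "docker", "directory": "/",
         "multi-ecosystem-group": "infrastructure"},
    ],
}

if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG):
        print(problem)
    groups = SAMPLE_CONFIG["updates"][0]["groups"]
    for dep, bump in [("@angular/core", "minor"), ("jest", "patch"),
                      ("lodash", "patch"), ("@angular/core", "major")]:
        print(dep, bump, "->", resolve_group(dep, groups, update_type=bump))
```

`resolve_group` relies on the parsed mapping preserving YAML order, which `yaml.safe_load` does; the `jest` case shows why order matters, since it matches both `testing` and the catch-all `all-minor` but lands in `testing` because that group is declared first.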
## PR Customization
### Labels
```yaml
labels:
  - "dependencies"
  - "npm"
```
Set `labels: []` to disable all labels including defaults. SemVer labels (`major`, `minor`, `patch`) are always applied if present in the repo.
### Commit Messages
```yaml
commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope"  # adds deps/deps-dev scope after prefix
```
### Assignees and Milestones
```yaml
assignees: ["security-team-lead"]
milestone: 4 # numeric ID from milestone URL
```
### Branch Name Separator
```yaml
pull-request-branch-name:
  separator: "-"  # default is /
```
### Target Branch
```yaml
target-branch: "develop" # PRs target this instead of default branch
```
Note: When `target-branch` is set, that entry's configuration applies to version updates only; security updates continue to target the default branch.
## Schedule Optimization
### Intervals
Supported: `daily`, `weekly`, `monthly`, `quarterly`, `semiannually`, `yearly`, `cron`
```yaml
schedule:
  interval: "weekly"
  day: "monday"                 # for weekly only
  time: "09:00"                 # HH:MM format
  timezone: "America/New_York"
```
### Cron Expressions
```yaml
schedule:
  interval: "cron"
  cronjob: "0 9 * * 1"  # Every Monday at 9 AM
```
### Cooldown Periods
Delay updates for newly released versions to avoid early-adopter issues:
```yaml
cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]
```
Cooldown applies to version updates only, not security updates.
## Security Updates Configuration
### Enable via Repository Settings
Settings → Advanced Security → Enable Dependabot alerts, security updates, and grouped security updates.
### Group Security Updates in YAML
```yaml
groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]
```
### Disable Version Updates (Security Only)
```yaml
open-pull-requests-limit: 0 # disables version update PRs
```
### Auto-Triage Rules
GitHub presets auto-dismiss low-impact alerts for development dependencies. Custom rules can filter by severity, package name, CWE, and more. Configure in repository Settings → Advanced Security.
## PR Comment Commands
Interact with Dependabot PRs using `@dependabot` comments.
> **Note:** As of January 2026, merge/close/reopen commands have been deprecated.
> Use GitHub's native UI, CLI (`gh pr merge`), or auto-merge instead.
| Command | Effect |
|---|---|
| `@dependabot rebase` | Rebase the PR |
| `@dependabot recreate` | Recreate the PR from scratch |
| `@dependabot ignore this dependency` | Close and never update this dependency |
| `@dependabot ignore this major version` | Ignore this major version |
| `@dependabot ignore this minor version` | Ignore this minor version |
| `@dep