Dependabot Alerts & Updates

Updated March 2026 11 min read Intermediate

Dependabot is GitHub's automated dependency management tool. It scans your dependencies for known vulnerabilities, alerts you to security issues, and can automatically create pull requests to update vulnerable packages—keeping your project secure with minimal effort.

Security Alerts Version Updates Auto-Pull Requests

What is Dependabot?

Dependabot is a GitHub-native tool that monitors your project's dependencies and keeps them up to date. It performs two critical functions: security alerts and version updates. When a security vulnerability is discovered in a package your project uses, Dependabot alerts you immediately. It can then automatically open a pull request that upgrades the vulnerable package to a patched version.

Beyond security, Dependabot can also handle routine version updates. You can configure it to check for new versions of your dependencies on a schedule—daily, weekly, or monthly—and open pull requests when updates are available. This automates the tedious work of keeping dependencies current, reducing technical debt and ensuring you benefit from performance improvements and new features.

According to GitHub, projects using Dependabot resolve security vulnerabilities 7x faster than those that don't. It's one of the most impactful security tools you can enable.

Dependabot Security Alerts

Dependabot security alerts are enabled by default for all public repositories. When GitHub's security advisory database (which aggregates data from the National Vulnerability Database, npm security advisories, and other sources) identifies a vulnerability in a package your project uses, Dependabot creates an alert in your repository.

These alerts appear in the "Security" tab of your repository, under "Dependabot alerts." Each alert shows the vulnerable package, the severity level (critical, high, moderate, low), a description of the vulnerability, and which versions are affected. You'll also receive email notifications if you're watching the repository. From there, you can click to view details and, if available, Dependabot will often already have opened a pull request with the fix.

For private repositories, security alerts need to be explicitly enabled. Go to your repository Settings → Security & analysis → Enable "Dependabot alerts" and "Dependabot security updates." This is strongly recommended for any production codebase.

                # Example security alert details

Package: lodash

Severity: HIGH

Vulnerability: Prototype Pollution

Affected versions: < 4.17.21

Patched version: 4.17.21

Dependabot will open a PR updating lodash from 4.17.20 to 4.17.21

Security Updates: Automatic Pull Requests

When you enable "Dependabot security updates," Dependabot will automatically open pull requests to fix security vulnerabilities. For each alert where a patched version exists, Dependabot creates a branch, updates the package manifest, and opens a PR with the change.

These PRs include detailed information about the vulnerability being fixed, the version change, and any breaking changes you need to be aware of. You can then review the PR, run your CI tests, and merge it when ready. If your tests pass, you can merge with confidence. If there are issues, you can close the PR and investigate further.

This automation dramatically reduces the time between vulnerability disclosure and remediation. Instead of manually checking for updates and creating PRs, Dependabot handles everything. For many teams, the workflow becomes: receive alert → tests pass → merge → deploy. Security fixes can be deployed within hours instead of weeks.

Security updates are one of the highest-ROI automations you can implement. They protect your users from known vulnerabilities with minimal ongoing effort.

Dependabot Version Updates

Beyond security fixes, Dependabot can help you keep all your dependencies up to date. You configure version updates in a dependabot.yml file in the .github directory of your repository. This file specifies which package ecosystems to monitor, how often to check for updates, and other options.

Version updates work similarly to security updates: Dependabot checks for new versions according to your schedule, opens pull requests when updates are available, and includes release notes and change summaries. You can configure it to target specific dependency groups, ignore certain packages, or limit updates to patch versions only.

                # .github/dependabot.yml

version: 2

updates:

  # npm dependencies

  - package-ecosystem: "npm"

    directory: "/"

    schedule:

      interval: "weekly"

    open-pull-requests-limit: 10

    groups:

      production-dependencies:

        patterns:

          - "*"

        exclude-patterns:

          - "eslint*"

          - "prettier"

      development-dependencies:

        dependency-type: "development"

    # Ignore major version updates for React

    ignore:

      - dependency-name: "react"

        update-types: ["version-update:semver-major"]

  # Python dependencies

  - package-ecosystem: "pip"

    directory: "/"

    schedule:

      interval: "monthly"

  # GitHub Actions dependencies

  - package-ecosystem: "github-actions"

    directory: "/"

    schedule:

      interval: "weekly"

Supported Package Ecosystems

Dependabot supports a wide range of package managers and ecosystems. For each ecosystem, Dependabot reads the appropriate manifest files (like package.json, requirements.txt, Gemfile, Cargo.toml) and checks for updates in the corresponding registry.

JavaScript/Node.js: npm, yarn, pnpm via package.json and lockfiles

Python: pip via requirements.txt, setup.py, pyproject.toml, Poetry

Ruby: RubyGems via Gemfile and Gemfile.lock

Java: Maven (pom.xml), Gradle

.NET: NuGet via .csproj, packages.config

Go: Go modules via go.mod

Rust: Cargo via Cargo.toml

PHP: Composer via composer.json

Elixir: Hex via mix.exs

Docker: Dockerfiles for base images

GitHub Actions: actions used in workflows

Dependabot also supports monorepos with multiple manifests in different directories. Configure each ecosystem separately in the dependabot.yml file with different directory paths.

Configuring Dependabot

The dependabot.yml file gives you fine-grained control over how updates work. Here are the key configuration options:

Schedule interval: Choose daily, weekly, or monthly. Weekly is a good default for most projects—frequent enough to stay current, but not overwhelming.

Open pull requests limit: Controls how many PRs Dependabot will keep open at once. The default is 5, but you can increase this if you want more updates.

Target branch: By default, Dependabot opens PRs against the default branch. You can change this with the target-branch setting.

Ignore rules: Specify packages or update types to ignore. This is useful for pinning major versions or avoiding packages you don't want to update.

Groups: Group multiple dependency updates into a single PR. This reduces PR noise for related packages. For example, you can group all development dependencies together.

Labels and assignees: Automatically add labels (like "dependencies" or "security") and assign reviewers to Dependabot PRs.

                # Advanced configuration example

updates:

  - package-ecosystem: "npm"

    directory: "/"

    schedule:

      interval: "weekly"

      day: "monday"

      time: "09:00"

    target-branch: "main"

    labels:

      - "dependencies"

      - "automated-pr"

    reviewers:

      - "team-lead"

    assignees:

      - "developer"

    commit-message:

      prefix: "chore"

      include: "scope"

Automerging Dependabot PRs

For teams with strong CI pipelines, you can configure Dependabot PRs to merge automatically when tests pass. This reduces manual work to nearly zero. GitHub provides built-in automerge functionality that you can enable in repository settings.

To enable automerge, go to Settings → Code security and analysis → Dependabot → enable "Automatically merge Dependabot update PRs when they pass status checks." You can also require that certain status checks pass before merging. For security updates, many teams enable automerge for patches but require review for major version upgrades.

You can also use GitHub Actions with pull_request_target events to implement more sophisticated automerge rules. For example, automatically merge all patch version updates but create a team notification for major updates.

                # GitHub Actions workflow for automerge

name: Dependabot Auto-merge

on: pull_request_target

permissions:

  contents: write

  pull-requests: write

jobs:

  automerge:

    if: github.actor == 'dependabot[bot]'

    runs-on: ubuntu-latest

    steps:

      - name: Enable auto-merge

        run: |

          gh pr merge --auto --merge "$PR_URL"

        env:

          PR_URL: ${{github.event.pull_request.html_url}}

          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

Dependabot Best Practices

Enable security updates immediately. This is the most important setting. Security updates protect your users from known vulnerabilities and should be enabled on every repository.

Set a reasonable update schedule. Weekly is a good default for most projects. Daily can be overwhelming, especially with many dependencies. Monthly may leave your dependencies too far behind.

Use groups to reduce PR noise. Grouping development dependencies together can reduce the number of PRs your team needs to review. Similarly, group related packages like testing frameworks.

Maintain good test coverage. Dependabot works best when you have confidence in your CI pipeline. Good tests ensure that when Dependabot opens a PR, you can trust that if tests pass, the update is safe.

Review major version updates carefully. Major version updates often contain breaking changes. Consider reviewing these manually, or configure Dependabot to ignore major updates for critical dependencies.

Monitor Dependabot alerts regularly. Even with auto-PR enabled, check the security tab periodically to ensure no alerts are being missed. Set up Slack or Teams notifications for critical alerts.

A well-configured Dependabot setup is one of the highest-impact security investments you can make. It automates what would otherwise be a time-consuming manual process.

Frequently Asked Questions

Is Dependabot free?

Yes! Dependabot is completely free for all public repositories. For private repositories, it's included in all GitHub paid plans. There's no additional cost for using Dependabot features.

How often does Dependabot check for security vulnerabilities?

Dependabot security alerts are updated continuously. When new vulnerabilities are added to GitHub's advisory database, Dependabot scans your repositories and creates alerts immediately—usually within hours of disclosure.

Can I configure Dependabot to ignore certain packages?

Yes. Use the ignore configuration in dependabot.yml. You can ignore specific packages, versions, or update types (like ignoring all major version updates).

What happens if Dependabot opens a PR that breaks my build?

Your CI tests will fail, and you can close the PR. Dependabot won't reopen it. You can then investigate the failure and manually update when ready. You can also configure Dependabot to ignore that version in the future.

How do I get notified about Dependabot alerts?

GitHub sends email notifications to repository watchers. You can also configure webhooks or use GitHub Actions to send notifications to Slack, Teams, or other services. The Security tab shows all open alerts.

Can Dependabot update dependencies in a monorepo?

Yes! You can configure multiple ecosystem entries in dependabot.yml with different directory paths. Each entry handles dependencies in that subdirectory independently.

Does Dependabot support private package registries?

Yes, for some ecosystems. You can configure Dependabot to authenticate with private registries using secrets stored in your repository settings. This requires additional configuration.

How do I handle dependency updates that require code changes?

For updates that require code changes beyond the package version, you'll need to manually update. Dependabot will open a PR that shows the version change, and you can add your own commits to fix any breaking changes before merging.

Previous: Jekyll & Static Generators Next: Secret Scanning

Dependabot is your automated security guardian. Enable it today, and let it handle the critical work of keeping your dependencies safe and up to date.