Monitors the project's dependencies for known vulnerabilities and keeps them up to date.

All Dependabot features are free to use for all repositories on GitHub.

Features

Dependabot alerts

Tells you when your code depends on a package with a known vulnerability.

Watches the National Vulnerability Database and other sources for vulnerabilities in open source packages.

How to enable

Under the “Security” tab in the repository there’s a “Dependabot alerts” section that can be enabled.

Dependabot version updates

You can use Dependabot to keep the packages you use updated to the latest versions.

How to enable

  1. Create a .github/dependabot.yaml configuration file in the repository with the following contents:

```yaml
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Open update pull requests against "dev" instead of the default branch.
    target-branch: "dev"
    reviewers:
      - "artemudovyk-konstankino"
    # Skip patch-level releases for every dependency: only minor and major
    # version bumps will produce pull requests.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]

  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: "dev"
    reviewers:
      - "artemudovyk-konstankino"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
```

  2. Look at Insights > Dependency graph > Dependabot (../network/updates) to validate that it's configured properly.
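A quick local sanity check before pushing the file, as an added example that is not part of this page or of Dependabot itself: the hypothetical `lint_dependabot` helper below reads a dependabot.yaml, checks the fields the configuration above relies on, and flags the wildcard `ignore` rule that silences patch-level releases for every dependency. The accepted `schedule.interval` values (daily, weekly, monthly) and the embedded sample config are assumptions constructed for the example.

```ruby
# Added example, not Dependabot's own code: a small lint for .github/dependabot.yaml.
require "yaml"

# Constructed sample with the same shape as the config above; the second entry
# deliberately leaves schedule.interval unset to show a failing check.
SAMPLE_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "pip"
      directory: "/"
      schedule:
        interval: "weekly"
      target-branch: "dev"
      ignore:
        - dependency-name: "*"
          update-types: ["version-update:semver-patch"]
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule: {}
YAML

REQUIRED = %w[package-ecosystem directory schedule].freeze
INTERVALS = %w[daily weekly monthly].freeze # assumption: the common intervals

# Returns a list of human-readable findings; an empty list means every check passed.
def lint_dependabot(yaml_text)
  findings = []
  cfg = YAML.safe_load(yaml_text)
  findings << "version must be 2" unless cfg.is_a?(Hash) && cfg["version"] == 2
  updates = cfg.is_a?(Hash) ? Array(cfg["updates"]) : []
  findings << "no updates entries" if updates.empty?
  updates.each_with_index do |u, i|
    label = "updates[#{i}] (#{u["package-ecosystem"] || "?"})"
    REQUIRED.each { |k| findings << "#{label}: missing #{k}" unless u.key?(k) }
    interval = u.dig("schedule", "interval")
    unless INTERVALS.include?(interval)
      findings << "#{label}: schedule.interval must be one of #{INTERVALS.join(", ")}"
    end
    # A wildcard ignore of semver-patch means no patch-level update PRs at all.
    Array(u["ignore"]).each do |rule|
      next unless rule["dependency-name"] == "*"
      if Array(rule["update-types"]).include?("version-update:semver-patch")
        findings << "#{label}: wildcard ignore drops patch-level updates for every dependency"
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  lint_dependabot(SAMPLE_CONFIG).each { |f| puts "WARN: #{f}" }
end
```

Run it against the real file with `lint_dependabot(File.read(".github/dependabot.yaml"))` to see the same findings for your repository.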