{"meta":{"title":"Configuring Dependabot version updates","intro":"You can configure your repository so that Dependabot automatically updates the packages you use.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/how-tos","title":"How-tos"},{"href":"/en/code-security/how-tos/secure-your-supply-chain","title":"Secure your supply chain"},{"href":"/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies","title":"Secure your dependencies"},{"href":"/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-dependabot-version-updates","title":"Configure version updates"}],"documentType":"article"},"body":"# Configuring Dependabot version updates\n\nYou can configure your repository so that Dependabot automatically updates the packages you use.\n\n## Enabling Dependabot version updates\n\nYou enable Dependabot version updates by committing a `dependabot.yml` configuration file to your repository.\nIf you enable the feature in your settings page, GitHub creates a basic file which you can edit; otherwise, you can create the file using any file editor.\n\n1. On GitHub, navigate to the main page of the repository.\n\n2. 
Under your repository name, click **Settings**. If you cannot see the \"Settings\" tab, select the **More** dropdown menu, then click **Settings**.\n\n   ![Screenshot of a repository header showing the tabs. The \"Settings\" tab is highlighted by a dark orange outline.](/assets/images/help/repository/repo-actions-settings.png)\n\n3. In the \"Security\" section of the sidebar, click **Advanced Security**.\n\n4. 
Under \"Dependabot\", to the right of \"Dependabot version updates\", click **Enable** to open a basic `dependabot.yml` configuration file in the `.github` directory of your repository. For information about the options you can use to customize how Dependabot maintains your repositories, see [Dependabot options reference](/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference).\n\n   ```yaml copy\n   # To get started with Dependabot version updates, you'll need to specify which\n   # package ecosystems to update and where the package manifests are located.\n\n   version: 2\n   updates:\n   - package-ecosystem: \"\" # See documentation for possible values\n     directory: \"/\" # Location of package manifests\n     schedule:\n       interval: \"weekly\"\n   ```\n\n5. Add a `version`. This key is mandatory. The file must start with `version: 2`.\n\n6. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [Configuring access to private registries for Dependabot](/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).\n\n7. Add an `updates` section, with an entry for each package manager you want Dependabot to monitor. This key is mandatory. You use it to configure how Dependabot updates the versions of your project's dependencies. Each entry configures the update settings for a particular package manager. For more information, see [About the dependabot.yml file](/en/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file) and [Dependabot options reference](/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference).\n\n8. For each package manager, use:\n\n   * `package-ecosystem` to specify the package manager. 
For more information about the supported package managers, see [`package-ecosystem`](/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-).\n   * `directories` or `directory` to specify the location of multiple manifest or other definition files. For more information, see [Defining multiple locations for manifest files](/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files).\n   * `schedule.interval` to specify how often to check for new versions.\n\n9. Check the `dependabot.yml` configuration file in to the `.github` directory of the repository.\n\n### Example `dependabot.yml` file\n\nThe example `dependabot.yml` file below configures version updates for three package managers: npm, Docker, and GitHub Actions. When this file is checked in, Dependabot checks the manifest files on the default branch for outdated dependencies. If it finds outdated dependencies, it will raise pull requests against the default branch to update the dependencies.\n\n```yaml copy\n# Basic `dependabot.yml` file with\n# minimum configuration for three package managers\n\nversion: 2\nupdates:\n  # Enable version updates for npm\n  - package-ecosystem: \"npm\"\n    # Look for `package.json` and `lock` files in the `root` directory\n    directory: \"/\"\n    # Check the npm registry for updates every day (weekdays)\n    schedule:\n      interval: \"daily\"\n\n  # Enable version updates for Docker\n  - package-ecosystem: \"docker\"\n    # Look for a `Dockerfile` in the `root` directory\n    directory: \"/\"\n    # Check for updates once a week\n    schedule:\n      interval: \"weekly\"\n\n  # Enable version updates for GitHub Actions\n  - package-ecosystem: \"github-actions\"\n    # Workflow files stored in the default location of `.github/workflows`\n    # You don't need to specify `/.github/workflows` for `directory`. 
You can use `directory: \"/\"`.\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n```\n\nIn the example above, if the Docker dependencies were very outdated, you might want to start with a `daily` schedule until the dependencies are up-to-date, and then drop back to a weekly schedule.\n\n## Enabling version updates on forks\n\nIf you want to enable version updates on forks, there's an extra step. Version updates are not automatically enabled on forks when a `dependabot.yml` configuration file is present. This ensures that fork owners don't unintentionally enable version updates when they pull changes including a `dependabot.yml` configuration file from the original repository.\n\nOn a fork, you also need to explicitly enable Dependabot.\n\n1. On GitHub, navigate to the main page of the repository.\n2. Under your repository name, click **Settings**. If you cannot see the \"Settings\" tab, select the **More** dropdown menu, then click **Settings**.\n\n   ![Screenshot of a repository header showing the tabs. The \"Settings\" tab is highlighted by a dark orange outline.](/assets/images/help/repository/repo-actions-settings.png)\n3. 
In the \"Security\" section of the sidebar, click **Advanced Security**.\n4. Under \"Dependabot,\" to the right of \"Dependabot version updates,\" click **Enable** to allow Dependabot to initiate version updates.\n\n## Receiving updates for indirect dependencies\n\nBy default, only direct dependencies that are explicitly defined in a manifest are kept up to date by Dependabot version updates. You can choose to receive updates for indirect dependencies defined in lock files. For more information, see [Controlling which dependencies are updated by Dependabot](/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated).\n\n## Enabling access to private dependencies\n\nWhen running security or version updates, some ecosystems must be able to resolve all dependencies from their source to verify that updates have been successful. If your manifest or lock files contain any private dependencies, Dependabot must be able to access the location at which those dependencies are hosted. Organization owners can grant Dependabot access to private repositories containing dependencies for a project within the same organization. 
For more information, see [Managing security and analysis settings for your organization](/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-dependencies). You can configure access to private registries in a repository's `dependabot.yml` configuration file. For more information, see [Configuring access to private registries for Dependabot](/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).\n\nAdditionally, Dependabot doesn't support private GitHub dependencies for all package managers. For more information, see [Dependabot supported ecosystems and repositories](/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories) and [GitHub language support](/en/get-started/learning-about-github/github-language-support).\n\n## Checking the status of version updates\n\nAfter you enable version updates, the **Dependabot** tab in the dependency graph for the repository is populated. This tab shows which package managers Dependabot is configured to monitor and when Dependabot last checked for new versions.\n\n![Screenshot of the Dependency graph page. A tab, titled \"Dependabot,\" is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-tab-view.png)\n\nFor information, see [Listing dependencies configured for version updates](/en/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates).\n\n## Disabling Dependabot version updates\n\nYou can disable version updates entirely by deleting the `dependabot.yml` file from your repository. 
More usually, you want to disable updates temporarily for one or more dependencies, or package managers.\n\n* Package managers: disable by setting `open-pull-requests-limit: 0` or by commenting out the relevant `package-ecosystem` in the configuration file.\n* Specific dependencies: disable by adding `ignore` attributes for packages or applications that you want to exclude from updates.\n\nWhen you disable dependencies, you can use wild cards to match a set of related libraries. You can also specify which versions to exclude. This is particularly useful if you need to block updates to a library, pending work to support a breaking change to its API, but want to get any security fixes to the version you use.\n\n### Example disabling version updates for some dependencies\n\nThe example `dependabot.yml` file below includes examples of the different ways to disable updates to some dependencies, while allowing other updates to continue.\n\n```yaml\n# `dependabot.yml` file with updates\n# disabled for Docker and limited for npm\n\nversion: 2\nupdates:\n  # Configuration for Dockerfile\n  - package-ecosystem: \"docker\"\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n      # Disable all pull requests for Docker dependencies\n    open-pull-requests-limit: 0\n\n  # Configuration for npm\n  - package-ecosystem: \"npm\"\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n    ignore:\n      # Ignore updates to packages that start with 'aws'\n      # Wildcards match zero or more arbitrary characters\n      - dependency-name: \"aws*\"\n      # Ignore some updates to the 'express' package\n      - dependency-name: \"express\"\n        # Ignore only new versions for 4.x and 5.x\n        versions: [\"4.x\", \"5.x\"]\n      # For all packages, ignore all patch updates\n      - dependency-name: \"*\"\n        update-types: [\"version-update:semver-patch\"]\n```\n\nFor more information about checking for existing ignore preferences, see [Dependabot 
options reference](/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--)."}