---
title: Configuring Dependabot security updates
intro: You can use {% data variables.product.prodname_dependabot_security_updates %} or manual pull requests to easily update vulnerable dependencies.
shortTitle: Configure security updates
permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
redirect_from:
  - /articles/configuring-automated-security-fixes
  - /github/managing-security-vulnerabilities/configuring-automated-security-fixes
  - /github/managing-security-vulnerabilities/configuring-automated-security-updates
  - /github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates
  - /github/managing-security-vulnerabilities/configuring-dependabot-security-updates
  - /code-security/supply-chain-security/configuring-dependabot-security-updates
  - /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates
  - /code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
versions:
  fpt: '*'
  ghec: '*'
  ghes: '*'
contentType: how-tos
category:
  - Secure your dependencies
---

{% data reusables.dependabot.enterprise-enable-dependabot %}

## Managing {% data variables.product.prodname_dependabot_security_updates %} for your repositories

You can enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all qualifying repositories owned by your personal account or organization. For more information, see [AUTOTITLE](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/managing-security-and-analysis-settings-for-your-personal-account) or [AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization).

You can also enable or disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository.
### Enabling or disabling {% data variables.product.prodname_dependabot_security_updates %} for an individual repository

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. To the right of "{% data variables.product.prodname_dependabot %} security updates," click **Enable** to enable the feature or **Disable** to disable it. {% ifversion fpt or ghec %}For public repositories, the button is disabled if the feature is always enabled.{% endif %}

## Grouping {% data variables.product.prodname_dependabot_security_updates %} into a single pull request

In order to use grouped security updates, you must first enable the following features:

* **Dependency graph**. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph).
* **{% data variables.product.prodname_dependabot_alerts %}**. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts).
* **{% data variables.product.prodname_dependabot_security_updates %}**. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates).

> [!NOTE]
> When grouped security updates are first enabled, {% data variables.product.prodname_dependabot %} will immediately try to create grouped pull requests. You may notice {% data variables.product.prodname_dependabot %} closing old pull requests and opening new ones.
{% data reusables.dependabot.dependabot-grouped-security-updates-how-enable %}

{% data reusables.dependabot.dependabot-grouped-security-updates-order %}

### Enabling or disabling grouped {% data variables.product.prodname_dependabot_security_updates %} for an individual repository

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "{% ifversion ghas-products %}{% data variables.product.prodname_dependabot %}{% else %}{% data variables.product.UI_advanced_security %}{% endif %}," to the right of "Grouped security updates," click **Enable** to enable the feature or **Disable** to disable it.

### Enabling or disabling grouped {% data variables.product.prodname_dependabot_security_updates %} for an organization

{% ifversion security-configurations %}
You can enable grouping of {% data variables.product.prodname_dependabot_security_updates %} into a single pull request for your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#grouping-dependabot-security-updates).
{% else %}
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security-and-analysis %}
1. Under "{% data variables.product.UI_advanced_security %}," to the right of "Grouped security updates," click **Disable all** or **Enable all**.
1. Optionally, to enable grouped {% data variables.product.prodname_dependabot_security_updates %} for new repositories in your organization, select **Automatically enable for new repositories**.
{% endif %}

## Overriding the default behavior with a configuration file

You can override the default behavior of {% data variables.product.prodname_dependabot_security_updates %} by adding a `dependabot.yml` file to your repository.
With a `dependabot.yml` file, you can have more granular control of grouping, and override the default behavior of {% data variables.product.prodname_dependabot_security_updates %} settings. Use the `groups` option with the `applies-to: security-updates` key to create sets of dependencies (per package manager), so that {% data variables.product.prodname_dependabot %} opens a single pull request to update multiple dependencies at the same time. You can define groups by package name (the `patterns` and `exclude-patterns` keys), dependency type (`dependency-type` key), and SemVer (the `update-types` key).

{% data reusables.dependabot.dependabot-version-updates-groups-match-first %}

If you only require _security_ updates and want to exclude _version_ updates, you can set `open-pull-requests-limit` to `0` in order to prevent version updates for a given `package-ecosystem`.

For more information about the configuration options available for security updates, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs).
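As an added example (not part of the GitHub documentation and not Dependabot's own code), the following Python snippet models two rules stated on this page for one entry of the `updates:` list in a `dependabot.yml` file: a dependency goes into the first `applies-to: security-updates` group whose `patterns` match it and whose `exclude-patterns` do not, and an entry that sets `target-branch` or lacks `directory`/`directories` is not used for security updates. The configuration dict, the second catch-all group and the function names are constructed for illustration; only name patterns are modeled, not `dependency-type` or `update-types`.

```python
import fnmatch
from typing import Optional

# Constructed update entry, in the shape a YAML parser would produce from the
# `updates:` list of a dependabot.yml (assumption: same layout as this page's example file).
UPDATE_ENTRY = {
    "package-ecosystem": "gomod",
    "directories": ["**/*"],
    "open-pull-requests-limit": 0,  # version updates off; only security PRs are opened
    "groups": {
        "golang": {"applies-to": "security-updates", "patterns": ["golang.org*"]},
        "everything-else": {  # hypothetical catch-all group, deliberately listed second
            "applies-to": "security-updates",
            "patterns": ["*"],
            "exclude-patterns": ["github.com/internal/*"],
        },
    },
}


def assign_security_group(entry: dict, dependency: str) -> Optional[str]:
    """Return the first security-updates group whose `patterns` match the dependency
    and whose `exclude-patterns` do not; None means Dependabot opens an individual PR.
    Only name patterns are modeled here, not dependency-type or update-types."""
    for name, group in entry.get("groups", {}).items():
        if group.get("applies-to") != "security-updates":
            continue
        if not any(fnmatch.fnmatchcase(dependency, p) for p in group.get("patterns", [])):
            continue
        if any(fnmatch.fnmatchcase(dependency, p) for p in group.get("exclude-patterns", [])):
            continue
        return name  # first matching group wins
    return None


def lint_security_entry(entry: dict) -> list:
    """Flag settings that stop Dependabot from using this entry for security updates."""
    problems = []
    if "target-branch" in entry:
        problems.append("target-branch is set; security updates ignore this entry")
    if not entry.get("directory") and not entry.get("directories"):
        problems.append("neither directory nor directories points at the manifest files")
    return problems
```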
```yaml copy
# Example configuration file that:
# - Has a private registry
# - Ignores the lodash dependency
# - Disables version updates
# - Defines a group by package name, for security updates for golang dependencies

version: 2
registries:
  example:
    type: npm-registry
    url: https://example.com
    token: {% raw %}${{secrets.NPM_TOKEN}}{% endraw %}
updates:
  - package-ecosystem: "npm"
    directory: "/src/npm-project"
    schedule:
      interval: "daily"
    # For Lodash, ignore all updates
    ignore:
      - dependency-name: "lodash"
    # Disable version updates for npm dependencies
    open-pull-requests-limit: 0
    registries:
      - example
  - package-ecosystem: "gomod"
    directories:
      - "**/*"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    groups:
      golang:
        applies-to: security-updates
        patterns:
          - "golang.org*"
```

> [!NOTE]
> In order for {% data variables.product.prodname_dependabot %} to use this configuration for security updates, the `directory` must be the path to the manifest files (or `directories` must contain paths or glob patterns matching the manifest file locations), and you should not specify a `target-branch`.

## Further reading

* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
* [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts)
* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#supported-package-ecosystems)