---
title: Configuring Dependabot version updates
intro: You can configure your repository so that {% data variables.product.prodname_dependabot %} automatically updates the packages you use.
permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
redirect_from:
  - /github/administering-a-repository/enabling-and-disabling-version-updates
  - /code-security/supply-chain-security/enabling-and-disabling-version-updates
  - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates
  - /code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-dependabot-version-updates
  - /code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
versions:
  fpt: '*'
  ghec: '*'
  ghes: '*'
shortTitle: Configure version updates
contentType: how-tos
category:
  - Secure your dependencies
---

{% data reusables.dependabot.enterprise-enable-dependabot %}

## Enabling {% data variables.product.prodname_dependabot_version_updates %}

You enable {% data variables.product.prodname_dependabot_version_updates %} by committing a `dependabot.yml` configuration file to your repository. {% ifversion dependabot-settings-update-37 %}If you enable the feature in your settings page, GitHub creates a basic file which you can edit; otherwise you can create the file using any file editor.

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "{% ifversion ghas-products %}{% data variables.product.prodname_dependabot %}{% else %}{% data variables.product.UI_advanced_security %}{% endif %}", to the right of "{% data variables.product.prodname_dependabot_version_updates %}", click **Enable** to open a basic `dependabot.yml` configuration file in the `.github` directory of your repository.
   {% data reusables.dependabot.link-to-yml-config-file %}
{% else %}
1. Create a `dependabot.yml` configuration file in the `.github` directory of your repository. You can use the snippet below as a starting point.

   {% data reusables.dependabot.link-to-yml-config-file %}
{% endif %}

   ```yaml copy
   # To get started with Dependabot version updates, you'll need to specify which
   # package ecosystems to update and where the package manifests are located.

   version: 2
   updates:
     - package-ecosystem: "" # See documentation for possible values
       directory: "/" # Location of package manifests
       schedule:
         interval: "weekly"
   ```

1. Add a `version`. This key is mandatory. The file must start with `version: 2`.
1. Optionally, if you have dependencies in a private registry, add a `registries` section containing authentication details. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot).
1. Add an `updates` section, with an entry for each package manager you want {% data variables.product.prodname_dependabot %} to monitor. This key is mandatory. You use it to configure how {% data variables.product.prodname_dependabot %} updates the versions of your project's dependencies. Each entry configures the update settings for a particular package manager. For more information, see [AUTOTITLE](/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file) and [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference).
1. For each package manager, use:
   * `package-ecosystem` to specify the package manager. For more information about the supported package managers, see [`package-ecosystem`](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#package-ecosystem-).
   * `directories` or `directory` to specify the location of the manifest or other definition files; `directories` lets you list more than one location. For more information, see [Defining multiple locations for manifest files](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files).
   * `schedule.interval` to specify how often to check for new versions.

{% data reusables.dependabot.check-in-dependabot-yml %}

### Example `dependabot.yml` file

The example `dependabot.yml` file below configures version updates for three package managers: npm, Docker, and {% data variables.product.prodname_actions %}. When this file is checked in, {% data variables.product.prodname_dependabot %} checks the manifest files on the default branch for outdated dependencies. If it finds outdated dependencies, it will raise pull requests against the default branch to update the dependencies.

```yaml copy
# Basic `dependabot.yml` file with
# minimum configuration for three package managers

version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and `lock` files in the `root` directory
    directory: "/"
    # Check the npm registry for updates every day (weekdays)
    schedule:
      interval: "daily"

  # Enable version updates for Docker
  - package-ecosystem: "docker"
    # Look for a `Dockerfile` in the `root` directory
    directory: "/"
    # Check for updates once a week
    schedule:
      interval: "weekly"

  # Enable version updates for GitHub Actions
  - package-ecosystem: "github-actions"
    # Workflow files stored in the default location of `.github/workflows`
    # You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.
    directory: "/"
    schedule:
      interval: "weekly"
```

In the example above, if the Docker dependencies were very outdated, you might want to start with a `daily` schedule until the dependencies are up-to-date, and then drop back to a weekly schedule.

## Enabling version updates on forks

If you want to enable version updates on forks, there's an extra step.
Version updates are not automatically enabled on forks when a `dependabot.yml` configuration file is present. This ensures that fork owners don't unintentionally enable version updates when they pull changes including a `dependabot.yml` configuration file from the original repository. On a fork, you also need to explicitly enable {% data variables.product.prodname_dependabot %}.

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "{% ifversion ghas-products %}{% data variables.product.prodname_dependabot %}{% else %}{% data variables.product.UI_advanced_security %}{% endif %}," to the right of "{% data variables.product.prodname_dependabot_version_updates %}," click **Enable** to allow {% data variables.product.prodname_dependabot %} to initiate version updates.

## Receiving updates for indirect dependencies

By default, only direct dependencies that are explicitly defined in a manifest are kept up to date by {% data variables.product.prodname_dependabot_version_updates %}. You can choose to receive updates for indirect dependencies defined in lock files. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated).

## Enabling access to private dependencies

{% data reusables.dependabot.private-dependencies-note %}

Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories) and [AUTOTITLE](/get-started/learning-about-github/github-language-support).
## Checking the status of version updates

After you enable version updates, the **Dependabot** tab in the dependency graph for the repository is populated. This tab shows which package managers {% data variables.product.prodname_dependabot %} is configured to monitor and when {% data variables.product.prodname_dependabot %} last checked for new versions.

![Screenshot of the Dependency graph page. A tab, titled "{% data variables.product.prodname_dependabot %}," is highlighted with an orange outline.](/assets/images/help/dependabot/dependabot-tab-view.png)

For information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/listing-dependencies-configured-for-version-updates).

## Disabling {% data variables.product.prodname_dependabot_version_updates %}

You can disable version updates entirely by deleting the `dependabot.yml` file from your repository. More usually, you want to disable updates temporarily for one or more dependencies, or package managers.

* Package managers: disable by setting `open-pull-requests-limit: 0` or by commenting out the relevant `package-ecosystem` in the configuration file.
* Specific dependencies: disable by adding `ignore` attributes for packages or applications that you want to exclude from updates.

When you disable dependencies, you can use wild cards to match a set of related libraries. You can also specify which versions to exclude. This is particularly useful if you need to block updates to a library, pending work to support a breaking change to its API, but want to get any security fixes to the version you use.

### Example disabling version updates for some dependencies

The example `dependabot.yml` file below includes examples of the different ways to disable updates to some dependencies, while allowing other updates to continue.
```yaml
# `dependabot.yml` file with updates
# disabled for Docker and limited for npm

version: 2
updates:
  # Configuration for Dockerfile
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    # Disable all pull requests for Docker dependencies
    open-pull-requests-limit: 0

  # Configuration for npm
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Ignore updates to packages that start with 'aws'
      # Wildcards match zero or more arbitrary characters
      - dependency-name: "aws*"
      # Ignore some updates to the 'express' package
      - dependency-name: "express"
        # Ignore only new versions for 4.x and 5.x
        versions: ["4.x", "5.x"]
      # For all packages, ignore all patch updates
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
```

For more information about checking for existing ignore preferences, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--).
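The following audit script is an added example for this page; it is not part of the GitHub documentation and not code from Dependabot itself. It applies the rules stated in the "Enabling" steps above (`version: 2` must be present and first, `updates` is mandatory, and each entry needs `package-ecosystem`, `directory` or `directories`, and `schedule.interval`) and the "Disabling" section (`open-pull-requests-limit: 0` switches an ecosystem off, `ignore` rules narrow what gets updated) to a parsed `dependabot.yml`. It assumes the input is the mapping that `yaml.safe_load()` produces, which preserves key order, so the three sample configurations from this page are embedded as constructed Python dicts rather than loaded from disk; it does not validate ecosystem names or interval values, only the structure the page describes.

```python
"""Audit a parsed dependabot.yml: required keys, leftover placeholder values,
and entries whose version updates are effectively switched off."""
from __future__ import annotations

from typing import Any


def _entry_findings(index: int, entry: Any, report: dict[str, list[str]]) -> None:
    """Check one element of the `updates` list and append findings to `report`."""
    where = f"updates[{index}]"
    if not isinstance(entry, dict):
        report["errors"].append(f"{where}: each entry must be a mapping")
        return

    eco = entry.get("package-ecosystem")
    if not isinstance(eco, str) or not eco.strip():
        # The starter template ships with package-ecosystem: "" and must be filled in.
        report["errors"].append(f"{where}: package-ecosystem is missing or empty")
        eco = "<unset>"

    if "directory" not in entry and "directories" not in entry:
        report["errors"].append(f"{where} ({eco}): needs directory or directories")

    schedule = entry.get("schedule")
    interval = schedule.get("interval") if isinstance(schedule, dict) else None
    if not isinstance(interval, str) or not interval.strip():
        report["errors"].append(f"{where} ({eco}): schedule.interval is required")

    # open-pull-requests-limit: 0 keeps the entry but stops every update pull request.
    if entry.get("open-pull-requests-limit") == 0:
        report["disabled"].append(eco)

    for rule in entry.get("ignore") or []:
        if not isinstance(rule, dict):
            report["errors"].append(f"{where} ({eco}): ignore rules must be mappings")
            continue
        name = str(rule.get("dependency-name", "?"))
        # "*" matches every package; any other "*" is a wildcard over a name family.
        scope = "every package" if name == "*" else (
            f"packages matching '{name}'" if "*" in name else f"'{name}'")
        limits = []
        if "versions" in rule:
            limits.append(f"versions {rule['versions']}")
        if "update-types" in rule:
            limits.append(f"update types {rule['update-types']}")
        suffix = f" ({', '.join(limits)})" if limits else " (all versions)"
        report["ignores"].append(f"{eco}: {scope}{suffix}")


def audit_dependabot_config(cfg: Any) -> dict[str, list[str]]:
    """Return {"errors": [...], "disabled": [...], "ignores": [...]} for a mapping
    such as the one yaml.safe_load() produces from a dependabot.yml file."""
    report: dict[str, list[str]] = {"errors": [], "disabled": [], "ignores": []}
    if not isinstance(cfg, dict):
        report["errors"].append("top level must be a mapping")
        return report
    # `version: 2` is mandatory and the file must start with it; the first key of
    # an order-preserving mapping tells us what the file started with.
    if cfg.get("version") != 2:
        report["errors"].append("version: 2 is mandatory")
    elif next(iter(cfg)) != "version":
        report["errors"].append("the file must start with version: 2")
    updates = cfg.get("updates")
    if not isinstance(updates, list) or not updates:
        report["errors"].append("updates: must be a non-empty list of package managers")
        return report
    for i, entry in enumerate(updates):
        _entry_findings(i, entry, report)
    return report


# Constructed samples: dict forms of the three configurations shown on this page.
STARTER = {"version": 2, "updates": [
    {"package-ecosystem": "", "directory": "/", "schedule": {"interval": "weekly"}}]}

BASIC = {"version": 2, "updates": [
    {"package-ecosystem": "npm", "directory": "/", "schedule": {"interval": "daily"}},
    {"package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "weekly"}},
    {"package-ecosystem": "github-actions", "directory": "/", "schedule": {"interval": "weekly"}}]}

LIMITED = {"version": 2, "updates": [
    {"package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "weekly"},
     "open-pull-requests-limit": 0},
    {"package-ecosystem": "npm", "directory": "/", "schedule": {"interval": "weekly"},
     "ignore": [{"dependency-name": "aws*"},
                {"dependency-name": "express", "versions": ["4.x", "5.x"]},
                {"dependency-name": "*", "update-types": ["version-update:semver-patch"]}]}]}

if __name__ == "__main__":
    for label, cfg in (("starter", STARTER), ("basic", BASIC), ("limited", LIMITED)):
        print(label, audit_dependabot_config(cfg))
```

Running the script flags the unfilled `package-ecosystem: ""` in the starter template as an error, passes the three-ecosystem example cleanly, and for the disabling example reports Docker as switched off and lists the three npm `ignore` rules with their scope, which is the kind of summary worth checking before committing a `dependabot.yml` that silences updates.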