5.7 KiB
The following table shows, for each package manager:
- The YAML value to use in the dependabot.yml file
- The supported versions of the package manager
- Whether dependencies in private {% data variables.product.prodname_dotcom %} repositories or registries are supported
- Whether vendored dependencies are supported
| Package manager | YAML value | Supported versions | Private repositories | Private registries | Vendoring |
|---|---|---|---|---|---|
| Bundler | bundler |
v1, v2 | ✓ | ✓ | |
| Cargo | cargo |
v1 | ✓ | ✓ | |
| Composer | composer |
v1, v2 | ✓ | ✓ | |
| Docker {% ifversion dependabot-version-updates-enhanced-docker-support %}[1]{% endif %} | docker |
v1 | ✓ | ✓ | |
| Hex | mix |
v1 | ✓ | ||
| elm-package | elm |
v0.19 | ✓ | ✓ | |
| git submodule | gitsubmodule |
N/A (no version) | ✓ | ✓ | |
| GitHub Actions | github-actions |
N/A (no version) | ✓ | ✓ | |
| Go modules | gomod |
v1 | ✓ | ✓ | ✓ |
| Gradle | gradle |
N/A (no version)[2] | ✓ | ✓ | |
| Maven | maven |
N/A (no version)[3] | ✓ | ✓ | |
| npm | npm |
v6, v7, v8 | ✓ | ✓ | |
| NuGet | nuget |
<= 4.8[4] | ✓ | ✓ | |
| pip{% ifversion dependabot-PEP621-support %}[5]{% endif %} | pip |
v21.1.2 | ✓ | ||
| pipenv | pip |
<= 2021-05-29 | ✓ | ||
| pip-compile{% ifversion dependabot-PEP621-support %}[5]{% endif %} | pip |
6.1.0 | ✓ | ||
| poetry | pip |
v1 | ✓ | ||
| pub | pub |
v2 [6] | |||
| Terraform | terraform |
>= 0.13, <= 1.2.x | ✓ | ✓ | |
| {% ifversion dependabot-yarn-v3-update %}yarn | npm |
v1, v2, v3 | ✓ | ✓ | ✓[7] |
| {% endif %} |
{% tip %}
Tip: For package managers such as pipenv and poetry, you need to use the pip YAML value. For example, if you use poetry to manage your Python dependencies and want {% data variables.product.prodname_dependabot %} to monitor your dependency manifest file for new versions, use package-ecosystem: "pip" in your dependabot.yml file.
{% endtip %}
{% ifversion dependabot-version-updates-enhanced-docker-support %}
[1] {% data variables.product.prodname_dependabot %} can update Docker image tags in Kubernetes manifests. Add an entry to the Docker package-ecosystem element of your dependabot.yml file for each directory containing a Kubernetes manifest which references Docker image tags. Kubernetes manifests can be Kubernetes Deployment YAML files or Helm charts. For information about configuring your dependabot.yml file for docker, see "package-ecosystem" in "Configuration options for the dependabot.yml file."
{% data variables.product.prodname_dependabot %} supports both public and private Docker registries. For a list of the supported registries, see "docker-registry" in "Configuration options for the dependabot.yml file."
{% endif %}
[2] {% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to the following files: build.gradle, build.gradle.kts (for Kotlin projects), and files included via the apply declaration that have dependencies in the filename. Note that apply does not support apply to, recursion, or advanced syntaxes (for example, Kotlin's apply with mapOf, filenames defined by property).
[3] {% data variables.product.prodname_dependabot %} doesn't run Maven but supports updates to pom.xml files.
[4] {% data variables.product.prodname_dependabot %} doesn't run the NuGet CLI but does support most features up until version 4.8.
{% ifversion dependabot-PEP621-support %}
[5] In addition to supporting updates to requirements.txt files, {% data variables.product.prodname_dependabot %} supports updates to pyproject.toml files if they follow the PEP 621 standard. {% endif %}
{% ifversion fpt or ghec or ghes > 3.4 %}
[6] {% ifversion ghes = 3.5 %}pub support is currently in beta. Any known limitations are subject to change. Note that {% data variables.product.prodname_dependabot %}:
- Doesn't support updating git dependencies for
pub. - Won't perform an update when the version that it tries to update to is ignored, even if an earlier version is available.
For information about configuring your dependabot.yml file for pub, see "Enabling support for beta-level ecosystems."
{%- else %}{% data variables.product.prodname_dependabot %} won't perform an update for pub when the version that it tries to update to is ignored, even if an earlier version is available.{% endif %}
{% endif %}
{% ifversion dependabot-yarn-v3-update %} [7] Dependabot supports vendored dependencies for v2 onwards.{% endif %}