c4914d70df
* Update topics for Dependabot private repo support * Fix typo * Undo VS Code's auto-numbering * Fix broken anchor * Update content/github/administering-a-repository/configuration-options-for-dependency-updates.md Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> * Update content/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors.md Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> * Update content/github/setting-up-and-managing-organizations-and-teams/managing-security-and-analysis-settings-for-your-organization.md Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> * Updated to put supported package managers in table Alex suggested moving this information about which package managers are not supported (bundler, hex, pip) into the table on the About topic, rather than as text in the note box. This changes does that, adding a new row to the table for hex (as discussed with Alex). * Remove redundant image Review comment asked for the line about filtering repos to be removed. With that line gone there's no point showing the s/shot of a filtered list. * Updates for revised UI As per comments from @thepwagner * Make changes requested by Maya Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
6.9 KiB
title, intro, permissions, versions
| title | intro | permissions | versions | ||
|---|---|---|---|---|---|
| Enabling and disabling version updates | You can configure your repository so that {% data variables.product.prodname_dependabot %} automatically updates the packages you use. | People with write permissions to a repository can enable or disable {% data variables.product.prodname_dependabot_version_updates %} for the repository. |
|
{% data reusables.dependabot.beta-note-no-link %}
About version updates for dependencies
You enable {% data variables.product.prodname_dependabot_version_updates %} by checking a dependabot.yml configuration file in to your repository's .github directory. {% data variables.product.prodname_dependabot %} then raises pull requests to keep the dependencies you configure up-to-date. For each package manager's dependencies that you want to update, you must specify the location of the package manifest files and how often to check for updates to the dependencies listed in those files. For information about enabling security updates, see "Configuring {% data variables.product.prodname_dependabot_security_updates %}."
{% data reusables.dependabot.initial-updates %} For more information, see "Customizing dependency updates."
{% data reusables.dependabot.private-dependencies-note %} Additionally, {% data variables.product.prodname_dependabot %} doesn't support private {% data variables.product.prodname_dotcom %} dependencies for all package managers. For more information, see "About Dependabot version updates."
Enabling {% data variables.product.prodname_dependabot_version_updates %}
{% data reusables.dependabot.create-dependabot-yml %}
- Use
package-ecosystemto specify the package managers to monitor. - For each package manager, use:
directoryto specify the location of the manifest or other definition files.schedule.intervalto specify how often to check for new versions. {% data reusables.dependabot.check-in-dependabot-yml %}
Example dependabot.yml file
The example dependabot.yml file below configures version updates for two package mangers: npm and Docker. When this file is checked in, {% data variables.product.prodname_dependabot %} checks the manifest files on the default branch for outdated dependencies. If it finds outdated dependencies, it will raise pull requests against the default branch to update the dependencies.
# Basic dependabot.yml file with
# minimum configuration for two package managers
version: 2
updates:
# Enable version updates for npm
- package-ecosystem: "npm"
# Look for `package.json` and `lock` files in the `root` directory
directory: "/"
# Check the npm registry for updates every day (weekdays)
schedule:
interval: "daily"
# Enable version updates for Docker
- package-ecosystem: "docker"
# Look for a `Dockerfile` in the `root` directory
directory: "/"
# Check for updates once a week
schedule:
interval: "weekly"
In the example above, if the Docker dependencies were very outdated, you might want to start with a daily schedule until the dependencies are up-to-date, and then drop back to a weekly schedule.
Enabling version updates on forks
If you want to enable version updates on forks, there's an extra step. Version updates are not automatically enabled on forks when a dependabot.yml configuration file is present. This ensures that fork owners don't unintentionally enable version updates when they pull changes including a dependabot.yml configuration file from the original repository.
On a fork, you also need to explicitly enable {% data variables.product.prodname_dependabot %}.
{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.accessing-repository-graphs %} {% data reusables.repositories.click-dependency-graph %} {% data reusables.dependabot.click-dependabot-tab %} 5. Under "Enable Dependabot", click Enable Dependabot.
Checking the status of version updates
After you enable version updates, you'll see a new Dependabot tab in the dependency graph for the repository. This tab shows which package managers {% data variables.product.prodname_dependabot %} is configured to monitor and when {% data variables.product.prodname_dependabot %} last checked for new versions.
For information, see "Listing dependencies configured for version updates."
Disabling {% data variables.product.prodname_dependabot_version_updates %}
You can disable version updates entirely by deleting the dependabot.yml file from your repository. More usually, you want to disable updates temporarily for one or more dependencies, or package managers.
- Package managers: disable by setting
open-pull-requests-limit: 0or by commenting out the relevantpackage-ecosystemin the configuration file. - Specific dependencies: disable by adding
ignoreattributes for packages or applications that you want to exclude from updates.
When you disable dependencies, you can use wild cards to match a set of related libraries. You can also specify which versions to exclude. This is particularly useful if you need to block updates to a library, pending work to support a breaking change to its API, but want to get any security fixes to the version you use.
Example disabling version updates for some dependencies
The example dependabot.yml file below includes examples of the different ways to disable updates to some dependencies, while allowing other updates to continue.
# dependabot.yml file with updates
# disabled for Docker and limited for npm
version: 2
updates:
# Configuration for Dockerfile
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"
# Disable all pull requests for Docker dependencies
open-pull-requests-limit: 0
# Configuration for npm
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
# Overwrite any ignores created using `@dependabot ignore` commands
ignore:
# Ignore updates to packages that start 'aws'
# Wildcards match zero or more arbitrary characters
- dependency-name: "aws*"
# Ignore some updates to the 'express' package
- dependency-name: "express"
# Ignore only new versions for 4.x and 5.x
versions: ["4.x", "5.x"]
{% data reusables.dependabot.warning-ignore-option %}
For more information about checking for existing ignore preferences, see "Configuration options for dependency updates."