dependabot

Solid

Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests, configuring dependency update strategies, setting up grouped updates, monorepo patterns, multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub Advanced Security (GHAS) supply chain security topic related to Dependabot.

AI & Automation 34,887 stars 4287 forks Updated today MIT


Quality Score: 93/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Dependabot Configuration & Management

## Overview

Dependabot is GitHub's built-in dependency management tool with three core capabilities:

1. **Dependabot Alerts** — Notify when dependencies have known vulnerabilities (CVEs)
2. **Dependabot Security Updates** — Auto-create PRs to fix vulnerable dependencies
3. **Dependabot Version Updates** — Auto-create PRs to keep dependencies current

All configuration lives in a **single file**: `.github/dependabot.yml` on the default branch. GitHub does **not** support multiple `dependabot.yml` files per repository.

## Configuration Workflow

Follow this process when creating or optimizing a `dependabot.yml`:

### Step 1: Detect All Ecosystems

Scan the repository for dependency manifests. Look for:

| Ecosystem | YAML Value | Manifest Files |
|---|---|---|
| npm/pnpm/yarn | `npm` | `package.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock` |
| pip/pipenv/poetry/uv | `pip` | `requirements.txt`, `Pipfile`, `pyproject.toml`, `setup.py` |
| Docker | `docker` | `Dockerfile` |
| Docker Compose | `docker-compose` | `docker-compose.yml` |
| GitHub Actions | `github-actions` | `.github/workflows/*.yml` |
| Go modules | `gomod` | `go.mod` |
| Bundler (Ruby) | `bundler` | `Gemfile` |
| Cargo (Rust) | `cargo` | `Cargo.toml` |
| Composer (PHP) | `composer` | `composer.json` |
| NuGet (.NET) | `nuget` | `*.csproj`, `packages.config` |
| .NET SDK | `dotnet-sdk` | `global.json` |
| Maven (Java) | `maven` | `pom.xml` |
| Gradle (Java) | `g...

Details

Author: github
Repository: github/awesome-copilot
Created: 1 year ago
Last Updated: today
Language: Python
License: MIT
