
Dependabot for module updates

Dependabot alleviates the pain of updating dependencies by hand: it automatically raises a PR against a particular module, so you can spend less time updating dependencies and more time building.

General notes:

  • You cannot select the source branch for your dependency/package branch.
  • To run Dependabot, the .yml file needs to be in the default branch (main). If you want to run Dependabot from any other branch, you have to change your default branch to the required one.
  • The specified target branch must be present among the remote branches.

Creating .yml config file for Dependabot

Please follow the below link: Configuration options for the dependabot.yml file - GitHub Docs

Steps to configure Dependabot:

  • Go to your repository
  • Click on “Insights” in the top menu
  • Select “Dependency Graph”
  • Click on the “Dependabot” option in the sub-menu
  • Click on “Create config file”
  • Paste the code below into the config file:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
version: 2
updates:
  - package-ecosystem: "npm" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
      day: "monday"
      time: "05:00"
      # Use US Eastern Time (UTC-05:00 standard time)
      timezone: "America/New_York"
    # Allow up to 10 open pull requests for npm dependencies
    open-pull-requests-limit: 10
    # Raise pull requests for version updates to npm packages against `main` or any other branch of your choice, like `develop`
    target-branch: "main"
    # Labels on pull requests for version updates only
    labels:
      - "npm dependency"
    # Add assignees
    assignees:
      - "smayuraxioned"
    # Add reviewers
    reviewers:
      - "smayuraxioned"
  • Commit the changes to the default branch
  • After successfully configuring Dependabot, you will start getting emails about PRs for module updates
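
A pre-commit sanity check for the configuration and the general notes above, added here as an example (it is not GitHub's or Dependabot's own code). It assumes the file has already been parsed into a dict by a YAML loader and that the remote branch names were collected separately, for instance from `git ls-remote --heads origin`; the function name `check_dependabot` and the sample inputs are hypothetical.

```python
# Added example: validate a parsed dependabot.yml before committing it.
# `config` is the dict a YAML loader returns (assumption: e.g. yaml.safe_load);
# `remote_branches` is the set of branch names that exist on the remote.


def check_dependabot(config, remote_branches):
    """Return a list of human-readable problems; an empty list means OK."""
    if not isinstance(config, dict):
        return ["top level must be a mapping"]
    problems = []
    if config.get("version") != 2:
        problems.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        # Typical symptom of pasting entries without the `updates:` parent key.
        return problems + ["`updates` must be a non-empty list"]
    for i, entry in enumerate(updates):
        where = f"updates[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: must be a mapping")
            continue
        for key in ("package-ecosystem", "schedule"):
            if key not in entry:
                problems.append(f"{where}: missing `{key}`")
        if "directory" not in entry and "directories" not in entry:
            problems.append(f"{where}: missing `directory`")
        sched = entry.get("schedule")
        if "schedule" in entry and not (isinstance(sched, dict) and "interval" in sched):
            problems.append(f"{where}: `schedule` needs an `interval`")
        # Schedule keys written beside `schedule` instead of nested under it.
        for stray in ("interval", "day", "time", "timezone"):
            if stray in entry:
                problems.append(f"{where}: `{stray}` belongs under `schedule`")
        # The target branch must already exist on the remote.
        target = entry.get("target-branch")
        if target is not None and target not in remote_branches:
            problems.append(f"{where}: target-branch `{target}` not on remote")
    return problems


# Constructed sample inputs mirroring the configuration on this page.
GOOD = {"version": 2, "updates": [{
    "package-ecosystem": "npm", "directory": "/",
    "schedule": {"interval": "weekly", "day": "monday"},
    "target-branch": "main"}]}
BAD = {"version": 2, "updates": [{
    "package-ecosystem": "npm", "directory": "/",
    "interval": "weekly", "target-branch": "develop"}]}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_dependabot(cfg, {"main"}))
```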

Future enhancements to keep an eye out for: