
Top-Level Configuration

Root-level settings for the Dependabot configuration file.

Dependabot configuration syntax version. Must be 2.

Update Entry: Core

Primary settings for a Dependabot update block defining which ecosystem and directory to monitor.

The package manager to monitor for updates.

Location of the package manifests relative to the repository root.

Multiple directories containing manifests; use either this or the single directory setting in a given block, not both. Supports glob patterns.

Branch to check manifests and raise PRs against (defaults to the repo default branch).

Paths of directories and files Dependabot should ignore when scanning for manifests and dependencies. Supports glob patterns.

Update Entry: Schedule

How often Dependabot checks for version updates.

The frequency to check for updates.

Day to check for updates (only applies when interval is weekly). Defaults to Monday.

Time of day to check for updates (HH:MM format). Defaults to a random time in UTC.

Timezone for the schedule (IANA tz database format). Defaults to UTC.

A cron expression for the schedule (required when interval is cron). Uses standard five-field cron syntax.
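The core and schedule fields above combined into one dependabot.yml, as an added example rather than output of the generator itself. The repository layout, the develop branch and the excluded fixture path are assumed; the exclude-paths option and the cron interval with its cronjob key are newer additions to the schema, so confirm both against the current GitHub documentation before relying on them.

```yaml
# Added example: core and schedule fields of a dependabot.yml.
# Repository layout, branch name and paths are assumed.
version: 2
updates:
  # Single-directory block: one manifest location, one weekly schedule.
  - package-ecosystem: "npm"
    directory: "/"               # path to package.json, relative to the repo root
    target-branch: "develop"     # assumed integration branch; omit to use the default branch
    schedule:
      interval: "weekly"
      day: "monday"              # only honoured when interval is weekly
      time: "06:00"              # HH:MM
      timezone: "Europe/Berlin"  # IANA tz name; default is UTC
    exclude-paths:               # assumed layout: vendored fixtures that must never be bumped
      - "test/fixtures/**"

  # Multi-directory block: `directories` replaces `directory` (never set both)
  # and accepts globs, so one block can cover every service in a monorepo.
  - package-ecosystem: "docker"
    directories:
      - "/services/*"
      - "/infra/build-images"
    schedule:
      interval: "cron"
      cronjob: "0 4 * * 1-5"     # five-field cron: 04:00 on weekdays, in the timezone below
      timezone: "UTC"
```

Keeping the schedule inside working hours matters more than it looks: a PR that lands at 03:00 gets merged by a tired on-call engineer, not reviewed.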

Update Entry: PR Settings

Pull request configuration including assignees, reviewers, labels, and commit messages.

GitHub usernames to assign to Dependabot PRs.

GitHub usernames or team names to request reviews from.

Custom GitHub labels applied to Dependabot PRs. Defaults to "dependencies" plus an ecosystem-specific label.

GitHub milestone ID to associate with PRs.

String prefix added to all commit messages (max 50 chars, e.g. chore).

Separate prefix for development dependency updates (max 50 chars).

Include additional info in commits. Currently only "scope" is supported.

Separator character used between components in Dependabot branch names. Supported values are "/", "-" and "_". Defaults to "/".

Maximum number of concurrent open Dependabot version update PRs. Defaults to 5. Setting it to 0 disables version updates for the block (useful when a block exists only so that security updates can run against it).
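The PR settings above in one block, as an added example that is not output of the generator. The usernames, the team slug, the milestone ID and the label names are assumed.

```yaml
# Added example: pull request settings for one update block.
# Usernames, team slug, milestone ID and custom label are assumed.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    assignees:
      - "octocat"                        # assumed GitHub username
    reviewers:
      - "octo-org/platform-security"     # assumed team, written as org/team-slug
    labels:
      - "dependencies"                   # custom labels REPLACE the defaults, so list this explicitly
      - "needs-security-review"          # assumed label; must already exist in the repo
    milestone: 4                         # numeric milestone ID, not the milestone title
    commit-message:
      prefix: "chore"                    # max 50 characters
      prefix-development: "build"        # used instead of `prefix` for dev-dependency bumps
      include: "scope"                   # yields e.g. "chore(deps): bump requests ..." and "build(deps-dev): ..."
    pull-request-branch-name:
      separator: "-"                     # "/", "-" or "_"; "-" keeps refs flat for tooling that dislikes nested paths
    open-pull-requests-limit: 10         # default 5; 0 switches version updates off for this block
```

Routing every Dependabot PR to a named reviewer team is the cheapest control here: it turns "a bot bumped a version" into a change someone accountable actually looks at before merge.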

Update Entry: Versioning & Strategy

Controls how Dependabot handles version bumps, rebasing, vendoring, and external code execution.

How Dependabot bumps version requirements in manifest files.

How Dependabot handles rebasing of PRs on conflicts. By default, Dependabot automatically rebases open PRs.

Vendor dependencies during the update (supported by bundler and gomod).

Allow package managers to execute external code hooks during updates (supported by bundler, mix, and pip). By default, external code execution is disabled ("deny"); enabling it means code from the dependency tree runs inside the update job, which also holds any private registry credentials granted to this block.

Names of private registries to use for this update block, or "*" for all.
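The versioning and strategy fields shown as a weak configuration beside a hardened one. This is an added example, not generator output; the registry name and URL are assumed.

```yaml
# Added example: versioning, rebase, vendoring and code-execution settings.
# Registry name and URL are assumed.
version: 2
registries:
  gems-internal:
    type: "rubygems-server"
    url: "https://gems.internal.example.com"   # assumed
    token: ${{secrets.GEMS_INTERNAL_TOKEN}}

updates:
  # Weak: every gemspec and extconf.rb in the dependency tree may run during
  # the update, in a job that can read the gems-internal token above.
  - package-ecosystem: "bundler"
    directory: "/legacy-app"          # assumed path
    schedule:
      interval: "weekly"
    registries:
      - "gems-internal"
    insecure-external-code-execution: "allow"

  # Hardened: same ecosystem, hooks denied (the default), and the other
  # strategy fields set so PR diffs stay small and reviewable.
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - "gems-internal"
    insecure-external-code-execution: "deny"
    versioning-strategy: "increase-if-necessary"   # only rewrite the Gemfile constraint when the lockfile bump needs it
    rebase-strategy: "disabled"                    # reviewed diffs do not shift under the reviewer; rebase on request
    vendor: true                                   # bundler/gomod: update the vendored copies together with the manifest
```

If a block genuinely needs "allow" (some gemspecs evaluate code to resolve their own dependencies), give that block a registry entry with a read-only credential that is scoped to nothing else, so the worst case of a malicious hook is a leaked token that can only download packages.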

Update Entry: Allow

Define exactly which dependencies to maintain. When specified, only matching dependencies receive updates.

Name of the dependency to allow updates for. Supports wildcard * patterns.

Only allow updates for dependencies of a specific usage type.

Update Entry: Ignore

Define dependencies, versions, or update types that this update block must skip. Ignore rules are applied after the allow rules, so they narrow what the block would otherwise update.

Name of the dependency to ignore. Supports wildcard * patterns.

Specific versions or version ranges to ignore (e.g. "> 2.0.0").

Ignore specific semantic version update types: "version-update:semver-major", "version-update:semver-minor", or "version-update:semver-patch".
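Allow and ignore rules working together, as an added example that is not generator output. The package names and the internal scope are assumed.

```yaml
# Added example: allow and ignore rules for one npm block.
# Package names and the @acme scope are assumed.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # allow: once present, ONLY dependencies matching some entry get version-update PRs.
    allow:
      - dependency-type: "production"   # leave devDependencies to a separate block or to nobody
      - dependency-name: "@acme/*"      # assumed internal scope; wildcard on the name
    # ignore: evaluated after allow. Keep ranges narrow: an ignored version range also
    # hides the PR that would have moved you off a vulnerable release in that range.
    ignore:
      - dependency-name: "express"
        versions: ["5.x"]               # stay on the 4.x line until the migration is planned
      - dependency-name: "aws-sdk"
        update-types: ["version-update:semver-major"]   # v2 to v3 is a rewrite, not a bump
      - dependency-name: "@types/*"
        update-types: ["version-update:semver-patch"]   # patch-level typings churn is noise
```

Prefer update-types over open-ended version ranges when you only want to hold back majors: the range form silently keeps matching every future release, including the one that fixes a CVE.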

Update Entry: Groups

Group multiple dependency updates into a single aggregated pull request.

Whether this group applies to version updates or security updates.

Limit the group to development or production dependencies.

Name patterns for dependencies to include in the group (supports wildcards, max 150).

Name patterns to explicitly omit from the group (supports wildcards, max 150).

Limit the group to specific semantic versioning levels: "major", "minor", or "patch".
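Three groups in one block, as an added example rather than generator output: a dev-tooling group, a production group that keeps major bumps out so they arrive as separate PRs, and a group that batches security updates. Package names are assumed.

```yaml
# Added example: grouped updates for one npm block. Package names are assumed.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # All minor/patch bumps of the test and lint toolchain in one PR.
      dev-tooling:
        applies-to: "version-updates"
        dependency-type: "development"
        patterns:
          - "eslint*"
          - "jest*"
          - "@types/*"
        update-types:
          - "minor"
          - "patch"
      # Production deps batched, but majors fall through and get their own PR,
      # and the framework pair is excluded so it is always reviewed on its own.
      prod-minor:
        applies-to: "version-updates"
        dependency-type: "production"
        patterns: ["*"]
        exclude-patterns:
          - "react"
          - "react-dom"   # assumed: pinned and upgraded as a deliberate project
        update-types: ["minor", "patch"]
      # A CVE sweep across the ecosystem lands as one PR instead of a dozen.
      security-sweep:
        applies-to: "security-updates"
        patterns: ["*"]
```

Groups are matched in the order written, and a dependency joins the first group it fits, so put the narrow groups before the catch-all. Anything matching no group is still raised as an individual PR.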

Update Entry: Cooldown

Minimum package age requirement before Dependabot creates a PR for a new release.

Default cooldown period in days.

Cooldown period for major version updates.

Cooldown period for minor version updates.

Cooldown period for patch version updates.

Specific dependencies to apply cooldown to (supports wildcards, max 150).

Specific dependencies that bypass the cooldown (supports wildcards, max 150).
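A cooldown policy with per-level windows, as an added example that is not generator output. The rationale is supply-chain: a hijacked maintainer account or leaked publish token usually produces a release that is reported and unpublished within days, and a cooldown keeps the updater from pulling it the hour it appears. The internal scope and the package names are assumed.

```yaml
# Added example: cooldown policy. The @acme scope and package names are assumed.
version: 2
updates:
  # Everything waits; our own packages (published from CI we control) are exempt.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      default-days: 7
      semver-major-days: 30      # majors get a month so migration guides and regressions surface first
      semver-minor-days: 7
      semver-patch-days: 3       # patches move fastest, but still not on day zero
      exclude:
        - "@acme/*"              # assumed internal scope; bypasses the cooldown entirely

  # Only the high-churn, high-privilege packages wait; everything else updates immediately.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      default-days: 14
      include:
        - "requests"
        - "cryptography"
        - "boto*"                # wildcard: boto3, botocore
```

The level-specific values override default-days for that level only; default-days still covers anything the three semver keys do not (pre-releases, non-semver ecosystems). Set the patch window lowest, since that is where most fixes for disclosed vulnerabilities arrive.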

Private Registries

Define private registries and their access credentials.

The type of the private registry.

The URL of the private registry.

Username for authentication.

Password or secret reference (e.g. ${{secrets.MY_SECRET}}). Secrets referenced here are Dependabot secrets (repository or organization settings, "Secrets and variables" > "Dependabot"), not Actions secrets.

Token for authentication (alternative to password).

Access key for authentication (used by hex-organization).

Organization name (for Hex organization registries).

If true, resolve dependencies using this registry URL instead of the public registry.
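Private registry declarations wired to the update blocks that use them, as an added example that is not generator output. Registry names, URLs, the service account and the Hex organization are assumed. One registry uses a token, one a username and password, one a key with an organization, and the update blocks show the difference between naming registries and granting "*".

```yaml
# Added example: private registries and how update blocks reference them.
# Registry names, URLs, service account and organization are assumed.
version: 2
registries:
  npm-internal:
    type: "npm-registry"
    url: "https://npm.internal.example.com"          # assumed; proxies npmjs.org and hosts @acme/* packages
    token: ${{secrets.NPM_INTERNAL_TOKEN}}           # Dependabot secret, not an Actions secret
    replaces-base: true                              # resolve ALL packages here; the public registry is not consulted
  maven-artifactory:
    type: "maven-repository"
    url: "https://artifactory.example.com/artifactory/maven"   # assumed
    username: "dependabot-ro"                        # assumed read-only service account
    password: ${{secrets.ARTIFACTORY_PASSWORD}}
  hex-org:
    type: "hex-organization"
    organization: "acme"                             # assumed Hex organization
    key: ${{secrets.HEX_ORG_KEY}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - "npm-internal"       # only this registry's credential is exposed to this block

  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    registries: "*"          # every declared registry, including the npm and Hex secrets this block never needs

  - package-ecosystem: "mix"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - "hex-org"
```

Name registries per block rather than granting "*": a block's update job only needs the credentials for its own ecosystem. replaces-base on a registry that proxies the public index is also where dependency confusion gets decided, since the proxy, not Dependabot, chooses whether an internal package name resolves upstream or internally.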