Pattern · bash · Moderate
Dependabot configuration for automated dependency updates
Tags: dependabot, dependency update, security, grouping, auto-merge, schedule
Problem
Outdated dependencies accumulate silently. Security vulnerabilities in transitive dependencies go unnoticed for months. Manual dependency updates are tedious and skipped under deadline pressure.
Solution
Configure .github/dependabot.yml:

```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
      day: monday
      time: '09:00'
      timezone: Europe/Paris
    open-pull-requests-limit: 10
    groups:
      dev-dependencies:
        dependency-type: development
      aws-sdk:
        patterns:
          - '@aws-sdk/*'
    ignore:
      - dependency-name: some-legacy-package
        versions: ['> 1.x']
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    groups:
      actions:
        patterns:
          - '*'
```

Why
Grouping related packages (all @aws-sdk/* into one PR) reduces PR noise. Scheduling on Monday morning means updates arrive at the start of the week when engineers can review them.
Gotchas
- Dependabot PRs for major version bumps require manual review—they will not auto-merge if you only allow patch auto-merges
- open-pull-requests-limit default is 5; if you have many packages this fills up and stops new PRs from being created
- Dependabot does not update packages that are explicitly pinned in the package.json resolutions field