---
title: Configuring Dependabot security updates
intro: 'You can use {% data variables.product.prodname_dependabot_security_updates %} or manual pull requests to easily update vulnerable dependencies.'
shortTitle: Configure security updates
permissions: '{% data reusables.permissions.dependabot-yml-configure %}'
redirect_from:
versions:
contentType: how-tos
category:
---
{% data reusables.dependabot.enterprise-enable-dependabot %}
You can enable or disable {% data variables.product.prodname_dependabot_security_updates %} for all qualifying repositories owned by your personal account or organization. For more information, see AUTOTITLE or AUTOTITLE.
You can also enable or disable {% data variables.product.prodname_dependabot_security_updates %} for an individual repository.
## Enabling or disabling {% data variables.product.prodname_dependabot_security_updates %} for an individual repository

1. {% data reusables.repositories.navigate-to-repo %}
1. {% data reusables.repositories.sidebar-settings %}
1. {% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. To the right of "{% data variables.product.prodname_dependabot %} security updates," click **Enable** to enable the feature or **Disable** to disable it. {% ifversion fpt or ghec %}For public repositories, the button is disabled if the feature is always enabled.{% endif %}
## Grouping {% data variables.product.prodname_dependabot_security_updates %} into a single pull request

In order to use grouped security updates, you must first enable the following features:
- Dependency graph. For more information, see AUTOTITLE.
- {% data variables.product.prodname_dependabot_alerts %}. For more information, see AUTOTITLE.
- {% data variables.product.prodname_dependabot_security_updates %}. For more information, see AUTOTITLE.
> [!NOTE]
> When grouped security updates are first enabled, {% data variables.product.prodname_dependabot %} will immediately try to create grouped pull requests. You may notice {% data variables.product.prodname_dependabot %} closing old pull requests and opening new ones.

{% data reusables.dependabot.dependabot-grouped-security-updates-how-enable %}

{% data reusables.dependabot.dependabot-grouped-security-updates-order %}
### Enabling or disabling grouped {% data variables.product.prodname_dependabot_security_updates %} for an individual repository

1. {% data reusables.repositories.navigate-to-repo %}
1. {% data reusables.repositories.sidebar-settings %}
1. {% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "{% ifversion ghas-products %}{% data variables.product.prodname_dependabot %}{% else %}{% data variables.product.UI_advanced_security %}{% endif %}," to the right of "Grouped security updates," click **Enable** to enable the feature or **Disable** to disable it.
### Enabling or disabling grouped {% data variables.product.prodname_dependabot_security_updates %} for an organization

{% ifversion security-configurations %}
You can enable grouped {% data variables.product.prodname_dependabot_security_updates %} into a single pull request. For more information, see AUTOTITLE.
{% else %}
1. {% data reusables.profile.access_org %}
1. {% data reusables.profile.org_settings %}
1. {% data reusables.organizations.security-and-analysis %}
1. Under "{% data variables.product.UI_advanced_security %}," to the right of "Grouped security updates," click **Disable all** or **Enable all**.
1. Optionally, to enable grouped {% data variables.product.prodname_dependabot_security_updates %} for new repositories in your organization, select **Automatically enable for new repositories**.
{% endif %}
You can override the default behavior of {% data variables.product.prodname_dependabot_security_updates %} by adding a `dependabot.yml` file to your repository. With a `dependabot.yml` file, you can have more granular control of grouping, and override the default behavior of {% data variables.product.prodname_dependabot_security_updates %} settings.

Use the `groups` option with the `applies-to: security-updates` key to create sets of dependencies (per package manager), so that {% data variables.product.prodname_dependabot %} opens a single pull request to update multiple dependencies at the same time. You can define groups by package name (the `patterns` and `exclude-patterns` keys), dependency type (`dependency-type` key), and SemVer (the `update-types` key).
{% data reusables.dependabot.dependabot-version-updates-groups-match-first %}
If you only require security updates and want to exclude version updates, you can set `open-pull-requests-limit` to `0` in order to prevent version updates for a given `package-ecosystem`.
For more information about the configuration options available for security updates, see AUTOTITLE.
```yaml
# Example configuration file that:
#  - Has a private registry
#  - Ignores lodash dependency
#  - Disables version-updates
#  - Defines a group by package name, for security updates for golang dependencies
version: 2
registries:
  example:
    type: npm-registry
    url: https://example.com
    token: {% raw %}${{secrets.NPM_TOKEN}}{% endraw %}
updates:
  - package-ecosystem: "npm"
    directory: "/src/npm-project"
    schedule:
      interval: "daily"
    # For Lodash, ignore all updates
    ignore:
      - dependency-name: "lodash"
    # Disable version updates for npm dependencies
    open-pull-requests-limit: 0
    registries:
      - example
  - package-ecosystem: "gomod"
    directories:
      - "**/*"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    groups:
      golang:
        applies-to: security-updates
        patterns:
          - "golang.org*"
```

> [!NOTE]
> In order for {% data variables.product.prodname_dependabot %} to use this configuration for security updates, the `directory` must be the path to the manifest files (or `directories` must contain paths or glob patterns matching the manifest file locations), and you should not specify a `target-branch`.
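Added example, not part of this page or of Dependabot's own code, that models the grouping rules described above (`patterns`, `exclude-patterns`, `dependency-type`, `update-types`, first matching group in definition order wins) and the conditions in the note: `resolve_group` reports which security-updates group a dependency would land in, and `lint_for_security_updates` flags a missing `directory`/`directories`, a `target-branch`, and a limit of `0`. The config is a constructed dict mirroring what `yaml.safe_load` returns for one `updates` entry; the default `applies-to` value and the behaviour of a group without `patterns` are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed `updates` entry (what yaml.safe_load returns): the page's gomod
# example plus an exclude-pattern and a second, broader security-updates group.
GOMOD_UPDATE = {
    "package-ecosystem": "gomod",
    "directories": ["**/*"],
    "open-pull-requests-limit": 0,
    "groups": {
        "golang": {"applies-to": "security-updates",
                   "patterns": ["golang.org*"],
                   "exclude-patterns": ["golang.org/x/tools*"]},
        "prod-minor-patch": {"applies-to": "security-updates",
                             "dependency-type": "production",
                             "update-types": ["minor", "patch"]},
    },
}

def group_matches(rules, name, dep_type, update_type):
    """True if the dependency satisfies every restriction of one group."""
    # applies-to defaults to version updates (assumed), so such groups are skipped.
    if rules.get("applies-to", "version-updates") != "security-updates":
        return False
    if any(fnmatchcase(name, p) for p in rules.get("exclude-patterns", [])):
        return False
    # A group without patterns is assumed to match any name.
    if not any(fnmatchcase(name, p) for p in rules.get("patterns", ["*"])):
        return False
    if rules.get("dependency-type", dep_type) != dep_type:
        return False
    return update_type in rules.get("update-types", [update_type])

def resolve_group(update, name, dep_type="production", update_type="patch"):
    """First matching group in definition order; None means an individual PR."""
    for group_name, rules in update.get("groups", {}).items():
        if group_matches(rules, name, dep_type, update_type):
            return group_name
    return None

def lint_for_security_updates(update):
    """Checks from this page: directory set, no target-branch, limit 0 = security-only."""
    findings = []
    if not (update.get("directory") or update.get("directories")):
        findings.append("missing directory/directories")
    if "target-branch" in update:
        findings.append("target-branch set; entry is ignored for security updates")
    if update.get("open-pull-requests-limit") == 0:
        findings.append("version updates disabled (security updates only)")
    return findings
```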