Skip to content
Latchkey

How to Assign Reviewers to Dependency Update PRs

Both bots let you attach reviewers and assignees to every update PR so the right team is pulled in without manual triage.

In Dependabot use the reviewers and assignees keys under an updates entry. In Renovate use reviewers and assignees (or team syntax) in renovate.json, optionally scoped by packageRules.

Dependabot

.github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    reviewers:
      - "my-org/frontend-team"
    assignees:
      - "octocat"
    labels:
      - "dependencies"

Renovate

renovate.json
{
  "extends": ["config:recommended"],
  "reviewers": ["team:frontend"],
  "assignees": ["octocat"],
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "reviewers": ["team:leads"]
    }
  ]
}

Gotchas

  • Renovate references teams as team:slug; Dependabot uses the org/team form.
  • A required reviewer combined with automerge means the PR still needs approval, which can defeat unattended merges; scope reviewers to majors only.
  • Assignees are notified but do not block the merge; reviewers can, via branch protection.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →