How to Use Allow and Ignore Rules in Dependabot
The ignore key skips specific dependencies or update types, and the allow key restricts Dependabot to only the dependencies you name.
Add ignore to skip a package, a version range, or an update type, and add allow to whitelist only certain dependencies. Both live under an updates entry in .github/dependabot.yml.
Steps
- Use
ignorewithdependency-nameand optionalversionsorupdate-types. - Use
update-types: ["version-update:semver-major"]to hold a package on its current major. - Use
allowto restrict Dependabot to a named set of dependencies.
Ignore and allow
.github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
ignore:
- dependency-name: "aws-sdk"
versions: ["3.x"]
- dependency-name: "react"
update-types: ["version-update:semver-major"]
allow:
- dependency-type: "production"Gotchas
- You can also add ignores from a PR by commenting
@dependabot ignore this major version. allowwithdependency-type: "production"skips devDependencies entirely.- Ignoring an update type does not silence security updates for the same package.
Related guides
How to Tell Dependabot Security Updates From Version UpdatesUnderstand the difference between Dependabot security updates (driven by advisories, on by default) and versi…
How to Rebase and Recreate Dependabot PRsKeep Dependabot PRs up to date with the base branch using rebase-strategy and the @dependabot rebase command,…