Skip to content
Latchkey

How to Use Allow and Ignore Rules in Dependabot

The ignore key skips specific dependencies or update types, and the allow key restricts Dependabot to only the dependencies you name.

Add ignore to skip a package, a version range, or an update type, and add allow to whitelist only certain dependencies. Both live under an updates entry in .github/dependabot.yml.

Steps

  • Use ignore with dependency-name and optional versions or update-types.
  • Use update-types: ["version-update:semver-major"] to hold a package on its current major.
  • Use allow to restrict Dependabot to a named set of dependencies.

Ignore and allow

.github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "aws-sdk"
        versions: ["3.x"]
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]
    allow:
      - dependency-type: "production"

Gotchas

  • You can also add ignores from a PR by commenting @dependabot ignore this major version.
  • allow with dependency-type: "production" skips devDependencies entirely.
  • Ignoring an update type does not silence security updates for the same package.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →