Skip to content
Latchkey

Dependabot: dependabot.yml Configuration Reference

Dependabot is configured by a YAML file, not a workflow, and opens dependency-update PRs for you.

Place .github/dependabot.yml to tell Dependabot which package ecosystems to watch, how often, and how to group updates. It also keeps your GitHub Actions versions current.

Key fields

  • package-ecosystem: npm, pip, docker, github-actions, and more.
  • directory: where the manifest lives.
  • schedule.interval: daily, weekly, or monthly.
  • groups: bundle related updates into one PR.
  • ignore: skip specific dependencies or versions.
  • open-pull-requests-limit: cap concurrent update PRs.

Example config

.github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    groups:
      minor-and-patch:
        update-types: [minor, patch]
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

Keep actions pinned and fresh

The github-actions ecosystem updates the action versions in your workflows, which pairs well with pinning actions to SHAs.

Key takeaways

  • dependabot.yml is config, not a workflow file.
  • Add the github-actions ecosystem to update action versions.
  • Use groups to cut PR noise from many small bumps.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →