dependabot

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Dependabot Configuration & Management

Dependabot配置与管理

Overview

概述

Dependabot is GitHub's built-in dependency management tool with three core capabilities:

Dependabot Alerts — Notify when dependencies have known vulnerabilities (CVEs)
Dependabot Security Updates — Auto-create PRs to fix vulnerable dependencies
Dependabot Version Updates — Auto-create PRs to keep dependencies current

All configuration lives in a single file:

.github/dependabot.yml

on the default branch. GitHub does not support multiple

dependabot.yml

files per repository.

Dependabot是GitHub内置的依赖管理工具，具备三大核心功能：

Dependabot告警 — 当依赖存在已知漏洞（CVE）时发出通知
Dependabot安全更新 — 自动创建PR修复存在漏洞的依赖
Dependabot版本更新 — 自动创建PR以保持依赖为最新版本

所有配置都存储在默认分支的单个文件中：

.github/dependabot.yml

。GitHub不支持每个仓库存在多个

dependabot.yml

文件。

Configuration Workflow

配置流程

Follow this process when creating or optimizing a

dependabot.yml

创建或优化

dependabot.yml

时，请遵循以下流程：

Step 1: Detect All Ecosystems

步骤1：检测所有生态系统

Scan the repository for dependency manifests. Look for:

Ecosystem	YAML Value	Manifest Files
npm/pnpm/yarn	`npm`	`package.json` , `package-lock.json` , `pnpm-lock.yaml` , `yarn.lock`
pip/pipenv/poetry/uv	`pip`	`requirements.txt` , `Pipfile` , `pyproject.toml` , `setup.py`
Docker	`docker`	`Dockerfile`
Docker Compose	`docker-compose`	`docker-compose.yml`
GitHub Actions	`github-actions`	`.github/workflows/*.yml`
Go modules	`gomod`	`go.mod`
Bundler (Ruby)	`bundler`	`Gemfile`
Cargo (Rust)	`cargo`	`Cargo.toml`
Composer (PHP)	`composer`	`composer.json`
NuGet (.NET)	`nuget`	`*.csproj` , `packages.config`
.NET SDK	`dotnet-sdk`	`global.json`
Maven (Java)	`maven`	`pom.xml`
Gradle (Java)	`gradle`	`build.gradle`
Terraform	`terraform`	`*.tf`
OpenTofu	`opentofu`	`*.tf`
Helm	`helm`	`Chart.yaml`
Hex (Elixir)	`mix`	`mix.exs`
Swift	`swift`	`Package.swift`
Pub (Dart)	`pub`	`pubspec.yaml`
Bun	`bun`	`bun.lockb`
Dev Containers	`devcontainers`	`devcontainer.json`
Git Submodules	`gitsubmodule`	`.gitmodules`
Pre-commit	`pre-commit`	`.pre-commit-config.yaml`

Note: pnpm and yarn both use the

npm

ecosystem value.

扫描仓库以查找依赖清单。需关注：

生态系统	YAML值	清单文件
npm/pnpm/yarn	`npm`	`package.json` , `package-lock.json` , `pnpm-lock.yaml` , `yarn.lock`
pip/pipenv/poetry/uv	`pip`	`requirements.txt` , `Pipfile` , `pyproject.toml` , `setup.py`
Docker	`docker`	`Dockerfile`
Docker Compose	`docker-compose`	`docker-compose.yml`
GitHub Actions	`github-actions`	`.github/workflows/*.yml`
Go modules	`gomod`	`go.mod`
Bundler (Ruby)	`bundler`	`Gemfile`
Cargo (Rust)	`cargo`	`Cargo.toml`
Composer (PHP)	`composer`	`composer.json`
NuGet (.NET)	`nuget`	`*.csproj` , `packages.config`
.NET SDK	`dotnet-sdk`	`global.json`
Maven (Java)	`maven`	`pom.xml`
Gradle (Java)	`gradle`	`build.gradle`
Terraform	`terraform`	`*.tf`
OpenTofu	`opentofu`	`*.tf`
Helm	`helm`	`Chart.yaml`
Hex (Elixir)	`mix`	`mix.exs`
Swift	`swift`	`Package.swift`
Pub (Dart)	`pub`	`pubspec.yaml`
Bun	`bun`	`bun.lockb`
Dev Containers	`devcontainers`	`devcontainer.json`
Git Submodules	`gitsubmodule`	`.gitmodules`
Pre-commit	`pre-commit`	`.pre-commit-config.yaml`

注意：pnpm和yarn均使用

npm

作为生态系统值。

Step 2: Map Directory Locations

步骤2：映射目录位置

For each ecosystem, identify where manifests live. Use

directories

(plural) with glob patterns for monorepos:

yaml

directories:
  - "/"           # root
  - "/apps/*"     # all app subdirs
  - "/packages/*" # all package subdirs
  - "/lib-*"      # dirs starting with lib-
  - "**/*"        # recursive (all subdirs)

Important:

directory

(singular) does NOT support globs. Use

directories

(plural) for wildcards.

针对每个生态系统，确定清单文件的存储位置。对于单体仓库，使用

directories

（复数形式）和通配符模式：

yaml

directories:
  - "/"           # 根目录
  - "/apps/*"     # 所有应用子目录
  - "/packages/*" # 所有包子目录
  - "/lib-*"      # 以lib-开头的目录
  - "**/*"        # 递归（所有子目录）

重要提示：

directory

（单数形式）不支持通配符。如需使用通配符，请使用

directories

（复数形式）。

Step 3: Configure Each Ecosystem Entry

步骤3：配置每个生态系统条目

Every entry needs at minimum:

yaml

- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"

每个条目至少需要包含以下内容：

yaml

- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"

Step 4: Optimize with Grouping, Labels, and Scheduling

步骤4：通过分组、标签和调度进行优化

See sections below for each optimization technique.

请查看以下各节了解每种优化技术。

Monorepo Strategies

单体仓库策略

Glob Patterns for Workspace Coverage

工作区覆盖的通配符模式

For monorepos with many packages, use glob patterns to avoid listing each directory:

yaml

- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"

对于包含多个包的单体仓库，使用通配符模式避免逐个列出目录：

yaml

- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"

Cross-Directory Grouping

跨目录分组

Use

group-by: dependency-name

to create a single PR when the same dependency updates across multiple directories:

yaml

groups:
  monorepo-deps:
    group-by: dependency-name

This creates one PR per dependency across all specified directories, reducing CI costs and review burden.

Limitations:

All directories must use the same package ecosystem
Applies to version updates only
Incompatible version constraints create separate PRs

使用

group-by: dependency-name

在同一依赖在多个目录中更新时创建单个PR：

yaml

groups:
  monorepo-deps:
    group-by: dependency-name

这会针对所有指定目录中的同一依赖创建一个PR，减少CI成本和审核负担。

限制：

所有目录必须使用相同的包生态系统
仅适用于版本更新
不兼容的版本约束会创建单独的PR

Standalone Packages Outside Workspaces

工作区外的独立包

If a directory has its own lockfile and is NOT part of the workspace (e.g., scripts in

.github/

), create a separate ecosystem entry for it.

如果某个目录有自己的锁文件且不属于工作区（例如

.github/

中的脚本），请为其创建单独的生态系统条目。

Dependency Grouping

依赖分组

Reduce PR noise by grouping related dependencies into single PRs.

通过将相关依赖分组到单个PR中来减少PR数量。

By Dependency Type

按依赖类型分组

yaml

groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]

yaml

groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]

By Name Pattern

按名称模式分组

yaml

groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]

yaml

groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]

For Security Updates

针对安全更新分组

yaml

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Key behaviors:

Dependencies matching multiple groups go to the first match
```
applies-to
```
defaults to
```
version-updates
```
when absent
Ungrouped dependencies get individual PRs

yaml

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

关键行为：

匹配多个组的依赖会归到第一个匹配的组
若未指定
```
applies-to
```
，默认值为
```
version-updates
```
未分组的依赖会生成单独的PR

Multi-Ecosystem Groups

多生态系统分组

Combine updates across different package ecosystems into a single PR:

yaml

version: 2

multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]

updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"

  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"

The

patterns

key is required when using

multi-ecosystem-group

将不同包生态系统的更新合并到单个PR中：

yaml

version: 2

multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]

updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"

  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"

使用

multi-ecosystem-group

时必须指定

patterns

键。

PR Customization

PR自定义

Labels

Commit Messages

提交信息

yaml

commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope"  # adds deps/deps-dev scope after prefix

yaml

commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope"  # 在前缀后添加deps/deps-dev范围

Assignees and Milestones

指派人与里程碑

yaml

assignees: ["security-team-lead"]
milestone: 4  # numeric ID from milestone URL

yaml

assignees: ["security-team-lead"]
milestone: 4  # 里程碑URL中的数字ID

Branch Name Separator

分支名称分隔符

yaml

pull-request-branch-name:
  separator: "-"  # default is /

yaml

pull-request-branch-name:
  separator: "-"  # 默认值为/

Target Branch

目标分支

yaml

target-branch: "develop"  # PRs target this instead of default branch

Note: When

target-branch

is set, security updates still target the default branch; all ecosystem config only applies to version updates.

yaml

target-branch: "develop"  # PR将以此分支为目标，而非默认分支

注意：当设置

target-branch

后，安全更新仍会以默认分支为目标；所有生态系统配置仅适用于版本更新。

Schedule Optimization

调度优化

Intervals

间隔

Supported:

daily

weekly

monthly

quarterly

semiannually

yearly

cron

yaml

schedule:
  interval: "weekly"
  day: "monday"         # for weekly only
  time: "09:00"         # HH:MM format
  timezone: "America/New_York"

支持的间隔：

daily

、

weekly

、

monthly

、

quarterly

、

semiannually

、

yearly

、

cron

yaml

schedule:
  interval: "weekly"
  day: "monday"         # 仅适用于每周调度
  time: "09:00"         # HH:MM格式
  timezone: "America/New_York"

Cron Expressions

Cron表达式

yaml

schedule:
  interval: "cron"
  cronjob: "0 9 * * 1"  # Every Monday at 9 AM

yaml

schedule:
  interval: "cron"
  cronjob: "0 9 * * 1"  # 每周一上午9点

Cooldown Periods

冷却期

Delay updates for newly released versions to avoid early-adopter issues:

yaml

cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]

Cooldown applies to version updates only, not security updates.

延迟更新新版本，以避免早期采用者遇到问题：

yaml

cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]

冷却期仅适用于版本更新，不适用于安全更新。

Security Updates Configuration

安全更新配置

Enable via Repository Settings

通过仓库设置启用

Settings → Advanced Security → Enable Dependabot alerts, security updates, and grouped security updates.

设置 → 高级安全 → 启用Dependabot告警、安全更新和分组安全更新。

Group Security Updates in YAML

在YAML中分组安全更新

yaml

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

yaml

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Disable Version Updates (Security Only)

禁用版本更新（仅保留安全更新）

yaml

open-pull-requests-limit: 0  # disables version update PRs

yaml

open-pull-requests-limit: 0  # 禁用版本更新PR

Auto-Triage Rules

自动分类规则

GitHub presets auto-dismiss low-impact alerts for development dependencies. Custom rules can filter by severity, package name, CWE, and more. Configure in repository Settings → Advanced Security.

GitHub预设会自动关闭对开发依赖的低影响告警。可根据严重性、包名称、CWE等配置自定义规则。在仓库设置 → 高级安全中进行配置。

PR Comment Commands

PR评论命令

Interact with Dependabot PRs using

@dependabot

comments.

Note: As of January 2026, merge/close/reopen commands have been deprecated. Use GitHub's native UI, CLI (
gh pr merge
), or auto-merge instead.

Command	Effect
`@dependabot rebase`	Rebase the PR
`@dependabot recreate`	Recreate the PR from scratch
`@dependabot ignore this dependency`	Close and never update this dependency
`@dependabot ignore this major version`	Ignore this major version
`@dependabot ignore this minor version`	Ignore this minor version
`@dependabot ignore this patch version`	Ignore this patch version

For grouped PRs, additional commands:

```
@dependabot ignore DEPENDENCY_NAME
```
— ignore specific dependency in group
```
@dependabot unignore DEPENDENCY_NAME
```
— clear ignores, reopen with updates
```
@dependabot unignore *
```
— clear all ignores for all dependencies in group

@dependabot show DEPENDENCY_NAME ignore conditions

— display current ignores

For the complete command reference, see

references/pr-commands.md

使用

@dependabot

评论与Dependabot PR进行交互。

注意： 截至2026年1月，合并/关闭/重新打开命令已被弃用。请使用GitHub原生UI、CLI（
gh pr merge
）或自动合并功能。

命令	效果
`@dependabot rebase`	对PR执行变基操作
`@dependabot recreate`	从头重新创建PR
`@dependabot ignore this dependency`	关闭PR且不再更新该依赖
`@dependabot ignore this major version`	忽略该主版本
`@dependabot ignore this minor version`	忽略该次版本
`@dependabot ignore this patch version`	忽略该补丁版本

对于分组PR，还有以下额外命令：

```
@dependabot ignore DEPENDENCY_NAME
```
— 忽略组中的特定依赖
```
@dependabot unignore DEPENDENCY_NAME
```
— 清除忽略设置，重新打开包含更新的PR
```
@dependabot unignore *
```
— 清除组中所有依赖的忽略设置

@dependabot show DEPENDENCY_NAME ignore conditions

— 显示当前的忽略条件

完整命令参考请查看

references/pr-commands.md

。

Ignore and Allow Rules

忽略与允许规则

Ignore Specific Dependencies

忽略特定依赖

yaml

ignore:
  - dependency-name: "lodash"
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "express"
    versions: ["5.x"]

yaml

ignore:
  - dependency-name: "lodash"
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "express"
    versions: ["5.x"]

Allow Only Specific Types

仅允许特定类型

yaml

allow:
  - dependency-type: "production"
  - dependency-name: "express"

Rule: If a dependency matches both

allow

and

ignore

, it is ignored.

yaml

allow:
  - dependency-type: "production"
  - dependency-name: "express"

规则：如果某个依赖同时匹配

allow

和

ignore

规则，则该依赖会被忽略。

Exclude Paths

排除路径

yaml

exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"

yaml

exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"

Advanced Options

高级选项

Versioning Strategy

版本控制策略

Controls how Dependabot edits version constraints:

Value	Behavior
`auto`	Default — increase for apps, widen for libraries
`increase`	Always increase minimum version
`increase-if-necessary`	Only change if current range excludes new version
`lockfile-only`	Only update lockfiles, ignore manifests
`widen`	Widen range to include both old and new versions

控制Dependabot如何编辑版本约束：

值	行为
`auto`	默认值 — 针对应用程序提升版本，针对库放宽版本范围
`increase`	始终提升最低版本
`increase-if-necessary`	仅当当前版本范围不包含新版本时才进行更改
`lockfile-only`	仅更新锁文件，忽略清单文件
`widen`	放宽版本范围以同时包含旧版本和新版本

Rebase Strategy

变基策略

yaml

rebase-strategy: "disabled"  # stop auto-rebasing

Allow rebase over extra commits by including

[dependabot skip]

in commit messages.

yaml

rebase-strategy: "disabled"  # 停止自动变基

在提交信息中包含

[dependabot skip]

，允许在额外提交上执行变基操作。

Open PR Limit

打开PR数量限制

yaml

open-pull-requests-limit: 10  # default is 5 for version, 10 for security

Set to

to disable version updates entirely.

yaml

open-pull-requests-limit: 10  # 版本更新默认值为5，安全更新默认值为10

设置为

可完全禁用版本更新。

Private Registries

私有仓库

yaml

registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private

yaml

registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private

FAQ

常见问题

Can I have multiple
dependabot.yml
files? No. GitHub supports exactly one file at

.github/dependabot.yml

. Use multiple

updates

entries within that file for different ecosystems and directories.

Does Dependabot support pnpm? Yes. Use

package-ecosystem: "npm"

— Dependabot detects

pnpm-lock.yaml

automatically.

How do I reduce PR noise in a monorepo? Use

groups

to batch updates,

directories

with globs for coverage, and

group-by: dependency-name

for cross-directory grouping. Consider

monthly

quarterly

intervals for low-priority ecosystems.

How do I handle dependencies outside the workspace? Create a separate ecosystem entry with its own

directory

pointing to that location.

我可以拥有多个
dependabot.yml
文件吗？不可以。GitHub仅支持在

.github/dependabot.yml

路径下存在一个文件。可在该文件中使用多个

updates

条目来配置不同的生态系统和目录。

Dependabot支持pnpm吗？ 支持。使用

package-ecosystem: "npm"

— Dependabot会自动检测

pnpm-lock.yaml

文件。

如何减少单体仓库中的PR数量？ 使用

groups

批量处理更新，使用带通配符的

directories

覆盖所有目录，使用

group-by: dependency-name

进行跨目录分组。对于低优先级生态系统，可考虑使用

monthly

或

quarterly

的更新间隔。

如何处理工作区外的依赖？ 创建单独的生态系统条目，将其

directory

指向该位置。

Resources

资源

```
references/dependabot-yml-reference.md
```
— Complete YAML options reference
```
references/pr-commands.md
```
— Full PR comment commands reference
```
references/example-configs.md
```
— Real-world configuration examples

```
references/dependabot-yml-reference.md
```
— 完整YAML选项参考
```
references/pr-commands.md
```
— 完整PR评论命令参考
```
references/example-configs.md
```
— 真实场景配置示例