What is Dependabot?
Dependabot is GitHub's native tool for updating dependencies. It creates automatic PRs when new versions are available and alerts about security vulnerabilities.
Configuration
Create .github/dependabot.yml:
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
Supported ecosystems
npm, pip, Docker, Gradle, Maven, NuGet, Cargo, Go modules, Bundler, Terraform, GitHub Actions, and more.
Dependabot alerts
When GitHub detects a vulnerability in a dependency, Dependabot generates an alert with severity, description, and advisory link. Includes a button to create a PR with the update.
Advantages over Renovate
- Native GitHub integration, zero configuration.
- Automatic security alerts.
- Ideal for small teams wanting security without complex setup.
Limitations
Less configurable than Renovate. No custom schedules or complex grouping rules.
Want automated security? At Vynta we configure Dependabot for your repository.