Command Palette

Search for a command to run...

Dependabot logo
position in category
#2

Automated dependency update tool integrated into GitHub that creates pull requests to keep project dependencies current. Covers both security patches and general version bumps by checking manifest files against latest releases and opening PRs for review.

Part of GitHub's code security suite and native to every repository. Stands out by being built-in and free for all GitHub repositories, with no separate service to configure, unlike third-party tools such as Renovate. Supports both version updates and security updates with configurable schedules and grouping.

Key capabilities:

  • Version and security updates via configurable dependabot.yml
  • Multi-ecosystem support: npm, pip, Maven, Cargo, Bundler, Composer, Docker, Go modules, NuGet, Poetry, GitHub Actions, and more
  • Pull request grouping and cooldown periods to reduce noise
  • Vendored dependency updates for selected package managers
  • Automatic rebasing of PRs for 30 days to resolve conflicts

Development teams rely on it to keep production apps current with security patches without manual checking. Open source maintainers use it to surface outdated transitive dependencies and batch updates on a weekly or monthly schedule. CI/CD pipelines benefit from automated GitHub Actions workflow updates.

GitHub Repositories
5.9K
-8.8%
Trending down this week
Removed in 572 repos