Dependabot is a GitHub feature that automatically creates pull requests to update your project’s dependencies.
Let’s see it in action. Imagine you have a Python project with a requirements.txt file:
```
flask==2.0.1
requests==2.26.0
```
And you've enabled Dependabot security updates for the repository (Settings > Code security; unlike version updates, this does not require a dependabot.yml). A week later, an advisory is published in the GitHub Advisory Database stating that flask 2.0.1 is vulnerable and 2.0.2 fixes it. Dependabot matches the pinned version against the advisory and opens a pull request like this:
Title: Bump Flask from 2.0.1 to 2.0.2
Body:
This PR updates the Flask dependency to version 2.0.2.
The following dependency was updated:
- Flask: from 2.0.1 to 2.0.2
This change was automatically generated by Dependabot.
The commit within the PR would look like this:
Bump Flask from 2.0.1 to 2.0.2
Updates flask requirement from 2.0.1 to 2.0.2
And your requirements.txt would be modified in the PR to:
```
flask==2.0.2
requests==2.26.0
```
Dependabot isn't magic; it's an automation tool that reads your project's dependency manifests and lockfiles (requirements.txt, package.json and package-lock.json, pom.xml, etc.), resolves the versions you are actually pinned to, and compares them against the latest versions published in the package registry and against the security advisories in the GitHub Advisory Database.
The core problem Dependabot solves is the burden of manual dependency management. Keeping track of which libraries your project uses, checking for updates, testing those updates, and then merging them is time-consuming and error-prone. This manual process often leads to developers falling behind on updates, leaving their projects exposed to vulnerabilities that are already public and already fixed upstream, and missing out on performance improvements and new features.
Here’s how it works internally:
1. Configuration: You enable Dependabot version updates by adding a `dependabot.yml` file to your `.github` directory. This file tells Dependabot which ecosystems and directories to monitor, how often to check, and how to group and filter updates:

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "pip"       # Ecosystem to update
    directory: "/"                 # Location of package manifests
    schedule:
      interval: "weekly"           # How often to check
    open-pull-requests-limit: 10   # Max open PRs for this ecosystem
    ignore:
      - dependency-name: "django"  # Ignore updates for specific dependencies
        versions: ["3.0.*", "3.1.*"]
```

2. Scanning: On the configured schedule, Dependabot checks out your repository, looks in each configured `directory` for the manifest and lockfile of that `package-ecosystem`, and parses the dependencies and pinned versions it finds there.

3. Checking for Updates: For each dependency, Dependabot queries the relevant package registry (PyPI for pip, the npm registry for Node.js, Maven Central for Java, etc.) to see whether a newer version is available. Security updates are driven separately by the GitHub Advisory Database (which GitHub also publishes in OSV format): when an advisory matches a pinned version, Dependabot looks for the lowest version that is no longer affected.

4. Creating Pull Requests: If an update is found (a new version, or a fixed version for an advisory), Dependabot creates a branch named like `dependabot/pip/flask-2.0.2`, commits the updated manifest (and lockfile, where the ecosystem has one) to that branch, and opens a pull request against your default branch, or against the `target-branch` you configured.

5. Review and Merge: You review the PR, let your CI checks run, and merge it. Dependabot itself has no auto-merge option; automatic merging is built from GitHub's repository auto-merge feature (Settings > General > "Allow auto-merge") together with branch protection rules that require your CI checks, usually driven by a workflow that turns auto-merge on only for patch and minor updates. Treat a dependency bump like any other code change: a new version can pull in new transitive packages and new install-time code, so read the diff and do not auto-merge anything your test suite does not exercise.
The exact levers you control live primarily in the dependabot.yml file. You can specify:

- `package-ecosystem`: The package manager (e.g. `pip`, `npm`, `maven`, `gradle`, `composer`, `cargo`, `bundler`, `github-actions`).
- `directory`: The directory containing the manifest files for that ecosystem. For monorepos, add one entry per subdirectory.
- `schedule`: When Dependabot should check. `interval` must be `"daily"`, `"weekly"` or `"monthly"`; the optional `day`, `time` and `timezone` keys pin the check to a specific slot.
- `open-pull-requests-limit`: The maximum number of Dependabot version-update PRs open for this entry at once (default 5). Setting it to `0` disables version updates for the entry while leaving security updates active.
- `ignore`: Skip updates for specific dependencies, version ranges (`versions`), or kinds of bump (`update-types`, e.g. `version-update:semver-major`). This is the lever for critical dependencies you want to upgrade by hand, or for old majors you are not ready to leave. Note that ignoring a dependency also suppresses security update PRs for it.
- `groups`: Combine several updates into one PR, selected by name `patterns` and by `update-types` (`minor`, `patch`, `major`), so you review one PR instead of ten.
- `target-branch`: The branch Dependabot opens PRs against (defaults to the repository's default branch).
- `reviewers`, `assignees`, `labels`, `milestone`: Automatically request reviewers, assign people, label the PR, or attach it to a milestone.
- `commit-message`: Customize the commit message with `prefix`, `prefix-development` and `include: "scope"`; the PR title is derived from the same commit message.
- `rebase-strategy`: `"auto"` (default) lets Dependabot rebase its own PRs; `"disabled"` leaves the branch alone once opened.
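A fuller dependabot.yml that exercises the levers listed above in one place, as an added example that is not from the original page or from the Dependabot project. It goes beyond the single pip entry on the page by covering a monorepo with a frontend, the GitHub Actions the repository itself runs, and grouping plus major-version gating. The team handle `my-org/security-team`, the `/frontend` directory, the labels and the timezone are assumptions.

```yaml
# .github/dependabot.yml  (added example; org, team, labels and paths are assumptions)
version: 2
updates:
  # Backend Python dependencies at the repository root.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"            # only meaningful with interval: weekly
      time: "06:00"
      timezone: "Europe/Berlin"
    target-branch: "main"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "python"
    reviewers:
      - "my-org/security-team" # assumed team handle: "<org>/<team>"
    commit-message:
      prefix: "deps"           # commit and PR title become "deps: bump flask from ..."
      include: "scope"         # appends "(deps)" / "(deps-dev)" scope information
    rebase-strategy: "auto"    # default; keeps open PRs rebased on main
    groups:
      # One PR per week for all minor and patch bumps; majors stay separate.
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
    ignore:
      # Never open a PR for a new django major; those are migrated by hand.
      - dependency-name: "django"
        update-types: ["version-update:semver-major"]

  # Frontend JavaScript dependencies in a subdirectory of the monorepo.
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "daily"
    versioning-strategy: "increase"  # bump the range in package.json, not just the lockfile
    open-pull-requests-limit: 5

  # The actions used by this repository's own workflows are dependencies too;
  # Dependabot bumps the version tags (or pinned SHAs) in .github/workflows/*.yml.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

The `github-actions` entry is the one most often forgotten: a stale third-party action is a supply-chain dependency with write access to your repository, and Dependabot will keep its pinned tag or commit SHA current the same way it does for library versions. Dependabot validates the file on push, so a syntax or key error shows up on the repository's Dependabot tab rather than failing silently.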
One of the most useful, yet often overlooked, aspects of Dependabot is that it keeps its own pull requests up to date. With the default `rebase-strategy: "auto"`, when Dependabot detects that an open PR has fallen behind its target branch or conflicts with it, it rebases the PR onto the latest commit of that branch, and you can force this at any time by commenting `@dependabot rebase` on the PR. This means that if you have several updates pending and your main branch keeps moving, each Dependabot PR is re-based on the current code before you merge it, which is why Dependabot PRs tend to have far fewer conflicts than hand-made update branches. Every rebase also re-runs your CI, so the required checks always reflect the PR as it will actually merge; the flip side is extra CI minutes, which is one reason to group updates rather than opening one PR per package. If you need to edit a Dependabot branch yourself, set `rebase-strategy: "disabled"` or expect your commits to be discarded on the next rebase.
The next thing you'll likely want to configure is Dependabot alerts, a separate but related feature. Alerts flag dependencies in your repository that match an advisory in the GitHub Advisory Database; Dependabot security updates turn those alerts into pull requests; and Dependabot version updates, the dependabot.yml-driven feature covered above, keep everything else current whether or not an advisory exists.