Dependabot

Dependabot support for uv just went GA 🎉🎉🎉

🎼🎼🎼 Maestro Dependabot proudly presents…Docker Compose support in GA! github.blog/changelog/2025…

Do you use the bun package manager and dependabot? If so, you might want to try the experimental support for bun in dependabot. Add `enable-beta-ecosystems: true` to your `dependabot.yml` and add the `npm` package ecosystem. You can see an example below. Let me know if you try this!

🚀 @github Dependabot can now use the power of @GitHubCopilot to fix breaking changes introduced by Dependabot updates! To learn more and join the waitlist, check out the blog: github.blog/changelog/2024… #dependabot #copilot #autofix #appsec #ghas #security #GitHubUniverse

🚀@github can now leverage @MSFTCopilot to auto-magically fix your code if there are any breaking changes introduced by a @dependabot update. only supports #typescript for now but this will be huge github.blog/changelog/2024… #appsec #cybersecurity #githubuniverse2024

@rxgx dependabot-core is open source with an MIT license! github.blog/changelog/2024…

Is Dependabot open source after their acquisition? I've only been able to get renovate to work on GitLab.

@rsaxena_rajat Yes, target-branch will work for Version Updates.

@dependabot I believe the above is only for Version Updates, and not security vulnerability patches? Correct?

Hi @dependabot ! I would like to receive alerts and PRs for dependency related vulnerabilities on a branch different from the default one in a repo. Is there any configuration that can help? Thanks !

@bcomnes Dependabot on standard GitHub-hosted runners (the default) does not count towards GitHub Actions minutes – meaning that using Dependabot continues to be free for everyone 😀

Seeing dependabot logs in the actions tab now. Are they charging run time on those now? Or just surfacing logs more consistently.

Dependabot migration to GitHub Actions for Enterprise Cloud and Free, Pro, and Teams accounts with Actions enabled github.blog/changelog/2024…

@forstmeier don’t hate the player hate the weekly openssh CVE game

@stavepan @gyurisc @github I am the best! 👑

@amoerie Just wait until you try this command: "@dependabot i love you!"

It's such a nice little gesture when @dependabot gives a thumbs up after you give it a command, wonderful design

@CodingIvan nothing 😀

@amoerie 👍

Are you passionate about multidirectory configuration in the dependabot.yml? What do you think should happen when directories overlap? Let us know in the poll! github.com/dependabot/dep…

Five years ago today, we were at GitHub Satellite Berlin announcing that GitHub acquired @dependabot . In the time since, Dependabot has helped secure the software supply chain for millions of developers across the world by creating automatic fixes for vulnerable dependencies.

I just found out you can group @dependabot updates 🤯 No more "25 open pull requests". Just put these lines into your dependabot.yml:

Really excited to have had the support of the rest of the Dependabot PM team to get this change over the line! It was a long time coming. github.blog/changelog/2024…

You can now run Dependabot as a GitHub Actions workflow! 🌟 Read more about the benefits this unlocks, including self-hosted runner support. github.blog/2024-05-02-dep…