Dependabot 配置与管理指南：GitHub 依赖管理工具详解

dependabot by github/awesome-copilot

330 周安装量

26,900 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/github/awesome-copilot --skill dependabot

开发自动化开发运维

🇨🇳中文介绍

Dependabot 配置与管理

概述

Dependabot 是 GitHub 内置的依赖管理工具，具备三项核心功能：

Dependabot 警报 — 当依赖项存在已知漏洞（CVE）时发出通知
Dependabot 安全更新 — 自动创建 PR 以修复存在漏洞的依赖项
Dependabot 版本更新 — 自动创建 PR 以保持依赖项处于最新状态

所有配置都位于单个文件中：默认分支上的 .github/dependabot.yml。GitHub 不支持每个仓库存在多个 dependabot.yml 文件。

配置流程

创建或优化 dependabot.yml 时，请遵循以下流程：

步骤 1：检测所有生态系统

扫描仓库以查找依赖清单文件。寻找：

生态系统	YAML 值	清单文件
npm/pnpm/yarn	`npm`

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 2：映射目录位置

对于每个生态系统，识别清单文件所在位置。对于单体仓库，使用带通配符模式的 directories（复数形式）：

directories:
  - "/"           # 根目录
  - "/apps/*"     # 所有应用子目录
  - "/packages/*" # 所有包子目录
  - "/lib-*"      # 以 lib- 开头的目录
  - "**/*"        # 递归（所有子目录）

重要：directory（单数形式）不支持通配符。使用 directories（复数形式）进行通配符匹配。

步骤 3：配置每个生态系统条目

每个条目至少需要：

- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"

步骤 4：使用分组、标签和计划进行优化

请参阅以下各节了解每种优化技术。

用于工作区覆盖的通配符模式

对于包含许多包的单体仓库，使用通配符模式以避免列出每个目录：

- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"

使用 group-by: dependency-name，当同一依赖项在多个目录中更新时，创建一个单独的 PR：

groups:
  monorepo-deps:
    group-by: dependency-name

这会在所有指定目录中为每个依赖项创建一个 PR，从而降低 CI 成本和审查负担。

所有目录必须使用相同的包生态系统
仅适用于版本更新
不兼容的版本约束会创建单独的 PR

工作区外的独立包

如果一个目录有自己的锁文件且不属于工作区的一部分（例如，.github/ 中的脚本），请为其创建一个单独的生态系统条目。

通过将相关依赖项分组到单个 PR 中来减少 PR 噪音。

按依赖项类型分组

groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]

按名称模式分组

groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

匹配多个组的依赖项将进入第一个匹配的组
当 applies-to 缺失时，默认为 version-updates
未分组的依赖项会获得单独的 PR

多生态系统分组

将不同包生态系统的更新合并到单个 PR 中：

version: 2

multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]

updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"

  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"

使用 multi-ecosystem-group 时，patterns 键是必需的。

labels:
  - "dependencies"
  - "npm"

设置 labels: [] 以禁用所有标签，包括默认标签。如果仓库中存在 SemVer 标签（major、minor、patch），则始终会应用它们。

commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope"  # 在前缀后添加 deps/deps-dev 作用域

负责人和里程碑

assignees: ["security-team-lead"]
milestone: 4  # 来自里程碑 URL 的数字 ID

分支名称分隔符

pull-request-branch-name:
  separator: "-"  # 默认为 /

target-branch: "develop"  # PR 以此为目标，而非默认分支

注意：设置 target-branch 后，安全更新仍以默认分支为目标；所有生态系统配置仅适用于版本更新。

支持：daily、weekly、monthly、quarterly、semiannually、yearly、cron

schedule:
  interval: "weekly"
  day: "monday"         # 仅用于 weekly
  time: "09:00"         # HH:MM 格式
  timezone: "America/New_York"

schedule:
  interval: "cron"
  cronjob: "0 9 * * 1"  # 每周一上午 9 点

延迟新发布版本的更新，以避免早期采用者问题：

cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]

冷却期仅适用于版本更新，不适用于安全更新。

通过仓库设置启用

设置 → 高级安全性 → 启用 Dependabot 警报、安全更新和分组安全更新。

在 YAML 中分组安全更新

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

禁用版本更新（仅安全更新）

open-pull-requests-limit: 0  # 禁用版本更新 PR

GitHub 预设会自动忽略开发依赖项的低影响警报。自定义规则可以根据严重性、包名称、CWE 等进行筛选。在仓库设置 → 高级安全性中配置。

使用 @dependabot 评论与 Dependabot PR 交互。

注意： 截至 2026 年 1 月，合并/关闭/重新打开命令已被弃用。请使用 GitHub 原生 UI、CLI（gh pr merge）或自动合并功能。

命令	效果
`@dependabot rebase`	变基 PR
`@dependabot recreate`	从头开始重新创建 PR
`@dependabot ignore this dependency`	关闭并永不更新此依赖项
`@dependabot ignore this major version`	忽略此主版本
`@dependabot ignore this minor version`	忽略此次版本
`@dependabot ignore this patch version`	忽略此补丁版本

对于分组的 PR，还有以下附加命令：

@dependabot ignore DEPENDENCY_NAME — 忽略组中的特定依赖项
@dependabot unignore DEPENDENCY_NAME — 清除忽略，重新打开并包含更新
@dependabot unignore * — 清除组中所有依赖项的所有忽略
@dependabot show DEPENDENCY_NAME ignore conditions — 显示当前的忽略条件

完整的命令参考，请参阅 references/pr-commands.md。

忽略和允许规则

忽略特定依赖项

ignore:
  - dependency-name: "lodash"
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "express"
    versions: ["5.x"]

仅允许特定类型

allow:
  - dependency-type: "production"
  - dependency-name: "express"

规则：如果一个依赖项同时匹配 allow 和 ignore，则它将被忽略。

exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"

控制 Dependabot 如何编辑版本约束：

值	行为
`auto`	默认 — 对于应用增加版本，对于库放宽范围
`increase`	始终增加最低版本
`increase-if-necessary`	仅当当前范围排除新版本时才更改
`lockfile-only`	仅更新锁文件，忽略清单文件
`widen`	放宽范围以同时包含旧版本和新版本

rebase-strategy: "disabled"  # 停止自动变基

通过在提交消息中包含 [dependabot skip] 来允许对额外提交进行变基。

open-pull-requests-limit: 10  # 默认为版本更新 5，安全更新 10

设置为 0 以完全禁用版本更新。

registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private

我可以有多个 dependabot.yml 文件吗？ 不可以。GitHub 仅支持在 .github/dependabot.yml 处有一个文件。请在该文件中使用多个 updates 条目来处理不同的生态系统和目录。

Dependabot 支持 pnpm 吗？ 是的。使用 package-ecosystem: "npm" — Dependabot 会自动检测 pnpm-lock.yaml。

如何减少单体仓库中的 PR 噪音？ 使用 groups 进行批量更新，使用带通配符的 directories 进行覆盖，并使用 group-by: dependency-name 进行跨目录分组。对于低优先级生态系统，考虑使用 monthly 或 quarterly 间隔。

如何处理工作区外的依赖项？ 创建一个单独的生态系统条目，其 directory 指向该位置。

references/dependabot-yml-reference.md — 完整的 YAML 选项参考
references/pr-commands.md — 完整的 PR 评论命令参考
references/example-configs.md — 真实世界配置示例

🇺🇸English

Dependabot Configuration & Management

Overview

Dependabot is GitHub's built-in dependency management tool with three core capabilities:

Dependabot Alerts — Notify when dependencies have known vulnerabilities (CVEs)
Dependabot Security Updates — Auto-create PRs to fix vulnerable dependencies
Dependabot Version Updates — Auto-create PRs to keep dependencies current

All configuration lives in a single file : .github/dependabot.yml on the default branch. GitHub does not support multiple dependabot.yml files per repository.

Configuration Workflow

Follow this process when creating or optimizing a dependabot.yml:

Step 1: Detect All Ecosystems

Scan the repository for dependency manifests. Look for:

Ecosystem	YAML Value	Manifest Files
npm/pnpm/yarn	`npm`	`package.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`
pip/pipenv/poetry/uv	`pip`	`requirements.txt`, `Pipfile`, `pyproject.toml`, `setup.py`

Note: pnpm and yarn both use the npm ecosystem value.

Step 2: Map Directory Locations

For each ecosystem, identify where manifests live. Use directories (plural) with glob patterns for monorepos:

directories:
  - "/"           # root
  - "/apps/*"     # all app subdirs
  - "/packages/*" # all package subdirs
  - "/lib-*"      # dirs starting with lib-
  - "**/*"        # recursive (all subdirs)

Important: directory (singular) does NOT support globs. Use directories (plural) for wildcards.

Step 3: Configure Each Ecosystem Entry

Every entry needs at minimum:

- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"

Step 4: Optimize with Grouping, Labels, and Scheduling

See sections below for each optimization technique.

Monorepo Strategies

Glob Patterns for Workspace Coverage

For monorepos with many packages, use glob patterns to avoid listing each directory:

- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"

Cross-Directory Grouping

Use group-by: dependency-name to create a single PR when the same dependency updates across multiple directories:

groups:
  monorepo-deps:
    group-by: dependency-name

This creates one PR per dependency across all specified directories, reducing CI costs and review burden.

Limitations:

All directories must use the same package ecosystem
Applies to version updates only
Incompatible version constraints create separate PRs

Standalone Packages Outside Workspaces

If a directory has its own lockfile and is NOT part of the workspace (e.g., scripts in .github/), create a separate ecosystem entry for it.

Dependency Grouping

Reduce PR noise by grouping related dependencies into single PRs.

By Dependency Type

groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]

By Name Pattern

groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]

For Security Updates

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Key behaviors:

Dependencies matching multiple groups go to the first match
applies-to defaults to version-updates when absent
Ungrouped dependencies get individual PRs

Multi-Ecosystem Groups

Combine updates across different package ecosystems into a single PR:

version: 2

multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]

updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"

  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"

The patterns key is required when using multi-ecosystem-group.

PR Customization

Labels

labels:
  - "dependencies"
  - "npm"

Set labels: [] to disable all labels including defaults. SemVer labels (major, minor, patch) are always applied if present in the repo.

Commit Messages

commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope"  # adds deps/deps-dev scope after prefix

Assignees and Milestones

assignees: ["security-team-lead"]
milestone: 4  # numeric ID from milestone URL

Branch Name Separator

pull-request-branch-name:
  separator: "-"  # default is /

Target Branch

target-branch: "develop"  # PRs target this instead of default branch

Note: When target-branch is set, security updates still target the default branch; all ecosystem config only applies to version updates.

Schedule Optimization

Intervals

Supported: daily, weekly, monthly, quarterly, semiannually, yearly, cron

schedule:
  interval: "weekly"
  day: "monday"         # for weekly only
  time: "09:00"         # HH:MM format
  timezone: "America/New_York"

Cron Expressions

schedule:
  interval: "cron"
  cronjob: "0 9 * * 1"  # Every Monday at 9 AM

Cooldown Periods

Delay updates for newly released versions to avoid early-adopter issues:

cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]

Cooldown applies to version updates only, not security updates.

Security Updates Configuration

Enable via Repository Settings

Settings → Advanced Security → Enable Dependabot alerts, security updates, and grouped security updates.

Group Security Updates in YAML

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Disable Version Updates (Security Only)

open-pull-requests-limit: 0  # disables version update PRs

Auto-Triage Rules

GitHub presets auto-dismiss low-impact alerts for development dependencies. Custom rules can filter by severity, package name, CWE, and more. Configure in repository Settings → Advanced Security.

PR Comment Commands

Interact with Dependabot PRs using @dependabot comments.

Note: As of January 2026, merge/close/reopen commands have been deprecated. Use GitHub's native UI, CLI (gh pr merge), or auto-merge instead.

Command	Effect
`@dependabot rebase`	Rebase the PR
`@dependabot recreate`	Recreate the PR from scratch
`@dependabot ignore this dependency`	Close and never update this dependency
`@dependabot ignore this major version`	Ignore this major version
`@dependabot ignore this minor version`	Ignore this minor version
`@dependabot ignore this patch version`

For grouped PRs, additional commands:

@dependabot ignore DEPENDENCY_NAME — ignore specific dependency in group
@dependabot unignore DEPENDENCY_NAME — clear ignores, reopen with updates
@dependabot unignore * — clear all ignores for all dependencies in group
@dependabot show DEPENDENCY_NAME ignore conditions — display current ignores

For the complete command reference, see references/pr-commands.md.

Ignore and Allow Rules

Ignore Specific Dependencies

ignore:
  - dependency-name: "lodash"
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "express"
    versions: ["5.x"]

Allow Only Specific Types

allow:
  - dependency-type: "production"
  - dependency-name: "express"

Rule: If a dependency matches both allow and ignore, it is ignored.

Exclude Paths

exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"

Advanced Options

Versioning Strategy

Controls how Dependabot edits version constraints:

Value	Behavior
`auto`	Default — increase for apps, widen for libraries
`increase`	Always increase minimum version
`increase-if-necessary`	Only change if current range excludes new version
`lockfile-only`	Only update lockfiles, ignore manifests
`widen`	Widen range to include both old and new versions

Rebase Strategy

rebase-strategy: "disabled"  # stop auto-rebasing

Allow rebase over extra commits by including [dependabot skip] in commit messages.

Open PR Limit

open-pull-requests-limit: 10  # default is 5 for version, 10 for security

Set to 0 to disable version updates entirely.

Private Registries

registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private

FAQ

Can I have multipledependabot.yml files? No. GitHub supports exactly one file at .github/dependabot.yml. Use multiple updates entries within that file for different ecosystems and directories.

Does Dependabot support pnpm? Yes. Use package-ecosystem: "npm" — Dependabot detects pnpm-lock.yaml automatically.

How do I reduce PR noise in a monorepo? Use groups to batch updates, directories with globs for coverage, and group-by: dependency-name for cross-directory grouping. Consider monthly or quarterly intervals for low-priority ecosystems.

How do I handle dependencies outside the workspace? Create a separate ecosystem entry with its own directory pointing to that location.

Resources

references/dependabot-yml-reference.md — Complete YAML options reference
references/pr-commands.md — Full PR comment commands reference
references/example-configs.md — Real-world configuration examples

Weekly Installs

330

Repository

github/awesome-copilot

GitHub Stars

26.9K

First Seen

7 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

codex309

gemini-cli308

opencode304

cursor301

github-copilot300

amp299

agent-browser 浏览器自动化工具 - Vercel Labs 命令行网页操作与测试

140,500 周安装