dependabot

작성자: github

Dependabot은 GitHub에 내장된 의존성 관리 도구로, 세 가지 핵심 기능을 제공합니다.

npx skills add https://github.com/github/awesome-copilot --skill dependabot

Dependabot Configuration & Management

Overview

Dependabot is GitHub's built-in dependency management tool with three core capabilities:

  1. Dependabot Alerts — Notify when dependencies have known vulnerabilities (CVEs)
  2. Dependabot Security Updates — Auto-create PRs to fix vulnerable dependencies
  3. Dependabot Version Updates — Auto-create PRs to keep dependencies current

All configuration lives in a single file: .github/dependabot.yml on the default branch. GitHub does not support multiple dependabot.yml files per repository.

Configuration Workflow

Follow this process when creating or optimizing a dependabot.yml:

Step 1: Detect All Ecosystems

Scan the repository for dependency manifests. Look for:

EcosystemYAML ValueManifest Files
npm/pnpm/yarnnpmpackage.json, package-lock.json, pnpm-lock.yaml, yarn.lock
pip/pipenv/poetrypiprequirements.txt, Pipfile, pyproject.toml, setup.py
uvuvpyproject.toml, uv.lock
DockerdockerDockerfile
Docker Composedocker-composedocker-compose.yml
GitHub Actionsgithub-actions.github/workflows/*.yml
Go modulesgomodgo.mod
Bundler (Ruby)bundlerGemfile
Cargo (Rust)cargoCargo.toml
Composer (PHP)composercomposer.json
NuGet (.NET)nuget*.csproj, packages.config
.NET SDKdotnet-sdkglobal.json
Maven (Java)mavenpom.xml
Gradle (Java)gradlebuild.gradle
Terraformterraform*.tf
OpenTofuopentofu*.tf
HelmhelmChart.yaml
Hex (Elixir)mixmix.exs
SwiftswiftPackage.swift
Pub (Dart)pubpubspec.yaml
Bunbunbun.lockb
Dev Containersdevcontainersdevcontainer.json
Git Submodulesgitsubmodule.gitmodules
Pre-commitpre-commit.pre-commit-config.yaml

Notes:

  • pnpm and yarn both use the npm ecosystem value.
  • Prefer uv ecosystem value when uv.lock is present; otherwise use pip.

Step 2: Map Directory Locations

For each ecosystem, identify where manifests live. Use directories (plural) with glob patterns for monorepos:

directories:
  - "/"           # root
  - "/apps/*"     # all app subdirs
  - "/packages/*" # all package subdirs
  - "/lib-*"      # dirs starting with lib-
  - "**/*"        # recursive (all subdirs)

Important: directory (singular) does NOT support globs. Use directories (plural) for wildcards.

Step 3: Configure Each Ecosystem Entry

Every entry needs at minimum:

- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"

Step 4: Optimize with Grouping, Labels, and Scheduling

See sections below for each optimization technique.

Monorepo Strategies

Glob Patterns for Workspace Coverage

For monorepos with many packages, use glob patterns to avoid listing each directory:

- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"

Cross-Directory Grouping

Use group-by: dependency-name to create a single PR when the same dependency updates across multiple directories:

groups:
  monorepo-deps:
    group-by: dependency-name

This creates one PR per dependency across all specified directories, reducing CI costs and review burden.

Limitations:

  • All directories must use the same package ecosystem
  • Applies to version updates only
  • Incompatible version constraints create separate PRs

Standalone Packages Outside Workspaces

If a directory has its own lockfile and is NOT part of the workspace (e.g., scripts in .github/), create a separate ecosystem entry for it.

Dependency Grouping

Reduce PR noise by grouping related dependencies into single PRs.

By Dependency Type

groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]

By Name Pattern

groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]

For Security Updates

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Key behaviors:

  • Dependencies matching multiple groups go to the first match
  • applies-to defaults to version-updates when absent
  • Ungrouped dependencies get individual PRs

Multi-Ecosystem Groups

Combine updates across different package ecosystems into a single PR:

version: 2

multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]

updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"

  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"

The patterns key is required when using multi-ecosystem-group.

PR Customization

Labels

labels:
  - "dependencies"
  - "npm"

Set labels: [] to disable all labels including defaults. SemVer labels (major, minor, patch) are always applied if present in the repo.

Commit Messages

commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope"  # adds deps/deps-dev scope after prefix

Assignees and Milestones

assignees: ["security-team-lead"]
milestone: 4  # numeric ID from milestone URL

Branch Name Separator

pull-request-branch-name:
  separator: "-"  # default is /

Target Branch

target-branch: "develop"  # PRs target this instead of default branch

Note: When target-branch is set, security updates still target the default branch; all ecosystem config only applies to version updates.

Schedule Optimization

Intervals

Supported: daily, weekly, monthly, quarterly, semiannually, yearly, cron

schedule:
  interval: "weekly"
  day: "monday"         # for weekly only
  time: "09:00"         # HH:MM format
  timezone: "America/New_York"

Cron Expressions

schedule:
  interval: "cron"
  cronjob: "0 9 * * 1"  # Every Monday at 9 AM

Cooldown Periods

Delay updates for newly released versions to avoid early-adopter issues:

cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]

Cooldown applies to version updates only, not security updates.

Security Updates Configuration

Enable via Repository Settings

Settings → Advanced Security → Enable Dependabot alerts, security updates, and grouped security updates.

Group Security Updates in YAML

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Disable Version Updates (Security Only)

open-pull-requests-limit: 0  # disables version update PRs

Auto-Triage Rules

GitHub presets auto-dismiss low-impact alerts for development dependencies. Custom rules can filter by severity, package name, CWE, and more. Configure in repository Settings → Advanced Security.

PR Comment Commands

Interact with Dependabot PRs using @dependabot comments.

Note: As of January 2026, merge/close/reopen commands have been deprecated. Use GitHub's native UI, CLI (gh pr merge), or auto-merge instead.

CommandEffect
@dependabot rebaseRebase the PR
@dependabot recreateRecreate the PR from scratch
@dependabot ignore this dependencyClose and never update this dependency
@dependabot ignore this major versionIgnore this major version
@dependabot ignore this minor versionIgnore this minor version
@dependabot ignore this patch versionIgnore this patch version

For grouped PRs, additional commands:

  • @dependabot ignore DEPENDENCY_NAME — ignore specific dependency in group
  • @dependabot unignore DEPENDENCY_NAME — clear ignores, reopen with updates
  • @dependabot unignore * — clear all ignores for all dependencies in group
  • @dependabot show DEPENDENCY_NAME ignore conditions — display current ignores

For the complete command reference, see references/pr-commands.md.

Ignore and Allow Rules

Ignore Specific Dependencies

ignore:
  - dependency-name: "lodash"
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "express"
    versions: ["5.x"]

Allow Only Specific Types

allow:
  - dependency-type: "production"
  - dependency-name: "express"

Rule: If a dependency matches both allow and ignore, it is ignored.

Exclude Paths

exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"

Advanced Options

Versioning Strategy

Controls how Dependabot edits version constraints:

ValueBehavior
autoDefault — increase for apps, widen for libraries
increaseAlways increase minimum version
increase-if-necessaryOnly change if current range excludes new version
lockfile-onlyOnly update lockfiles, ignore manifests
widenWiden range to include both old and new versions

Rebase Strategy

rebase-strategy: "disabled"  # stop auto-rebasing

Allow rebase over extra commits by including [dependabot skip] in commit messages.

Open PR Limit

open-pull-requests-limit: 10  # default is 5 for version, 10 for security

Set to 0 to disable version updates entirely.

Private Registries

registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private

FAQ

Can I have multiple dependabot.yml files? No. GitHub supports exactly one file at .github/dependabot.yml. Use multiple updates entries within that file for different ecosystems and directories.

Does Dependabot support pnpm? Yes. Use package-ecosystem: "npm" — Dependabot detects pnpm-lock.yaml automatically.

How do I reduce PR noise in a monorepo? Use groups to batch updates, directories with globs for coverage, and group-by: dependency-name for cross-directory grouping. Consider monthly or quarterly intervals for low-priority ecosystems.

How do I handle dependencies outside the workspace? Create a separate ecosystem entry with its own directory pointing to that location.

Pre-Commit Dependency Scanning via AI Coding Agents

For scanning code changes for vulnerable dependencies inside an AI coding agent before committing, the GitHub MCP Server's dependabot toolset can check your dependency additions against the GitHub Advisory Database and return structured results with affected packages, severity, and recommended fixed versions. For more thorough post-commit checks, it can also run the Dependabot CLI locally to diff dependency graphs before and after your changes.

Install the Advanced Security plugin which provides dedicated dependency scanning tools and the /dependency-scanning skill.

GitHub Copilot CLI (shell):

# Enable the dependabot toolset for the GitHub MCP Server
copilot --add-github-mcp-toolset dependabot

GitHub Copilot CLI (inside copilot):

> /plugin install advanced-security@copilot-plugins

Visual Studio Code:

  • Add "X-MCP-Toolsets": "dependabot" to your GitHub MCP Server headers, or pick Dependabot from the toolset selector in Copilot Chat
  • Install the advanced-security plugin, then use /dependency-scanning in Copilot Chat

Example prompt:

Scan the dependencies I added on this branch for known vulnerabilities and tell me which versions to upgrade to before I commit.

See: Advanced Security Plugin — Dependency Scanning Skill

Announced in Dependency scanning with GitHub MCP Server is in public preview (May 2026)

Resources

  • references/dependabot-yml-reference.md — Complete YAML options reference
  • references/pr-commands.md — Full PR comment commands reference
  • references/example-configs.md — Real-world configuration examples

github의 다른 스킬

console-rendering
github
Go에서 struct 태그 기반 콘솔 렌더링 시스템 사용 지침
official
acquire-codebase-knowledge
github
사용자가 기존 코드베이스에 대한 매핑, 문서화, 또는 온보딩을 명시적으로 요청할 때 이 스킬을 사용하세요. "이 코드베이스를 매핑해줘", "문서화해줘"와 같은 프롬프트에서 트리거됩니다.
official
acreadiness-assess
github
현재 리포
official
acreadiness-generate-instructions
github
AgentRC 명령어를 통해 맞춤형 AI 에이전트 지침 파일을 생성합니다. .github/copilot-instructions.md 파일을 생성합니다(기본값, VS Code의 Copilot에 권장됨).
official
acreadiness-policy
github
사용자가 AgentRC 정책을 선택, 작성 또는 적용할 수 있도록 지원합니다. 정책은 관련 없는 검사를 비활성화하고, 영향/수준을 재정의하며, 설정을 통해 준비 상태 점수를 사용자 지정합니다.
official
add-educational-comments
github
코드 파일에 교육용 주석을 추가하여 효과적인 학습 자료로 변환합니다. 설명의 깊이와 어조를 세 가지 설정 가능한 지식 수준(초급, 중급, 고급)에 맞게 조정합니다. 파일이 제공되지 않으면 자동으로 요청하며, 빠른 선택을 위해 번호 목록 매칭을 제공합니다. 교육용 주석만을 사용하여 파일을 최대 125%까지 확장합니다(엄격한 제한: 새 줄 400개, 1,000줄 초과 파일의 경우 300개). 파일 인코딩, 들여쓰기 스타일, 구문 정확성 등을 유지합니다.
official
adobe-illustrator-scripting
github
Adobe Illustrator 자동화 스크립트를 ExtendScript(JavaScript/JSX)로 작성, 디버깅 및 최적화합니다. 스크립트를 생성하거나 수정하여 조작할 때 사용합니다.
official
agent-governance
github
선언적 정책, 의도 분류, AI 에이전트 도구 접근 및 행동 제어를 위한 감사 추적. 구성 가능한 거버넌스 정책은 허용/차단된 도구, 콘텐츠 필터, 속도 제한, 승인 요구 사항을 정의하며, 코드가 아닌 구성으로 저장됨. 의미론적 의도 분류는 패턴 기반 신호를 사용하여 도구 실행 전에 위험한 프롬프트(데이터 유출, 권한 상승, 프롬프트 인젝션)를 탐지함. 도구 수준 거버넌스 데코레이터는 함수에서 정책을 적용함...
official