Dependabot Config Generator

Generate a .github/dependabot.yml to keep dependencies up to date automatically. Tick the package ecosystems your repo uses — npm, pip, Docker, GitHub Actions, Go, Maven, Composer, Bundler, Cargo — set the update schedule and how many open pull requests to allow, and optionally group minor and patch updates together. Copy the file into .github/ and Dependabot starts raising PRs. Generated in your browser.

How to use the Dependabot Config Generator

Tick every ecosystem present in your repository — each becomes a separate updates entry with the correct package-ecosystem value, so a repo with a package.json and a Dockerfile gets both npm and Docker monitoring. Set the schedule (weekly is a sensible default that avoids PR noise), the directory the manifests live in (use / for the repo root), and a cap on simultaneously open PRs. The file regenerates live; save it as .github/dependabot.yml and commit it.

Leave grouping on to bundle minor and patch bumps into a single pull request per ecosystem instead of one PR per package — this dramatically reduces the volume Dependabot creates while still surfacing major updates individually so you can review breaking changes carefully. Add reviewers if you want specific people requested automatically. Once committed, Dependabot validates the file (you can see errors in the Insights → Dependency graph → Dependabot tab) and begins opening update PRs on the schedule you chose.

What Dependabot version updates do

Dependabot is GitHub's built-in dependency updater. Its version updates feature watches your dependency manifests and lockfiles and opens pull requests when newer versions are released, so your dependencies do not silently drift years out of date. It is configured entirely through one file, .github/dependabot.yml, and runs on GitHub's infrastructure with no service to host or token to manage.

The configuration centres on a list of updates entries, one per ecosystem and directory. Each entry names a package-ecosystem (npm, pip, docker, github-actions, gomod, maven, composer, bundler, cargo, and more), the directory where its manifest lives, and a schedule that controls how often Dependabot checks. Additional keys tune behaviour: open-pull-requests-limit caps how many PRs can be open at once, reviewers and labels route them, and groups combine related updates so you do not drown in one-package-per-PR noise.

Keeping the github-actions ecosystem updated deserves special mention: pinned action versions in your workflows are dependencies too, and out-of-date or unpinned actions are a real supply-chain risk. Adding that entry lets Dependabot bump action versions alongside your application dependencies. Note that version updates are separate from Dependabot's security updates, which are enabled in repository settings and fire whenever an advisory affects a dependency regardless of this file — the two work together, with this configuration controlling routine upgrades and the security feature handling urgent vulnerabilities.

Common use cases

  • New repositories. Turn on automated dependency PRs from day one with the right ecosystems.
  • Reducing PR noise. Add grouping to a repo where Dependabot opens too many separate PRs.
  • Supply-chain hygiene. Keep pinned GitHub Actions and base images current, not just app packages.
  • Polyglot repos. Configure several ecosystems — npm, Docker, Actions — in one file.

Frequently asked questions

Where does the file go and what is it named?

Exactly .github/dependabot.yml in the default branch of your repository. GitHub reads it from there; a file elsewhere or with a different name is ignored. After committing, check the Dependabot section under Insights to confirm it parsed without errors.

What is the difference from Dependabot security updates?

This file configures version updates — routine upgrades on a schedule. Security updates are a separate feature toggled in repository settings that opens PRs whenever a known vulnerability affects a dependency, independent of this file. Most teams enable both: security updates for urgent fixes, version updates for staying current.

How do groups reduce pull request volume?

Without grouping, Dependabot opens one PR per outdated package, which can be dozens at once. A group rule bundles updates that match it — commonly all minor and patch bumps for an ecosystem — into a single PR, so you review one combined change instead of many. Major updates are usually left separate so breaking changes get individual attention.

Should I monitor the github-actions ecosystem?

Yes. The actions referenced in your workflows are dependencies with their own versions and vulnerabilities. Adding a github-actions entry lets Dependabot keep them current and pinned, closing a commonly overlooked supply-chain gap. Its directory is always / because workflows live in .github/workflows.
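A complete file of the shape described in the configuration overview, the grouping question and this github-actions question, covering npm, Docker and GitHub Actions with a weekly schedule, a PR cap, reviewers and one minor/patch group per ecosystem. This is an added example, not output copied from the tool; the reviewer team handle is a placeholder.

```yaml
# Constructed example of a .github/dependabot.yml (added here, not the tool's own output).
# The reviewer team handle is a placeholder; replace it with a real user or org/team.
version: 2
updates:
  # npm: package.json / package-lock.json at the repository root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "example-org/platform-team"   # placeholder team handle
    labels:
      - "dependencies"
    groups:
      # One PR for all minor and patch bumps; major updates still arrive one per package
      npm-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

  # Docker: base images referenced by the Dockerfile at the repository root
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

  # GitHub Actions: directory is always "/" because workflows live in .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
```

Commit it on the default branch and confirm under Insights → Dependency graph → Dependabot that it parsed without errors before expecting PRs.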

Will Dependabot update transitive dependencies?

For ecosystems with lockfiles, Dependabot updates the lockfile and can bump transitive dependencies when resolving a direct update or a security fix, but routine version updates primarily target your declared direct dependencies. Security updates are more aggressive about reaching vulnerable transitive packages.