GitHub Dependabot — YAML Config
A production-ready Dependabot configuration that keeps your npm packages and GitHub Actions action versions up to date automatically — with PR grouping to reduce noise and a major-version ignore rule to prevent surprise breaking changes.
Overview
Dependabot is GitHub's built-in automated dependency update service. When enabled, it periodically
checks your project's dependency manifests (such as package.json and workflow files),
identifies outdated packages, and opens pull requests with the version bumps — complete with release
notes and changelogs where available.
This config defines two update blocks: one for npm packages (checking weekly, grouping prod and dev dependencies into separate PRs, ignoring major-version bumps) and one for GitHub Actions (checking monthly, keeping action pins up to date with fewer PRs). Separating them by ecosystem lets you apply different schedules and policies to each type of dependency.
The file lives at .github/dependabot.yml, not inside .github/workflows/. It is not a workflow file and does not use the same YAML schema.
The top-level key is version: 2 (an integer, not a string), and the structure is a list of update entries under updates.
Full YAML (copy-paste ready)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      production-dependencies:
        dependency-type: "production"
      development-dependencies:
        dependency-type: "development"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 5
Key sections explained
package-ecosystem — what Dependabot watches
The package-ecosystem key tells Dependabot which dependency system to scan. Common values include:
"npm" — Node.js (package.json, package-lock.json, yarn.lock)
"pip" — Python (requirements.txt, Pipfile, pyproject.toml)
"gomod" — Go (go.mod)
"docker" — Dockerfile FROM instructions
"github-actions" — uses: references in workflow files
"terraform" — Terraform provider and module versions
"bundler" — Ruby (Gemfile)
"maven" — Java (pom.xml)
Each ecosystem requires a separate entry in the updates list. You can have as many entries
as needed — one per ecosystem, or multiple entries for the same ecosystem targeting different directories
(e.g., separate npm entries for a monorepo's /frontend and /backend
directories).
groups — batching dependency PRs
Without grouping, Dependabot opens one PR per outdated dependency, which can flood your PR queue with
dozens of small updates per week. The groups key batches related dependencies into a single PR.
This config creates two groups: one for production dependencies (dependency-type: "production"
— packages listed under dependencies in package.json) and one for development
dependencies (dependency-type: "development" — packages under devDependencies).
This separation is useful because production dependency updates typically warrant more careful review
than dev tooling updates.
You can also group by pattern. For example, to batch all @types/* packages together:
groups:
  typescript-types:
    patterns:
      - "@types/*"
ignore — blocking major-version updates
The ignore block suppresses specific update types. Here, the wildcard
dependency-name: "*" combined with
update-types: ["version-update:semver-major"] tells Dependabot to silently skip all
major-version bumps for every npm package. Dependabot will still open PRs for minor and patch updates
— it only skips the ones that are most likely to contain breaking changes.
This is a safe default for teams that want automation without surprise API breaks. When you're ready to upgrade a package to its next major version, do so manually (or remove the ignore rule temporarily).
update-types values are version-update:semver-major,
version-update:semver-minor, and version-update:semver-patch. You can combine
them in the list to ignore multiple update levels.
github-actions ecosystem entry
The second entry in updates watches your .github/workflows/ directory for
outdated uses: references. When you use an action like actions/checkout@v4,
Dependabot will open a PR when v5 is released. For actions pinned to a full commit SHA
(which is a security best practice), Dependabot updates the SHA to match the latest tagged release.
Monthly is a reasonable schedule for action updates since action releases are less frequent than npm
package releases. The open-pull-requests-limit: 5 cap prevents a backlog of action-update
PRs if you haven't merged them for a while.
Tips & variations
Set a custom schedule day and time
By default, weekly updates run on Monday. You can specify a day and time zone to control exactly when Dependabot opens PRs — useful for aligning with your team's review cadence:
schedule:
  interval: "weekly"
  day: "tuesday"
  time: "09:00"
  timezone: "Europe/London"
Auto-assign reviewers and labels
Add reviewers and labels to Dependabot PRs so they're routed to the right
person and filtered in your PR list:
- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"
  reviewers:
    - "your-github-username"
  labels:
    - "dependencies"
    - "automated"
Add Python or Go ecosystems
For a full-stack project, add additional entries for each ecosystem. Each entry is independent and can have its own schedule, limits, and ignore rules:
- package-ecosystem: "pip"
  directory: "/"
  schedule:
    interval: "weekly"
  open-pull-requests-limit: 5
- package-ecosystem: "gomod"
  directory: "/"
  schedule:
    interval: "monthly"
  open-pull-requests-limit: 3
Pair with a CI workflow for auto-merge
To fully automate patch-version dependency updates, combine Dependabot with a GitHub Actions workflow
that auto-merges Dependabot PRs when CI passes. Use the
dependabot/fetch-metadata action to check the update type and only auto-merge patches.
This reduces maintenance burden significantly for low-risk updates.