
Dependabot
Author or extend `.github/dependabot.yml` with correct ecosystems, schedules, registries, and grouping so dependency PRs stay manageable on a solo repo.
Overview
Dependabot is an agent skill most often used in Ship (also Operate) that documents every `.github/dependabot.yml` option so you can configure automated dependency updates correctly.
Install
npx skills add https://github.com/github/awesome-copilot --skill dependabot
What is this skill?
- Complete `dependabot.yml` structure: version 2, updates entries, optional registries and multi-ecosystem groups
- Maps package managers to YAML `package-ecosystem` values and manifest files (npm, cargo, docker, bun, composer, etc.)
- Documents required keys: ecosystem, directory or directories, and schedule interval
- Supports private registry blocks and cross-ecosystem grouping for fewer noisy PR batches
- dependabot.yml version is always 2
Adoption & trust: 3.1k installs on skills.sh; 34.6k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need Dependabot on GitHub but the YAML options for ecosystems, directories, registries, and grouping are easy to misconfigure.
Who is it for?
Solo builders maintaining GitHub repos with multiple package managers or private registries who want structured, low-noise update PRs.
Skip if: Non-GitHub hosting, one-off manual `npm update` sessions with no automation, or teams wanting vulnerability-only policies without reading Dependabot version 2 schema.
When should I use this skill?
You are creating or editing `.github/dependabot.yml` and need ecosystem values, schedules, registries, or grouping syntax.
What do I get? / Deliverables
You produce a valid `dependabot.yml` matched to your manifests and schedules, ready for GitHub to open consistent dependency PRs.
- Valid dependabot.yml snippet or full file
- Ecosystem and directory mapping for each package manager in the repo
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Dependabot configuration is part of safe shipping—automated updates reduce vulnerable dependencies before and after launch. Dependency updates are a primary supply-chain control in ship/security alongside secret and patch hygiene.
Where it fits
Add cargo and npm update entries with weekly schedules before your first production tag.
Wire a private npm registry block so Dependabot can reach scoped packages in CI.
Introduce multi-ecosystem-groups to batch Docker and Composer bumps into a single PR rhythm.
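The three steps above, carried through as one complete `.github/dependabot.yml`. This is an added example, not the skill's own file or text: the registry name `npm-private`, the `/web` and `/api` paths, the group names and the package patterns are constructed for a hypothetical solo repo, and the registry URL is a placeholder. The `token` field, the `npm-registry` registry type, the per-update `registries` list and the `multi-ecosystem-group` / `patterns` keys on the Docker and Composer entries are standard Dependabot syntax not shown on this page; check them against GitHub's current schema before committing.

```yaml
# .github/dependabot.yml (added example for a hypothetical solo repo)
# Layout assumed: Rust crate at the root, npm workspace under /web that pulls
# scoped packages from a private registry, GitHub Actions workflows, a Dockerfile
# at the root and a PHP service under /api.
version: 2

registries:
  npm-private:                           # registry name is an assumption
    type: "npm-registry"
    url: "https://REGISTRY_PLACEHOLDER"  # placeholder, replace with the real host
    token: "${{ secrets.NPM_TOKEN }}"    # a read-only token stored as a Dependabot secret

multi-ecosystem-groups:
  containers-and-php:                    # one PR rhythm for Docker and Composer bumps
    schedule:
      interval: "weekly"
      day: "monday"

updates:
  # Step 1: cargo and npm entries on a weekly schedule, before the first production tag
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "tuesday"
      time: "09:00"
      timezone: "Europe/London"
    groups:
      cargo-minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]  # majors still arrive as separate PRs for review
      cargo-security:
        applies-to: "security-updates"    # security fixes batched on their own
        patterns: ["*"]

  # Step 2: npm workspace wired to the private registry for scoped packages
  - package-ecosystem: "npm"
    directory: "/web"
    registries:
      - npm-private
    schedule:
      interval: "weekly"
      day: "tuesday"
    groups:
      npm-dev-tooling:
        dependency-type: "development"
        patterns: ["eslint*", "prettier", "@types/*"]
      npm-production:
        dependency-type: "production"
        exclude-patterns: ["react*"]      # keep framework bumps in their own PRs

  # Workflow action versions; "/" is enough, Dependabot searches .github/workflows/
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"

  # Step 3: Docker and Composer join the cross-ecosystem group.
  # The group's schedule applies to these entries (per GitHub's docs for the
  # feature; verify against the current schema).
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["*"]
    multi-ecosystem-group: "containers-and-php"

  - package-ecosystem: "composer"
    directory: "/api"
    patterns: ["*"]
    multi-ecosystem-group: "containers-and-php"
```

The registry token belongs in the repository's Dependabot secrets, not in the file, and should be scoped to read access on the private packages only. Splitting `update-types` so that major bumps fall outside the group is what keeps a group from silently absorbing a breaking change: majors surface as individual PRs you review by hand, while minor and patch bumps arrive in one batch.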
How it compares
Reference skill for Dependabot YAML—not a replacement for Renovate config or for human review of major version bumps.
Common Questions / FAQ
Who is dependabot for?
Indie developers and small teams on GitHub who own CI and dependency hygiene and need accurate dependabot.yml without reading the entire GitHub docs tree.
When should I use dependabot?
Use it in Ship when adding or fixing Dependabot before release; in Operate when expanding monorepo paths, registries, or grouping after the product is live.
Is dependabot safe to install?
The skill only guides configuration text—review the Security Audits panel on this page and restrict registry tokens in GitHub secrets with least privilege.
SKILL.md - Dependabot
# Dependabot YAML Options Reference

Complete reference for all configuration options in `.github/dependabot.yml`.

## File Structure

```yaml
version: 2                          # Required, always 2

registries:                         # Optional: private registry access
  REGISTRY_NAME:
    type: "..."
    url: "..."

multi-ecosystem-groups:             # Optional: cross-ecosystem grouping
  GROUP_NAME:
    schedule:
      interval: "..."

updates:                            # Required: list of ecosystem configurations
  - package-ecosystem: "..."        # Required
    directory: "/"                  # Required (or directories)
    schedule:                       # Required
      interval: "..."
```

## Required Keys

### `version`

Always `2`. Must be at the top level.

### `package-ecosystem`

Defines which package manager to monitor. One entry per ecosystem (can have multiple entries for the same ecosystem with different directories).

| Package Manager | YAML Value | Manifest Files |
|---|---|---|
| Bazel | `bazel` | `MODULE.bazel`, `WORKSPACE` |
| Bun | `bun` | `bun.lockb` |
| Bundler (Ruby) | `bundler` | `Gemfile`, `Gemfile.lock` |
| Cargo (Rust) | `cargo` | `Cargo.toml`, `Cargo.lock` |
| Composer (PHP) | `composer` | `composer.json`, `composer.lock` |
| Conda | `conda` | `environment.yml` |
| Dev Containers | `devcontainers` | `devcontainer.json` |
| Docker | `docker` | `Dockerfile` |
| Docker Compose | `docker-compose` | `docker-compose.yml` |
| .NET SDK | `dotnet-sdk` | `global.json` |
| Elm | `elm` | `elm.json` |
| Git Submodules | `gitsubmodule` | `.gitmodules` |
| GitHub Actions | `github-actions` | `.github/workflows/*.yml` |
| Go Modules | `gomod` | `go.mod`, `go.sum` |
| Gradle | `gradle` | `build.gradle`, `build.gradle.kts` |
| Helm | `helm` | `Chart.yaml` |
| Hex (Elixir) | `mix` | `mix.exs`, `mix.lock` |
| Julia | `julia` | `Project.toml`, `Manifest.toml` |
| Maven | `maven` | `pom.xml` |
| npm/pnpm/yarn | `npm` | `package.json`, lockfiles |
| NuGet | `nuget` | `*.csproj`, `packages.config` |
| OpenTofu | `opentofu` | `*.tf` |
| pip/pipenv/poetry/uv | `pip` | `requirements.txt`, `Pipfile`, `pyproject.toml` |
| Pre-commit | `pre-commit` | `.pre-commit-config.yaml` |
| Pub (Dart/Flutter) | `pub` | `pubspec.yaml` |
| Rust Toolchain | `rust-toolchain` | `rust-toolchain.toml` |
| Swift | `swift` | `Package.swift` |
| Terraform | `terraform` | `*.tf` |
| uv | `uv` | `uv.lock`, `pyproject.toml` |
| vcpkg | `vcpkg` | `vcpkg.json` |

### `directory` / `directories`

Location of package manifests relative to repo root.

- `directory` — single path (no glob support)
- `directories` — list of paths (supports `*` and `**` globs)

```yaml
# Single directory
directory: "/"

# Multiple directories with globs
directories:
  - "/"
  - "/apps/*"
  - "/packages/*"
```

For GitHub Actions, use `/` — Dependabot automatically searches `.github/workflows/`.

### `schedule`

How often to check for updates.

| Parameter | Values | Notes |
|---|---|---|
| `interval` | `daily`, `weekly`, `monthly`, `quarterly`, `semiannually`, `yearly`, `cron` | Required |
| `day` | `monday`–`sunday` | Weekly only |
| `time` | `HH:MM` | UTC by default |
| `timezone` | IANA timezone string | e.g., `America/New_York` |
| `cronjob` | Cron expression | Required when interval is `cron` |

```yaml
schedule:
  interval: "weekly"
  day: "tuesday"
  time: "09:00"
  timezone: "Europe/London"
```

## Grouping Options

### `groups`

Group dependencies into fewer PRs.

| Parameter | Purpose | Values |
|---|---|---|
| `IDENTIFIER` | Group name (used in branch/PR title) | Letters, pipes, underscores, hyphens |
| `applies-to` | Update type | `version-updates` (default), `security-updates` |
| `dependency-type` | Filter by type | `development`, `production` |
| `patterns` | Include matching names | List of strings with `*` wildcard |
| `exclude-patterns` | Exclude matching names | List of strings with `*` wildcard |
| `update-types` | SemVer filter | `major`, `minor`, `patch` |
| `group-by` | Cross-directory