GitHub dependabot

wikipedia:Dependabot (May 2019) automated dependency updates built into GitHub since May 2019.^[1]

• Homepage: https://github.com/dependabot
• Configuration: .github/dependabot.yml
• Dependabot options in Code security and analysis:
  • Dependabot alerts
  • Dependabot security updates
  • Grouped security updates
  • Dependabot version updates
  • Dependabot on Actions runners
  • Dependabot on self-hosted runners

Changelog

• Feb 2022 https://github.blog/2022-02-08-improving-developer-experience-dependabot-alerts/
• Dependabot version updates https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/

Activities

• https://stackoverflow.com/questions/tagged/dependabot?tab=Votes
• Review Automerge: https://stackoverflow.com/questions/64116781/how-do-i-automerge-dependabot-updates-config-version-2

if: ${{ github.actor == 'dependabot[bot]' }}

Related

• Dependabot alerts
• GitHub security: GitHub code scanning (Sep 2020 ^[2])
• Semantic Versioning (semver)
• Amazon Inspector (Oct 2015)
• npm audit
• GitHub Advanced Security (GHAS) include code scanning alerts
• Renovate bot
• ECR scanning
• Docker Scout
• Container scanning

See also

• GitHub Dependabot, Dependabot alerts, .github/dependabot.yml
• GitHub security, GitHub Advanced Security (GHAS), GitHub Security Advisory (GHSA), GitHub code scanning, GitHub dependabot, secret scanning, SECURITY.md
• Bot, Bad Bots, Renovate bot, Dependabot, Cloudflare Bot fight mode, ClaudeBot