| Package manager | YAML value | Supported versions | Version updates | Security updates | Private repositories | Private registries | Vendoring |
|---|---|---|---|---|---|---|---|
{% ifversion dependabot-bazel-support %}
| Bazel | `bazel` | v7, v8, v9 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% endif %}
{% ifversion dependabot-bun-support %}
| Bun | `bun` | >=v1.1.39 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% endif %}
| Bundler | `bundler` | {% ifversion ghes < 3.15 %}v1, {% endif %}v2 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| Cargo | `cargo` | v1 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Composer | `composer` | {% ifversion dependabot-updates-composerv1-closing-down %}v2{% else %}v1, v2{% endif %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% ifversion dependabot-conda-support %}
| Conda | `conda` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% endif %}
| Dev containers | `devcontainers` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Docker | `docker` | v1 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
{% ifversion dependabot-docker-compose-support %}
| Docker Compose | `docker-compose` | v2, v3 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
{% endif %}
{% ifversion dependabot-dotnet-sdk %}
| .NET SDK | `dotnet-sdk` | >=.NET Core 3.1 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable | Not applicable | Not applicable |
{% endif %}
| Helm Charts | `helm` | {% ifversion dependabot-helm-support %}v3{% else %}Not supported{% endif %} | {% ifversion dependabot-helm-support %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | {% octicon "x" aria-label="Not supported" %} | {% ifversion dependabot-helm-support %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | {% ifversion dependabot-helm-support %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | Not applicable |
| Hex | `mix` | v1 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% ifversion dependabot-julia-support %}
| Julia | `julia` | >=v1.10 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% endif %}
| elm-package | `elm` | v0.19 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| git submodule | `gitsubmodule` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
| {% data variables.product.prodname_actions %} | `github-actions` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
| Go modules | `gomod` | v1 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} |
| Gradle | `gradle` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Maven | `maven` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% ifversion dependabot-nix-support %}
| Nix | `nix` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable | Not applicable |
{% endif %}
| npm | `npm` | v7, v8, v9, v10, v11 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| NuGet | `nuget` | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% endif %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% ifversion dependabot-opentofu-support %}
| OpenTofu | `opentofu` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable |
{% endif %}
| pip | `pip` | 24.2 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| pipenv | `pip` | <= 2024.4.1 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| pip-compile | `pip` | 7.5.3 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| {% ifversion dependabot-updates-pnpmv9-support %}pnpm{% else %}pnpm{% endif %} | `npm` | v7, v8, v9, v10 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} {% ifversion dependabot-updates-pnpmv9-support %}{% else %}(v7 and v8 only){% endif %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| poetry | `pip` | 2.2.1 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% ifversion dependabot-pre-commit-support %}
| pre-commit | `pre-commit` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% endif %}
| pub | `pub` | v2 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% ifversion dependabot-rust-toolchain-support %}
| Rust toolchain | `rust-toolchain` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable | Not applicable |
{% endif %}
| Swift | `swift` | v5 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} (git only) | {% octicon "x" aria-label="Not supported" %} |
| Terraform | `terraform` | >= 0.13, <= 1.13.x | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
{% ifversion dependabot-uv-security-support %}
| uv | `uv` | v0 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
{% elsif dependabot-uv-support %}
| uv | `uv` | v0 | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
{% endif %}
{% ifversion dependabot-vcpkg-support %}
| vcpkg | `vcpkg` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable |
{% endif %}
| yarn | `npm` | v1, v2, v3, v4 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |

> [!TIP]
> For package managers such as pipenv and poetry, you need to use the `pip` YAML value. For example, if you use poetry to manage your Python dependencies and want {% data variables.product.prodname_dependabot %} to monitor your dependency manifest file for new versions, use `package-ecosystem: "pip"` in your `dependabot.yml` file.
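As an added example (not part of the original page), the following `dependabot.yml` configures a repository whose root project is managed with poetry and whose `tools/` subdirectory uses pipenv. Both entries use the `pip` YAML value from the table above, because `poetry` and `pipenv` are not valid `package-ecosystem` values. The `/tools` directory and the weekly schedule are assumptions for the example.

```yaml
# Added example: dependabot.yml for a repository that uses poetry (root)
# and pipenv (tools/). Both tools are configured with package-ecosystem
# "pip"; "poetry" and "pipenv" are not accepted YAML values.
version: 2
updates:
  # poetry project: Dependabot monitors pyproject.toml / poetry.lock here
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

  # pipenv project in a subdirectory (assumed path): Pipfile / Pipfile.lock
  - package-ecosystem: "pip"
    directory: "/tools"
    schedule:
      interval: "weekly"
```

Dependabot works out which of the pip-compatible tools is in use from the manifest and lock files it finds in each `directory`; the "Supported versions" column of the table (poetry 2.2.1, pipenv <= 2024.4.1, pip-compile 7.5.3) applies per tool, not to the `pip` value as a whole.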

For further information about ecosystem support for {% data variables.product.prodname_dependabot_security_updates %}, see also AUTOTITLE.

{% ifversion dependabot-bun-support %}

### Bun

{% data variables.product.prodname_dependabot %} supports the current default text-based `bun.lock` file, but not the legacy binary `bun.lockb` file. The `bun.lock` file is supported in version 1.1.39 and above. For more information, see Lockfile in the Bun documentation.

{% endif %}

### Cargo

Private registry support includes cargo registries, so you can use {% data variables.product.prodname_dependabot %} to keep your Rust dependencies up-to-date. For more information, see AUTOTITLE.

{% ifversion dependabot-conda-support %}

### Conda

{% data variables.product.prodname_dependabot %} support for Conda does not include private registries, vendoring, or lock file updates.

{% endif %}

### Dev containers

You can use `devcontainers` as a `package-ecosystem` in your `dependabot.yml` file to update Features in your `devcontainer.json` configuration files. For more information about this support, and for configuration file examples, see General Availability of {% data variables.product.prodname_dependabot %} Integration in the Development Containers documentation.

Dev containers are used in several tools and services, including {% data variables.product.prodname_codespaces %}. For more information about Features and the supported services, see Features and Supporting tools and services in the Development Containers documentation, respectively.

This updater ensures Features are pinned to the latest major version in the associated `devcontainer.json` file. If a dev container has a lockfile, that file will also be updated. For more information about lockfile specifications, see Lockfiles in the devcontainers/spec repository.

Features in any valid dev container location will be updated in a single pull request. For more information about the dev container specification, see Specification in the Development Containers documentation.

### Docker

{% data variables.product.prodname_dependabot %} can add metadata from Docker images to pull requests for version updates. The metadata includes release notes, changelogs and the commit history. Repository administrators can use the metadata to quickly evaluate the stability risk of the dependency update.

In order for {% data variables.product.prodname_dependabot %} to fetch Docker metadata, maintainers of Docker images must add the `org.opencontainers.image.source` label to their `Dockerfile`, and include the URL of the source repository. Additionally, maintainers must tag the repository with the same tags as the published Docker images. For an example, see the dependabot-fixtures/docker-with-source repository. For more information on Docker labels, see Extension image labels and `BUILDX_GIT_LABELS` in the Docker documentation.

{% data variables.product.prodname_dependabot %} can update Docker image tags in Kubernetes manifests. Add an entry to the `docker` `package-ecosystem` element of your `dependabot.yml` file for each directory containing a Kubernetes manifest which references Docker image tags. Kubernetes manifests can be Kubernetes Deployment YAML files or Helm charts. For information about configuring your `dependabot.yml` file for `docker`, see "package-ecosystem" in AUTOTITLE.

{% data variables.product.prodname_dependabot %} supports both public and private Docker registries. For a list of the supported registries, see "docker-registry" in AUTOTITLE.

{% data variables.product.prodname_dependabot %} parses Docker image tags for Semantic Versioning (SemVer). If {% data variables.product.prodname_dependabot %} detects a tag with a pre-release, then it will only suggest an update to the latest version with a matching pre-release, and it will not suggest a newer version that uses a different pre-release label. For more information, see the dependabot-docker `README.md` file in the dependabot/dependabot-core repository.
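The following `dependabot.yml` is an added example, not configuration from the original page: it covers a `Dockerfile` in the repository root and a directory of Kubernetes Deployment manifests (one `docker` entry per manifest directory, as described above), and both pull from a private registry declared under `registries`. The registry host, the `/deploy/k8s` path and the secret names are assumptions for the example.

```yaml
# Added example: Docker image tags in a Dockerfile and in Kubernetes
# manifests, resolved against a private registry.
version: 2
registries:
  # Private registry (constructed example host). Credentials are read from
  # Dependabot secrets, so nothing sensitive lives in the repository.
  internal-docker:
    type: docker-registry
    url: https://registry.example.internal
    username: ${{secrets.DOCKER_REGISTRY_USER}}
    password: ${{secrets.DOCKER_REGISTRY_PASSWORD}}

updates:
  # Dockerfile in the repository root
  - package-ecosystem: "docker"
    directory: "/"
    registries:
      - internal-docker
    schedule:
      interval: "weekly"

  # Kubernetes Deployment manifests (assumed path). Add one entry like this
  # for each directory that contains manifests referencing image tags.
  - package-ecosystem: "docker"
    directory: "/deploy/k8s"
    registries:
      - internal-docker
    schedule:
      interval: "weekly"
```

No extra configuration is needed for the pre-release behaviour described above: a manifest pinned to a tag such as `1.2.0-rc1` is only ever moved to a newer `-rc` tag, never to a tag carrying a different pre-release label.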

{% ifversion dependabot-docker-compose-support %}

### Docker Compose

{% data variables.product.prodname_dependabot %} supports Docker Compose in a similar way to Docker. For more information, see Docker.

{% endif %}

### {% data variables.product.prodname_actions %}

{% data variables.product.prodname_dependabot %} supports version updates for {% data variables.product.prodname_actions %} with the following caveats.

{% data reusables.actions.dependabot-version-updates-actions-caveats %}

For more information about using {% data variables.product.prodname_dependabot_version_updates %} with {% data variables.product.prodname_actions %}, see AUTOTITLE.

### Gradle

{% data variables.product.prodname_dependabot %} supports updates to the following files without needing to run Gradle:

* `build.gradle`, `build.gradle.kts` (for Kotlin projects)
* `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog)
* `gradle.lockfile` (for projects using Gradle dependency locking)
* Files included via the `apply` declaration that have `dependencies` in the filename. Note that `apply` does not support `apply to`, recursion, or advanced syntaxes (for example, Kotlin's `apply` with `mapOf`, filenames defined by property).

To update the Gradle Wrapper, {% data variables.product.prodname_dependabot %} runs Gradle and updates:

* `gradle/wrapper/gradle-wrapper.properties`
* `gradlew`
* `gradlew.bat`
* `gradle/wrapper/gradle-wrapper.jar`

{% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If that information is omitted from the `pom.xml` file, it cannot be included in {% data variables.product.prodname_dependabot %} pull requests. For more information, see AUTOTITLE.

For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see AUTOTITLE.

> [!NOTE]
> * When you upload Gradle dependencies to the dependency graph using the {% data variables.dependency-submission-api.name %}, all project dependencies are uploaded, even transitive dependencies that aren't explicitly mentioned in any dependency file. When an alert is detected in a transitive dependency, {% data variables.product.prodname_dependabot %} isn't able to find the vulnerable dependency in the repository, and therefore won't create a security update for that alert.
> * {% data variables.product.prodname_dependabot_version_updates %} will, however, create pull requests when the parent dependency is explicitly declared as a direct dependency in the project's manifest file.

### Helm Charts

{% data variables.product.prodname_dependabot %} supports using a username and password for registries. For more information, see AUTOTITLE.

The `helm-registry` type only supports HTTP Basic Auth and does not support OCI-compliant registries. If you need to access an OCI-compliant registry for Helm charts, configure a `docker-registry` instead. For more information, see AUTOTITLE.

When you configure {% data variables.product.prodname_dependabot %} for Helm charts, it also automatically updates the Docker images referenced within those charts, so that both the chart versions and their contained images stay up to date.
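As an added example (not from the original page), this `dependabot.yml` declares both registry types the section above distinguishes: a chart repository that authenticates with HTTP Basic Auth (`helm-registry`) and an OCI-compliant registry, which must be configured as a `docker-registry` because `helm-registry` does not speak OCI. The hostnames, the `/charts/app` directory and the secret names are assumptions.

```yaml
# Added example: Helm chart sources behind two kinds of private registry.
version: 2
registries:
  # Chart repository served over HTTPS with HTTP Basic Auth:
  # this is what the helm-registry type supports.
  charts-basic-auth:
    type: helm-registry
    url: https://charts.example.internal
    username: ${{secrets.HELM_USER}}
    password: ${{secrets.HELM_PASSWORD}}

  # OCI-compliant registry that hosts charts (and images). helm-registry
  # cannot talk to it, so it is declared as a docker-registry instead.
  charts-oci:
    type: docker-registry
    url: https://oci.example.internal
    username: ${{secrets.OCI_USER}}
    password: ${{secrets.OCI_PASSWORD}}

updates:
  # Chart directory (assumed path). Chart versions and the Docker image
  # references inside the chart are both kept up to date.
  - package-ecosystem: "helm"
    directory: "/charts/app"
    registries:
      - charts-basic-auth
      - charts-oci
    schedule:
      interval: "weekly"
```

A common misconfiguration is pointing `helm-registry` at an `oci://` host: authentication then fails and updates silently stop, so when a chart source is OCI, declare it as `docker-registry` from the start.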

### Maven

{% data variables.product.prodname_dependabot %} doesn't run Maven but supports updates to `pom.xml` files.

{% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If that information is omitted from the `pom.xml` file, it cannot be included in {% data variables.product.prodname_dependabot %} pull requests. For more information, see AUTOTITLE.

{% ifversion dependabot-nix-support %}

### Nix

{% data variables.product.prodname_dependabot %} monitors your `flake.lock` file and opens pull requests when newer commits are available upstream for your flake inputs. {% data variables.product.github %}, GitLab, SourceHut, and plain Git inputs are all supported. Updating pinned refs inside `flake.nix` itself (for example, changing `github:cachix/devenv/v0.5` to a newer tag) is not supported.

{% data variables.product.prodname_dependabot %} does not currently support private repositories for the `nix` ecosystem.

{% endif %}

### NuGet CLI

{% data variables.product.prodname_dependabot %} doesn't run the NuGet CLI but does support most features up until version 6.8.0.

### pip and pip-compile

{% data variables.product.prodname_dependabot %} supports updates to any `.txt` file.

In addition, {% data variables.product.prodname_dependabot %} supports updates to `pyproject.toml` files if they follow the PEP 621 standard.

{% ifversion dependabot-updates-pnpmv9-support %}

{% else %}

### pnpm

pnpm is supported for {% data variables.product.prodname_dependabot_version_updates %} (on v7, v8, v9, v10) and {% data variables.product.prodname_dependabot_security_updates %} (on v7 and v8 only).

{% endif %}

### poetry

The PEP 621 `project` section isn't currently supported for poetry.

{% ifversion dependabot-pre-commit-support %}

### pre-commit

{% data variables.product.prodname_dependabot %} can update hook revisions in `.pre-commit-config.yaml` files. When a hook pins a specific commit SHA, {% data variables.product.prodname_dependabot %} resolves the latest matching tag and updates the `rev` value accordingly.

You can use a `# frozen:` comment after the `rev` value to pin a hook to a particular version or version prefix. {% data variables.product.prodname_dependabot %} uses this comment to determine whether an update is needed and which tag to resolve.

| Scenario | Behavior |
|---|---|
| `rev: <sha> # frozen: 7.3.0` and 7.3.0 is the latest version | No update. The dependency is already current. |
| `rev: <sha> # frozen: 7.3.0` and 8.0.0 has been released | Updated to the SHA for the 8.0.0 tag. The comment is updated to `# frozen: 8.0.0`. |
| `rev: <sha> # frozen: v1` and v1.43.5 is the latest v1.x release | Updated to the SHA for the v1.43.5 tag. The comment is updated to `# frozen: v1.43.5`. |
| `rev: <sha>` with no `# frozen:` comment | Updated to the HEAD SHA of the default branch. |

In addition to updating hook revisions, {% data variables.product.prodname_dependabot %} can update `additional_dependencies` for hooks that use the following languages: Python, Node, Go, Rust, Ruby and Dart.

Private registry support uses git registries. You can configure access for private git repositories by specifying a git registry in your `dependabot.yml` file. For more information, see AUTOTITLE.

> [!NOTE]
> Private registries are not supported for `additional_dependencies`.
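The scenarios in the table above, as an added example rather than files from the original page: a `.pre-commit-config.yaml` with one hook pinned to an exact release, one pinned to a major-version prefix and one with no `# frozen:` comment, followed by the `dependabot.yml` entry that enables the updater. The repository URLs, hook ids and commit SHAs are constructed placeholders.

```yaml
# Added example: .pre-commit-config.yaml (constructed hooks and SHAs)
repos:
  # Exact pin. Dependabot only opens a pull request once a release newer
  # than 7.3.0 exists, and then rewrites both rev and the frozen comment.
  - repo: https://github.com/example-org/example-linter   # hypothetical repo
    rev: 0123456789abcdef0123456789abcdef01234567  # frozen: 7.3.0
    hooks:
      - id: example-linter

  # Prefix pin. Updates stay inside v1.x: rev moves to the newest v1 tag
  # and the comment becomes the full resolved version (e.g. frozen: v1.43.5).
  - repo: https://github.com/example-org/example-formatter   # hypothetical repo
    rev: fedcba9876543210fedcba9876543210fedcba98  # frozen: v1
    hooks:
      - id: example-formatter
        # Python hook (assumed): additional_dependencies are updated too,
        # but only from public sources, since private registries are not
        # supported for additional_dependencies.
        additional_dependencies: ["example-plugin==2.0.0"]

  # No frozen comment: rev is moved to the HEAD SHA of the default branch,
  # so this hook floats rather than tracking releases.
  - repo: https://github.com/example-org/example-checks   # hypothetical repo
    rev: 89abcdef0123456789abcdef0123456789abcdef
    hooks:
      - id: example-check
---
# Added example: dependabot.yml entry that enables the pre-commit updater
version: 2
updates:
  - package-ecosystem: "pre-commit"
    directory: "/"
    schedule:
      interval: "weekly"
```

Pinning by SHA with a `# frozen:` comment is the combination to prefer: the SHA is what pre-commit actually checks out, so a moved or re-pointed tag cannot change which code runs, while the comment lets Dependabot keep the pin current within the range you intended.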

{% endif %}

{% ifversion dependabot-rust-toolchain-support %}

### Rust toolchain

{% data variables.product.prodname_dependabot %} supports automatic updates for Rust toolchain versions defined in `rust-toolchain.toml` and `rust-toolchain` files.

**Supported update patterns**

{% data variables.product.prodname_dependabot %} can update:

* Versioned toolchains such as `channel = "1.xx.yy"` and `channel = "1.xx"`.
* Dated toolchains such as `channel = "nightly-YYYY-MM-DD"` and `channel = "beta-YYYY-MM-DD"`.

{% endif %}

### Swift

Private registry support applies to git registries only. Swift registries are not supported. Non-declarative manifests are not supported. For more information on non-declarative manifests, see Editing Non-Declarative Manifests in the Swift Evolution documentation.

### Terraform

Terraform support includes:

* Modules hosted on Terraform Registry or a publicly reachable Git repository.
* Terraform providers.
* Private Terraform Registry. You can configure access for private git repositories by specifying a git registry in your `dependabot.yml` file. For more information, see git.
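Both the Terraform section above and the Swift section before it rely on a `git` registry for private sources, so this added example (not from the original page) shows a single `dependabot.yml` that declares one private Git host and uses it from a `terraform` entry and a `swift` entry. The hostname, the `/infra` directory, the `x-access-token` username convention and the secret name are assumptions.

```yaml
# Added example: one private Git host shared by Terraform modules and
# Swift package dependencies. The git registry type is the only private
# registry type that applies to Swift, and it is how private Terraform
# module sources are reached as well.
version: 2
registries:
  internal-git:
    type: git
    url: https://git.example.internal
    username: x-access-token            # username convention assumed for the example host
    password: ${{secrets.INTERNAL_GIT_TOKEN}}

updates:
  # Terraform root module (assumed path) that sources modules from the
  # private Git host; providers from the public registry are updated too.
  - package-ecosystem: "terraform"
    directory: "/infra"
    registries:
      - internal-git
    schedule:
      interval: "weekly"

  # Swift package whose Package.swift declares git-hosted dependencies.
  # Swift registries (the registry protocol) are not supported, so only
  # git sources can be served by this configuration.
  - package-ecosystem: "swift"
    directory: "/"
    registries:
      - internal-git
    schedule:
      interval: "weekly"
```

Scope the token stored in `INTERNAL_GIT_TOKEN` to read access on the repositories Dependabot needs; it is used only to fetch tags and manifests, so a write-capable credential here is unnecessary exposure.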

{% ifversion dependabot-vcpkg-support %}

### vcpkg

vcpkg support includes updating the `builtin-baseline` commit SHA from the vcpkg ports repository in your `vcpkg.json` manifest file. For more information, visit the microsoft/vcpkg repository on {% data variables.product.prodname_dotcom_the_website %} and see What is manifest mode? in the Microsoft documentation.

{% endif %}

### yarn

Dependabot supports vendored dependencies for v2 onwards.

{% ifversion dependabot-community-ecosystems %}

### Supported community-maintained ecosystems

{% data reusables.dependabot.community-maintained-intro %}

{% ifversion dependabot-julia-support %}
* Julia - Maintained by the Julia community{% endif %}{% ifversion dependabot-julia-support %}
* OpenTofu - Maintained by the OpenTofu community{% endif %}
* Pub - Maintained by The Dart Community

{% ifversion dependabot-julia-support %}

### Julia

{% data variables.product.prodname_dependabot %} supports Julia projects that include `Project.toml`/`Manifest.toml` files. {% data variables.product.prodname_dependabot %} uses Julia's package manager to resolve and update dependencies.

{% endif %}

{% ifversion dependabot-opentofu-support %}

### OpenTofu

{% data variables.product.prodname_dependabot %} supports updating OpenTofu modules and providers in `.tf` and `.tofu` configuration files, including `terragrunt.hcl` files. If the `.terraform.lock.hcl` lockfile for provider checksums is present, {% data variables.product.prodname_dependabot %} will also update it.

{% endif %}

{% endif %}

### Pub

{% data variables.product.prodname_dependabot %} won't perform an update for pub when the version that it tries to update to is ignored, even if an earlier version is available.

You can use {% data variables.product.prodname_dependabot %} to keep Dart dependencies up-to-date if you use private hosted pub repositories. For information about allowing {% data variables.product.prodname_dependabot %} to access private {% data variables.product.prodname_dotcom %} dependencies, see [Allowing {% data variables.product.prodname_dependabot %} to access private dependencies](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private{% ifversion ghec or ghes %}-or-internal{% endif %}-dependencies).