[EDI] Concepts article on Dependabot PRs (#59265)

isaacmbrown · sabrowning1 · Copilot · web-flow · commit 0793333ff03e · 2026-01-26T15:40:02.000Z
Co-authored-by: Sam Browning &lt;106113886+sabrowning1@users.noreply.github.com&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/content/code-security/concepts/supply-chain-security/about-dependabot-pull-requests.md b/content/code-security/concepts/supply-chain-security/about-dependabot-pull-requests.md
@@ -0,0 +1,42 @@
+---
+title: About Dependabot pull requests
+intro: 'Understand the frequency and customization options of pull requests for version and security updates.'
+shortTitle: Dependabot pull requests
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
+contentType: concepts
+---
+
+## Pull requests for security updates
+
+If you've enabled security updates, pull requests for security updates are triggered by a {% data variables.product.prodname_dependabot %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency.
+
+Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository.
+
+When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates).
+
+{% data reusables.dependabot.automated-tests-note %}
+
+### Customizing pull requests for security updates
+
+You can customize how {% data variables.product.prodname_dependabot %} raises pull requests for security updates, so that they best fit your project's security priorities and processes. For example:
+* **Optimize {% data variables.product.prodname_dependabot %} pull requests to prioritize meaningful updates** by grouping multiple updates into a single pull request.
+* Apply custom labels to **integrate {% data variables.product.prodname_dependabot %}'s pull requests** into your existing workflows.
+
+Similar to version updates, customization options for security updates are defined in the `dependabot.yml` file. If you have already customized the `dependabot.yml` for version updates, then many of the configuration options that you have defined could automatically apply to security updates, too. However, there are a couple of important points to note:
+* {% data variables.product.prodname_dependabot_security_updates %} are **always triggered by a security advisory**, rather than running according to the `schedule` you have set in the `dependabot.yml` for version updates.
+* {% data variables.product.prodname_dependabot %} raises pull requests for security updates against the **default branch only**. If your configuration sets a value for `target-branch`, then the customization for that package ecosystem will only apply to version updates by default.
+
+For more information, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs).
+
+## Pull requests for version updates
+
+For version updates, you specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly.
+
+{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).
+
+## Commands for {% data variables.product.prodname_dependabot %} pull requests
+
+{% data variables.product.prodname_dependabot %} responds to simple commands in comments. Each pull request contains details of the commands you can use to process the pull request (for example: to merge, squash, reopen, close, or rebase the pull request) under the "{% data variables.product.prodname_dependabot %} commands and options" section. The aim is to make it as easy as possible for you to triage these automatically generated pull requests. For more information, see [AUTOTITLE](/code-security/reference/supply-chain-security/dependabot-pull-request-comment-commands).
diff --git a/content/code-security/concepts/supply-chain-security/about-dependabot-security-updates.md b/content/code-security/concepts/supply-chain-security/about-dependabot-security-updates.md
@@ -65,14 +65,6 @@ If you enable _{% data variables.product.prodname_dependabot_security_updates %}
 
 {% data reusables.dependabot.dependabot-actions-support %}
 
-## About pull requests for security updates
-
-Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository.
-
-When you merge a pull request that contains a security update, the corresponding {% data variables.product.prodname_dependabot %} alert is marked as resolved for your repository. For more information about {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates).
-
-{% data reusables.dependabot.automated-tests-note %}
-
 ## About grouped security updates
 
 To further reduce the number of pull requests you may be seeing, you can enable grouped security updates to group sets of dependencies together (per package ecosystem). {% data variables.product.prodname_dependabot %} then raises a single pull request to update as many vulnerable dependencies as possible in the group to secure versions at the same time.
diff --git a/content/code-security/concepts/supply-chain-security/about-dependabot-version-updates.md b/content/code-security/concepts/supply-chain-security/about-dependabot-version-updates.md
@@ -62,16 +62,6 @@ For each action in the file, {% data variables.product.prodname_dependabot %} ch
 
 To enable this feature, see [AUTOTITLE](/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/keeping-your-actions-up-to-date-with-dependabot).
 
-## Frequency of {% data variables.product.prodname_dependabot %} pull requests
-
-You specify how often to check each ecosystem for new versions in the configuration file: daily, weekly, or monthly.
-
-{% data reusables.dependabot.initial-updates %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates).
-
-If you've enabled security updates, you'll sometimes see extra pull requests for security updates. These are triggered by a {% data variables.product.prodname_dependabot %} alert for a dependency on your default branch. {% data variables.product.prodname_dependabot %} automatically raises a pull request to update the vulnerable dependency.
-
-{% data reusables.dependabot.version-updates-skip-scheduled-runs %}
-
 ## About automatic deactivation of {% data variables.product.prodname_dependabot_updates %}
 
 {% data reusables.dependabot.automatic-deactivation-link %}
diff --git a/content/code-security/concepts/supply-chain-security/index.md b/content/code-security/concepts/supply-chain-security/index.md
@@ -16,6 +16,7 @@ children:
   - about-dependabot-alerts
   - about-dependabot-security-updates
   - about-dependabot-version-updates
+  - about-dependabot-pull-requests
   - about-the-dependabot-yml-file
   - about-dependabot-auto-triage-rules
   - about-dependabot-on-github-actions-runners
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/customizing-dependabot-security-prs.md
@@ -19,20 +19,13 @@ redirect_from:
 contentType: how-tos
 ---
 
-## About customizing pull requests for security updates
-
-You can customize how {% data variables.product.prodname_dependabot %} raises pull requests for security updates, so that they best fit your project's security priorities and processes. For example:
-* **Optimize {% data variables.product.prodname_dependabot %} pull requests to prioritize meaningful updates** by grouping multiple updates into a single pull request.
-* Applying custom labels to **integrate {% data variables.product.prodname_dependabot %}'s pull requests** into your existing workflows.
-
-Similar to version updates, customization options for security updates are defined in the `dependabot.yml` file. If you have already customized the `dependabot.yml` for version updates, then many of the configuration options that you have defined could automatically apply to security updates, too. However, there's a couple of important points to note:
-* {% data variables.product.prodname_dependabot_security_updates %} are **always triggered by a security advisory**, rather than running according to the `schedule` you have set in the `dependabot.yml` for version updates.
-* {% data variables.product.prodname_dependabot %} raises pull requests for security updates against the **default branch only**. If your configuration sets a value for `target-branch`, then the customization for that package ecosystem will only apply to version updates by default.
+## Preparing to customize pull requests
 
 If you haven't yet configured a `dependabot.yml` file for your repository and you want to customize pull requests for security updates, you must first:
-* Check in a `dependabot.yml` file into the `.github` directory of your repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates).
-* Set all the required keys. For more information, see [Required keys](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#required-keys).
-* If you want the customization for a package ecosystem to **only apply to security updates** (and exclude version updates), set the `open-pull-requests-limit` key to `0`.
+
+1. Check in a `dependabot.yml` file into the `.github` directory of your repository. For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates).
+1. Set all the required keys. For more information, see [Required keys](/code-security/dependabot/working-with-dependabot/dependabot-options-reference#required-keys).
+1. If you want the customization for a package ecosystem to **only apply to security updates** (and exclude version updates), set the `open-pull-requests-limit` key to `0`.
 
 You can then consider what your needs and priorities are for security updates, and apply a combination of the customization options outlined below.
 
