In one sentence
Dependabot is GitHub's official bot that monitors your repository's dependencies.
When a vulnerability is found, it raises an alert and, when possible, automatically opens a fix PR. It also keeps stale dependencies regularly updated to newer versions.
Alerts vs Updates: what's the difference?
Dependabot has 3 distinct features. They're often confused, but they serve different purposes.
| Feature | What does it do? | Trigger | Output |
|---|---|---|---|
| Security alerts | Notifies you of vulnerabilities in existing dependencies | When a new CVE is added to the GitHub Advisory Database | Security tab + email |
| Security updates | Automatically opens a PR to fix the vulnerability | When an alert fires (automatically) | PR (bumps vulnerable dep to fixed version) |
| Version updates | Opens PRs to keep up with new versions regardless of vulnerability | Schedule defined in config file (daily / weekly) | PR (old -> latest) |
Note: Alerts = detection only; Updates = creates fix PRs. Security updates are layered on top of Alerts: they won't run without Alerts enabled.
The role of the dependency graph
All of Dependabot's decisions start from the dependency graph.
- Parses manifests and lock files: reads dependency definitions from package-lock.json, requirements.txt, go.mod, pom.xml, Gemfile.lock, and more
- Resolves both direct and transitive dependencies: even if you don't directly depend on lodash, it's tracked if a dependency pulls it in
- Cross-references the GitHub Advisory Database: matches detected dependencies against published CVEs to identify vulnerabilities
- Supported ecosystems: npm, pip, Maven, NuGet, Composer, Bundler, Go modules, Cargo, Gradle, Hex, Pub, Docker, GitHub Actions, and more
Note: The Advisory Database aggregates vulnerability data from GitHub, the community, and MITRE's CVE feeds.
Getting started (fastest path)
Step 1: Enable security alerts / updates
Repo -> Settings -> Code security, then turn on, in order:
- Dependency graph
- Dependabot alerts
- Dependabot security updates
Just check three boxes. No config file needed; it starts working immediately.
Step 2: Add .github/dependabot.yml if you want version updates
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```
- Specify the ecosystem with package-ecosystem
- interval: daily / weekly / monthly
- Use groups to batch multiple packages into a single PR, or ignore to exclude specific packages
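An extended .github/dependabot.yml, added here as an example (not from the original page), showing the groups and ignore options mentioned above; the eslint pattern and the express major-version pin are illustrative placeholders.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap concurrent version-update PRs so the queue stays reviewable
    open-pull-requests-limit: 10
    # Batch related packages into one PR instead of one PR per package
    groups:
      eslint-tooling:              # placeholder group name
        patterns:
          - "eslint*"
          - "@typescript-eslint/*"
      production-minor-patch:
        dependency-type: "production"
        update-types:
          - "minor"
          - "patch"
    # Skip major bumps of a framework that needs a planned migration
    # (security updates are not affected by ignore rules on version updates)
    ignore:
      - dependency-name: "express"   # placeholder dependency
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

Major versions of the ignored package still surface through Dependabot alerts if a CVE is published; ignore only suppresses the scheduled version-update PR.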
Step 3: Enable for the whole Org / Enterprise
From Org -> Settings -> Code security, use default settings to apply to all repositories at once.
Eligibility and pricing
| Feature | Public repo | Private repo (Personal / Free) | Private repo (Team / Enterprise) |
|---|---|---|---|
| Dependency graph | On by default | Free (opt-in) | Free |
| Dependabot alerts | Free | Free | Free |
| Dependabot security updates | Free | Free | Free |
| Dependabot version updates | Free | Free | Free |
Dependabot itself is completely free on every plan. No GitHub Advanced Security license required.
Note: Version update Dependabot jobs run on GitHub-hosted runners: free for public repos; private repos consume the standard Actions free tier (pay-as-you-go when exceeded).