Run any Skill in Manus with one click

dependabot

Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests, configuring dependency update strategies, setting up grouped updates, monorepo patterns, multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub Advanced Security (GHAS) supply chain security topic related to Dependabot. For pre-commit dependency vulnerability scanning in AI coding agents via the GitHub MCP Server, this skill references the Advanced Security plugin (`advanced-security@copilot-plugins`). Use this skill when an agent needs to scan dependencies for known vulnerabilities before committing.

Run Skill in Manus

Stars35,142

Forks4,335

UpdatedJune 15, 2026 at 00:56

Source

github

github/awesome-copilot

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

File Explorer

4 files

SKILL.md

readonly

More from this repository

same repository

setup-my-iq

github/awesome-copilot

Create, set up, or update the personal context portfolio: structured markdown files describing who you are, how you work, your teams, and your tool/ADO configuration. Runs the interview workflow for first-time setup and targeted edits for updates. Trigger this skill when the user asks to: set up their context, create or update their context portfolio, "create my IQ", "set up my IQ", edit their profile, add/remove a stakeholder, update ADO config, change team info, update pillars, or set up any plugin configuration. Trigger when another skill fails to find context (missing files or TODO markers) and needs context populated. Also trigger when the user mentions a context change in passing (e.g., "my manager changed", "we added someone to the team") to offer a context file update. Do NOT trigger for read-only questions like "who's on my team?" or "what's my ADO config?". Those are answered directly from the context files referenced in the loaded custom instructions; no skill is needed.

2026-06-1635.1k

harness-engineering

github/awesome-copilot

Adopt repository-level harness engineering for coding agents. Use when a user wants to prevent repeated AI coding-agent mistakes by turning failures into durable instructions, drift checks, regression tests, failure memory, and adoption reports tailored to the target repository.

2026-06-1635.1k

github-actions-hardening

github/awesome-copilot

Security hardening reviewer for GitHub Actions workflow files (.github/workflows/*.yml). Reasons about the Actions threat model that pattern matchers and general code linters miss — untrusted-input script injection, privileged triggers running fork code, mutable action references, and over-scoped tokens. Use this skill when asked to review, audit, harden, or secure a GitHub Actions workflow, when writing a new workflow, or for any request like "is this workflow safe?", "review my CI for security issues", "why is pull_request_target dangerous here?", "pin my actions", or "lock down GITHUB_TOKEN permissions". Covers script injection via ${{ }} interpolation, pull_request_target / workflow_run privilege escalation, SHA-pinning of third-party actions, least-privilege permissions, GITHUB_ENV/GITHUB_OUTPUT injection, secret exposure, OIDC over long-lived credentials, and self-hosted runner exposure on public repositories.

2026-06-1635.1k

x-twitter-scraper

github/awesome-copilot

Build GitHub Copilot workflows with Xquik X API SDKs, REST endpoints, MCP tools, signed webhooks, tweet search, user lookup, follower exports, media actions, and agent automation.

2026-06-1635.1k

lsp-setup

github/awesome-copilot

Enable code intelligence (go-to-definition, find-references, hover, type info) for any programming language by installing and configuring an LSP server for Copilot CLI. Detects the OS, installs the right server, and generates the JSON configuration (user-level or repo-level). Use when you need deeper code understanding and no LSP server is configured, or when the user asks to set up, install, or configure an LSP server.

2026-06-1535.1k

react-container-presentation-component

github/awesome-copilot

Create a React component using the Container/Presentation pattern in src/components by asking for the component name and type (ui or features), then scaffold files that follow this repository's TypeScript, Storybook, and SCSS conventions. Use when the user explicitly asks for a Container/Presentation-based component or runs /react-container-presentation-component.

2026-06-1535.1k

name

dependabot

description

Dependabot Configuration & Management

Overview

Dependabot is GitHub's built-in dependency management tool with three core capabilities:

Dependabot Alerts — Notify when dependencies have known vulnerabilities (CVEs)
Dependabot Security Updates — Auto-create PRs to fix vulnerable dependencies
Dependabot Version Updates — Auto-create PRs to keep dependencies current

All configuration lives in a single file: .github/dependabot.yml on the default branch. GitHub does not support multiple dependabot.yml files per repository.

Configuration Workflow

Follow this process when creating or optimizing a dependabot.yml:

Step 1: Detect All Ecosystems

Scan the repository for dependency manifests. Look for:

Ecosystem	YAML Value	Manifest Files
npm/pnpm/yarn	`npm`	`package.json`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`
pip/pipenv/poetry	`pip`	`requirements.txt`, `Pipfile`, `pyproject.toml`, `setup.py`
uv	`uv`	`pyproject.toml`, `uv.lock`
Docker	`docker`	`Dockerfile`
Docker Compose	`docker-compose`	`docker-compose.yml`
GitHub Actions	`github-actions`	`.github/workflows/*.yml`
Go modules	`gomod`	`go.mod`
Bundler (Ruby)	`bundler`	`Gemfile`
Cargo (Rust)	`cargo`	`Cargo.toml`
Composer (PHP)	`composer`	`composer.json`
NuGet (.NET)	`nuget`	`*.csproj`, `packages.config`
.NET SDK	`dotnet-sdk`	`global.json`
Maven (Java)	`maven`	`pom.xml`
Gradle (Java)	`gradle`	`build.gradle`
Terraform	`terraform`	`*.tf`
OpenTofu	`opentofu`	`*.tf`
Helm	`helm`	`Chart.yaml`
Hex (Elixir)	`mix`	`mix.exs`
Swift	`swift`	`Package.swift`
Pub (Dart)	`pub`	`pubspec.yaml`
Bun	`bun`	`bun.lockb`
Dev Containers	`devcontainers`	`devcontainer.json`
Git Submodules	`gitsubmodule`	`.gitmodules`
Pre-commit	`pre-commit`	`.pre-commit-config.yaml`

Notes:

pnpm and yarn both use the npm ecosystem value.
Prefer uv ecosystem value when uv.lock is present; otherwise use pip.

Step 2: Map Directory Locations

For each ecosystem, identify where manifests live. Use directories (plural) with glob patterns for monorepos:

directories:
  - "/"           # root
  - "/apps/*"     # all app subdirs
  - "/packages/*" # all package subdirs
  - "/lib-*"      # dirs starting with lib-
  - "**/*"        # recursive (all subdirs)

Important: directory (singular) does NOT support globs. Use directories (plural) for wildcards.

Step 3: Configure Each Ecosystem Entry

Every entry needs at minimum:

- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"

Step 4: Optimize with Grouping, Labels, and Scheduling

See sections below for each optimization technique.

Monorepo Strategies

Glob Patterns for Workspace Coverage

For monorepos with many packages, use glob patterns to avoid listing each directory:

- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"

Cross-Directory Grouping

Use group-by: dependency-name to create a single PR when the same dependency updates across multiple directories:

groups:
  monorepo-deps:
    group-by: dependency-name

This creates one PR per dependency across all specified directories, reducing CI costs and review burden.

Limitations:

All directories must use the same package ecosystem
Applies to version updates only
Incompatible version constraints create separate PRs

Standalone Packages Outside Workspaces

If a directory has its own lockfile and is NOT part of the workspace (e.g., scripts in .github/), create a separate ecosystem entry for it.

Dependency Grouping

Reduce PR noise by grouping related dependencies into single PRs.

By Dependency Type

groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]

By Name Pattern

groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]

For Security Updates

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Key behaviors:

Dependencies matching multiple groups go to the first match
applies-to defaults to version-updates when absent
Ungrouped dependencies get individual PRs

Multi-Ecosystem Groups

Combine updates across different package ecosystems into a single PR:

version: 2

multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]

updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"

  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"

The patterns key is required when using multi-ecosystem-group.

PR Customization

Labels

labels:
  - "dependencies"
  - "npm"

Set labels: [] to disable all labels including defaults. SemVer labels (major, minor, patch) are always applied if present in the repo.

Commit Messages

commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope"  # adds deps/deps-dev scope after prefix

Assignees and Milestones

assignees: ["security-team-lead"]
milestone: 4  # numeric ID from milestone URL

Branch Name Separator

pull-request-branch-name:
  separator: "-"  # default is /

Target Branch

target-branch: "develop"  # PRs target this instead of default branch

Note: When target-branch is set, security updates still target the default branch; all ecosystem config only applies to version updates.

Schedule Optimization

Intervals

Supported: daily, weekly, monthly, quarterly, semiannually, yearly, cron

schedule:
  interval: "weekly"
  day: "monday"         # for weekly only
  time: "09:00"         # HH:MM format
  timezone: "America/New_York"

Cron Expressions

schedule:
  interval: "cron"
  cronjob: "0 9 * * 1"  # Every Monday at 9 AM

Cooldown Periods

Delay updates for newly released versions to avoid early-adopter issues:

cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]

Cooldown applies to version updates only, not security updates.

Security Updates Configuration

Enable via Repository Settings

Settings → Advanced Security → Enable Dependabot alerts, security updates, and grouped security updates.

Group Security Updates in YAML

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Disable Version Updates (Security Only)

open-pull-requests-limit: 0  # disables version update PRs

Auto-Triage Rules

GitHub presets auto-dismiss low-impact alerts for development dependencies. Custom rules can filter by severity, package name, CWE, and more. Configure in repository Settings → Advanced Security.

PR Comment Commands

Interact with Dependabot PRs using @dependabot comments.

Note: As of January 2026, merge/close/reopen commands have been deprecated. Use GitHub's native UI, CLI (gh pr merge), or auto-merge instead.

Command	Effect
`@dependabot rebase`	Rebase the PR
`@dependabot recreate`	Recreate the PR from scratch
`@dependabot ignore this dependency`	Close and never update this dependency
`@dependabot ignore this major version`	Ignore this major version
`@dependabot ignore this minor version`	Ignore this minor version
`@dependabot ignore this patch version`	Ignore this patch version

For grouped PRs, additional commands:

@dependabot ignore DEPENDENCY_NAME — ignore specific dependency in group
@dependabot unignore DEPENDENCY_NAME — clear ignores, reopen with updates
@dependabot unignore * — clear all ignores for all dependencies in group
@dependabot show DEPENDENCY_NAME ignore conditions — display current ignores

For the complete command reference, see references/pr-commands.md.

Ignore and Allow Rules

Ignore Specific Dependencies

ignore:
  - dependency-name: "lodash"
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "express"
    versions: ["5.x"]

Allow Only Specific Types

allow:
  - dependency-type: "production"
  - dependency-name: "express"

Rule: If a dependency matches both allow and ignore, it is ignored.

Exclude Paths

exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"

Advanced Options

Versioning Strategy

Controls how Dependabot edits version constraints:

Value	Behavior
`auto`	Default — increase for apps, widen for libraries
`increase`	Always increase minimum version
`increase-if-necessary`	Only change if current range excludes new version
`lockfile-only`	Only update lockfiles, ignore manifests
`widen`	Widen range to include both old and new versions

Rebase Strategy

rebase-strategy: "disabled"  # stop auto-rebasing

Allow rebase over extra commits by including [dependabot skip] in commit messages.

Open PR Limit

open-pull-requests-limit: 10  # default is 5 for version, 10 for security

Set to 0 to disable version updates entirely.

Private Registries

registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private

FAQ

Can I have multiple dependabot.yml files? No. GitHub supports exactly one file at .github/dependabot.yml. Use multiple updates entries within that file for different ecosystems and directories.

Does Dependabot support pnpm? Yes. Use package-ecosystem: "npm" — Dependabot detects pnpm-lock.yaml automatically.

How do I reduce PR noise in a monorepo? Use groups to batch updates, directories with globs for coverage, and group-by: dependency-name for cross-directory grouping. Consider monthly or quarterly intervals for low-priority ecosystems.

How do I handle dependencies outside the workspace? Create a separate ecosystem entry with its own directory pointing to that location.

Pre-Commit Dependency Scanning via AI Coding Agents

For scanning code changes for vulnerable dependencies inside an AI coding agent before committing, the GitHub MCP Server's dependabot toolset can check your dependency additions against the GitHub Advisory Database and return structured results with affected packages, severity, and recommended fixed versions. For more thorough post-commit checks, it can also run the Dependabot CLI locally to diff dependency graphs before and after your changes.

Install the Advanced Security plugin which provides dedicated dependency scanning tools and the /dependency-scanning skill.

GitHub Copilot CLI (shell):

# Enable the dependabot toolset for the GitHub MCP Server
copilot --add-github-mcp-toolset dependabot

GitHub Copilot CLI (inside copilot):

> /plugin install advanced-security@copilot-plugins

Visual Studio Code:

Add "X-MCP-Toolsets": "dependabot" to your GitHub MCP Server headers, or pick Dependabot from the toolset selector in Copilot Chat
Install the advanced-security plugin, then use /dependency-scanning in Copilot Chat

Example prompt:

Scan the dependencies I added on this branch for known vulnerabilities and tell me which versions to upgrade to before I commit.

See: Advanced Security Plugin — Dependency Scanning Skill

Announced in Dependency scanning with GitHub MCP Server is in public preview (May 2026)

Resources

references/dependabot-yml-reference.md — Complete YAML options reference
references/pr-commands.md — Full PR comment commands reference
references/example-configs.md — Real-world configuration examples