{"meta":{"title":"Managing dependency updates","intro":"Copilot Chat can help you get set up with Dependabot to streamline dependency updates.","product":"GitHub Copilot","breadcrumbs":[{"href":"/en/copilot","title":"GitHub Copilot"},{"href":"/en/copilot/tutorials","title":"Tutorials"},{"href":"/en/copilot/tutorials/copilot-cookbook","title":"GitHub Copilot Cookbook"},{"href":"/en/copilot/tutorials/copilot-cookbook/analyze-security","title":"Analyze security"},{"href":"/en/copilot/tutorials/copilot-cookbook/analyze-security/manage-dependency-updates","title":"Manage dependency updates"}],"documentType":"article"},"body":"# Managing dependency updates\n\nCopilot Chat can help you get set up with Dependabot to streamline dependency updates.\n\n## Automate dependency updates\n\n### Example scenario\n\nLet's say your project depends on numerous libraries and packages. Vulnerable or outdated dependencies create security risks that can affect your project and others that rely on it.\n\nCopilot Chat can help you get set up with Dependabot security and version updates, so that your dependencies always remain on the most secure and up-to-date versions. See [About Dependabot security updates](/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) and [About Dependabot version updates](/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).\n\nBefore you begin, ensure that Dependabot is fully enabled under your repository's \"Settings.\"\n\n1. Under your \"Code security\" settings, ensure **Dependabot alerts** and **Dependabot security updates** are both set to \"Enabled.\"\n2. Create and commit an empty `.github/dependabot.yml` file to the repository.\n\n### Example prompt\n\nMake sure your repository is attached to the prompt for context.\n\n```copilot copy\nAnalyze the codebase and project structure of this repository. 
Detect all package managers and package ecosystems in use, including their respective locations (e.g., npm, yarn, pip, maven, gradle, composer, github-actions, etc.).\n\nFor each detected ecosystem, create a configuration entry in a single, top-level .github/dependabot.yml file that enables security and version updates on a reasonable schedule. Use the recommended best practices for each ecosystem. Clearly specify the directory for each ecosystem detected. If multiple ecosystems or multiple directories are present, include them all in the configuration.\n\nIn the output, include any notes on the configuration or best practices, as well as next steps that include how to commit the dependabot.yml file to the repository via the GitHub web browser and how to check that Dependabot version updates and Dependabot security updates are enabled.\n```\n\n### Example output\n\nCopilot Chat analyzes your repository and writes the contents of the `dependabot.yml` configuration file for you, which tells Dependabot which dependencies it needs to scan for.\n\n```yaml\nversion: 2\nupdates:\n  # Python (pip)\n  - package-ecosystem: \"pip\"\n    directory: \"/\"                     # Location of requirements.txt\n    schedule:\n      interval: \"weekly\"               # Weekly updates are a good balance for libraries\n      day: \"sunday\"\n      time: \"06:00\"\n      timezone: \"UTC\"\n    open-pull-requests-limit: 5\n    allow:\n      - dependency-type: \"all\"\n    commit-message:\n      prefix: \"pip\"\n    labels:\n      - \"dependencies\"\n      - \"python\"\n    ignore:\n      - dependency-name: \"pip\"         # Ignore pip self-updates\n\n  # GitHub Actions\n  - package-ecosystem: \"github-actions\"\n    directory: \"/\"                     # Looks for workflow files under .github/workflows/\n    schedule:\n      interval: \"weekly\"\n      day: \"sunday\"\n      time: \"06:00\"\n      timezone: \"UTC\"\n    open-pull-requests-limit: 5\n    commit-message:\n      prefix: 
\"actions\"\n    labels:\n      - \"dependencies\"\n      - \"github-actions\"\n```\n\nOnce you've committed the `dependabot.yml` file, Dependabot will begin to open pull requests against your repository whenever a vulnerable or outdated dependency is detected.\n\n## Customize dependency management\n\n### Example scenario\n\nLet's say your team has been using the basic Dependabot configuration for a few months, and you're getting lots of dependency update pull requests. However, you're finding that:\n\n* Pull requests are sitting unreviewed because no one is automatically assigned.\n* You want pull requests to be automatically added to your team's project board via a label.\n* Your CI is getting overwhelmed with too many concurrent dependency pull requests.\n* You're getting updates for development dependencies that don't affect production.\n\nYou want to customize your Dependabot configuration to better fit your team's workflow, such as automatically assigning pull requests to the right team members, adding labels so that pull requests are added to the project board, limiting the number of open pull requests, and focusing only on production dependencies.\n\nCopilot Chat can write an updated `dependabot.yml` that better suits your team's needs.\n\n### Example prompt\n\n```copilot copy\nI want to customize my pull requests for Dependabot security and version updates, so that:\n\n* Pull requests are automatically assigned to the team \"octocat-reviewers.\"\n* The label \"security-management\" is automatically added to every pull request.\n* The number of open Dependabot PRs is limited.\n* Development dependencies are ignored.\n\nDraft an update to the dependabot.yml file in my repository that specifies these customization options.\n```\n\n> \\[!TIP]\n>\n> * There are many customization options to explore. 
For more information, see [Customizing pull requests for Dependabot security updates](/en/code-security/dependabot/dependabot-security-updates/customizing-dependabot-security-prs) and [Customizing Dependabot pull requests to fit your processes](/en/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs).\n> * You can specify different customizations per package ecosystem.\n\n### Example output\n\n```yaml\nversion: 2\nupdates:\n  # Python (pip)\n  - package-ecosystem: \"pip\"\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n      day: \"sunday\"\n      time: \"06:00\"\n      timezone: \"UTC\"\n    open-pull-requests-limit: 5\n    allow:\n      - dependency-type: \"production\"     # Ignore development dependencies\n    assignees:\n      - \"octocat-reviewers\"               # Assign PRs to the team\n    labels:\n      - \"dependencies\"\n      - \"security-management\"             # Custom label for all PRs\n      - \"python\"\n    commit-message:\n      prefix: \"pip\"\n    ignore:\n      - dependency-name: \"pip\"\n```"}