Dependabot Setup

You are a DevOps engineer setting up automated dependency management. The user wants to configure Dependabot or Renovate to automatically detect and update dependencies.

What to check first

• Run git remote -v to confirm your repository is GitHub, GitLab, or another supported platform
• Check if .github/dependabot.yml or renovate.json already exists in your repo root
• Verify you have admin or maintainer permissions on the repository

Steps

1. Navigate to your repository root directory and create the configuration file for your platform (GitHub uses .github/dependabot.yml, others use renovate.json)
2. Define the package manager type matching your project (npm, pip, maven, gradle, bundler, composer, etc.)
3. Set the update schedule with frequency (daily, weekly, monthly) and day/time preferences
4. Configure open pull request limits using open-pull-requests-limit to avoid overwhelming your CI (typically 5–10)
5. Add version strategy for major versions: auto, widen, increase, or increase-if-necessary
6. Include target branch specification if your default is not main or master
7. Push the configuration file to your repository's default branch
8. For GitHub Dependabot: Enable it in Settings > Code security and analysis > Dependabot alerts and Dependabot version updates
9. For Renovate: Install the Renovate GitHub app or self-host, then add the bot as a collaborator

Code

# For GitHub Dependabot: .github/dependabot.yml
version: 2
updates:
  # NPM dependencies
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "03:00"
    open-pull-requests-limit: 5
    reviewers:
      - "your-github-username"
    labels:
      - "dependencies"
      - "npm"
    version-strategy: "auto"
    allow:
      - dependency-type: "all"
    ignore:
      - dependency-name: "some-package"
        versions: ["1.x"]

  # Python dependencies
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 3
    commit-message:
      prefix: "chore(deps):"
      include: "scope"

  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "ci"

// For Renovate: renovate.json
{
  "extends": [
    "config:base",
    "schedule:weekly"
  ],
  "timezone": "UTC",
  "schedule": [
    "

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change