| title | intro | redirect_from | versions | type | topics | shortTitle | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Managing pull requests for dependency updates |
You manage pull requests raised by {% data variables.product.prodname_dependabot %} in much the same way as other pull requests, but there are some extra options. |
|
|
how_to |
|
Manage Dependabot PRs |
{% data reusables.dependabot.enterprise-enable-dependabot %}
{% data reusables.dependabot.pull-request-introduction %}
When {% data variables.product.prodname_dependabot %} raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. {% ifversion fpt or ghec %}In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see "AUTOTITLE."{% endif %}
If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific reviewers, assignees, and labels. {% ifversion dependabot-version-updates-groups %} You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request.{% endif %} For more information, see "AUTOTITLE{% ifversion dependabot-grouped-security-updates-config %}" and "AUTOTITLE."{% else %}" and "AUTOTITLE."{% endif %}
{% ifversion dependabot-updates-paused %}
{% note %}
Note: If you don't interact with {% data variables.product.prodname_dependabot %} pull requests for a repository during a 90-day time period, {% data variables.product.prodname_dependabot %} considers your repository as inactive, and will automatically pause {% data variables.product.prodname_dependabot_updates %}. For more information about inactivity criteria, see "AUTOTITLE" and "AUTOTITLE."
{% endnote %}
{% endif %}
{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-pr %}
- Any pull requests for security or version updates are easy to identify.
- The author is {% ifversion fpt or ghec %}dependabot{% else %}dependabot{% endif %}, the bot account used by {% data variables.product.prodname_dependabot %}.
- By default, they have the
dependencieslabel.
By default, {% data variables.product.prodname_dependabot %} automatically rebases pull requests to resolve any conflicts. {% ifversion dependabot-updates-rebase-30-days-cutoff %}{% data reusables.dependabot.pull-requests-30-days-cutoff %}{% endif %} If you'd prefer to handle merge conflicts manually, you can disable this using the rebase-strategy option. For details, see "AUTOTITLE."
Allowing {% data variables.product.prodname_dependabot %} to rebase and force push over extra commits
By default, {% data variables.product.prodname_dependabot %} will stop rebasing a pull request once extra commits have been pushed to it. To allow {% data variables.product.prodname_dependabot %} to force push over commits added to its branches, include any of the following strings: [dependabot skip] , [skip dependabot], [dependabot-skip], or [skip-dependabot], in either lower or uppercase, to the commit message.
{% data variables.product.prodname_dependabot %} responds to simple commands in comments. Each pull request contains details of the commands you can use to process the pull request (for example: to merge, squash, reopen, close, or rebase the pull request) under the "{% data variables.product.prodname_dependabot %} commands and options" section. The aim is to make it as easy as possible for you to triage these automatically generated pull requests.
You can use any of the following commands on a {% data variables.product.prodname_dependabot %} pull request.
@dependabot cancel mergecancels a previously requested merge.@dependabot closecloses the pull request and prevents {% data variables.product.prodname_dependabot %} from recreating that pull request. You can achieve the same result by closing the pull request manually.@dependabot ignore this dependencycloses the pull request and prevents {% data variables.product.prodname_dependabot %} from creating any more pull requests for this dependency (unless you reopen the pull request or upgrade to the suggested version of the dependency yourself).@dependabot ignore this major versioncloses the pull request and prevents {% data variables.product.prodname_dependabot %} from creating any more pull requests for this major version (unless you reopen the pull request or upgrade to this major version yourself).@dependabot ignore this minor versioncloses the pull request and prevents {% data variables.product.prodname_dependabot %} from creating any more pull requests for this minor version (unless you reopen the pull request or upgrade to this minor version yourself).@dependabot ignore this patch versioncloses the pull request and prevents {% data variables.product.prodname_dependabot %} from creating any more pull requests for this patch version (unless you reopen the pull request or upgrade to this patch version yourself).@dependabot mergemerges the pull request once your CI tests have passed.@dependabot rebaserebases the pull request.@dependabot recreaterecreates the pull request, overwriting any edits that have been made to the pull request.@dependabot reopenreopens the pull request if the pull request is closed.{% ifversion dependabot-version-updates-groups %}@dependabot show DEPENDENCY_NAME ignore conditionsretrieves information on the ignore conditions for the specified dependency, and comments on the pull request with a table that displays all ignore conditions for the dependency. For example,@dependabot show express ignore conditionswould find allignoreconditions stored for the Express dependency, and comment on the pull request with that information.{% endif %}@dependabot squash and mergesquashes and merges the pull request once your CI tests have passed.
{% data variables.product.prodname_dependabot %} will react with a "thumbs up" emoji to acknowledge the command, and may respond with a comment on the pull request. While {% data variables.product.prodname_dependabot %} usually responds quickly, some commands may take several minutes to complete if {% data variables.product.prodname_dependabot %} is busy processing other updates or commands.
If you run any of the commands for ignoring dependencies or versions, {% data variables.product.prodname_dependabot %} stores the preferences for the repository centrally. While this is a quick solution, for repositories with more than one contributor it is better to explicitly define the dependencies and versions to ignore in the configuration file. This makes it easy for all contributors to see why a particular dependency isn't being updated automatically.
For more information, see "AUTOTITLE."
{% ifversion dependabot-grouped-security-updates-config %}
Managing {% data variables.product.prodname_dependabot %} pull requests for grouped updates with comment commands
In {% data variables.product.prodname_dependabot %} pull requests for grouped version updates and security updates, you can use comment commands to ignore and un-ignore updates for specific dependencies and versions. You can use any of the following commands to manage ignore conditions for grouped updates.
@dependabot ignore DEPENDENCY_NAMEcloses the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency.@dependabot ignore DEPENDENCY_NAME major versioncloses the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's major version.@dependabot ignore DEPENDENCY_NAME minor versioncloses the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's minor version.@dependabot ignore DEPENDENCY_NAME patch versioncloses the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's patch version.@dependabot unignore *closes the current pull request, clears allignoreconditions stored for all dependencies in the group, then opens a new pull request.@dependabot unignore DEPENDENCY_NAMEcloses the current pull request, clears allignoreconditions stored for the dependency, then opens a new pull request that includes available updates for the specified dependency. For example,@dependabot unignore lodashwould open a new pull request that includes updates for the Lodash dependency.@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITIONcloses the current pull request, clears the storedignorecondition, then opens a new pull request that includes available updates for the specified ignore condition. For example,@dependabot unignore express [< 1.9, > 1.8.0]would open a new pull request that includes updates for Express between versions 1.8.0 and 1.9.0.
{% note %}
Tip: When you want to un-ignore a specific ignore condition, use the @dependabot show DEPENDENCY_NAME ignore conditions command to quickly check what ignore conditions a dependency currently has.
{% endnote %}
{% elsif dependabot-version-updates-groups %}
Managing {% data variables.product.prodname_dependabot %} pull requests for grouped version updates with comment commands
In {% data variables.product.prodname_dependabot %} pull requests for grouped version updates, you can use comment commands to ignore and un-ignore updates for specific dependencies and versions. You can use any of the following commands to manage ignore conditions for grouped version updates.
{% note %}
Note: The following comment commands do not work for grouped {% data variables.product.prodname_dependabot_security_updates %}.
{% endnote %}
@dependabot ignore DEPENDENCY_NAMEcloses the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency.@dependabot ignore DEPENDENCY_NAME major versioncloses the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's major version.@dependabot ignore DEPENDENCY_NAME minor versioncloses the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's minor version.@dependabot ignore DEPENDENCY_NAME patch versioncloses the pull request and prevents {% data variables.product.prodname_dependabot %} from updating this dependency's patch version.@dependabot unignore *closes the current pull request, clears allignoreconditions stored for all dependencies in the group, then opens a new pull request.@dependabot unignore DEPENDENCY_NAMEcloses the current pull request, clears allignoreconditions stored for the dependency, then opens a new pull request that includes available version updates for the specified dependency. For example,@dependabot unignore lodashwould open a new pull request that includes version updates for the Lodash dependency.@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITIONcloses the current pull request, clears the storedignorecondition, then opens a new pull request that includes available version updates for the specified ignore condition. For example,@dependabot unignore express [< 1.9, > 1.8.0]would open a new pull request that includes version updates for Express between versions 1.8.0 and 1.9.0.
{% note %}
Tip: When you want to un-ignore a specific ignore condition, use the @dependabot show DEPENDENCY_NAME ignore conditions command to quickly check what ignore conditions a dependency currently has.
{% endnote %} {% endif %}