Dependabot helps you keep your dependencies secure and up to date. It works with most popular languages - you can see full details of the languages we support here.

Each day:

  • Dependabot will scan your dependency files, looking for outdated requirements.
  • If any of your dependencies are out of date, Dependabot will open pull requests to bump each one, including changelog links and release notes.
  • You check the linked changelog and release notes, and hit merge.

Dependabot is owned and maintained by GitHub. Dependabot Preview is a public beta for functionality that we are integrating directly into GitHub.

Great PRs that stay up-to-date

Dependabot pull requests include release notes, changelogs and commit links whenever they're available. They'll also automatically keep themselves conflict-free.

Compatibility scores for each update

Dependabot aggregates everyone's test results into a compatibility score, so you can be certain a dependency update is backwards compatible and bug-free.

Security advisories handled automatically

Dependabot monitors security advisories for Ruby, JavaScript, PHP, Java, .NET, Python, Elixir and Rust. We create PRs immediately in response to new advisories.

Simple getting started flow

We'll update five of your dependencies each day, until you're on the cutting edge. Request more PRs if you want, or close them to ignore a dependency until the next release.

Automatic merge options

Dependabot can be configured to automatically merge PRs if your tests pass on them, based on the size of the change (patch/minor/major) and the dependency type.


Dependabot Preview is owned and operated by GitHub with separate terms of service, privacy policy, and support documentation.

