Dependabot version updates

You can use Dependabot to keep the packages you use updated to the latest versions.

¿Quién puede utilizar esta característica?

Dependabot version updates está disponible para los repositorios siguientes:

  • Todos los repositorios de GitHub

En este artículo

About Dependabot version updates

Dependabot takes the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on.

Cuando Dependabot genera solicitudes de incorporación de cambios, pueden ser para actualizaciones de seguridad o de versión:

  • Dependabot security updates son solicitudes de incorporación de cambios automatizadas que ayudan a actualizar las dependencias con vulnerabilidades conocidas.
  • Dependabot version updates son solicitudes de incorporación de cambios automatizadas que mantienen actualizadas las dependencias, incluso cuando no tienen ninguna vulnerabilidad. Para verificar el estado de las actualizaciones de versión, navega a la pestaña de perspectivas de tu repositorio, luego a la gráfica de dependencias, y luego al Dependabot.

You enable Dependabot version updates by checking a dependabot.yml configuration file into your repository.

Dependabot y todas las características relacionadas. Para más información, consulta Términos del cliente empresarial de GitHub.

Updates for packages

The dependabot.yml configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. Dependabot uses this information to check for outdated packages and applications. Dependabot determines if there is a new version of a dependency by looking at the semantic versioning (semver) of the dependency to decide whether it should update to that version. Para más información sobre los ecosistemas compatibles con los repositorios privados, consulta Ecosistemas y repositorios admitidos por Dependabot.

The dependabot.yml file can also be configured to tell Dependabot how to maintain your dependencies. For more information, see Acerca del archivo dependabot.yml.

For certain package managers, Dependabot version updates also supports vendoring. Vendored (or cached) dependencies are dependencies that are checked in to a specific directory in a repository rather than referenced in a manifest. Vendored dependencies are available at build time even if package servers are unavailable. Dependabot version updates can be configured to check vendored dependencies for new versions and update them if necessary.

When Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. For vendored dependencies, Dependabot raises a pull request to replace the outdated dependency with the new version directly. You check that your tests pass, review the changelog and release notes included in the pull request summary, and then merge it. For more information, see Configuración de las actualizaciones de versiones de Dependabot.

If you enable security updates, Dependabot also raises pull requests to update vulnerable dependencies. For more information, see Dependabot security updates.

Updates for actions

Actions are often updated with bug fixes and new features to make automated processes more reliable, faster, and safer. When you enable Dependabot version updates for GitHub Actions, Dependabot will help ensure that references to actions in a repository's workflow.yml file and reusable workflows used inside workflows are kept up to date.

For each action in the file, Dependabot checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version. If a more recent version of the action is available, Dependabot will send you a pull request that updates the reference in the workflow file to the latest version.

Dependabot also checks workflow files for uses of reusable workflows, and updates the Git reference for these called reusable workflows.

To enable this feature, see Mantener tus acciones actualizadas con el Dependabot.

About automatic deactivation of Dependabot updates

Cuando los mantenedores de un repositorio dejan de interactuar con las solicitudes de cambios de Dependabot, Dependabot pausa temporalmente sus actualizaciones y te informa de ello; consulta Ya no se generan actualizaciones de solicitudes de incorporación de cambios de actualización de Dependabot.

About notifications for Dependabot version updates

You can filter your notifications on GitHub to show notifications for pull requests created by Dependabot. For more information, see Administrar las notificaciones en tu bandeja de entrada.