Goodbye Dependabot Preview, hello Dependabot!

Image of Mike McDonald

Dependabot Preview has helped more than 30,000 organizations keep their packages updated with more than seven million pull requests merged since it launched. As a result of that success, the Dependabot team joined GitHub in May 2019 and started building an updated version of Dependabot directly into GitHub. Now, we’re taking the next step, migrating customers from Dependabot Preview and onto the GitHub-native Dependabot.

As of today, the Dependabot Preview app and Dependabot.com no longer accept new customers, and will be shut down on August 3rd, 2021. To keep getting pull requests that update your packages, upgrade to GitHub Dependabot by merging the “Upgrade to GitHub-native Dependabot” pull request in your repository by August 3rd. After this date, any open pull requests from the Dependabot Preview bot will remain open, but the bot itself will no longer work on your GitHub accounts and organizations.

GIF showing how to merge Dependabot pull request to upgrade to GitHub-native Dependabot

In GitHub Dependabot, most configuration is done via the configuration file. This file is very similar to the Dependabot Preview configuration file, but we’ve made a few changes and improvements that will be automatically included in the update pull request. You can see the update logs that used to be on the dependabot.com dashboard by going to your repository’s Insights page, clicking the Dependency graph tab on the left, and then clicking Dependabot.

GIF showing how to navigate to the Dependency graph tab to see update logs

Saying goodbye to a few features

With the recent launch of private registry support, almost all Dependabot Preview features are now available in GitHub Dependabot. However, some features will not be available in GitHub Dependabot:

  • Live updates: We hope to bring these back in the future. For now, you can run GitHub Dependabot daily to catch new packages within one day of release.
  • PHP environment variable registries: These features have not been added, but we are investigating if there are other solutions. For now, you can use GitHub Actions to fetch dependencies from these registries.
  • Auto-merge: We always recommend verifying your dependencies before merging them; therefore, auto-merge will not be supported for the foreseeable future. For those of you who have vetted your dependencies, or are only using internal dependencies, we recommend adding third-party auto-merge apps, or setting up GitHub Actions to merge.
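
The configuration change behind the first and last items, as an added example that is not part of the original post: a Dependabot Preview file using live updates and auto-merge, next to a GitHub Dependabot file that checks daily instead. The npm ecosystem, the root directory and the auto-merge rule are assumptions chosen for illustration.

```yaml
# --- Before: .dependabot/config.yml (Dependabot Preview, version 1) ---
version: 1
update_configs:
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "live"        # live updates: not available in GitHub Dependabot
    automerged_updates:            # auto-merge: not available in GitHub Dependabot
      - match:
          dependency_type: "all"
          update_type: "semver:patch"

# --- After: .github/dependabot.yml (GitHub Dependabot, version 2) ---
version: 2
updates:
  - package-ecosystem: "npm"       # version 2 names the ecosystem, not the language
    directory: "/"
    schedule:
      interval: "daily"            # closest replacement for "live": new releases
                                   # are picked up within one day
    # There is no auto-merge key in version 2. Each pull request waits for
    # review unless a separate app or GitHub Actions workflow merges it.
```

The two documents live in different paths, so review that the old `.dependabot/config.yml` is removed once the new file is in place and that nothing in your process still assumes updates merge themselves.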

Keeping dependencies updated is a crucial part of securing your software supply chain—whether you’re working on an open source project or a large enterprise. We’ve got lots of exciting features on the roadmap, including more ecosystem updates, improved notifications, and Dependabot support for GitHub Enterprise Server.

If you have any questions or need help migrating, please contact GitHub Support.

Learn more about Dependabot in our documentation, or visit our public roadmap to see what’s next for Dependabot.