Add Dependabot to npm projects on GitHub

Jan 12 · 1 min read
Dependabot logo
Dependabot logo

Dependabot automates dependency updates for projects on GitHub. We’ll go over how to automate dependency updates for npm or Node.js projects.


Create .github/dependabot.yml:

Add the minimum (required) configuration:

Given the configuration, Dependabot will check on a daily interval for npm updates using the package manifest (package.json) located at the repository root (/).

For more options, check out “Configuration options for dependency updates”.


Let’s say webpack recently published version 5.0.0 and you’re on 4.0.0.

At 5am UTC, Dependabot will scan your package.json and open a pull request (PR) to merge branch dependabot/npm_and_yarn/webpack-5.0.0 to master.

The commit message will look like:

The PR description will contain webpack’s release notes, changelog, and/or commits.

JavaScript In Plain English

New JavaScript + Web Development articles every day.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store