brbcoding

Dependabot and GitHub

TL;DR:

There is a service in GitHub named Dependabot. It makes managing your dependencies extremely easy and is even easier to set up. You should do it now before the tech debt gets worse.

About Dependabot

Dependabot is an automated service, a robot, if you will, that checks for new versions of the packages your project depends on, using the package ecosystem your project uses (e.g. node packages hosted on npm’s registry) to know where to look.

The service is free to use, and since it has been integrated directly into GitHub it is a rather safe choice: there is no third-party app to grant repository access to.

Setting It Up In GitHub

Enabling Dependabot

To set it up for a given project, go into GitHub, open that project’s repository, click on the Settings tab for the repository, then go into the nested Security & analysis page using the left-side navigation.

There, you will see an option for Dependabot alerts.

Enable that.

Enabling Dependabot Security Updates & the Dependency Graph

In the same place we enabled Dependabot alerts, there are options named Dependabot security updates and Dependency graph. The alerts only tell you that a dependency has a known vulnerability; the security updates option is what makes Dependabot open a pull request with the patched version, and the dependency graph is what both of them rely on to know what your project pulls in.

Enable those too (the latter is enabled by default for public repositories).

Enabling Dependabot’s Automated Dependency Upgrades

Oh yeah, you best believe we are at the best part now!

At the top navigation for your repository, next to the Security tab you clicked earlier, is a tab for Insights.

Click that.

Then, in the left-side navigation, look for Dependency graph.

Click that as well.

Now, you should see three tabs, the last of which should contain Dependabot (and maybe a Beta callout).

Click that tab.

There will be a prompt letting you know that you need to create a configuration file in order for Dependabot to begin creating pull requests on your behalf to upgrade dependencies as new versions are released.

It should have a prominent button that says Create config file.

You guessed it! Click that.

It will open a new file editor that creates a GitHub configuration directory in your project, in which it will create a file named dependabot.yml. This file will already have some template text in it, including instructions on how to configure it for your project.

Follow those instructions.
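To give a concrete idea of what that file ends up looking like, here is an added example of a dependabot.yml (this is my illustration, not the template GitHub generates or anything from the post). It assumes a Node project with its package.json at the repository root that also uses GitHub Actions workflows; the weekly schedule, the label name, the reviewer handle and the ignored major bump are all constructed choices you would adapt. The file lives at .github/dependabot.yml.

```yaml
# .github/dependabot.yml -- added example, not the generated template.
# Assumes: package.json at the repo root, workflows under .github/workflows.
version: 2
updates:
  # Keep npm dependencies current.
  - package-ecosystem: "npm"
    directory: "/"              # where package.json lives
    schedule:
      interval: "weekly"        # one batch of PRs per week instead of daily noise
      day: "monday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5 # cap the number of open Dependabot PRs
    labels:
      - "dependencies"          # constructed label name; must exist in the repo
    reviewers:
      - "example-maintainer"    # placeholder GitHub handle
    commit-message:
      prefix: "deps"            # commits look like "deps: bump lodash ..."
    allow:
      - dependency-type: "production"  # skip devDependencies for version bumps
    ignore:
      # Illustrative: hold back major bumps of one package until you plan the migration.
      - dependency-name: "webpack"
        update-types: ["version-update:semver-major"]

  # Also bump the actions pinned in CI workflows, which are dependencies too.
  - package-ecosystem: "github-actions"
    directory: "/"              # for github-actions this means .github/workflows
    schedule:
      interval: "weekly"
```

The allow and ignore blocks only constrain the version-update pull requests configured here; the security updates you enabled earlier still open pull requests for vulnerable packages regardless of dependency type, so you keep the patches while avoiding a flood of routine bumps. Listing the github-actions ecosystem is worth the two extra lines because actions pinned to an old tag are as much a part of your supply chain as anything in package.json.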

And that is it! Congratulations, your project will be so much more maintainable and modern!