Managing pull requests for dependency updates

About Dependabot pull requests

Dependabot déclenche des demandes de tirage pour mettre à jour les dépendances. Selon la configuration de votre dépôt, Dependabot peut déclencher des demandes de tirage pour des mises à jour de version et/ou des mises à jour de sécurité. Vous gérez ces demandes de tirage comme toute demande de tirage, mais des commandes supplémentaires sont disponibles. Pour plus d’informations sur l’activation des mises à jour de dépendances Dependabot, consultez Configuring Dependabot security updates et Configuring Dependabot version updates.

When Dependabot raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository. In addition, where enough information is available, you'll see a compatibility score. This may also help you decide whether or not to merge the change. For information about this score, see À propos des mises à jour de sécurité Dependabot.

If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific assignees and labels. You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request. For more information, see Personnalisation des demandes de tirage de Dependabot pour répondre à vos processus and Configuring Dependabot security updates.

Viewing Dependabot pull requests

1. Sur GitHub, accédez à la page principale du référentiel.

2. Sous le nom de votre référentiel, cliquez sur Demandes de tirage.

   

3. Any pull requests for security or version updates are easy to identify.

   • The author is dependabot, the bot account used by Dependabot.
   • By default, they have the dependencies label.

Changing the rebase strategy for Dependabot pull requests

By default, Dependabot automatically rebases pull requests to resolve any conflicts. Si aucune demande de tirage n’a été fusionnée depuis 30 jours, Dependabot cesse de rebaser la demande de tirage. Vous pouvez toujours rebaser et fusionner manuellement la demande de tirage. If you'd prefer to handle merge conflicts manually, you can disable this using the rebase-strategy option. For details, see Référence des options Dependabot.

Allowing Dependabot to rebase and force push over extra commits

By default, Dependabot will stop rebasing a pull request once extra commits have been pushed to it. To allow Dependabot to force push over commits added to its branches, include any of the following strings: [dependabot skip] , [skip dependabot], [dependabot-skip], or [skip-dependabot], in either lower or uppercase, to the commit message.

Managing Dependabot pull requests with comment commands

Dependabot responds to simple commands in comments. Each pull request contains details of the commands you can use to process the pull request (for example: to merge, squash, reopen, close, or rebase the pull request) under the "Dependabot commands and options" section. The aim is to make it as easy as possible for you to triage these automatically generated pull requests.

You can use any of the following commands on a Dependabot pull request.

Command	Description
@dependabot cancel merge	Cancels a previously requested merge.
@dependabot close	Closes the pull request and prevents Dependabot from recreating that pull request. You can achieve the same result by closing the pull request manually.
@dependabot ignore this dependency	Closes the pull request and prevents Dependabot from creating any more pull requests for this dependency (unless you reopen the pull request or upgrade to the suggested version yourself).
@dependabot ignore this major version	Closes the pull request and prevents Dependabot from creating any more pull requests for this major version (unless you reopen the pull request or upgrade to this major version yourself).
@dependabot ignore this minor version	Closes the pull request and prevents Dependabot from creating any more pull requests for this minor version (unless you reopen the pull request or upgrade to this minor version yourself).
@dependabot ignore this patch version	Closes the pull request and prevents Dependabot from creating any more pull requests for this patch version (unless you reopen the pull request or upgrade to this patch version yourself).
@dependabot merge	Merges the pull request once your CI tests have passed.
@dependabot rebase	Rebases the pull request.
@dependabot recreate	Recreates the pull request, overwriting any edits that have been made to the pull request.
@dependabot reopen	Reopens the pull request if the pull request is closed.
@dependabot show DEPENDENCY_NAME ignore conditions	Retrieves information on the ignore conditions for the specified dependency, and comments on the pull request with a table that displays all ignore conditions for the dependency. For example, @dependabot show express ignore conditions would find all ignore conditions stored for the Express dependency, and comment on the pull request with that information.
@dependabot squash and merge	Squashes and merges the pull request once your CI tests have passed.

Dependabot will react with a "thumbs up" emoji to acknowledge the command, and may respond with a comment on the pull request. While Dependabot usually responds quickly, some commands may take several minutes to complete if Dependabot is busy processing other updates or commands.

If you run any of the commands for ignoring dependencies or versions, Dependabot stores the preferences for the repository centrally. While this is a quick solution, for repositories with more than one contributor it is better to explicitly define the dependencies and versions to ignore in the configuration file. This makes it easy for all contributors to see why a particular dependency isn't being updated automatically.

For more information, see Référence des options Dependabot.

Managing Dependabot pull requests for grouped updates with comment commands

In Dependabot pull requests for grouped version updates and security updates, you can use comment commands to ignore and un-ignore updates for specific dependencies and versions. You can use any of the following commands to manage ignore conditions for grouped updates.

Command	Description
@dependabot ignore DEPENDENCY_NAME	Closes the pull request and prevents Dependabot from updating this dependency.
@dependabot ignore DEPENDENCY_NAME major version	Closes the pull request and prevents Dependabot from updating this dependency's major version.
@dependabot ignore DEPENDENCY_NAME minor version	Closes the pull request and prevents Dependabot from updating this dependency's minor version.
@dependabot ignore DEPENDENCY_NAME patch version	Closes the pull request and prevents Dependabot from updating this dependency's patch version.
@dependabot unignore *	Closes the current pull request, clears all ignore conditions stored for all dependencies in the group, then opens a new pull request.
@dependabot unignore DEPENDENCY_NAME	Closes the current pull request, clears all ignore conditions stored for the dependency, then opens a new pull request that includes available updates for the specified dependency. For example, @dependabot unignore lodash would open a new pull request that includes updates for the Lodash dependency.
@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITION	Closes the current pull request, clears the stored ignore condition, then opens a new pull request that includes available updates for the specified ignore condition. For example, @dependabot unignore express [< 1.9, > 1.8.0] would open a new pull request that includes updates for Express between versions 1.8.0 and 1.9.0.