All skills
Skillintermediate

Dependabot: Automated Dependency Updates

[Dependabot](https://docs.github.com/en/code-security/dependabot) automatically creates pull requests to keep your dependencies up to date. GitHub hosts it natively—no external service required.

Claude Code Knowledge Pack7/10/2026

Overview

Dependabot: Automated Dependency Updates

Dependabot automatically creates pull requests to keep your dependencies up to date. GitHub hosts it natively—no external service required.

Why Use Dependabot?

  • Security: Automatically patches known vulnerabilities
  • Freshness: Keeps dependencies current without manual tracking
  • Visibility: PRs show changelogs and compatibility notes

Configuration

Copy templates/dependabot.yml to .github/dependabot.yml.

The template includes:

  • Weekly update schedule for pip and GitHub Actions
  • 7-day cooldown for supply chain protection
  • Grouping to reduce PR noise

Supply Chain Protection

The cooldown.default-days: 7 setting delays updates for newly published versions. This provides time for the community to detect compromised packages before they reach your project.

Why this matters:

  • Attackers sometimes publish malicious versions of legitimate packages
  • A 7-day delay allows time for detection and removal
  • Combined with weekly schedules, this balances security with freshness

Common Options

OptionDescription
intervaldaily, weekly, or monthly
cooldown.default-daysDays to wait before updating new releases
ignoreSkip specific dependencies or versions
groupsGroup related updates into single PRs
reviewersAuto-assign reviewers to PRs

See Also