Agent Skills by ALSEL
Anthropic ClaudeLLM・AI開発⭐ リポ 0品質スコア 50/100

Dependabot設定ガイド|依存更新を安全に自動化

GitHub Dependabotの設定・運用ガイド。dependabot.yml作成、PR管理、グループ更新・モノレポ・複数エコシステム、セキュリティ更新まで網羅。依存関係の更新を自動化したい開発者に。

description の原文を見る

>-

SKILL.md 本文

Dependabot Configuration & Management

Overview

Dependabot is GitHub's built-in dependency management tool with three core capabilities:

  1. Dependabot Alerts — Notify when dependencies have known vulnerabilities (CVEs)
  2. Dependabot Security Updates — Auto-create PRs to fix vulnerable dependencies
  3. Dependabot Version Updates — Auto-create PRs to keep dependencies current

All configuration lives in a single file: .github/dependabot.yml on the default branch. GitHub does not support multiple dependabot.yml files per repository.

Configuration Workflow

Follow this process when creating or optimizing a dependabot.yml:

Step 1: Detect All Ecosystems

Scan the repository for dependency manifests. Look for:

EcosystemYAML ValueManifest Files
npm/pnpm/yarnnpmpackage.json, package-lock.json, pnpm-lock.yaml, yarn.lock
pip/pipenv/poetry/uvpiprequirements.txt, Pipfile, pyproject.toml, setup.py
DockerdockerDockerfile
Docker Composedocker-composedocker-compose.yml
GitHub Actionsgithub-actions.github/workflows/*.yml
Go modulesgomodgo.mod
Bundler (Ruby)bundlerGemfile
Cargo (Rust)cargoCargo.toml
Composer (PHP)composercomposer.json
NuGet (.NET)nuget*.csproj, packages.config
.NET SDKdotnet-sdkglobal.json
Maven (Java)mavenpom.xml
Gradle (Java)gradlebuild.gradle
Terraformterraform*.tf
OpenTofuopentofu*.tf
HelmhelmChart.yaml
Hex (Elixir)mixmix.exs
SwiftswiftPackage.swift
Pub (Dart)pubpubspec.yaml
Bunbunbun.lockb
Dev Containersdevcontainersdevcontainer.json
Git Submodulesgitsubmodule.gitmodules
Pre-commitpre-commit.pre-commit-config.yaml

Note: pnpm and yarn both use the npm ecosystem value.

Step 2: Map Directory Locations

For each ecosystem, identify where manifests live. Use directories (plural) with glob patterns for monorepos:

directories:
  - "/"           # root
  - "/apps/*"     # all app subdirs
  - "/packages/*" # all package subdirs
  - "/lib-*"      # dirs starting with lib-
  - "**/*"        # recursive (all subdirs)

Important: directory (singular) does NOT support globs. Use directories (plural) for wildcards.

Step 3: Configure Each Ecosystem Entry

Every entry needs at minimum:

- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"

Step 4: Optimize with Grouping, Labels, and Scheduling

See sections below for each optimization technique.

Monorepo Strategies

Glob Patterns for Workspace Coverage

For monorepos with many packages, use glob patterns to avoid listing each directory:

- package-ecosystem: "npm"
  directories:
    - "/"
    - "/apps/*"
    - "/packages/*"
    - "/services/*"
  schedule:
    interval: "weekly"

Cross-Directory Grouping

Use group-by: dependency-name to create a single PR when the same dependency updates across multiple directories:

groups:
  monorepo-deps:
    group-by: dependency-name

This creates one PR per dependency across all specified directories, reducing CI costs and review burden.

Limitations:

  • All directories must use the same package ecosystem
  • Applies to version updates only
  • Incompatible version constraints create separate PRs

Standalone Packages Outside Workspaces

If a directory has its own lockfile and is NOT part of the workspace (e.g., scripts in .github/), create a separate ecosystem entry for it.

Dependency Grouping

Reduce PR noise by grouping related dependencies into single PRs.

By Dependency Type

groups:
  dev-dependencies:
    dependency-type: "development"
    update-types: ["minor", "patch"]
  production-dependencies:
    dependency-type: "production"
    update-types: ["minor", "patch"]

By Name Pattern

groups:
  angular:
    patterns: ["@angular*"]
    update-types: ["minor", "patch"]
  testing:
    patterns: ["jest*", "@testing-library*", "ts-jest"]

For Security Updates

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Key behaviors:

  • Dependencies matching multiple groups go to the first match
  • applies-to defaults to version-updates when absent
  • Ungrouped dependencies get individual PRs

Multi-Ecosystem Groups

Combine updates across different package ecosystems into a single PR:

version: 2

multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: "weekly"
    labels: ["infrastructure", "dependencies"]

updates:
  - package-ecosystem: "docker"
    directory: "/"
    patterns: ["nginx", "redis"]
    multi-ecosystem-group: "infrastructure"

  - package-ecosystem: "terraform"
    directory: "/"
    patterns: ["aws*"]
    multi-ecosystem-group: "infrastructure"

The patterns key is required when using multi-ecosystem-group.

PR Customization

Labels

labels:
  - "dependencies"
  - "npm"

Set labels: [] to disable all labels including defaults. SemVer labels (major, minor, patch) are always applied if present in the repo.

Commit Messages

commit-message:
  prefix: "deps"
  prefix-development: "deps-dev"
  include: "scope"  # adds deps/deps-dev scope after prefix

Assignees and Milestones

assignees: ["security-team-lead"]
milestone: 4  # numeric ID from milestone URL

Branch Name Separator

pull-request-branch-name:
  separator: "-"  # default is /

Target Branch

target-branch: "develop"  # PRs target this instead of default branch

Note: When target-branch is set, security updates still target the default branch; all ecosystem config only applies to version updates.

Schedule Optimization

Intervals

Supported: daily, weekly, monthly, quarterly, semiannually, yearly, cron

schedule:
  interval: "weekly"
  day: "monday"         # for weekly only
  time: "09:00"         # HH:MM format
  timezone: "America/New_York"

Cron Expressions

schedule:
  interval: "cron"
  cronjob: "0 9 * * 1"  # Every Monday at 9 AM

Cooldown Periods

Delay updates for newly released versions to avoid early-adopter issues:

cooldown:
  default-days: 5
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3
  include: ["*"]
  exclude: ["critical-lib"]

Cooldown applies to version updates only, not security updates.

Security Updates Configuration

Enable via Repository Settings

Settings → Advanced Security → Enable Dependabot alerts, security updates, and grouped security updates.

Group Security Updates in YAML

groups:
  security-patches:
    applies-to: security-updates
    patterns: ["*"]
    update-types: ["patch", "minor"]

Disable Version Updates (Security Only)

open-pull-requests-limit: 0  # disables version update PRs

Auto-Triage Rules

GitHub presets auto-dismiss low-impact alerts for development dependencies. Custom rules can filter by severity, package name, CWE, and more. Configure in repository Settings → Advanced Security.

PR Comment Commands

Interact with Dependabot PRs using @dependabot comments.

Note: As of January 2026, merge/close/reopen commands have been deprecated. Use GitHub's native UI, CLI (gh pr merge), or auto-merge instead.

CommandEffect
@dependabot rebaseRebase the PR
@dependabot recreateRecreate the PR from scratch
@dependabot ignore this dependencyClose and never update this dependency
@dependabot ignore this major versionIgnore this major version
@dependabot ignore this minor versionIgnore this minor version
@dependabot ignore this patch versionIgnore this patch version

For grouped PRs, additional commands:

  • @dependabot ignore DEPENDENCY_NAME — ignore specific dependency in group
  • @dependabot unignore DEPENDENCY_NAME — clear ignores, reopen with updates
  • @dependabot unignore * — clear all ignores for all dependencies in group
  • @dependabot show DEPENDENCY_NAME ignore conditions — display current ignores

For the complete command reference, see references/pr-commands.md.

Ignore and Allow Rules

Ignore Specific Dependencies

ignore:
  - dependency-name: "lodash"
  - dependency-name: "@types/node"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "express"
    versions: ["5.x"]

Allow Only Specific Types

allow:
  - dependency-type: "production"
  - dependency-name: "express"

Rule: If a dependency matches both allow and ignore, it is ignored.

Exclude Paths

exclude-paths:
  - "vendor/**"
  - "test/fixtures/**"

Advanced Options

Versioning Strategy

Controls how Dependabot edits version constraints:

ValueBehavior
autoDefault — increase for apps, widen for libraries
increaseAlways increase minimum version
increase-if-necessaryOnly change if current range excludes new version
lockfile-onlyOnly update lockfiles, ignore manifests
widenWiden range to include both old and new versions

Rebase Strategy

rebase-strategy: "disabled"  # stop auto-rebasing

Allow rebase over extra commits by including [dependabot skip] in commit messages.

Open PR Limit

open-pull-requests-limit: 10  # default is 5 for version, 10 for security

Set to 0 to disable version updates entirely.

Private Registries

registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{secrets.NPM_TOKEN}}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private

FAQ

Can I have multiple dependabot.yml files? No. GitHub supports exactly one file at .github/dependabot.yml. Use multiple updates entries within that file for different ecosystems and directories.

Does Dependabot support pnpm? Yes. Use package-ecosystem: "npm" — Dependabot detects pnpm-lock.yaml automatically.

How do I reduce PR noise in a monorepo? Use groups to batch updates, directories with globs for coverage, and group-by: dependency-name for cross-directory grouping. Consider monthly or quarterly intervals for low-priority ecosystems.

How do I handle dependencies outside the workspace? Create a separate ecosystem entry with its own directory pointing to that location.

Pre-Commit Dependency Scanning via AI Coding Agents

For scanning code changes for vulnerable dependencies inside an AI coding agent before committing, the GitHub MCP Server's dependabot toolset can check your dependency additions against the GitHub Advisory Database and return structured results with affected packages, severity, and recommended fixed versions. For more thorough post-commit checks, it can also run the Dependabot CLI locally to diff dependency graphs before and after your changes.

Install the Advanced Security plugin which provides dedicated dependency scanning tools and the /dependency-scanning skill.

GitHub Copilot CLI (shell):

# Enable the dependabot toolset for the GitHub MCP Server
copilot --add-github-mcp-toolset dependabot

GitHub Copilot CLI (inside copilot):

> /plugin install advanced-security@copilot-plugins

Visual Studio Code:

  • Add "X-MCP-Toolsets": "dependabot" to your GitHub MCP Server headers, or pick Dependabot from the toolset selector in Copilot Chat
  • Install the advanced-security plugin, then use /dependency-scanning in Copilot Chat

Example prompt:

Scan the dependencies I added on this branch for known vulnerabilities and tell me which versions to upgrade to before I commit.

See: Advanced Security Plugin — Dependency Scanning Skill

Announced in Dependency scanning with GitHub MCP Server is in public preview (May 2026)

Resources

  • references/dependabot-yml-reference.md — Complete YAML options reference
  • references/pr-commands.md — Full PR comment commands reference
  • references/example-configs.md — Real-world configuration examples

ライセンス: MIT(寛容ライセンスのため全文を引用しています) · 原本リポジトリ

詳細情報

作者
github
リポジトリ
github/awesome-copilot
ライセンス
MIT
最終更新
不明

Source: https://github.com/github/awesome-copilot / ライセンス: MIT

関連スキル

OpenAILLM・AI開発⭐ リポ 6,054

agent-browser

AI エージェント向けのブラウザ自動化 CLI です。ウェブサイトとの対話が必要な場合に使用します。ページ遷移、フォーム入力、ボタンクリック、スクリーンショット取得、データ抽出、ウェブアプリのテスト、ブラウザ操作の自動化など、あらゆるブラウザタスクに対応できます。「ウェブサイトを開く」「フォームに記入する」「ボタンをクリックする」「スクリーンショットを取得する」「ページからデータを抽出する」「このウェブアプリをテストする」「サイトにログインする」「ブラウザ操作を自動化する」といった要求や、プログラマティックなウェブ操作が必要なタスクで起動します。

by JimmyLv
汎用LLM・AI開発⭐ リポ 1,982

anyskill

AnySkill — あなたのプライベート・スキルクラウド。GitHubを基盤としたリポジトリからエージェントスキルを管理、同期、動的にロードできます。自然言語でクラウドスキルを検索し、オンデマンドでプロンプトを自動ロード、カスタムスキルのアップロードと共有、スキルバンドルの一括インストールが可能です。OpenClaw、Antigravity、Claude Code、Cursorに対応しています。

by LeoYeAI
汎用LLM・AI開発⭐ リポ 1,982

engram

AIエージェント向けの永続的なメモリシステムです。バグ修正、意思決定、発見、設定変更の後はmem_saveを使用してください。ユーザーが「覚えている」「記憶している」と言及した場合、または以前のセッションと重複する作業を開始する際はmem_searchを使用します。セッション終了前にmem_session_summaryを使用して、コンテキストを保持してください。

by LeoYeAI
汎用LLM・AI開発⭐ リポ 21,584

skyvern

AI駆動のブラウザ自動化により、任意のウェブサイトを自動化できます。フォーム入力、データ抽出、ファイルダウンロード、ログイン、複数ステップのワークフロー実行など、ユーザーがウェブサイトと連携する必要があるときに使用します。Skyvernは、LLMとコンピュータビジョンを活用して、未知のサイトも自動操作可能です。Python SDK、TypeScript SDK、REST API、MCPサーバー、またはCLIを通じて統合できます。

by Skyvern-AI
汎用LLM・AI開発⭐ リポ 1,149

pinchbench

PinchBenchベンチマークを実行して、OpenClawエージェントの実世界タスクにおけるパフォーマンスを評価できます。モデルの機能テスト、モデル間の比較、ベンチマーク結果のリーダーボード提出、またはOpenClawのセットアップがカレンダー、メール、リサーチ、コーディング、複数ステップのワークフローにどの程度対応しているかを確認する際に使用します。

by pinchbench
汎用LLM・AI開発⭐ リポ 4,693

openui

OpenUIとOpenUI Langを使用してジェネレーティブUIアプリを構築できます。これらはLLM生成インターフェースのためのトークン効率的なオープン標準です。OpenUI、@openuidev、ジェネレーティブUI、LLMからのストリーミングUI、AI向けコンポーネントライブラリ、またはjson-render/A2UIの置き換えについて述べる際に使用します。スキャフォルディング、defineComponent、システムプロンプト、Renderer、およびOpenUI Lang出力のデバッグに対応しています。

by thesysdev
本サイトは GitHub 上で公開されているオープンソースの SKILL.md ファイルをクロール・インデックス化したものです。 各スキルの著作権は原作者に帰属します。掲載に問題がある場合は info@alsel.co.jp または /takedown フォームよりご連絡ください。
原作者: github · github/awesome-copilot · ライセンス: MIT