Automate npm Dependency Updates

Keeping dependencies up to date is important for security and stability. GitHub’s Dependabot can automatically open pull requests for updates every week. You just need to add a .github/dependabot.yml file at the root of your project with the following content:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    ignore:
      # Skip major version bumps — review those manually
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

Once added, Dependabot will automatically open PRs for weekly dependency updates.
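As an added example (not from this post and not Dependabot's own code), the Node script below classifies a candidate npm version bump with the same update-type names Dependabot uses and applies the ignore rule from the config above to decide whether a PR would be opened. The strict-semver classification and the simplified dependency-name glob matching are assumptions.

```javascript
// Added example: simulate how the `ignore` block above filters candidate updates.
// Assumptions: strict semver classification (0.x bumps are compared numerically) and
// "*" as the only glob wildcard in dependency-name.

// The ignore block from the dependabot.yml above, transcribed as a JS object.
const IGNORE_RULES = [
  { "dependency-name": "*", "update-types": ["version-update:semver-major"] },
];

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Returns the Dependabot update-type name for an upgrade, or null when `to`
// is not an upgrade of `from` (same version or a downgrade).
function classifyUpdate(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  if (b.major !== a.major) return b.major > a.major ? "version-update:semver-major" : null;
  if (b.minor !== a.minor) return b.minor > a.minor ? "version-update:semver-minor" : null;
  return b.patch > a.patch ? "version-update:semver-patch" : null;
}

// Simplified glob: "*" matches everything, "@types/*" matches a scope, etc.
function nameMatches(pattern, name) {
  const parts = pattern.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(name);
}

// True when the bump would be ignored. A rule without update-types ignores every
// update to the matching dependency. Note that a fix shipped only in a new major
// release is also ignored by the "*" rule above, hence the manual review it asks for.
function isIgnored(rules, name, from, to) {
  const kind = classifyUpdate(from, to);
  if (kind === null) return true; // nothing to propose
  return rules.some(r => nameMatches(r["dependency-name"], name) &&
    (!r["update-types"] || r["update-types"].includes(kind)));
}

// Constructed sample candidates, not real Dependabot output.
const SAMPLE = [
  { name: "express", from: "4.18.2", to: "4.19.2" },
  { name: "lodash", from: "4.17.21", to: "5.0.0" },
  { name: "@types/node", from: "20.1.0", to: "20.2.0" },
];

function planUpdates(candidates, rules = IGNORE_RULES) {
  return candidates.map(c => ({ ...c, kind: classifyUpdate(c.from, c.to),
    ignored: isIgnored(rules, c.name, c.from, c.to) }));
}

console.table(planUpdates(SAMPLE));
```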

Create a dependencies label

Go to your GitHub repository. Click the Issues tab. Click Labels (top right). Click New label. Name it dependencies. Pick a colour (green is the convention). Click Create label.

Enable branch protection

Go to your GitHub repository. Click Settings (top right of the repo tabs). In the left sidebar, click Branches. Click Add classic branch protection rule. Set Branch name pattern to main. Enable this option: ✅ Require a pull request before merging. This ensures all updates, including Dependabot PRs, are reviewed before merging, preventing accidental direct pushes to main.