SYSTEM Cited by 1 source
Dependabot¶
Dependabot is a GitHub-native bot (docs.github.com/.../dependabot) that opens pull requests against a repository to update dependencies — for security patches, version bumps, or lockfile refreshes. It runs on a configurable schedule, understands most major language ecosystems (npm, pip, Maven, Gradle, Cargo, Bundler, Go modules, Docker, GitHub Actions, etc.), and plugs into GitHub's security-advisory feed to flag known-vulnerable versions.
Originally a standalone product (Dependabot Inc.), it was acquired by GitHub in 2019 and integrated into the platform as a free feature.
Three sub-services¶
- Dependabot version updates — scheduled PRs bumping dependencies to latest versions.
- Dependabot security updates — PRs triggered specifically by CVE advisories affecting the repo's dependency graph.
- Dependabot alerts — passive notifications when a vulnerability affects the repo (no automatic PR).
Positioning vs fleet-wide SBOM corpus¶
Zalando names Dependabot (alongside scala-steward, maven-versions-plugin, gradle-versions-plugin) as the per-repo tactical layer that the SBOM-corpus strategic layer complements:
"Some teams use tools like dependabot, scala-steward that create pull requests in repositories when new library versions are available… Playing the catch-up game and getting some visibility through incoming pull requests or changes is far from great, though and we can do better here." (Source: sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game)
The framing isn't that Dependabot is wrong — it's that Dependabot alone can't answer fleet-wide questions ("which of our 1,000 repos use log4j 2.14?"). The complement is the SBOM data lake that aggregates across repos, while Dependabot (or equivalent) does the per-repo update mechanic.
Cross-wiki instance¶
Also referenced in patterns/dependency-update-discipline as an anti-pattern when used naively ("Auto-bump-everything. Dependabot opening PRs on every minor release, auto-merged on green CI without human classification. Works until a 'destabilising update' slips through because your CI didn't exercise the relevant path.").
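The configuration below is an added example written for this page; it is not taken from the page, from Zalando's post or from Fly.io's. It shows the per-repo mechanic described in the introduction (ecosystem selection, schedule, PR limits) set up so that it does not degrade into the "auto-bump-everything, auto-merged on green CI" anti-pattern quoted above: every PR carries a label that a reviewer has to act on, routine bumps are grouped so one PR is classified at a time, and major bumps stay separate. The repository layout, the `webpack` pin, the label names and the Europe/Berlin schedule are constructed assumptions; the keys themselves are standard `dependabot.yml` options.

```yaml
# .github/dependabot.yml  (added example; not the page's, Zalando's or Fly.io's config)
# Intent: keep Dependabot as the per-repo update mechanic while making a human
# classification step unavoidable. Nothing here auto-merges; CI going green
# only tells you the paths CI exercises still work.
version: 2
updates:
  # Application code (npm): weekly cadence. Routine minor/patch bumps arrive as
  # one grouped PR; majors are raised individually so each gets a changelog read.
  - package-ecosystem: "npm"
    directory: "/"                       # assumption: package.json at repo root
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Berlin"          # assumption: team's working timezone
    open-pull-requests-limit: 5          # keeps the review queue bounded
    labels: ["dependencies", "needs-classification"]   # constructed label names
    commit-message:
      prefix: "deps"
    groups:
      routine:
        applies-to: version-updates
        update-types: ["minor", "patch"]
    ignore:
      # Constructed example: a build-tool dependency whose major releases are
      # known to break this repo is held at its current major until a migration
      # is planned, instead of letting the bump land on a green CI run.
      - dependency-name: "webpack"
        update-types: ["version-update:semver-major"]

  # Container base image: a slower cadence, labelled separately because an
  # image bump changes the runtime, not just a library.
  - package-ecosystem: "docker"
    directory: "/"                       # assumption: Dockerfile at repo root
    schedule:
      interval: "monthly"
    labels: ["dependencies", "needs-classification", "base-image"]

  # CI itself: keep action versions current, with a limit low enough that the
  # workflow-change PRs stay reviewable alongside the code ones.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 3
    labels: ["dependencies", "needs-classification", "ci"]

  # Rust crates: version updates switched off (limit 0) so only advisory-driven
  # security updates open PRs; routine crate bumps are done in planned batches.
  - package-ecosystem: "cargo"
    directory: "/"                       # assumption: Cargo.toml at repo root
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```

The file lives at `.github/dependabot.yml` and is picked up on the next scheduled run. The `needs-classification` label is the hook for the discipline the anti-pattern lacks: require a human review on PRs carrying it rather than a merge-on-green rule. An `ignore` rule only narrows what reaches the PR queue, so for anything it matches the Dependabot alerts view, not the PR list, remains the place to check whether a vulnerable version is present. Fleet-wide questions of the "which repos use log4j 2.14" kind are still outside this file's reach; that is the SBOM-corpus layer's job.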
Seen in¶
- sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game — Zalando names Dependabot as the per-repo tactical tool their SBOM-corpus approach complements.
- sources/2025-02-26-flyio-taming-a-voracious-rust-proxy — implicit: the Fly.io dependency-update-discipline post argues against naive Dependabot-style auto-bumping.
Related¶
- patterns/dependency-update-discipline — the tactical pattern Dependabot embodies.
- patterns/vulnerability-fleet-sweep-via-sbom-query — the fleet-wide complement that routes "which repos need the bump" to Dependabot (or equivalent).
- concepts/sbom-software-bill-of-materials — the substrate that enables fleet-wide coordination of per-repo updates.
- systems/scala-steward — Scala-specific sibling tool.