GitHub Community
Clarification on dependabot.yaml and code security settings #146660
-
Select Topic AreaQuestion BodyHello. Looking at docs and it is not clear to me if I need to enable dependabot updates and grouping in repo/org setting or I can simply just create
And this in repo configuration
Do I need to click |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
@piotrekkr it depends if you want Dependabot PRs that provide updates that resolve alerts (i.e. "security updates") or PRs that update your dependencies to the latest version (i.e. "version updates"). They are enabled separately. For security updates, check the box here and it'll work without dependabot.yml. For version updates, you must check in a dependabot.yml. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for reply. What happens when I have both, |
Beta Was this translation helpful? Give feedback.
-
|
Then you will get both security & version updates, and your configuration from the YAML will apply. For more information on how to set up the YAML to configure version and/or security updates, you can check out our docs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file |
Beta Was this translation helpful? Give feedback.
@piotrekkr it depends if you want Dependabot PRs that provide updates that resolve alerts (i.e. "security updates") or PRs that update your dependencies to the latest version (i.e. "version updates"). They are enabled separately. For security updates, check the box here and it'll work without dependabot.yml. For version updates, you must check in a dependabot.yml.