注意
站点管理员必须先为 你的 GitHub Enterprise Server 实例设置 Dependabot updates,然后你才能使用此功能。 有关详细信息,请参阅 为企业启用 Dependabot.
如果企业所有者在企业级别设置了策略,你可能无法启用或禁用 Dependabot updates。 有关详细信息,请参阅“强制实施企业的代码安全性和分析策略”。
About Dependabot pull requests
Dependabot 提出拉取请求,以更新依赖项。 Dependabot 可能会针对版本更新和/或安全更新提出拉取请求,具体取决于存储库的配置方式。 您可以按与任何其他拉取请求相同的方式管理这些拉取请求,但也有一些额外的可用命令。 有关启用 Dependabot 的信息,请参阅“Configuring Dependabot security updates”和“Configuring Dependabot version updates”。
When Dependabot raises a pull request, you're notified by your chosen method for the repository. Each pull request contains detailed information about the proposed change, taken from the package manager. These pull requests follow the normal checks and tests defined in your repository.
If you have many dependencies to manage, you may want to customize the configuration for each package manager so that pull requests have specific assignees and labels. You may also want to group sets of dependencies together, so that multiple dependencies are updated in a single pull request. For more information, see 自定义 Dependabot 拉取请求以适应你的流程 and Configuring Dependabot security updates.
注意
If you don't interact with Dependabot pull requests for a repository during a 90-day time period, Dependabot considers your repository as inactive, and will automatically pause Dependabot updates. For more information about inactivity criteria, see 关于 Dependabot 版本更新 and 关于 Dependabot 安全更新.
Viewing Dependabot pull requests
-
在 GitHub 上,导航到存储库的主页面。
-
在仓库名称下,单击 “Pull requests”****。
-
Any pull requests for security or version updates are easy to identify.
- The author is dependabot, the bot account used by Dependabot.
- By default, they have the
dependencieslabel.
Changing the rebase strategy for Dependabot pull requests
By default, Dependabot automatically rebases pull requests to resolve any conflicts. 如果拉取请求 30 天未合并,Dependabot 将停止对拉取请求进行变基。 你仍然可以手动对拉取请求进行变基与合并。 If you'd prefer to handle merge conflicts manually, you can disable this using the rebase-strategy option. For details, see Dependabot 选项参考.
Allowing Dependabot to rebase and force push over extra commits
By default, Dependabot will stop rebasing a pull request once extra commits have been pushed to it. To allow Dependabot to force push over commits added to its branches, include any of the following strings: [dependabot skip] , [skip dependabot], [dependabot-skip], or [skip-dependabot], in either lower or uppercase, to the commit message.
Managing Dependabot pull requests with comment commands
Dependabot responds to simple commands in comments. Each pull request contains details of the commands you can use to process the pull request (for example: to merge, squash, reopen, close, or rebase the pull request) under the "Dependabot commands and options" section. The aim is to make it as easy as possible for you to triage these automatically generated pull requests.
You can use any of the following commands on a Dependabot pull request.
| Command | Description |
|---|---|
@dependabot cancel merge | Cancels a previously requested merge. |
@dependabot close | Closes the pull request and prevents Dependabot from recreating that pull request. You can achieve the same result by closing the pull request manually. |
@dependabot ignore this dependency | Closes the pull request and prevents Dependabot from creating any more pull requests for this dependency (unless you reopen the pull request or upgrade to the suggested version yourself). |
@dependabot ignore this major version | Closes the pull request and prevents Dependabot from creating any more pull requests for this major version (unless you reopen the pull request or upgrade to this major version yourself). |
@dependabot ignore this minor version | Closes the pull request and prevents Dependabot from creating any more pull requests for this minor version (unless you reopen the pull request or upgrade to this minor version yourself). |
@dependabot ignore this patch version | Closes the pull request and prevents Dependabot from creating any more pull requests for this patch version (unless you reopen the pull request or upgrade to this patch version yourself). |
@dependabot merge | Merges the pull request once your CI tests have passed. |
@dependabot rebase | Rebases the pull request. |
@dependabot recreate | Recreates the pull request, overwriting any edits that have been made to the pull request. |
@dependabot reopen | Reopens the pull request if the pull request is closed. |
@dependabot show DEPENDENCY_NAME ignore conditions | Retrieves information on the ignore conditions for the specified dependency, and comments on the pull request with a table that displays all ignore conditions for the dependency. For example, @dependabot show express ignore conditions would find all ignore conditions stored for the Express dependency, and comment on the pull request with that information. |
@dependabot squash and merge | Squashes and merges the pull request once your CI tests have passed. |
Dependabot will react with a "thumbs up" emoji to acknowledge the command, and may respond with a comment on the pull request. While Dependabot usually responds quickly, some commands may take several minutes to complete if Dependabot is busy processing other updates or commands.
If you run any of the commands for ignoring dependencies or versions, Dependabot stores the preferences for the repository centrally. While this is a quick solution, for repositories with more than one contributor it is better to explicitly define the dependencies and versions to ignore in the configuration file. This makes it easy for all contributors to see why a particular dependency isn't being updated automatically.
For more information, see Dependabot 选项参考.
Managing Dependabot pull requests for grouped updates with comment commands
In Dependabot pull requests for grouped version updates and security updates, you can use comment commands to ignore and un-ignore updates for specific dependencies and versions. You can use any of the following commands to manage ignore conditions for grouped updates.
| Command | Description |
|---|---|
@dependabot ignore DEPENDENCY_NAME | Closes the pull request and prevents Dependabot from updating this dependency. |
@dependabot ignore DEPENDENCY_NAME major version | Closes the pull request and prevents Dependabot from updating this dependency's major version. |
@dependabot ignore DEPENDENCY_NAME minor version | Closes the pull request and prevents Dependabot from updating this dependency's minor version. |
@dependabot ignore DEPENDENCY_NAME patch version | Closes the pull request and prevents Dependabot from updating this dependency's patch version. |
@dependabot unignore * | Closes the current pull request, clears all ignore conditions stored for all dependencies in the group, then opens a new pull request. |
@dependabot unignore DEPENDENCY_NAME | Closes the current pull request, clears all ignore conditions stored for the dependency, then opens a new pull request that includes available updates for the specified dependency. For example, @dependabot unignore lodash would open a new pull request that includes updates for the Lodash dependency. |
@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITION | Closes the current pull request, clears the stored ignore condition, then opens a new pull request that includes available updates for the specified ignore condition. For example, @dependabot unignore express [< 1.9, > 1.8.0] would open a new pull request that includes updates for Express between versions 1.8.0 and 1.9.0. |
提示
When you want to un-ignore a specific ignore condition, use the @dependabot show DEPENDENCY_NAME ignore conditions command to quickly check what ignore conditions a dependency currently has.