Dependabot Setup

Configure Dependabot for automated dependency updates with supply chain security protections.

Prerequisites

GitHub repository initialized

Your project must be a Git repository with a GitHub remote.

Verify with

git remote get-url origin

Expected: git@github.com:<user>/<repo>.git

Review the generated file before committing — adjust the target branch if your project uses a different branching strategy.

Prompt

Set up Dependabot for this project.

Requirements:
1. Detect the package ecosystem in use (check for package.json, go.mod, pyproject.toml, Cargo.toml, etc.)
2. Create .github/dependabot.yml with the following configuration for the detected ecosystem:
   - Schedule: daily
   - Target branch: staging (create the branch if it doesn't exist)
   - Labels: ["dependencies"]
   - Commit message prefix: "deps"
   - Groups: two groups, one collecting patch and minor updates (pattern "*", patch and minor update types) and one collecting major updates (pattern "*", major update type), so breaking changes are reviewed separately
   - Cooldown: default-days 7 (supply chain security: a new release is not proposed until it is a week old, so a malicious version has time to be detected and pulled before it reaches the project)
3. Add a second entry for github-actions with the same configuration (schedule, target branch, labels, commit message prefix, cooldown)
4. If the GitHub user can be detected from git config or the remote URL, add them as an assignee on both entries
5. If the project uses @types/node, add an ignore rule for major updates (the major version should match the Node runtime version)
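The dependabot.yml the prompt above should produce for a project whose ecosystem was detected as npm, written here as an added example rather than a file from the original page; the assignee octocat, the root directory and the Node 20 major pinned for @types/node are placeholder assumptions to replace with the detected values.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"          # detected from package.json (assumption)
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "staging"
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
    assignees:
      - "octocat"                      # placeholder: user detected from git config / remote
    groups:
      minor-and-patch:                 # one PR for all non-breaking bumps
        patterns: ["*"]
        update-types: ["minor", "patch"]
      major:                           # breaking bumps reviewed on their own
        patterns: ["*"]
        update-types: ["major"]
    cooldown:
      default-days: 7                  # ignore releases younger than a week
    ignore:
      - dependency-name: "@types/node" # typings stay on the runtime's major (Node 20 assumed)
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "staging"
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
    assignees:
      - "octocat"                      # same placeholder as above
    cooldown:
      default-days: 7
```

The cooldown applies to both ecosystems, so a freshly published action version waits out the same seven days as an npm package.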