Dependabot Preview is scheduled for shutdown on August 3rd, 2021, which means that the Dependabot Preview REST API documented here will also be shut down. This repository has been archived to reflect that.
Please migrate to GitHub-native Dependabot before then in order to continue keeping your dependencies up to date.
Dependabot has a JSON API to make it easy to bulk-import projects. This API is also used by the Dependabot dashboard.
Please note that Dependabot cannot commit to maintaining backwards compatibility of this API. We will, however, update these docs whenever breaking changes are made (likely to be infrequently). We recommend you "watch" this repo to receive notifications of any changes.
Dependabot uses GitHub access tokens to authenticate users. To use the API:
- Create a GitHub personal access token
with
repopermissions (so the token can see private repos) - Add an
Authorization: Personal <token>header to all requests using this access token
We use the access token you provide to ensure you have sufficient GitHub permissions to undertake any actions you request through the Dependabot API.
GET https://api.dependabot.com/accounts
Returns all Dependabot accounts that the authenticated user has access to.
Example response
{
"data": [
{
"id": "27347476",
"type": "accounts",
"attributes": {
"github-id": 27347476,
"github-login": "dependabot",
"github-account-type": "org",
"access-granted-to-all-repos": true,
"current-installation-id": 25920,
"plan-name": "free",
"plan-number": 7,
"free-trial-end-date": null,
"automatically-rebase-prs": true,
"update-run-time": "05:00",
"create-merge-commits": false,
"weekly-update-run-day": "monday",
"limit-initial-update-runs": true,
"limit-open-pull-requests": true
}
},
{
"id": "1144873",
"type": "accounts",
"attributes": {
"github-id": 1144873,
"github-login": "greysteil",
"github-account-type": "user",
"access-granted-to-all-repos": true,
"current-installation-id": 132882,
"plan-name": "free",
"plan-number": 7,
"free-trial-end-date": null,
"automatically-rebase-prs": true,
"update-run-time": "02:15",
"create-merge-commits": true,
"weekly-update-run-day": "monday",
"limit-initial-update-runs": true,
"limit-open-pull-requests": true
}
}
]
}
GET https://api.dependabot.com/repos?account-id=27347476&account-type=org&installation-state=active
Returns active or inactive repos for the specified account.
- The
installation-stateparam must beactiveorinactive inactiverepos are paginated (100 repos per page)- Pass the
page=numparam to paginate the results (defaults topage=1) - The next page number is returned in the response:
response.meta.pages.next
- Pass the
Example response
{
"data": [
{
"id": "93163073",
"type": "repos",
"attributes": {
"github-id": 93163073,
"name": "dependabot-core",
"installation-state": "active",
"private": false,
"fork": false,
"github-url": "https://github.com/dependabot/dependabot-core",
"primary-language": "ruby",
"default-branch": "master",
"using-config-file":true
},
"relationships": {
"update-configs": {
"data": [
{
"id": "1332",
"type": "update-configs"
},
{
"id": "5061",
"type": "update-configs"
},
{
"id": "275",
"type": "update-configs"
},
{
"id": "879",
"type": "update-configs"
},
{
"id": "1672",
"type": "update-configs"
},
{
"id": "326",
"type": "update-configs"
},
{
"id": "3123",
"type": "update-configs"
}
]
},
"account": {
"data": {
"id": "27347476",
"type": "accounts"
}
}
}
},
{
"id": "131328855",
"type": "repos",
"attributes": {
"github-id": 131328855,
"name": "dependabot-script",
"installation-state": "active",
"private": false,
"fork": false,
"github-url": "https://github.com/dependabot/dependabot-script",
"primary-language": "ruby",
"default-branch": "master",
"using-config-file":true
},
"relationships": {
"update-configs": {
"data": [
{
"id": "4925",
"type": "update-configs"
}
]
},
"account": {
"data": {
"id": "27347476",
"type": "accounts"
}
}
}
}
],
"included": [
{
"id": "1332",
"type": "update-configs",
"attributes": {
"language": "javascript",
"package-manager": "npm_and_yarn",
"update-schedule": "live",
"directory": "/helpers/npm",
"automerge-rule-runtime-deps": "semver:patch",
"automerge-rule-development-deps": "semver:minor",
"target-branch": null,
"lockfile-only": false,
"security-updates-only": false
},
"relationships": {
"repo": {
"data": {
"id": "93163073",
"type": "repos"
}
}
}
},
{
"id": "5061",
"type": "update-configs",
"attributes": {
"language": "java",
"package-manager": "gradle",
"update-schedule": "daily",
"directory": "/helpers/gradle",
"automerge-rule-runtime-deps": "never",
"automerge-rule-development-deps": "never",
"target-branch": null,
"lockfile-only": false,
"security-updates-only": false
},
"relationships": {
"repo": {
"data": {
"id": "93163073",
"type": "repos"
}
}
}
},
{
"id": "275",
"type": "update-configs",
"attributes": {
"language": "php",
"package-manager": "composer",
"update-schedule": "live",
"directory": "/helpers/php",
"automerge-rule-runtime-deps": "semver:patch",
"automerge-rule-development-deps": "semver:patch",
"target-branch": null,
"lockfile-only": false,
"security-updates-only": false
},
"relationships": {
"repo": {
"data": {
"id": "93163073",
"type": "repos"
}
}
}
},
{
"id": "879",
"type": "update-configs",
"attributes": {
"language": "javascript",
"package-manager": "npm_and_yarn",
"update-schedule": "live",
"directory": "/helpers/yarn",
"automerge-rule-runtime-deps": "semver:patch",
"automerge-rule-development-deps": "semver:minor",
"target-branch": null,
"lockfile-only": false,
"security-updates-only": false
},
"relationships": {
"repo": {
"data": {
"id": "93163073",
"type": "repos"
}
}
}
},
{
"id": "1672",
"type": "update-configs",
"attributes": {
"language": "python",
"package-manager": "pip",
"update-schedule": "live",
"directory": "/helpers/python",
"automerge-rule-runtime-deps": "semver:patch",
"automerge-rule-development-deps": "semver:patch",
"target-branch": null,
"lockfile-only": false,
"security-updates-only": false
},
"relationships": {
"repo": {
"data": {
"id": "93163073",
"type": "repos"
}
}
}
},
{
"id": "326",
"type": "update-configs",
"attributes": {
"language": "ruby",
"package-manager": "bundler",
"update-schedule": "live",
"directory": "/",
"automerge-rule-runtime-deps": "semver:patch",
"automerge-rule-development-deps": "semver:patch",
"target-branch": null,
"lockfile-only": false,
"security-updates-only": false
},
"relationships": {
"repo": {
"data": {
"id": "93163073",
"type": "repos"
}
}
}
},
{
"id": "3123",
"type": "update-configs",
"attributes": {
"language": "elixir",
"package-manager": "hex",
"update-schedule": "live",
"directory": "/helpers/elixir",
"automerge-rule-runtime-deps": "semver:patch",
"automerge-rule-development-deps": "semver:patch",
"target-branch": null,
"lockfile-only": false,
"security-updates-only": false
},
"relationships": {
"repo": {
"data": {
"id": "93163073",
"type": "repos"
}
}
}
},
{
"id": "4925",
"type": "update-configs",
"attributes": {
"language": "ruby",
"package-manager": "bundler",
"update-schedule": "daily",
"directory": "/",
"automerge-rule-runtime-deps": "never",
"automerge-rule-development-deps": "never",
"target-branch": null,
"lockfile-only": false,
"security-updates-only": false
},
"relationships": {
"repo": {
"data": {
"id": "131328855",
"type": "repos"
}
}
}
}
]
}
POST https://api.dependabot.com/update_configs
{
"repo-id": 93163073,
"package-manager": "bundler",
"update-schedule": "daily",
"directory": "/",
"account-id": "27347476",
"account-type": "org",
}
Creates an update config. The following parameters can be passed:
| Attribute | Default | Description |
|---|---|---|
repo-id |
None (required) | The GitHub ID of the repository |
account-id |
None (required) | The GitHub ID of the repository owner |
account-type |
None (required) | org or user |
directory |
None (required) | The directory of the dependency files. Normally / |
update-schedule |
None (required) | One of live, daily, weekly or monthly |
package-manager |
None (required) | One of bundler, composer, docker, maven, npm_and_yarn, elm, submodules, hex, cargo, gradle, nuget, dep, go_modules, pip, terraform, github_actions |
target-branch |
GitHub default | The branch to create PRs against |
lockfile-only |
false | Ignore updates that are out-of-range of the manifest file |
security-updates-only |
false | Only generate PRs for updates that fix a security vulnerability |
automerge-rule-development-deps |
never |
One of never, security:patch, semver:patch, semver:minor, in_range or all |
automerge-rule-runtime-deps |
never |
One of never, security:patch, semver:patch, semver:minor, in_range or all |
PATCH https://api.dependabot.com/update_configs/:id
{
"update-schedule": "live",
"target-branch": "dev",
"lockfile-only": true,
"security-updates-only": false,
"update-schedule": "daily",
"automerge-rule-development-deps": "semver:patch",
"automerge-rule-runtime-deps": "semver:minor"
}
Update an update config, for example, to change its update schedule.
DELETE https://api.dependabot.com/update_configs/:id
Delete an update config.
POST https://api.dependabot.com/release_notifications/private
{
"name": "your_dependency_name",
"version": "1.5.0",
"package-manager": "bundler"
}
Notifies Dependabot of a private dependency release. In response, Dependabot will check all of the repos that belong to an organization your access token has access to. If any use an outdated version of the dependency Dependabot will create update PRs for them.
Note that this API is not a substitute for Dependabot being able to access your registry. When notified of a new version Dependabot triggers update runs which will query your registry for the latest version.
The name attribute should be the name of the dependency. For Java dependencies
the name is constructed from the groupId and artifactId of the dependency,
joined by a : (for example: org.kohsuke:github-api).
This endpoint is useful to get immediate updates to private dependencies. However, if you release a new version of a private dependency but don't notify Dependabot then it will still pick it up the following morning.