explaingit

dependabot/dependabot-core

5,585 · Ruby · Audience · developer · Complexity · 4/5 · Setup · hard

TLDR

The core Ruby library powering GitHub's Dependabot service, which automatically scans your project for outdated packages across many ecosystems and opens pull requests with the changes needed to update them.

Mindmap

mindmap
  root((repo))
    What it does
      Scans outdated packages
      Opens update pull requests
      Fetches changelogs
    Ecosystems
      Ruby JavaScript Python
      Go Rust Java
      Docker Terraform
    Platforms
      GitHub Enterprise
      GitLab Azure DevOps
      Bitbucket AWS CodeCommit
    Development
      Docker dev environment
      Dry-run testing
      New ecosystem support


Things people build with this

USE CASE 1

Run Dependabot on your own GitHub Enterprise, GitLab, or Azure DevOps server instead of using GitHub's hosted version.

USE CASE 2

Add automated dependency-update pull requests to projects using Python, JavaScript, Go, Rust, or over a dozen other ecosystems.

USE CASE 3

Contribute support for a new package manager ecosystem to Dependabot's open-source engine.

USE CASE 4

Set up Dependabot to update Docker files, Terraform configs, or Git submodules alongside application dependencies.

Tech stack

Ruby · Docker

Getting it running

Difficulty · hard Time to first run · 1h+

Requires Docker for the development environment and the separate Dependabot CLI to run against real repositories.

In plain English

Dependabot-Core is the engine behind Dependabot, the automated dependency updater built into GitHub. When you enable Dependabot on a repository, it scans your project files for outdated packages, figures out which new version works given all the other things your project depends on, and then opens a pull request with the necessary file changes. This repository is the Ruby library that performs all of that logic.

The library supports a wide range of programming ecosystems: Ruby, JavaScript, Python, PHP, Dart, Elixir, Elm, Go, Rust, Java, Julia, and .NET. It can also update Docker files, Terraform and OpenTofu infrastructure files, Git submodules, and pre-commit hook versions. When it creates a PR, it automatically pulls in the changelogs, release notes, and commit history for the updated package so reviewers have context.

Most developers interact with Dependabot through GitHub's hosted service, where you simply add a configuration file to your repository. But this codebase also allows you to run Dependabot yourself on other platforms, including GitHub Enterprise, GitLab, Azure DevOps, Bitbucket, and AWS CodeCommit. The recommended way to do that is through a separate open-source command-line tool called the Dependabot CLI, which generates dependency diffs that you can then wire up to create pull requests on your own.

For people who want to work on the code itself, the README describes a Docker-based development environment that includes all required language runtimes and tools. There are instructions for writing dry-run tests against real repositories, debugging update logic, running the test suite, and contributing support for entirely new package ecosystems. The project is maintained by GitHub.

Copy-paste prompts

Prompt 1
Show me how to write a dependabot.yml config file for a Python project that auto-updates pip dependencies every week and groups minor and patch bumps into one PR.
Prompt 2
Write a GitHub Actions workflow that uses the Dependabot CLI to generate dependency diffs for a private GitLab repository and open a merge request automatically.
Prompt 3
Explain how dependabot-core resolves version conflicts when updating a package that has conflicting transitive dependencies in a Ruby project.
Prompt 4
Help me configure Dependabot to update both Docker base images and npm packages in the same repository on different schedules.
Prompt 5
Walk me through the Docker dev environment setup for dependabot-core so I can write a dry-run test against a real repository.