My Dependabot configuration for Drupal (and other PHP projects)

Matt Glaman
5 min readJan 4, 2024

I use GitHub to host my repositories, such as this website. To keep my dependencies up-to-date, I leverage Dependabot. The product has matured a lot over the past few years. Before, it was a standalone service and then acquired by GitHub. It did not support dependencies managed by Composer. It was pretty spammy and very noisy. However, it has drastically improved over the past few years. Thanks to all of those at GitHub who have worked to improve it (that includes you, Mike Crittenden.)

My Dependabot configuration consists of a few items, nothing overly specific.

  • Defining each ecosystem in my repository (GitHub Actions, Composer, NPM)
  • Specifying a schedule for that ecosystem
  • Setting up ignore rules, such as avoiding major version bumps
  • Defining groups to combine packages that have batched releases.

I’ll walk through the different configuration options. At the end of the blog post, I have two examples: one for my blog and another for a Laravel application with a Vue.js frontend. I recommend reading the full documentation for the dependabot.yml configuration options, as I barely scratch the surface of my usage.



Matt Glaman

PHP software engineer, open source contributor, and speaker