Canarys | IT Services


Capabilities of Dependabot in GitHub with Azure Artifacts


In GitHub, while you can see a list of packages the organization level, the packages are installed to a specific repository. We can see here the instructions for pushing various package ecosystems to GitHub npm, NuGet, Maven, Docker. In case you are storing artifacts/packages in Azure Artifacts, Dependabot also supports private feeds, including Azure Artifacts. We can easily configure that in GitHub simply by providing required credentials from Azure Artifacts.

Configuration Dependabot in GitHub:

Firstly, we have to setup Dependabot secret, in the organization level or repository level under the dependabot section as show below & here


Add the below configuration in the .github/dependabot.yml


Shortly after committing the dependabot.yml file, we can confirm it works as there’s a new Pull Request from Dependabot with package residing in Azure Artifacts


We can also look at our Dependabot logs:


Even though you might have the schedule set to “daily”, Dependabot will run again if you push a change to the .github/dependabot.yml. You can also run it manually at any time by navigating to:

Insights    Dependency Graph     Dependabot     Check for updates

Pull request limit

  • By default, the limit is 5, so Dependabot will only create 5 pull requests for version updates.
  • If you check your pull requests, you might see you have more than 5, but some of those might be Dependabot Security Alerts, which don’t count to that limit.
  • You can also increase the limit by adding the below line in the config file.

                                      “open-pull-requests-limit: 15”


  • Maintaining your internally created packages up to date is made a lot easier by being able to use Dependabot with Azure Artifacts.
  • Automatically be informed when a new version of the package is available, and following a successful build and passing unit tests, you can accept and merge the Pull-Request.
  • If a team doesn’t want to use the updated version, they can simply close the Pull-Request and it won’t be re-opened until a new version of the package is released.

Leave a Reply

Your email address will not be published. Required fields are marked *

Reach Us

With Canarys,
Let’s Plan. Grow. Strive. Succeed.