Set Dependabot to run only specific dependency types

How to limit dependencies to one or more semantic versioning levels

We have a Ruby on Rails project that we are sunsetting and we want to tell Dependabot to only update minor versions of Gems as we don’t want to introduce any potential breaking changes to the project.

We can specify this in the Dependabot configuration file like so:

.github/dependabot.yml

version: 2

updates:
  - package-ecosystem: bundler
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    groups:
      security-updates:
        applies-to: security-updates
        patterns:
          - '*'
        update-types:
          - 'minor'
          - 'patch'
      version-updates:
        applies-to: version-updates
        patterns:
          - '*'
        update-types:
          - 'minor'
          - 'patch'

Everything in the groups section breaks down as follows:

  • security-updates / version-updates: the group names (you can pick any name); the applies-to value beneath each one tells Dependabot which type of update the group covers
  • patterns: specifies which Gems the group applies to. I have put '*' as I want it to apply to all of the Gems in the project, but you could list specific dependencies instead
  • update-types: these follow semantic versioning levels (major.minor.patch / 1.2.3), so you can specify whichever of the three are relevant to your project

For more information, check out the Dependabot documentation for groups.
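One caveat worth checking before relying on the configuration above: update-types under groups only decides which updates get bundled into a single grouped pull request. A major bump that falls outside those types is not blocked by the group; Dependabot can still open it as its own pull request. The ignore key, with update-types set to "version-update:semver-major", is the setting that actually suppresses major bumps. The Ruby script below is an added example (it is not from this post and not part of Dependabot): it reads a constructed dependabot.yml that carries both the group and such an ignore rule, works out which semver levels Dependabot may still propose, and then compares two constructed Gemfile.lock snapshots to flag any bump that exceeds those levels. The function names (allowed_levels, bump_level, lock_versions, disallowed_bumps, audit), the gem names and all version numbers are invented for the example.

```ruby
require "yaml"

# Constructed example config (not the post's file): the version-updates
# group from the post plus an `ignore` rule, because `update-types` under
# `groups` only controls bundling; `ignore` is what stops major bumps.
DEPENDABOT_YML = <<~YAML
  version: 2
  updates:
    - package-ecosystem: bundler
      directory: "/"
      schedule:
        interval: weekly
      ignore:
        - dependency-name: "*"
          update-types: ["version-update:semver-major"]
      groups:
        version-updates:
          applies-to: version-updates
          patterns: ["*"]
          update-types: ["minor", "patch"]
YAML

# Constructed Gemfile.lock snapshots: before and after a hypothetical update.
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.15.4)
      puma (6.3.1)
      rails (7.0.8)
LOCK

AFTER_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.15.5)
      puma (6.4.0)
      rails (8.0.0)
LOCK

LEVELS = %w[major minor patch].freeze

# Returns the semver levels Dependabot may still propose for the given
# ecosystem, after applying the config's catch-all ("*") ignore rules.
def allowed_levels(config_yaml, ecosystem)
  config = YAML.safe_load(config_yaml)
  entry = config.fetch("updates").find { |u| u["package-ecosystem"] == ecosystem }
  return LEVELS if entry.nil?

  ignored = (entry["ignore"] || [])
            .select { |rule| rule["dependency-name"] == "*" }
            .flat_map { |rule| rule["update-types"] || [] }
            .map { |type| type.sub("version-update:semver-", "") }
  LEVELS - ignored
end

# Classifies the bump from old_version to new_version as "major", "minor"
# or "patch"; nil when the version did not go up. Uses RubyGems' own
# version parsing so "7.1.0.rc1"-style versions compare correctly.
def bump_level(old_version, new_version)
  old_v = Gem::Version.new(old_version)
  new_v = Gem::Version.new(new_version)
  return nil unless new_v > old_v

  old_segments = old_v.segments
  new_segments = new_v.segments
  3.times do |i|
    return LEVELS[i] if old_segments[i].to_i != new_segments[i].to_i
  end
  "patch" # only pre-release or trailing segments differ
end

# Extracts {gem_name => version} from the specs section of a Gemfile.lock.
# Resolved gems are indented by exactly four spaces: "    rails (7.0.8)".
def lock_versions(lockfile)
  lockfile.scan(/^ {4}(\S+) \(([^)\s]+)\)$/).to_h
end

# Compares two lockfiles and returns {gem => [old, new, level]} for every
# bump whose semver level is not in the allowed list.
def disallowed_bumps(before_lock, after_lock, allowed)
  before = lock_versions(before_lock)
  lock_versions(after_lock).each_with_object({}) do |(name, new_v), out|
    old_v = before[name]
    next if old_v.nil?

    level = bump_level(old_v, new_v)
    next if level.nil? || allowed.include?(level)

    out[name] = [old_v, new_v, level]
  end
end

# Runs the whole check against the constructed inputs above.
def audit(config_yaml = DEPENDABOT_YML, before = BEFORE_LOCK, after = AFTER_LOCK)
  disallowed_bumps(before, after, allowed_levels(config_yaml, "bundler"))
end

if $PROGRAM_NAME == __FILE__
  audit.each do |name, (old_v, new_v, level)|
    puts "#{name}: #{old_v} -> #{new_v} is a #{level} bump, which is not allowed"
  end
end
```

Run against the constructed inputs, the script reports only rails (7.0.8 to 8.0.0, a major bump); the nokogiri patch bump and the puma minor bump pass. Pointing it at a real dependabot.yml and the lockfile before and after a Dependabot pull request gives a quick pre-merge check that the project is only receiving the update levels the configuration intends.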
