"I enabled Dependabot, but no PR comes at all," "vulnerability alerts appear but no fix PR is created," "a red error keeps appearing on a private registry" — the most common Dependabot support question is some form of "it doesn't work." Most causes aren't a malfunction but a misunderstanding of the configuration, or a failure to isolate the cause before acting.
This article, part of the Dependabot production-operations guide, systematizes troubleshooting so you can reach the cause from the symptom. It's written as a checklist you can work through in order.
Rules for this article: error names, behavior, and commands are based on the GitHub official documentation (as of June 2026). In particular, the @dependabot comment commands changed on January 27, 2026, so information from older articles can mislead (see §6). Always confirm the latest in the official troubleshooting documentation before relying on it in production.
0. First, isolate: which of the "three pillars" is stopped
Dependabot is a collective name for three separate features. Identifying which one isn't working first narrows the cause at once.
Symptom: no PR for a new version comes
→ a version updates problem (.github/dependabot.yml is required)
Symptom: vulnerability alerts appear but no fix PR comes
→ a security updates problem (patch availability, prerequisites)
Symptom: no vulnerability alert appears at all
→ an alerts / dependency graph problem (settings toggles)
Decide which of these three branches you're in, then proceed to the corresponding chapter.
1. "No PR for a new version comes" (version updates)
1.1 First check .github/dependabot.yml
Version updates don't work without the config file. Check the following in order.
- File path: .github/dependabot.yml at the repository root (not .github/workflows/).
- YAML indentation: no tabs, 2 spaces. Are version: 2 and updates: present?
- The package-ecosystem value: a correct identifier like npm / pip / gomod / docker / github-actions. node and yarn are wrong (npm, yarn and pnpm are all npm).
- directory: does it point to the directory containing the manifest (the root is /)?
1.2 "Pull request limit reached"
The official PR-count limit is version updates = 5 / security updates = 10. When the limit is reached, no new PRs are created.
- Fix: merge or close existing Dependabot PRs to free up slots.
- If review can't keep up, bundle PRs with groups and automate patch/minor updates with auto-merge. Raising open-pull-requests-limit is a symptomatic treatment, not a root-cause fix for the noise.
1.3 Other "doesn't come" causes
| Cause | Confirm/fix |
|---|---|
| Stopped by ignore | Is there an ignore condition on that dependency? Confirm with @dependabot show <name> ignore conditions (see §6.1) |
| target-branch is another branch | Is it watching a non-default branch? PRs are created against that branch |
| Waiting for schedule | With weekly/monthly, nothing comes until the next run. Confirm with a manual trigger (§5) |
| Already latest | If the dependency is already latest, nothing happens (normal) |
| Lockfile not committed | .gitignore'ing package-lock.json, etc., can prevent resolution |
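As an added example (not a file from the original article), here is a .github/dependabot.yml that passes every check in §1.1 and applies the §1.2 and §1.3 advice: grouped patch/minor updates, an explicit PR limit, an ignore rule kept in the file rather than in PR comments, and a target-branch entry of the kind that explains "PRs land on a branch I wasn't watching." The ecosystem identifiers and keys are GitHub's real ones; the group name, the ignored package name, the /backend directory and the release/2.x branch are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml  (must sit at this path, not under .github/workflows/)
# Added example, not the article's own file. Two-space indentation, no tabs.
version: 2
updates:
  # npm, yarn and pnpm projects all use the "npm" ecosystem identifier.
  - package-ecosystem: "npm"
    directory: "/"                 # where package.json and the lockfile live
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5    # the default; raising it hides noise, grouping removes it
    groups:
      # One PR per run for all patch and minor bumps (candidates for auto-merge).
      npm-minor-and-patch:         # assumed group name
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Written here rather than via "@dependabot ignore" comments, so the
      # rule is visible in code review instead of hidden in PR history.
      - dependency-name: "some-internal-sdk"   # placeholder package name
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "pip"
    directory: "/backend"          # directory containing requirements.txt or pyproject.toml (assumed layout)
    schedule:
      interval: "weekly"

  - package-ecosystem: "github-actions"
    directory: "/"                 # Dependabot locates .github/workflows from the root
    schedule:
      interval: "monthly"
    # Applies to a non-default branch: PRs are opened against it, not main.
    target-branch: "release/2.x"   # assumed branch name
```

If you copy this, run "Check for updates" in the Dependabot tab (§5) afterwards and read the job log: a typo in package-ecosystem or directory shows up there immediately, whereas waiting for the weekly schedule tells you nothing for days.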
2. "Vulnerabilities don't get fixed" (security updates / alerts)
2.1 "Cannot update X to a non-vulnerable version"
The most frequent message in security updates. It means "the vulnerability is identified, but it can't be upgraded to a safe version without breaking other dependencies."
- Cause: no fixed version yet, or a version-constraint conflict with another package in the dependency graph.
- Fix: enabling version updates to keep dependencies fresh routinely raises the probability that a vulnerability can be resolved with a simple upgrade when it counts (the official recommendation). The staler the dependency, the more likely you stall on an urgent vulnerability fix.
2.2 No alert appears at all
| Check item | Fix |
|---|---|
| Is the dependency graph enabled | Turn on Dependency graph in Settings → Advanced Security |
| Are Dependabot alerts enabled | Turn on Dependabot alerts in the same settings |
| Are security updates enabled | Turn on Dependabot security updates in the same settings |
| Is the lockfile committed | Security updates target only dependencies listed in a manifest or lockfile |
| Is it a supported ecosystem | Unsupported languages/managers aren't detected |
The operations design for vulnerability response (SLA, auto-triage, grouped security updates) is detailed in the alerts/security-updates guide.
3. Parsing/resolution errors (dependency files)
3.1 "Dependabot can't resolve your LANGUAGE dependency files"
Dependabot could not resolve the dependency files.
- Cause: a referenced dependency (a local path reference, an unreachable URL, a manifest in another repository, etc.) can't be accessed.
- Fix: confirm all referenced targets are in accessible locations. If referencing a private repo, an organization-level allowance of private-repository access may be needed.
3.2 "the dependency file is not parseable / not found"
- Cause: a syntax error in the manifest/lockfile, or the file isn't in the expected location (a directory mistake).
- Fix: run the package manager locally to confirm the manifest resolves correctly (npm install / pip install / go mod tidy, etc.). Re-check the directory path.
4. Private-registry errors (four categories)
Errors around internal registries are classified by the official docs into four codes. Each code maps to a distinct cause, so once you know the four, the symptom tells you where to look.
| Error (code) | Meaning | Main fix |
|---|---|---|
| private_source_not_reachable | Can't reach the registry | Network reachability. For a private network not reachable from GitHub-hosted infrastructure, use a self-hosted runner |
| private_source_authentication_failure | Authentication failed | Check the registries definition and Dependabot secrets (≠ Actions secrets). Token expired, insufficient scope |
| private_source_timed_out | The registry response timed out | Registry load, network delay. Retry, check the route |
| private_source_certificate_failure | Can't verify the certificate | Self-signed/internal CA. Check the certificate-chain setting |
How to build the configuration (per-type authentication of registries, OIDC, self-hosted runners) is comprehensively covered in the private-registry authentication guide.
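As an added example (not from the original article or the linked guide), the shape of a registries definition that the authentication-failure row above is asking you to check. The registry types and keys are GitHub's real ones; the registry names, hostnames and secret names are assumptions. The secrets must exist as Dependabot secrets in the repository or organization settings, not as Actions secrets, and each updates entry has to opt in to the registry it needs.

```yaml
# .github/dependabot.yml  (added example; registry names, hosts and secret
# names are assumptions). Tokens come from Dependabot secrets, which are
# configured separately from Actions secrets.
version: 2
registries:
  npm-internal:                                # assumed registry name
    type: npm-registry
    url: https://npm.internal.example.com      # placeholder host
    token: ${{ secrets.INTERNAL_NPM_TOKEN }}   # a Dependabot secret, not an Actions secret
  python-internal:                             # assumed registry name
    type: python-index
    url: https://pypi.internal.example.com/simple/   # placeholder host
    username: ${{ secrets.INTERNAL_PYPI_USER }}
    password: ${{ secrets.INTERNAL_PYPI_PASSWORD }}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-internal                           # an update entry must opt in to a registry
    schedule:
      interval: "weekly"
  - package-ecosystem: "pip"
    directory: "/"
    registries:
      - python-internal
    schedule:
      interval: "weekly"
```

Read the four codes against this file: private_source_authentication_failure means the token or username/password behind the secret is wrong, expired or under-scoped; private_source_not_reachable means the url host isn't reachable from where the job runs (no amount of secret-fixing helps, you need a runner inside the network); private_source_certificate_failure means the host presents a certificate the job can't chain to a trusted CA. Only the first one is fixed in this file.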
5. How to read logs and the manual trigger (consult the primary source)
Before guessing, look at the primary source.
- Open the repository's Insights → Dependency graph → Dependabot tab.
- Confirm each ecosystem's Last checked (last run) and status.
- If it failed, open the job log and search for the above error strings.
You can also trigger manually to reproduce/confirm immediately.
- Version updates: click "Check for updates" in the Dependabot tab.
- Security updates: click "Create Dependabot security update" on the relevant alert screen.
When "I changed a setting but can't tell if it worked," manual trigger → job log is the shortest verification loop.
6. @dependabot comment commands (mind the January 2026 change)
You can give instructions to an open PR via a comment. This changed on January 27, 2026 — copying old articles grabs commands that don't work, so be careful.
6.1 The update-behavior control commands that "remain"
These control Dependabot's update behavior and remain valid since there's no replacement in GitHub's standard UI.
@dependabot rebase # rebase the PR
@dependabot recreate # recreate the PR (manual edits are discarded)
@dependabot ignore this dependency # stop future PRs for this dependency
@dependabot ignore this major version # ignore this major version
@dependabot ignore this minor version # ignore this minor version
@dependabot ignore this patch version # ignore this patch version
@dependabot unignore <dependency> # lift the ignore
@dependabot show <dependency> ignore conditions # show the current ignore conditions
Adding ignore rules via comments piles up implicit ignore conditions that aren't written in dependabot.yml. It's a breeding ground for "updates somehow don't come," so take inventory with show ... ignore conditions and state permanent rules on the dependabot.yml side (a countermeasure against ignore sprawl).
6.2 The deprecated PR-lifecycle commands (2026-01-27)
The PR-lifecycle operations @dependabot merge / squash and merge / cancel merge / close / reopen, etc., were deprecated. GitHub recommends doing them with the standard PR features.
| What you want to do | The way going forward |
|---|---|
| Merge | GitHub's Merge button / gh pr merge / auto-merge workflow |
| Close / reopen | GitHub's standard UI / gh pr close · gh pr reopen / REST API |
An example using the gh CLI:
gh pr merge <PR number> --squash # merge (automate via the auto-merge workflow)
gh pr close <PR number> # close
6.3 Other tips
- To skip a force-push (don't let Dependabot overwrite your edits): include [dependabot skip] (or [skip dependabot] / [dependabot-skip] / [skip-dependabot]) in the commit message.
- The 30-day rule: for a PR not merged within 30 days, Dependabot stops auto-rebasing. Manually rebase/recreate an old PR.
7. A checklist to prevent stalls
- The path, indentation, package-ecosystem and directory of .github/dependabot.yml are correct
- The manifest and lockfile are committed (not .gitignore'd)
- alerts / security updates / dependency graph are all ON
- On reaching open-pull-requests-limit, cycle slots with groups and auto-merge
- Private registries: registries + Dependabot secrets + a self-hosted runner where needed
- Periodically inventory the ignore conditions added via comments (show ... ignore conditions)
- Unify PR operations on the standard UI / gh CLI / auto-merge (don't use deprecated commands)
8. FAQ
Q. I placed dependabot.yml but no PR comes.
A. Confirm the path (.github/dependabot.yml), indentation, package-ecosystem, and directory, and manually run "Check for updates" in the Dependabot tab to see the job log. If it's already latest, nothing happening is normal.
Q. I'm told "Cannot update X to a non-vulnerable version."
A. There's no fixed version, or the dependencies conflict. Enabling version updates to keep dependencies fresh makes this easier to resolve. If it can't be fixed, record the decision on a mitigation or library replacement.
Q. I get an authentication error on a private registry.
A. If private_source_authentication_failure, check the registries definition and Dependabot secrets (separate from Actions secrets). Token expiry and insufficient scope are classics.
Q. @dependabot merge stopped working.
A. The PR-lifecycle commands were deprecated on January 27, 2026. For merge, use GitHub's Merge button / gh pr merge / the auto-merge workflow.
Q. Where can I see the logs?
A. Insights → Dependency graph → Dependabot tab. Last checked and each job's log are the primary sources.