# Complete troubleshooting for when Dependabot doesn't work / no PRs come: isolating causes and fixing by error

> Dependabot doesn't create PRs, doesn't fix vulnerabilities, or errors on a private registry — a practical guide to isolating and fixing common stalls by cause. Faithful to the official documentation (as of June 2026), it explains, with copy-paste confirmation steps: the typical causes of 'no PRs come,' Cannot update to a non-vulnerable version, private_source_* errors, how to read logs, and the latest spec of the @dependabot comment commands that changed in January 2026.

- Published: 2026-06-28
- Author: 友田 陽大
- Tags: Dependabot, Troubleshooting, GitHub Actions, DevSecOps, Dependency management, Supply chain security
- URL: https://tomodahinata.com/en/blog/dependabot-troubleshooting-not-creating-pull-requests-errors-guide
- Category: Dependabot & dependency automation
- Pillar guide: https://tomodahinata.com/en/blog/dependabot-production-guide

## Key points

- 90% of 'no PRs come' is a misunderstanding of configuration. Version updates require `.github/dependabot.yml` — check the path/indentation/ecosystem; reaching `open-pull-requests-limit` (version=5/security=10), `ignore`, and `target-branch` settings are also typical causes.
- The typical case of 'vulnerabilities don't get fixed' is `Cannot update X to a non-vulnerable version`, meaning no patch exists yet or there is a dependency conflict. Enabling version updates to keep dependencies fresh resolves it more easily. `.gitignore`'ing the lockfile is also a classic miss.
- Private-registry errors are four kinds (private_source_not_reachable / authentication_failure / timed_out / certificate_failure). Isolate with the registries definition, Dependabot secrets, and a self-hosted runner.
- Check status in Insights → Dependency graph → Dependabot tab. Last checked and the job log are the primary sources. Manual trigger is also from here.
- On January 27, 2026, @dependabot's PR-lifecycle commands (merge / close / reopen, etc.) were deprecated. Merge/close go to GitHub's standard UI, gh CLI, or REST API. What remains is rebase / recreate / ignore / unignore / show ignore conditions.

---

"I enabled Dependabot, but **no PR comes at all**," "vulnerability alerts appear but **no fix PR is created**," "a **red error** keeps appearing on a private registry" — the most common Dependabot consultation is this kind of **"doesn't work."** Most causes aren't a malfunction but **a misunderstanding of configuration, or insufficient isolation.**

This article systematizes troubleshooting to **reach the cause from the symptom**, as a topic of the [Dependabot production-operations guide](/blog/dependabot-production-guide). It's written as a **checklist** you can confirm in order at hand.

> **Rules for this article**: error names, behavior, and commands are based on the **GitHub official documentation (as of June 2026).** In particular, **the @dependabot comment commands changed on January 27, 2026**, so info from old articles is dangerous (below). Always confirm the latest in the [official troubleshooting](https://docs.github.com/en/code-security/dependabot/troubleshooting-dependabot) before production operation.

---

## 0. First, isolate: which of the "three pillars" is stopped

Dependabot is [a collective name for three separate features](/blog/dependabot-production-guide#0-最重要dependabot-は3本柱である). Identifying **which one isn't working** first narrows the cause at once.

```text
Symptom: no PR for a new version comes
  → a version updates problem (.github/dependabot.yml is required)

Symptom: vulnerability alerts appear but no fix PR comes
  → a security updates problem (whether a patch exists, prerequisites)

Symptom: no vulnerability alerts appear at all
  → an alerts / dependency graph problem (settings toggles)
```

Decide which of these three branches you're in, then proceed to the corresponding chapter.

---

## 1. "No PR for a new version comes" (version updates)

### 1.1 First check `.github/dependabot.yml`

Version updates **don't work without the config file.** Check the following in order.

- **File path**: **`.github/dependabot.yml`** at the repository root (not `.github/workflows/`).
- **YAML indentation**: no tabs, 2 spaces. Are `version: 2` and `updates:` present?
- **The `package-ecosystem` value**: a [correct identifier](/blog/dependabot-yml-configuration-complete-guide#1-package-ecosystem対応エコシステム) like `npm` / `pip` / `gomod` / `docker` / `github-actions`. `node` and `yarn` are wrong (npm/yarn/pnpm are all `npm`).
- **`directory`**: does it point to the directory containing the manifest (the root is `/`)?

### 1.2 "Pull request limit reached"

The official PR-count limit is **version updates = 5 / security updates = 10.** When the limit is reached, no new PRs are created.

- **Fix**: **merge or close** existing Dependabot PRs to free up slots.
- If review can't keep up, [bundle PRs with `groups`](/blog/dependabot-yml-configuration-complete-guide#4-groups複数の更新を1つのprにまとめる) and [automate patch/minor with auto-merge](/blog/dependabot-auto-merge-github-actions-automation-guide). Raising `open-pull-requests-limit` is a symptomatic treatment, not a root-cause fix for the noise.

### 1.3 Other "doesn't come" causes

| Cause | Confirm/fix |
| --- | --- |
| Stopped by `ignore` | Is there an `ignore` condition on that dependency? Confirm with `@dependabot show <name> ignore conditions` (§6) |
| `target-branch` is another branch | Is it watching a non-default branch? PRs are created against that branch |
| Waiting for `schedule` | With `weekly`/`monthly`, nothing comes until the next run. Confirm with a manual trigger (§5) |
| Already latest | If the dependency is already latest, nothing happens (normal) |
| Lockfile not committed | `.gitignore`'ing `package-lock.json`, etc., can prevent resolution |
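A linter for the checks in §1.1 and the `ignore`/`target-branch` causes in §1.3, added here as an example (not code from the original post or from GitHub). It scans the file line by line instead of using a YAML library so it runs with the standard library only, and therefore assumes the usual flat layout of `dependabot.yml` (each update entry opens with `- package-ecosystem:`, one key per line); the ecosystem set is the subset I am certain Dependabot accepts.

```python
import re

# Ecosystem identifiers Dependabot accepts (a subset I am certain of; extend as needed).
KNOWN_ECOSYSTEMS = {
    "bundler", "cargo", "composer", "docker", "elm", "github-actions", "gitsubmodule",
    "gomod", "gradle", "maven", "mix", "npm", "nuget", "pip", "pub", "swift", "terraform",
}
# Names written by mistake and the identifier meant (npm, yarn and pnpm are all "npm").
COMMON_MISTAKES = {"node": "npm", "yarn": "npm", "pnpm": "npm", "python": "pip", "go": "gomod"}
# One "key: value" per line, optionally opening a list item ("- key: value").
KEY_RE = re.compile(r"^\s*-?\s*([a-z-]+):\s*(.*?)\s*$")


def lint_dependabot_yml(text, path=".github/dependabot.yml"):
    """Return findings for the stall causes of sections 1.1 and 1.3; [] means none found."""
    findings = []
    if path != ".github/dependabot.yml":
        findings.append(f"file is at '{path}'; Dependabot only reads .github/dependabot.yml")
    lines = text.splitlines()
    if any("\t" in line for line in lines):
        findings.append("tab characters found; YAML indentation must be 2 spaces")
    for key, pat in (("version: 2", r"^version:\s*['\"]?2['\"]?\s*$"), ("updates:", r"^updates:\s*$")):
        if not any(re.match(pat, line) for line in lines):
            findings.append(f"top-level '{key}' is missing")

    # Collect the keys of each update entry; an entry begins at "package-ecosystem".
    entries, current = [], None
    for line in lines:
        m = KEY_RE.match(line)
        if m and m.group(1) == "package-ecosystem":
            current = {}
            entries.append(current)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip("'\"")

    for n, e in enumerate(entries, 1):
        eco = e["package-ecosystem"]
        if eco in COMMON_MISTAKES:
            findings.append(f"entry {n}: '{eco}' is not an ecosystem; use '{COMMON_MISTAKES[eco]}'")
        elif eco not in KNOWN_ECOSYSTEMS:
            findings.append(f"entry {n}: unknown package-ecosystem '{eco}'")
        # "directories" (a list) is the alternative to "directory"; otherwise a root-relative path.
        directory = e.get("directory", "/" if "directories" in e else "")
        if not directory.startswith("/"):
            findings.append(f"entry {n}: directory must start with '/' (root is '/'), got '{directory}'")
        if "target-branch" in e:
            findings.append(f"entry {n}: PRs target '{e['target-branch']}', not the default branch")
        if "ignore" in e:
            findings.append(f"entry {n}: has 'ignore' rules; review them before suspecting a malfunction")
    return findings
```

Run it against the repository file before opening the job log; an empty list rules out the §1.1 causes and leaves the limit, schedule and "already latest" cases.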

---

## 2. "Vulnerabilities don't get fixed" (security updates / alerts)

### 2.1 "Cannot update X to a non-vulnerable version"

The most frequent message in security updates. It means **"the vulnerability is identified, but it can't be upgraded to a safe version without breaking other dependencies."**

- **Cause**: no fixed version yet, or a **version-constraint conflict** with another package in the dependency graph.
- **Fix**: [**enabling version updates**](/blog/dependabot-yml-configuration-complete-guide) to keep dependencies fresh routinely **raises the probability of resolving a vulnerability with a simple upgrade** when it counts (the official recommendation). The longer dependencies are left stale, the more likely you are to stall on an urgent vulnerability fix.

### 2.2 No alert appears at all

| Check item | Fix |
| --- | --- |
| Is the dependency graph enabled | Turn on **Dependency graph** in Settings → Advanced Security |
| Are Dependabot alerts enabled | Turn on **Dependabot alerts** in the same settings |
| Are security updates enabled | Turn on **Dependabot security updates** in the same settings |
| Is the lockfile committed | Security updates target only dependencies **listed in a manifest or lockfile** |
| Is it a supported ecosystem | Unsupported languages/managers aren't detected |

The operations design for vulnerability response (SLA, auto-triage, grouped security updates) is detailed in the [alerts/security-updates guide](/blog/dependabot-security-updates-alerts-vulnerability-management-guide).

---

## 3. Parsing/resolution errors (dependency files)

### 3.1 "Dependabot can't resolve your LANGUAGE dependency files"

An error of **not being able to resolve the dependency files.**

- **Cause**: a referenced dependency (a local path reference, an unreachable URL, a manifest in another repository, etc.) **can't be accessed.**
- **Fix**: confirm all referenced targets are in **accessible locations.** If referencing a private repo, an organization-level allowance of private-repository access may be needed.

### 3.2 "the dependency file is not parseable / not found"

- **Cause**: a **syntax error** in the manifest/lockfile, or **the file isn't** in the expected location (a `directory` mistake).
- **Fix**: run the package manager locally to confirm the manifest resolves correctly (`npm install` / `pip install` / `go mod tidy`, etc.). Re-check the `directory` path.

---

## 4. Private-registry errors (four categories)

Errors around internal registries are classified by the official docs into four codes. **The code names the cause**, so the fix is quick to find.

| Error (code) | Meaning | Main fix |
| --- | --- | --- |
| `private_source_not_reachable` | **Can't reach** the registry | Network reachability. For a private network not reachable from GitHub-hosted, a **self-hosted runner** |
| `private_source_authentication_failure` | **Authentication failed** | Check the `registries` definition and **Dependabot secrets** (≠ Actions secrets). Token expired, insufficient scope |
| `private_source_timed_out` | The registry response **timed out** | Registry load, network delay. Retry, check the route |
| `private_source_certificate_failure` | **Can't verify the certificate** | Self-signed/internal CA. Check the certificate-chain setting |

How to build the configuration (per-type authentication of `registries`, OIDC, self-hosted runners) is comprehensively covered in the [private-registry authentication guide](/blog/dependabot-private-registries-authentication-self-hosted-runners-guide).

---

## 5. How to read logs and the manual trigger (consult the primary source)

Before guessing, look at the **primary source.**

1. Open the repository's **Insights → Dependency graph → Dependabot** tab.
2. Confirm each ecosystem's **Last checked** (last run) and **status.**
3. If it failed, open the **job log** and search for the above error strings.

You can also **trigger manually** to reproduce/confirm immediately.

- **Version updates**: click **"Check for updates"** in the Dependabot tab.
- **Security updates**: click **"Create Dependabot security update"** on the relevant alert screen.

When "I changed a setting but can't tell if it worked," manual trigger → job log is the shortest verification loop.

---

## 6. @dependabot comment commands (mind the January 2026 change)

You can give instructions to an open PR via a comment. **This changed on January 27, 2026** — copying old articles grabs commands that don't work, so be careful.

### 6.1 The update-behavior control commands that "remain"

These control Dependabot's **update behavior** and remain valid since there's no replacement in GitHub's standard UI.

```text
@dependabot rebase                         # rebase the PR
@dependabot recreate                       # recreate the PR (manual edits are discarded)
@dependabot ignore this dependency         # stop future PRs for this dependency
@dependabot ignore this major version      # ignore this major version
@dependabot ignore this minor version      # ignore this minor version
@dependabot ignore this patch version      # ignore this patch version
@dependabot unignore <dependency>          # lift an ignore
@dependabot show <dependency> ignore conditions  # show the current ignore conditions
```

> Piling up `ignore` via comments accumulates **implicit ignore conditions not written in `dependabot.yml`.** It's a breeding ground for "updates somehow don't come," so take inventory with `show ... ignore conditions` and state permanent rules on the `dependabot.yml` side ([countermeasure for stale ignore rules](/blog/dependabot-yml-configuration-complete-guide#62-ignore対象から外す)).

### 6.2 The deprecated PR-lifecycle commands (2026-01-27)

**The PR-lifecycle operations `@dependabot merge` / `squash and merge` / `cancel merge` / `close` / `reopen`, etc., were deprecated.** GitHub recommends **doing them with the standard PR features.**

| What you want to do | The way going forward |
| --- | --- |
| Merge | GitHub's **Merge button** / `gh pr merge` / [auto-merge workflow](/blog/dependabot-auto-merge-github-actions-automation-guide) |
| Close / reopen | GitHub's **standard UI** / `gh pr close` · `gh pr reopen` / REST API |

An example using the `gh` CLI:

```bash
gh pr merge <PR-number> --squash   # merge (automate with the auto-merge workflow)
gh pr close  <PR-number>           # close
```

### 6.3 Other tips

- To **skip a force-push** (don't let Dependabot overwrite your edits): include `[dependabot skip]` (or `[skip dependabot]` / `[dependabot-skip]` / `[skip-dependabot]`) in the commit message.
- **The 30-day rule**: for a PR not merged within 30 days, Dependabot **stops auto-rebasing.** Manually rebase/recreate an old PR.

---

## 7. A checklist to prevent stalls

- [ ] The path/indentation/`package-ecosystem`/`directory` of `.github/dependabot.yml` are correct
- [ ] The manifest and **lockfile are committed** (not `.gitignore`'d)
- [ ] alerts / security updates / dependency graph are **all ON**
- [ ] On reaching `open-pull-requests-limit`, cycle slots with [groups](/blog/dependabot-yml-configuration-complete-guide#4-groups複数の更新を1つのprにまとめる) and [auto-merge](/blog/dependabot-auto-merge-github-actions-automation-guide)
- [ ] Private registries are configured with [registries + Dependabot secrets + a self-hosted runner](/blog/dependabot-private-registries-authentication-self-hosted-runners-guide)
- [ ] Periodically inventory the `ignore` increased via comments (`show ... ignore conditions`)
- [ ] Unify PR operations to **the standard UI / `gh` CLI / auto-merge** (don't use deprecated commands)

---

## 8. FAQ

**Q. I placed dependabot.yml but no PR comes.**
A. Confirm the path (`.github/dependabot.yml`), indentation, `package-ecosystem`, and `directory`, and manually run "Check for updates" in the Dependabot tab to see the job log. If it's already latest, nothing happening is normal.

**Q. I'm told "Cannot update X to a non-vulnerable version."**
A. There's no fixed version or the dependencies conflict. Enabling version updates to keep dependencies fresh resolves it more easily. If it can't be fixed, record the decision on a mitigation or library replacement.

**Q. I get an authentication error on a private registry.**
A. If `private_source_authentication_failure`, check the `registries` definition and **Dependabot secrets** (separate from Actions secrets). Token expiry and insufficient scope are classics.

**Q. `@dependabot merge` stopped working.**
A. The PR-lifecycle commands were deprecated on January 27, 2026. For merge, use GitHub's Merge button / `gh pr merge` / the [auto-merge workflow](/blog/dependabot-auto-merge-github-actions-automation-guide).

**Q. Where can I see the logs?**
A. Insights → Dependency graph → Dependabot tab. Last checked and each job's log are the primary sources.
