type: service
status: active
timestamp: 2026-06-20
tags: [services, code-quality, security, dependencies]

Dependabot

Automated dependency security updates — GitHub-native, free for all repos


Role

Automated dependency updates and security alerts for every oriz repo. Opens a PR whenever:

Native GitHub integration — no separate account or token required.

Free tier

Free for all GitHub repos, public and private. No quota on PR count. Two modes:

  1. Security updates (always on by default) — opens a PR whenever a vulnerability is published.
  2. Version updates (opt-in via .github/dependabot.yml) — opens PRs on a schedule for non-security version bumps.

Card / subscription required?

NO. Built into GitHub for every account.

Alternatives

Swap cost

Low. Both alternatives accept similar config and open similar PRs. Switching is a dependabot.yml to renovate.json translation.

Why this is our pick

Zero-config security baseline. Every repo gets a .github/dependabot.yml enabling weekly version updates for the npm ecosystem; security updates are on by default whether the file exists or not. PRs target main, get reviewed by CodeRabbit, and merge under the same biome + CI gates as human PRs.
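An added example of what that per-repo file can look like; it is an illustration written here, not the oriz project's actual dependabot.yml. It assumes package.json sits at the repo root and that the labels and grouping below are wanted; those are assumptions, not settings taken from the page.

```yaml
# Added example, not the project's own file. Enables weekly npm version
# updates (mode 2 above); security updates (mode 1) run whether or not
# this file exists, but once it is present they follow these settings too.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"            # assumption: package.json is at the repo root
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10   # cap on concurrent Dependabot PRs per ecosystem
    labels:
      - "dependencies"             # assumption: label used by the team's review filters
    groups:
      # Batch non-breaking bumps into one PR so reviewers see one diff
      # per week instead of one PR per package; majors stay separate.
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

The grouping keeps review load down without hiding anything: each grouped PR still runs through the same biome + CI gates and CodeRabbit review as a human PR, and a failing gate blocks the whole batch rather than merging a partially tested set of bumps.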

Cross-refs

