Recipe

Dependabot Setup

Keep your Meridian dependencies fresh with automated PRs.

1. Enable Dependabot

In your GitHub repo, go to Settings → Code security → Dependabot and enable Dependabot version updates.

2. Create the config

Add .github/dependabot.yml at your repo root:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
      timezone: "America/Chicago"
    open-pull-requests-limit: 5
    versioning-strategy: increase
    labels:
      - "dependencies"
      - "automated"

3. Group patches

Bundle non-breaking (patch-level) updates into a single PR to reduce noise. Append this to the npm entry in your config, at the same indentation as labels:

    groups:
      patch:
        applies-to: version-updates
        patterns:
          - "*"
        update-types:
          - "patch"

4. Verify

After the config is merged, Dependabot opens its first PR within 24 hours. Check the Insights → Dependency graph tab to confirm it's active.

Pro tip: Enable auto-merge for patch-level Dependabot PRs in your repo settings to ship safe updates without manual approval.