
Confusion about dependabot.yml and security updates #42791

@yeikel

Description


What article on docs.github.com is affected?

https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#commit-message--
https://docs.github.com/en/code-security/concepts/supply-chain-security/about-dependabot-security-updates

What part(s) of the article would you like to see updated?

As per https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#commit-message--:

> For security updates: All commit messages follow the defined pattern, unless target-branch defines updates to a non-default branch.

However, this other page: https://docs.github.com/en/code-security/concepts/supply-chain-security/about-dependabot-security-updates

suggests that

> There is no interaction between the settings specified in the dependabot.yml file and Dependabot security alerts,

This seems unclear. One source states that commit messages for security updates follow a defined pattern unless updates target a non-default branch. The other source says Dependabot security updates are not affected by settings in `dependabot.yml`, except for alert closure when related pull requests are merged. 
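As an added illustration (not part of this issue or of the GitHub docs), the two cases the quoted options-reference sentence separates, written as a `dependabot.yml`; the ecosystem, directory and prefix values are assumptions:

```yaml
# Added example, not from the issue or the GitHub docs.
version: 2
updates:
  # Entry 1: no target-branch, so it tracks the default branch.
  # According to the options reference quoted above, security-update
  # pull requests raised from Dependabot alerts follow this commit-message
  # pattern as well.
  - package-ecosystem: "npm"   # assumed ecosystem
    directory: "/"             # assumed manifest location
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "deps"           # assumed prefix
      include: "scope"

  # Entry 2: explicit non-default target-branch. This is the exception the
  # options reference names: its commit-message pattern is not applied to
  # security updates (version updates targeting this branch still use it).
  - package-ecosystem: "npm"
    directory: "/"
    target-branch: "develop"   # assumed branch name
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "develop-deps"   # assumed prefix
```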
