How to Disable Dependabot Alerts for a GitHub Repo

If you’re managing a personal project that’s been dormant for months, or maintaining demo repositories for educational purposes, you know the frustration: Dependabot keeps flooding your inbox with security alerts and opening pull requests for dependencies you’re never going to update. Let’s fix that.

This guide shows you exactly how to disable Dependabot alerts and automated pull requests for individual GitHub repositories—both through the GitHub interface and using configuration files. We’ll cover the differences between Dependabot’s three features and how to turn off each one.

Key Takeaways

  • Dependabot consists of three independent features: alerts, security updates, and version updates
  • You can disable Dependabot through GitHub’s UI or configuration files
  • Public repositories may have certain Dependabot features permanently enabled by GitHub
  • Consider selective disabling for monorepos or partially active projects

Understanding Dependabot’s Three Features

Before diving into how to disable Dependabot, it’s crucial to understand what you’re turning off. Dependabot isn’t a single feature—it’s actually three distinct services:

  1. Dependabot alerts: Notifications about security vulnerabilities in your dependencies
  2. Dependabot security updates: Automated pull requests that fix known vulnerabilities
  3. Dependabot version updates: Automated pull requests that keep all dependencies current (not just vulnerable ones)

Each can be disabled independently, giving you granular control over what notifications and PRs you receive.

Method 1: Disable Dependabot Through GitHub Settings

The quickest way to turn off Dependabot is through your repository’s settings page. This method is perfect for one-off changes and requires no code.

Disabling Dependabot Alerts

  1. Navigate to your GitHub repository
  2. Click Settings (if you don’t see it, click the dropdown menu first)
  3. In the sidebar, find the “Security” section and click Code security and analysis
  4. Locate “Dependabot alerts” and click Disable

Disabling Dependabot Security Updates

Follow the same path as above, but look for “Dependabot security updates” instead. Click Disable to stop automatic security PRs.

Note: For public repositories, some Dependabot features may be permanently enabled by GitHub policy.

What About Version Updates?

Version updates are configured differently. If you’ve previously enabled them via a dependabot.yml file, you’ll need to remove that configuration or use the file-based method below to disable them.

Method 2: Disable Dependabot Using Configuration Files

For more permanent or version-controlled changes, use a .github/dependabot.yml configuration file. This approach is ideal when you want to:

  • Document why Dependabot is disabled
  • Apply consistent settings across team members
  • Selectively disable certain features while keeping others

Completely Disable Version Updates

To disable Dependabot version updates, set the pull request limit to zero:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0

This configuration tells Dependabot to check for updates but never open pull requests. Apply this pattern to each package ecosystem in your project (npm, pip, bundler, etc.).

Disable Updates for Specific Dependencies

Sometimes you want to keep Dependabot active but ignore certain problematic dependencies:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "lodash"
      - dependency-name: "react"
        versions: ["16.x", "17.x"]

Remove All Dependabot Configuration

To completely turn off Dependabot version updates, simply delete the .github/dependabot.yml file from your repository. Without this file, Dependabot won’t check for version updates at all. Note that this only affects version updates: Dependabot alerts and security updates are controlled from the repository settings page, not from this file.

Common Scenarios and Solutions

Archived or Inactive Projects

For truly dead projects, disable all three Dependabot features through the GitHub UI. There’s no point in receiving security alerts for code that will never run again.

Demo and Educational Repositories

Consider keeping Dependabot alerts enabled but disabling automatic PRs. This way, you stay informed about vulnerabilities without the PR noise. Students or readers can see security warnings without confusion from automated pull requests.

Monorepos with Mixed Activity

Use the configuration file approach to selectively disable Dependabot for inactive directories while keeping it active for maintained code:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/active-app"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/archived-app"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0
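The three configuration patterns above (a zero pull request limit, ignore rules, and a monorepo with mixed activity) are easy to get wrong silently, so here is an added example, not part of the original article, that audits a Dependabot config and reports every entry that reduces update coverage. It operates on the mapping that PyYAML’s safe_load returns for .github/dependabot.yml; the config is embedded as a constructed dict mirroring the monorepo example so the script runs without extra packages.

```python
"""Audit a Dependabot config for entries that quietly turn updates off.

The config is the mapping PyYAML's safe_load would return for
.github/dependabot.yml; it is embedded here as a constructed dict so the
example runs without extra packages.
"""
from typing import Any

# Constructed sample: the monorepo layout from the article, plus the two
# ignore rules from the earlier example attached to the active app.
SAMPLE_CONFIG: dict[str, Any] = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm", "directory": "/active-app",
         "schedule": {"interval": "weekly"},
         "ignore": [{"dependency-name": "lodash"},
                    {"dependency-name": "react", "versions": ["16.x", "17.x"]}]},
        {"package-ecosystem": "npm", "directory": "/archived-app",
         "schedule": {"interval": "daily"},
         "open-pull-requests-limit": 0},
    ],
}


def audit_dependabot(config: dict[str, Any]) -> list[str]:
    """Return one finding per setting that weakens update coverage.

    Each finding is prefixed with "<ecosystem>:<directory>" so a reviewer can
    map it back to the block in dependabot.yml that produced it.
    """
    findings: list[str] = []
    if config.get("version") != 2:
        findings.append("config: 'version' must be 2 or Dependabot ignores the file")
    for entry in config.get("updates", []):
        label = f"{entry.get('package-ecosystem', '?')}:{entry.get('directory', '?')}"
        # A zero limit is the documented way to disable version updates while
        # keeping the entry in the file; flag it so nobody assumes coverage.
        if entry.get("open-pull-requests-limit") == 0:
            findings.append(f"{label}: version updates disabled (open-pull-requests-limit: 0)")
        for rule in entry.get("ignore", []):
            name = rule.get("dependency-name", "?")
            # An ignore rule without a 'versions' range skips every future
            # release of that package, including ones that carry fixes.
            if not rule.get("versions"):
                findings.append(f"{label}: '{name}' ignored for all versions")
    return findings


if __name__ == "__main__":
    for finding in audit_dependabot(SAMPLE_CONFIG):
        print(finding)
```

Run it against any repository’s config (after loading the file with yaml.safe_load) to get a short list of the places where updates have been turned off or narrowed.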

Important Considerations

When you disable Dependabot security features, you’re accepting responsibility for manually monitoring and updating vulnerable dependencies. For active projects, consider these alternatives before completely disabling:

  • Reduce update frequency instead of disabling entirely
  • Group updates to receive fewer, larger PRs
  • Use ignore rules for specific dependencies rather than blanket disabling

Remember that disabling Dependabot alerts doesn’t make vulnerabilities disappear—it just stops the notifications.

Conclusion

Disabling Dependabot is straightforward whether you prefer clicking through GitHub’s UI or managing configuration files. The key is understanding which of Dependabot’s three features you actually want to turn off and choosing the right method for your workflow. For dormant projects, aggressive disabling makes sense. For anything else, consider selective configuration over complete deactivation.

FAQs

Can I disable Dependabot for a public repository?

Yes, you can disable Dependabot for any repository you own or have admin access to. Navigate to Settings, then Code security and analysis to toggle Dependabot features on or off regardless of repository visibility.

Does disabling Dependabot affect my repository’s security score?

Disabling Dependabot may impact your repository’s security insights and scorecard ratings. GitHub tracks security feature adoption, so turning off alerts and updates could lower your security metrics, though this primarily matters for public or organization repositories.

Can I re-enable Dependabot later?

Absolutely. You can re-enable any Dependabot feature at any time through the same Settings menu or by adding back the dependabot.yml configuration file. Your previous settings won’t be retained, so you’ll need to reconfigure from scratch.