This repository was archived by the owner on May 24, 2022. It is now read-only.

Q: how to disable dependabot for a repository? #216

Closed
php-coder opened this issue Oct 16, 2018 · 9 comments

@php-coder

I've decided to not use dependabot any more but I couldn't find in the UI how to turn it off for my repository?

Thanks!

@greysteil
Contributor

Hey @php-coder,

Within the Dependabot dashboard there's a delete option here:

image

You can also uninstall it at the GitHub level by clicking through to configure it here.

Sorry to lose you!

@mlissner

mlissner commented Dec 9, 2019

I'm embarrassed to say this, but I couldn't find the "Dependabot dashboard." It's been a while since I turned it on. Looks like it's here: https://app.dependabot.com (duh).

@FDevman

FDevman commented Jan 13, 2020

Is there a way to disable it without deleting from the repo? I just want it to stop while we sort out bottlenecks in our CI.

@patcon

patcon commented Apr 30, 2020

Agreed. A way to disable via yaml config would be great. Asking a minimally available repo owner to disable and then re-enable is something I'd prefer to avoid :) thx for considering!

@TomasHubelbauer

Steps to disable dependabot on all your repositories:

  • Go to your GitHub Settings
  • Go to Security
  • Scroll to Automated security updates
  • Check the opt-out checkbox and save

Direct link: https://github.com/settings/security#automated-security-fixes

@nik0kin

nik0kin commented May 3, 2020

It's also under Repo settings -> Data services -> Security alerts

@TomasHubelbauer

TomasHubelbauer commented May 3, 2020

I think that's a different thing, no? Security alerts being notifications about potential security problems and this feature being automated PRs to your repos. Very related features nonetheless.

@cuducos

cuducos commented May 13, 2020

Yes, handling Dependabot is really confusing (let alone the dark pattern that it is opt-out, not opt-in since GitHub added it to all repos without explicit consent).

The screen to disable it is not clear about whether:

image

  1. I’m disabling Dependabot itself, i.e. a bot that will open PRs with security fixes updating the version of my dependencies;
  2. Or whether I’m disabling the whole world of ways GitHub have to warn me about security issues, e.g. that yellow warning box on top of the files in a repository I own.

I want 2, but definitely not 1. Personally I find Dependabot extremely invasive and disrespectful since it was rolled out to all repositories without explicit consent. Now, these confusing ways to disable it.

As a bot, Dependabot is incredible, a masterpiece in the tech world. As a product, a flagship UX disaster case IMHO.

@TomasHubelbauer

I don't even mind it being opt-in, because I think the bot has a potential of doing a lot of good and the breadth of its reach amplifies that, but I hate that the opt-out links (for this repository and for all my repositories both) are not in the PR description. I have dozens of single-commit repos where I have captured some code to refer to later but which I am definitely not maintaining in any sense of the word and security PRs for those only serve to bother me with email notifications, one of which resulted in ultimately turning the bot off completely.

If dependabot was more decent, I'd let it run on my repos I actually care about and turn it off on a per-repo basis on those that I don't after the first PR to each of those. But as it stands, there is only the nuclear option and it hurts everyone. It's a lose-lose-lose situation (for the developer, for Dependabot and for the community at large) to have to resort to turning it off this way.
