Dependabot running when not enabled

I just noticed a pull request from Dependabot in one of my repositories. This is unexpected, as I haven’t enabled Dependency Graph or Dependabot in that repo:

This repo is a fork, and the owner of the source repo merges the Dependabot pull requests regularly.

Is this expected behaviour, and if so is there any way to prevent it?

That is probably caused by a .github/dependabot.yml file in the repository, which configures Dependabot for version updates:

From the description there you’d still need to enable version updates in a fork before that file is used. There’s no mention of how to disable it once enabled, but maybe that is a place to start looking? :sweat_smile:


From that page I spotted this section about enabling Dependabot on forks. That refers to the Insights->Dependency Graph->Dependabot page, which looks like this on my fork:

I don’t remember enabling that, but maybe I clicked on it accidentally without noticing :sweat_smile:

The odd thing is that I still don’t have dependency graph enabled. Perhaps Dependabot is pulling the graph from upstream, but that seems like it’d break if I edit the dependencies in my fork :confused:

Unfortunately there doesn’t seem to be any way out of this situation. The documentation only gives one way to switch Dependabot off, and that’s to delete the dependabot.yml file. I don’t want to do that as it will make my fork’s default branch diverge from upstream. If anyone knows a way to fix this I’d appreciate some pointers.


EDIT: I tried switching the three settings shown in my original post on/off to see if that would help. It doesn't seem to have changed anything, plus it won't let me switch off dependency graph:

Notice how now it says public repos always have dependency graph enabled. I guess that’s how Dependabot was running even though I appeared to not have the dependency graph switched on.


This is a known issue, apologies for the confusion and your experience here.

Currently, when you fork a repo with Dependabot version updates enabled, your fork will also have Dependabot version updates enabled. This is because Dependabot version updates is configured with a dependabot.yml config file.

To disable Dependabot version updates, remove the dependabot.yml config file from your repo. (I realize this complicates suggesting changes, which is why this is a bug we are working to address today.)

> EDIT: I tried switching the three settings shown in my original post on/off to see if that would help.

The settings on the Security tab only control Dependabot security updates, not Dependabot version updates. Dependabot version updates are only controlled with the configuration file.

> Notice how now it says public repos always have dependency graph enabled. I guess that’s how Dependabot was running even though I appeared to not have the dependency graph switched on.

Dependency Graph is on for all public repos and cannot be disabled on public repos. Dependabot version updates (which is what you are dealing with here) does not require the dependency graph - it doesn’t check your dependencies from the graph, only suggests edits to what’s in your lockfile.

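For readers trying to work out what in their fork is triggering the pull requests, here is an added example of a .github/dependabot.yml of the kind the answer above refers to. It is not the poster's file and not taken from the thread; the ecosystems, directories and schedule are assumptions for illustration. The open-pull-requests-limit option is a documented per-ecosystem Dependabot setting that the thread does not mention; it is included here because it is the one knob inside the file itself that stops version-update pull requests without deleting the file.

```yaml
# .github/dependabot.yml (added example; ecosystems, directories and
# schedule are assumed, not copied from the thread)
version: 2
updates:
  # As long as an entry like this exists on the default branch, Dependabot
  # opens version-update pull requests for it. The Dependabot toggles on the
  # repository's Security tab only affect security updates, so flipping them
  # does nothing to this entry, which is the situation described in the thread.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

  # Documented option: a limit of 0 disables version-update pull requests for
  # this entry while leaving the file in place. Security updates are unaffected.
  # Caveat: editing the file still makes the fork's default branch diverge from
  # upstream, which is exactly the concern raised above, so this is a workaround
  # for the noise, not for the divergence.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```

To confirm that the file arrived with the fork rather than being added locally, `git log --oneline -- .github/dependabot.yml` on the fork's default branch shows which upstream commit introduced it.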