Dependabot is GitHub's automated dependency management service that helps keep your project dependencies up-to-date by automatically creating pull requests when new versions are available. Starting in 2025, Dependabot added support for vcpkg.
How Dependabot works with vcpkg
When you enable Dependabot for your vcpkg projects, it monitors your vcpkg.json manifest files and automatically
creates pull requests to update the builtin-baseline commit hash. This ensures your C/C++ dependencies stay current
with the latest versions available in the vcpkg port repository.
Setting up Dependabot for vcpkg
To enable Dependabot version updates for your vcpkg project:
- Create or update your .github/dependabot.yml file in your repository's default branch:

    version: 2
    updates:
      - package-ecosystem: "vcpkg"
        directory: "/" # Location of your vcpkg.json file
        schedule:
          interval: "weekly"

- Customize the configuration based on your project needs:

    version: 2
    updates:
      - package-ecosystem: "vcpkg"
        directory: "/"
        schedule:
          interval: "weekly"
          day: "monday"
          time: "09:00"
          timezone: "America/New_York"
        labels:
          - "dependencies"
          - "vcpkg"
        commit-message:
          prefix: "deps"

Configuration options
Dependabot for vcpkg supports all standard Dependabot configuration options. The key vcpkg-specific requirements are:
- package-ecosystem must be set to "vcpkg".
- directory should point to the location of your vcpkg.json file.
For comprehensive configuration options see the Dependabot options reference.
vcpkg-specific considerations
- Test thoroughly: Baseline updates can introduce breaking changes from dependencies. Always test your build after applying updates.
- Monitor vcpkg announcements: Watch the vcpkg repository for announcements about breaking changes or important updates.
- Consider version pinning: If you need some ports to stay on the same version as you move the rest forward with the
baseline, consider overriding their versions in your vcpkg.json.
vcpkg-specific issues
Dependabot not creating pull requests:
- Ensure your repository has a valid vcpkg.json with a builtin-baseline field.
- Verify the directory path in your configuration points to the correct location.
Build failures after baseline updates:
- Baseline updates may introduce breaking changes from dependencies.
- Review the vcpkg port changes included in the baseline update.
- Consider pinning specific dependency versions in your vcpkg.json if needed.
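
A pre-merge check for the two issues above, as an added example that is not part of the original page or of Dependabot or vcpkg: it confirms that a vcpkg.json has a builtin-baseline for Dependabot to update and lists the ports held back by overrides, which do not move with the baseline and so need their own review. The function name check_manifest, the sample manifest and its placeholder hash are constructed, and the 40-hex-digit baseline format is an assumption.

```python
import json
import re

# Assumption: builtin-baseline is a full 40-hex-digit vcpkg commit hash.
COMMIT_RE = re.compile(r"[0-9a-f]{40}", re.IGNORECASE)

# Constructed sample manifest; the baseline is a placeholder, not a real commit.
SAMPLE = """{
  "name": "example-app",
  "version": "1.0.0",
  "builtin-baseline": "0123456789abcdef0123456789abcdef01234567",
  "dependencies": ["fmt", "zlib"],
  "overrides": [{"name": "fmt", "version": "10.1.1"}]
}"""


def check_manifest(text):
    """Return (problems, pinned) for the text of a vcpkg.json file."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"], {}
    if not isinstance(manifest, dict):
        return ["top-level value must be a JSON object"], {}

    problems, pinned = [], {}
    baseline = manifest.get("builtin-baseline")
    if baseline is None:
        problems.append("no builtin-baseline field for Dependabot to update")
    elif not (isinstance(baseline, str) and COMMIT_RE.fullmatch(baseline)):
        problems.append("builtin-baseline is not a 40-character commit hash")

    # Overrides keep their version when the baseline moves, so collect them
    # for manual review alongside each baseline pull request.
    overrides = manifest.get("overrides", [])
    if not isinstance(overrides, list):
        problems.append("overrides must be an array")
        overrides = []
    for entry in overrides:
        if isinstance(entry, dict) and isinstance(entry.get("name"), str):
            pinned[entry["name"]] = entry.get("version", "<other version field>")
        else:
            problems.append(f"malformed overrides entry: {entry!r}")
    return problems, pinned


if __name__ == "__main__":
    found, held_back = check_manifest(SAMPLE)
    print("problems:", found or "none")
    print("pinned by overrides:", held_back or "none")
```

To check a real project, pass the contents of the vcpkg.json in the directory named in dependabot.yml to check_manifest in place of SAMPLE.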