Configuration

Azure DevOps-specific configuration differences and examples for dependabot.yml.

Paklo uses the standard GitHub Dependabot configuration format. For complete configuration options, see GitHub's Dependabot Configuration Reference. This page only documents Azure DevOps-specific differences and behaviors.

File Location

Place your configuration file at:

.github/dependabot.{yml,yaml} (recommended)
.azuredevops/dependabot.{yml,yaml} (alternative)

Basic Example

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

Azure DevOps-Specific Behaviors

Schedule

Although this is required for your configuration file to be parsed correctly, it is only used in the hosted version. For the free extension or CLI, you are responsible for scheduling at an appropriate time.

You can use pipeline scheduled triggers when using the extension.

Assignees

Azure DevOps doesn't support pull request assignees. The assignees field is implemented as optional reviewers:

assignees:
  - "user1"
  - "user2"

These users will be added as optional reviewers.

For required reviewers, use branch policies in Azure DevOps as you would have them configured for other types of pull requests.

Variable Substitution

Use ${{ VARIABLE_NAME }} syntax for secrets in the registries section:

registries:
  private-nuget:
    type: nuget-feed
    url: https://nuget.example.com
    token: ${{ NUGET_TOKEN }}

Variable substitution only works for secret values: username, password, token, key Environment variables and pipeline variables are automatically available when using the extension or CLI. The hosted version offers secure organization secrets.

Azure DevOps PAT Format

For Azure DevOps Artifacts feeds, you may need to prefix tokens with PAT: or : to use basic authentication:

registries:
  azure-artifacts:
    type: nuget-feed
    url: https://dev.azure.com/org/_packaging/feed/nuget/v3/index.json
    token: PAT:${{ AZDO_PAT }}

Common Configuration Examples

Monorepo with Multiple Ecosystems

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    labels: ["dependencies", "frontend"]

  - package-ecosystem: "npm"
    directory: "/backend"
    schedule:
      interval: "weekly"
    labels: ["dependencies", "backend"]

  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

With Private Registry

version: 2
registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{ NPM_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - npm-private

For more on configuring private package registries see Private Registries

Security-Only Updates

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0  # Only security updates
    assignees:
      - "security-team"

For more on security-only updates and custom advisories see Security Advisories

Grouped Updates

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      development:
        dependency-type: "development"
      production-minor:
        update-types: ["minor", "patch"]
        dependency-type: "production"

How is this guide?

Last updated on

File Location

Place your configuration file at:

.github/dependabot.{yml,yaml} (recommended)
.azuredevops/dependabot.{yml,yaml} (alternative)

Basic Example

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

assignees:
  - "user1"
  - "user2"

These users will be added as optional reviewers.

For required reviewers, use branch policies in Azure DevOps as you would have them configured for other types of pull requests.

Variable Substitution

Use ${{ VARIABLE_NAME }} syntax for secrets in the registries section:

registries:
  private-nuget:
    type: nuget-feed
    url: https://nuget.example.com
    token: ${{ NUGET_TOKEN }}

Azure DevOps PAT Format

For Azure DevOps Artifacts feeds, you may need to prefix tokens with PAT: or : to use basic authentication:

registries:
  azure-artifacts:
    type: nuget-feed
    url: https://dev.azure.com/org/_packaging/feed/nuget/v3/index.json
    token: PAT:${{ AZDO_PAT }}

Common Configuration Examples

Monorepo with Multiple Ecosystems

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    labels: ["dependencies", "frontend"]

  - package-ecosystem: "npm"
    directory: "/backend"
    schedule:
      interval: "weekly"
    labels: ["dependencies", "backend"]

  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

With Private Registry

version: 2
registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com
    token: ${{ NPM_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    registries:
      - npm-private

For more on configuring private package registries see Private Registries

Security-Only Updates

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0  # Only security updates
    assignees:
      - "security-team"

For more on security-only updates and custom advisories see Security Advisories

Grouped Updates

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      development:
        dependency-type: "development"
      production-minor:
        update-types: ["minor", "patch"]
        dependency-type: "production"

How is this guide?

Last updated on

File Location

Basic Example

Azure DevOps-Specific Behaviors

Schedule

Assignees

Variable Substitution

Azure DevOps PAT Format

Common Configuration Examples

Monorepo with Multiple Ecosystems

With Private Registry

Security-Only Updates

Grouped Updates

On this page

Configuration

File Location

Basic Example

Azure DevOps-Specific Behaviors

Schedule

Assignees

Variable Substitution

Azure DevOps PAT Format

Common Configuration Examples

Monorepo with Multiple Ecosystems

With Private Registry

Security-Only Updates

Grouped Updates

On this page