Azure Extension Guide

Complete guide for using, troubleshooting, and developing the Dependabot Azure DevOps extension.

Using the extension

Refer to the extension README.md.

Troubleshooting issues

Dependabot logs more diagnostic information when verbose logs are enabled, i.e. when the System.Debug variable is set to true.

When sharing pipeline logs, please be aware that the task log contains potentially sensitive information such as your DevOps organisation name, project names, repository names, private package feed URLs, the list of dependency names/versions in use, and the contents of any dependency files that are updated (e.g. package.json, *.csproj, etc). The Flame Graph report does not contain any sensitive information about your DevOps environment.

To mask environment secrets from the task log, set the System.Secrets variable to true in your pipeline.
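
The organisation, project, repository and feed names mentioned above can be pseudonymised before a task log is shared. The Node.js script below is an added example, not part of the extension: the function name redactLog, the URL shapes it recognises (dev.azure.com and pkgs.dev.azure.com) and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example (not the extension's own code): pseudonymise Azure DevOps
// identifiers in a task log before attaching it to a public issue.
// Pass 1 learns names from dev.azure.com / pkgs.dev.azure.com URLs;
// pass 2 replaces every occurrence of those names anywhere in the log.
const ADO_URL =
  /https?:\/\/(?:pkgs\.)?dev\.azure\.com\/([^\/\s"'?#]+)(?:\/([^\/\s"'?#_][^\/\s"'?#]*))?(?:\/(_git|_packaging)\/([^\/\s"'?#]+))?/gi;

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function redactLog(text) {
  const aliases = new Map(); // real name -> stable placeholder
  const counters = {};
  const remember = (kind, raw) => {
    if (!raw || aliases.has(raw)) return;
    counters[kind] = (counters[kind] || 0) + 1;
    const alias = `<${kind}-${counters[kind]}>`;
    aliases.set(raw, alias);
    // Names with spaces are URL-encoded inside URLs but plain elsewhere.
    let plain = raw;
    try { plain = decodeURIComponent(raw); } catch { /* malformed escape: keep raw */ }
    if (!aliases.has(plain)) aliases.set(plain, alias);
  };
  for (const m of text.matchAll(ADO_URL)) {
    remember("org", m[1]);
    remember("project", m[2]); // undefined for organisation-scoped URLs
    remember(m[3] === "_packaging" ? "feed" : "repo", m[4]);
  }
  if (aliases.size === 0) return { text, aliases };
  // Single pass, longest name first, so placeholders are never re-matched.
  const names = [...aliases.keys()].sort((a, b) => b.length - a.length);
  const anyName = new RegExp(names.map(escapeRe).join("|"), "g");
  return { text: text.replace(anyName, (hit) => aliases.get(hit)), aliases };
}

// Constructed sample lines, not real task output.
const sampleLog = [
  "Fetching https://dev.azure.com/contoso/Payments%20Core/_git/billing-api",
  "Using feed https://pkgs.dev.azure.com/contoso/_packaging/internal-npm/npm/registry/",
  "Updating @contoso/ledger in project 'Payments Core' repo billing-api",
].join("\n");

console.log(redactLog(sampleLog).text);
```

Dependency names, versions and the contents of updated dependency files are not touched by this script, so review those parts of the log by hand before sharing.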

Development guide

Getting the development environment ready

Install Node.js (22+), Go (1.22+), and Docker (with Linux containers), then install project dependencies using PNPM:

cd extension
pnpm install

Building the extension

cd extension
pnpm build

To then generate an Azure DevOps .vsix extension package for testing, you'll first need to create a publisher account for the Visual Studio Marketplace Publishing Portal. After this, use pnpm package to build the package, with an override for your publisher ID:

pnpm package -- --rev-version --publisher your-publisher-id-here

Installing the extension

To test the extension in an Azure DevOps organisation:

  1. Build the extension .vsix package
  2. Publish the extension to your publisher account
  3. Share the extension with the organisation

Running the task locally

To run the latest task version:

pnpm start

To run a specific task version:

pnpm start:V1 # runs dependabot@1 task
pnpm start:V2 # runs dependabot@2 task

Running the unit tests

cd extension
pnpm test

Architecture

dependabot2 versioned update process diagram

High-level sequence diagram illustrating how the dependabot@2 task performs versioned updates using dependabot-cli. For more technical details, see how dependabot-cli works.

dependabot2 security-only update process diagram

High-level sequence diagram illustrating how the dependabot@2 task performs security-only updates using dependabot-cli.