Add dependabot.yml to help control automatic PR behavior (#622)

jairus-m · web-flow · commit e4d11778ed26 · 2026-03-04T13:04:18.000-08:00
## Summary  Adds config to control dependabot behavior. This PR is in response to the internal Slack thread [here](https://dbt-labs.slack.com/archives/C08JCDZDECB/p1772495075910279) on constant up-keep of security bumps to `examples/` manifests. Behavior: - Allow security updates to the root manifest (uv) and the `ui/` folder (npm) - Prevent automatic "latest" version updates - Therefore, dependabot will open PRs for security vulnerabilities for production code ## Checklist - [ ] I have performed a self-review of my code - [ ] I have made corresponding changes to the documentation (in https://github.com/dbt-labs/docs.getdbt.com) if required -- Mention it here - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes ## Additional Notes  Docs to reference: - [depandabots.yml](https://docs.github.com/en/code-security/concepts/supply-chain-security/about-the-dependabot-yml-file) - [exclude-paths config](https://github.blog/changelog/2025-08-26-dependabot-can-now-exclude-automatic-pull-requests-for-manifests-in-selected-subdirectories/) - [open-pull-request-limit config](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#open-pull-requests-limit-) Tested locally with Claude Code + [Dependabot CLI](https://github.com/dependabot/cli) 🤖
diff --git a/.changes/unreleased/Under the Hood-20260303-071210.yaml b/.changes/unreleased/Under the Hood-20260303-071210.yaml
@@ -0,0 +1,3 @@
+kind: Under the Hood
+body: Add dependabot YML config
+time: 2026-03-03T07:12:10.394855-08:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: "uv"
+    directory: "/"
+    # Ignore version update PRs - security updates remain active
+    open-pull-requests-limit: 0
+    exclude-paths:
+      - "examples/**"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "npm"
+    directory: "/ui"
+    # Ignore version update PRs - security updates remain active
+    open-pull-requests-limit: 0
+    schedule:
+      interval: "weekly"
diff --git a/README.md b/README.md
@@ -100,6 +100,10 @@ The dbt MCP server architecture allows for your agent to connect to a variety of
 
 Commonly, you will connect the dbt MCP server to an agent product like Claude or Cursor. However, if you are interested in creating your own agent, check out [the examples directory](https://github.com/dbt-labs/dbt-mcp/tree/main/examples) for how to get started.
 
+## Dependencies
+
+Dependencies are pinned to specific versions and are not updated automatically. Only security-related dependency updates are submitted via automated pull requests.
+
 ## Contributing
 
 Read `CONTRIBUTING.md` for instructions on how to get involved!

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+kind: Under the Hood`
	`2`	`+body: Add dependabot YML config`
	`3`	`+time: 2026-03-03T07:12:10.394855-08:00`