# Install dependabot with Homebrew

Tool for testing and debugging Dependabot update jobs. Version 1.91.0 via Homebrew; verified 2026-06-29.

## Install

```sh
sudo av install brew:dependabot
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install dependabot
```

  Evidence: local Homebrew formula metadata

## Package facts

- **Package key:** brew:dependabot
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/dependabot>
- **Version:** 1.91.0
- **Source summary:** Tool for testing and debugging Dependabot update jobs
- **Homepage:** <https://github.com/dependabot/cli>
- **Repository:** <https://github.com/dependabot/cli>
- **Upstream docs:** <https://github.com/dependabot/cli#readme>
- **License:** MIT
- **Source archive:** <https://github.com/dependabot/cli/archive/refs/tags/v1.91.0.tar.gz>
- **Last updated:** 2026-06-29T20:51:51Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- dependabot (cli)
- dependabot (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.91.0
- Package-manager updated: 2026-06-29
- Local data: ok
- Upstream repository: https://github.com/dependabot/cli
- Upstream latest detected: v1.91.0 (current)
## Project history and usage

Dependabot CLI is the command-line companion for running Dependabot update jobs outside the hosted GitHub workflow. It is aimed less at end users casually enabling dependency updates and more at maintainers, security engineers, and package ecosystem developers who need to reproduce, debug, or smoke-test the exact update jobs that Dependabot runs.

### Project history

The CLI repository was created under the official Dependabot GitHub organization in 2022. Its README describes a Go command that runs Dependabot jobs, pulls the updater and proxy container images, and records the pull-request operations that a hosted Dependabot run would normally perform.

The tool is closely tied to Dependabot's broader configuration model: the same package ecosystem names, repository paths, registry credentials, and update-job concepts show up in both CLI job files and GitHub's official dependabot.yml documentation.

### Adoption history

Adoption is mainly among people who already operate Dependabot at scale. The README points users to Go installation, GitHub releases, and Homebrew, which made the tool easy to reach from developer laptops and CI debugging sessions without building Dependabot internals by hand.

### How it is used

Typical usage is to run `dependabot update` for a package ecosystem and repository, or to pass a YAML job description for security-update and private-registry cases. The CLI can pass tokens from environment variables into the proxy so that the updater can access GitHub APIs and package registries without directly receiving secrets.

### Why package nerds care

For package nerds, Dependabot CLI is interesting because it exposes the machinery behind automated dependency PRs: ecosystem identifiers, manifest directory selection, registry credentials, update strategies, and the split between updater containers and a credential-injecting proxy.

### Timeline

- 2022: Official dependabot/cli repository created.
- 2022: README examples documented `dependabot update` and smoke-test workflows.
- 2026: GitHub Docs continue to document dependabot.yml as the primary configuration surface for Dependabot.

### Related projects

- Dependabot CLI depends conceptually on dependabot-core for package ecosystem behavior and on GitHub's dependabot.yml configuration model for hosted repository updates.

### Sources

- <https://github.com/dependabot/cli#readme>
- <https://api.github.com/repos/dependabot/cli>
- <https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference>


## Security Notes

No matching local secret-handling manifest was found for dependabot. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: .github/dependabot.yml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** dependabot
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Text processing packages](https://www.automicvault.com/pkg/text-processing-tools/) - Matched text, document, or structured-data processing metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [cargo-edit](https://www.automicvault.com/pkg/brew/cargo-edit/) - Shares av.db curated category or tags: cli, dependencies, dependency-management, developer-tools.
- [cargo-outdated](https://www.automicvault.com/pkg/brew/cargo-outdated/) - Shares av.db curated category or tags: cli, dependencies, dependency-management, developer-tools.
- [dotslash](https://www.automicvault.com/pkg/brew/dotslash/) - Shares av.db curated category or tags: cli, dependencies, dependency-management, developer-tools.
- [renovate](https://www.automicvault.com/pkg/brew/renovate/) - Shares av.db curated category or tags: automation, cli, dependency-management, developer-tools.
- [taze](https://www.automicvault.com/pkg/brew/taze/) - Shares av.db curated category or tags: cli, dependencies, dependency-management, developer-tools.
- [cargo-features-manager](https://www.automicvault.com/pkg/brew/cargo-features-manager/) - Shares av.db curated category or tags: cli, dependency-management, developer-tools.
- [carthage](https://www.automicvault.com/pkg/brew/carthage/) - Shares av.db curated category or tags: cli, dependency-management, developer-tools.
- [carton](https://www.automicvault.com/pkg/brew/carton/) - Shares av.db curated category or tags: cli, dependency-management, developer-tools.

## Combined YAML source

View the package source record on GitHub. [combined/dependabot.yml](https://github.com/automic-vault/db/blob/main/combined/dependabot.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- cross-ecosystem install command graph
