Taming Dependabot: Bundle NuGet, npm, and GitHub Actions Updates Without Merge Conflicts

If you’ve enabled Dependabot, you probably love the automated updates but not the PR storm and the merge conflicts that happen when several PRs touch the same lockfiles or project files.

The cure is Dependabot Groups: batch related updates into a single PR so you merge once and move on.

Why conflicts happen

• npm: multiple PRs each rewrite package-lock.json.
• NuGet: several PRs change the same .csproj / packages.lock.json.
• GitHub Actions: many small PRs bumping actions across several workflow files.

Merge one PR → the others go stale → conflicts or repeated rebases.

The fix: group by ecosystem & update type

• Batch minor/patch together (usually safe).
• Keep majors separate (often need code changes).
• Optionally group security updates for quick handling.
• Limit concurrency with open-pull-requests-limit.

Drop-in config: npm, NuGet & GitHub Actions

Create or edit .github/dependabot.yml:

version: 2
updates:
  # npm (package.json / lockfile)
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 5
    groups:
      npm-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
      npm-majors:
        patterns: ["*"]
        update-types: ["major"]
      npm-security:
        applies-to: security-updates
        patterns: ["*"]

  # NuGet (.csproj, .props, .targets, packages.lock.json)
  - package-ecosystem: nuget
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 5
    groups:
      nuget-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
      nuget-majors:
        patterns: ["*"]
        update-types: ["major"]
      nuget-security:
        applies-to: security-updates
        patterns: ["*"]

  # GitHub Actions (.github/workflows/*.yml)
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 5
    groups:
      actions-all:
        patterns: ["*"]            # one PR for all action bumps
      actions-security:
        applies-to: security-updates
        patterns: ["*"]

Special notes for GitHub Actions

• One PR, many workflows: Grouping will update all matching workflows in one PR (e.g., bump actions/checkout across multiple files together).
• Version style: Dependabot follows tags you use in uses: (e.g., @v4 or @v4.1.0). Using major tags (@v4) gives you a steady cadence of safe bumps.
• Security posture: Many teams pin to major tags (easier updates) or to exact versions. If you pin to commit SHAs, you won’t receive normal semver/tag updates, review your policy and decide which approach fits your supply-chain requirements.
• Noise reduction: Toolchain bursts (e.g., actions/setup-node, setup-dotnet, checkout, upload-artifact) are where grouping shines, one tidy PR instead of five.
• Still stale? Comment @dependabot rebase on the PR to refresh after other merges.

Tips that save time

• Cadence: Weekly works well-predictable and batch-friendly.
• Lockfile only (npm): For infra repos, consider versioning-strategy: lockfile-only.
• Per-folder repos: Add additional updates blocks with different directory values if you have multiple package roots.
• PR hygiene: Keep open-pull-requests-limit low to avoid “PR storms”.

Troubleshooting quick hits

• “Why didn’t X get grouped?”
  Check the patterns and update-types. Majors won’t join a minor/patch group.
• “Why so many Actions PRs?”
  Ensure the github-actions ecosystem has a groups: block (see above).
• “Conflicts anyway?”
  If another large change touched the same files, trigger a rebase (@dependabot rebase). Grouping minimizes, but can’t eliminate, all conflicts.

Official docs

• Dependabot options reference → Groups
  https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups
• Optimizing PR creation with groups
  https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates
• Configuring Dependabot security updates
  https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
• Configuring multi-ecosystem updates
  https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-multi-ecosystem-updates