Skip to main content
GitHub Docs
Search
Select language: current language is English
Open Search BarClose Search Bar
Open Menu
Open Sidebar
  • Secure coding/
  • GitHub security features
  • Audit security alerts
  • Enable security features in trial
  • Choose security configuration
    • Configure global settings
    • Edit custom configuration
    • Delete custom configuration
    • Push protection
    • Enable push protection
    • Resolve alerts
    • Push protection from the REST API
    • Generate regular expressions with AI
    • About CodeQL code scanning
    • Configure advanced setup
    • Hardware resources for CodeQL
    • Disable Copilot Autofix
    • Track alerts in issues
    • CodeQL query suites
    • C# CodeQL queries
    • Python CodeQL queries
    • Using code scanning with your existing CI system
    • Alerts in generated code
    • Cannot enable CodeQL in a private repository
    • Logs not detailed enough
    • Resource not accessible
    • Two CodeQL workflows
    • GitHub Advanced Security disabled
    • Results file too large
    • Preparing code for analysis
    • Advanced setup of the CodeQL CLI
    • Testing custom queries
    • Specifying command options in a CodeQL configuration file
    • Extractor options
    • bqrs diff
    • database add-diagnostic
    • database create
    • database index-files
    • database run-queries
    • dataset check
    • dataset upgrade
    • execute language-server
    • execute upgrades
    • github merge-results
    • pack ci
    • pack install
    • pack resolve-dependencies
    • query format
    • resolve extensions-by-pack
    • resolve library-path
    • resolve qlpacks
    • resolve tests
    • test run
    • Manage CodeQL databases
    • CodeQL model editor
    • Test CodeQL queries
    • Telemetry
    • About global security advisories
    • Permission levels
    • Edit repository advisories
    • Add collaborators
    • Best practices
    • Dependency graph
    • Export dependencies as SBOM
    • Customize dependency review action
    • Overview
    • Dependabot ecosystem support
    • Configure notifications
    • Manage auto-dismissed alerts
    • Dependabot version updates
    • Control dependency update
    • Auto-update actions
    • Manage Dependabot on self-hosted runners
    • Troubleshoot Dependabot on Actions
    • Dependabot ecosystems/
    • Optimize Java packages

    Optimizing Java packages for Dependabot updates

    By including metadata in your pom.xml file, you can enhance the information available to users in Dependabot pull requests to update your Java packages.

    In this article

    • Including the metadata Dependabot needs in pom.xml files
    • Impact of omitting project metadata from pom.xml files
    • Further reading

    Dependabot uses the information defined in pom.xml files to create pull requests to update Java dependencies for the Gradle and Maven ecosystems. When you include the project metadata that Dependabot expects, pull requests contain links to the release notes for the suggested package update and a link where users can report any issues. This information means that users can update their packages with confidence after reviewing all the release information.

    Including the metadata Dependabot needs in pom.xml files

    Dependabot uses the URLs for the project, the source code management system, and the issue management system to build the summary for update pull requests.

    • url the home page for the project, see More Project Information in the POM reference
    • scm the URL of the source code management system used by the project, see SCM in the POM Reference
    • issueManagement the URL of the issue management system used by the project, see Issue Management in the POM Reference

    Example for a project hosted on GitHub

    <project>
  <url>https://github.com/OWNER/REPOSITORY</url>
  <scm>
    <url>https://github.com/OWNER/REPOSITORY</url>
  </scm>
  <issueManagement>
    <url>https://github.com/OWNER/REPOSITORY/issues</url>
  </issueManagement>
</project>

    Replace OWNER and REPOSITORY with the detailed for your project.

    Impact of omitting project metadata from pom.xml files

    If you forget to include the URLs that Dependabot checks for, then pull requests to update Java packages are still created. However, the information available to users in the pull request summary will be limited.

    • Project repository or Source code management URL undefined: no links to release notes in Dependabot pull requests
    • Issue management URL undefined: no link to the issues page for reporting problems.

    Adding this information helps Dependabot provide better, more accurate updates for your project, complete with helpful links to release notes and issue trackers.

    Further reading

    • Maven SCM Plugin

    Help and support

    Did you find what you needed?

    Privacy
  • Status
  • Blog

    • Follow Lee on X/Twitter - Father, Husband, Serial builder creating AI, crypto, games & web tools. We are friends :) AI Will Come To Life!

    Check out: eBank.nz (Art Generator) | Netwrck.com (AI Tools) | Text-Generator.io (AI API) | BitBank.nz (Crypto AI) | ReadingTime (Kids Reading) | RewordGame | BigMultiplayerChess | WebFiddle | How.nz | Helix AI Assistant