How does Dependabot determine the target version for upgrades?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

How does Dependabot determine the target version for upgrades?

Explanation:
Dependabot picks the target version by weighing three inputs: the version requirement declared in your manifest (plus any `ignore` or `versioning-strategy` rules in `dependabot.yml`), the versions actually published in the package registry, and the security advisories that affect the dependency. It first reads the declared range (for example `^1.2.0`, which permits minor and patch releases within the 1.x line) and enumerates the published versions that satisfy it, discarding any that would violate the constraint or that fall inside a known advisory's vulnerable range. Which of the remaining versions it proposes depends on the kind of update. A version update (driven by `dependabot.yml`) proposes the highest version that resolves within the allowed range, so you get the newest compatible release. A security update (triggered by an advisory that affects the installed version) proposes the lowest version that is no longer affected, the minimum secure version, because the goal there is to close the vulnerability with the smallest change; if no fixed version exists inside the declared range, the pull request also has to widen the requirement in the manifest. In every case the target is a version that exists in the registry, satisfies (or minimally relaxes) the manifest constraint, and does not reintroduce a known vulnerability, rather than a blind jump to the latest release or an update that ignores advisories.

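To make the selection logic concrete, here is a small model of the two decision paths described above. This is an added example written for this page, not Dependabot's own code (dependabot-core is written in Ruby and resolves real lockfiles); it uses a deliberately simplified npm-style range evaluator (`^`, `~` and plain comparisons, without npm's special handling of `0.x` versions), and the available versions and advisory ranges are constructed for the demonstration, not real advisories.

```python
"""Model of how Dependabot chooses an upgrade target.

Added example, not Dependabot's own code. The registry contents, manifest
constraints and advisory ranges below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

Version = tuple[int, int, int]


def parse(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple that compares numerically."""
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


# Operator order matters: '>=' and '<=' must be tried before '>' and '<'.
_CLAUSE = re.compile(r"^(\^|~|>=|<=|>|<|==)?(\d+\.\d+\.\d+)$")


def satisfies(v: Version, range_spec: str) -> bool:
    """Evaluate a simplified npm-style range; space-separated clauses are ANDed.

    '^1.2.0' = same major and >= 1.2.0, '~1.2.0' = same major.minor and
    >= 1.2.0, '>=1.0.0 <1.2.5' = plain comparison clauses (the shape used
    for an advisory's vulnerable range). npm's special '0.x' caret rules
    are intentionally omitted.
    """
    for clause in range_spec.split():
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, base = m.group(1) or "==", parse(m.group(2))
        ok = {
            "^": v[0] == base[0] and v >= base,
            "~": v[:2] == base[:2] and v >= base,
            ">=": v >= base, "<=": v <= base,
            ">": v > base, "<": v < base, "==": v == base,
        }[op]
        if not ok:
            return False
    return True


@dataclass(frozen=True)
class Advisory:
    name: str              # label for the demo only, not a real advisory ID
    vulnerable_range: str  # affected versions as a range string


def is_vulnerable(v: Version, advisories: list[Advisory]) -> bool:
    return any(satisfies(v, a.vulnerable_range) for a in advisories)


def version_update_target(current, constraint, available, advisories):
    """Version-update mode: the highest published version that is newer than
    the current one, stays inside the manifest constraint and is not itself
    inside any advisory's vulnerable range. None if nothing qualifies."""
    candidates = [v for v in available
                  if v > current and satisfies(v, constraint)
                  and not is_vulnerable(v, advisories)]
    return max(candidates) if candidates else None


def security_update_target(current, constraint, available, advisories):
    """Security-update mode: the lowest published version newer than the
    current one that is outside every vulnerable range (the minimum secure
    version). Returns (version, manifest_change_needed): a fix inside the
    constraint is preferred; if none exists, the lowest fix overall is
    returned and flagged, since the manifest requirement would have to be
    widened. (None, False) if current is not vulnerable or nothing fixes it."""
    if not is_vulnerable(current, advisories):
        return None, False
    fixed = sorted(v for v in available
                   if v > current and not is_vulnerable(v, advisories))
    if not fixed:
        return None, False
    in_range = [v for v in fixed if satisfies(v, constraint)]
    if in_range:
        return in_range[0], False
    return fixed[0], True


# Constructed registry and advisory data for the walk-through.
AVAILABLE = [parse(s) for s in
             ["1.2.0", "1.2.4", "1.2.5", "1.3.0", "1.4.0", "2.0.0", "2.1.0"]]
ADVISORIES = [Advisory("constructed-advisory-1", ">=1.2.0 <1.2.5"),
              Advisory("constructed-advisory-2", "==1.3.0")]
CURRENT = parse("1.2.4")

if __name__ == "__main__":
    for constraint in ("^1.2.0", "~1.2.0"):
        vu = version_update_target(CURRENT, constraint, AVAILABLE, ADVISORIES)
        su, widen = security_update_target(CURRENT, constraint, AVAILABLE, ADVISORIES)
        print(f"{constraint}: version update -> {fmt(vu) if vu else None}, "
              f"security update -> {fmt(su) if su else None} (widen manifest: {widen})")
```

With `^1.2.0` the version-update path skips the vulnerable 1.3.0 and proposes 1.4.0, while the security-update path stops at 1.2.5, the first release outside the advisory's range. Swapping in an advisory that covers the whole 1.x line shows the other edge: no in-range fix exists, the version-update path has nothing to propose, and the security-update path returns 2.0.0 with the manifest-change flag set.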
