If you're using GitHub, Dependabot can automatically keep your TinaCMS packages up-to-date by checking for new versions and opening PRs.

Configuring Dependabot

You have 2 packages to keep an eye out for:

• tinacms
• @tinacms/cli

To do that, just create a dependabot.yml file in your .github folder like this:

# .github/dependabot.yml

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    allow:
      - dependency-name: "tinacms"
      - dependency-name: "@tinacms/*"

Note: You can find more information about the Dependabot config here: Dependabot options reference

This will tell Dependabot to create pull requests whenever any of those packages need to be updated.

How to manage the Pull Requests

By default, Dependabot opens a separate PR for each package.

Since TinaCMS packages often rely on each other, merging PRs individually can result in package.json versions that appear mismatched—even if the correct versions are resolved in the lockfile. This can prevent Dependabot from detecting actual code changes, leading to missed or incomplete updates.

To fix this, update your dependabot.yml config to group TinaCMS packages into a single PR.

Add this at the end:

    #.github/dependabot.yml

    # ...
    groups:
      tinacms:
        patterns:
          - "@tinacms/*"
          - "tinacms"

By doing this you packages will be in sync and updating your TinaCMS version will be easier!