Every project accumulates dependency debt. You pin a version of a library, a Docker base image, a Helm chart, or a GitHub Action, and six months later you're three major versions behind. Security advisories start appearing. Breaking changes accumulate. What was supposed to be a small update becomes a weekend project.

Renovate solves this by making dependency updates continuous and incremental rather than occasional and painful. It runs on a schedule, scans your repository for version references, checks for newer versions, and opens pull requests automatically. You review, merge when ready, and never fall behind again.

What Renovate is

Renovate is an open-source automated dependency update tool created in 2017 and now maintained by Mend.io. It has 20,700+ GitHub stars, 1,489+ contributors, and supports 90+ package managers — far more than any competing tool. It runs as a GitHub App, GitLab bot, self-hosted CLI, or Docker container.

The core loop is simple: Renovate scans your repository files for dependency version references, checks upstream registries for newer versions, and opens a pull request for each update it finds. Each PR includes a changelog, compatibility notes, and optionally a merge confidence score — an aggregate indicator of how likely the update is to break a build, based on data from millions of Renovate updates across public repositories.

It's AGPL-3.0 licensed. The hosted GitHub App from Mend is free for public and private repositories. Self-hosting is free. There's also a paid Enterprise edition with additional controls for large organizations, but for most teams the free options cover everything they need.

What it supports

90+ package managers covers a lot of ground. The practically relevant ones for DevOps teams:

  • Languages — npm/Yarn/pnpm, pip/Poetry/uv, Go modules, Cargo, Maven/Gradle, NuGet, Composer, Bundler
  • Containers — Docker image tags in Dockerfiles, Docker Compose files, and Kubernetes manifests
  • Kubernetes — Helm chart versions, Helmfile, Kustomize
  • Infrastructure as Code — Terraform modules and providers, Pulumi, Ansible
  • CI/CD — GitHub Actions, GitLab CI includes, CircleCI orbs, Buildkite plugins
  • GitOps — Flux HelmReleases and Kustomizations, ArgoCD
  • Non-standard files — regex manager for updating version strings in any file: Makefiles, shell scripts, custom configs

The regex manager deserves a mention — if you have a custom .env file or a Makefile with pinned versions that no standard manager handles, you can write a regex pattern and Renovate will update those too.
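To make the regex manager concrete, here is an added example (not Renovate's own code or configuration): a customManagers entry for version variables in a Makefile, plus a small JavaScript stand-in for Renovate's matching step so the pattern can be tried against a sample file before it goes into renovate.json. The Makefile lines, the variable names and the fileMatch pattern are constructed; the field names (customType, fileMatch, matchStrings, versioningTemplate) and the named capture groups are the ones Renovate's regex manager reads.

```javascript
// Added example, not Renovate's own code. The manager object below is in the
// shape Renovate expects under "customManagers"; extractDependencies() is a
// simplified re-implementation of how the regex manager applies matchStrings.
const makefileManager = {
  customType: "regex",
  fileMatch: ["(^|/)Makefile$"],
  matchStrings: [
    // One annotation comment followed by the variable assignment it describes.
    // Only named groups Renovate understands are used: datasource, depName,
    // versioning, currentValue. A missing group falls back to the *Template field.
    "# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>[^\\s]+)" +
      "(?: versioning=(?<versioning>[a-z-]+))?\\n" +
      "[A-Z_]+\\s*[:?]?=\\s*(?<currentValue>[^\\s]+)",
  ],
  // Used when the annotation does not carry a versioning= field.
  versioningTemplate: "semver",
};

// Constructed sample Makefile content (not from any real repository).
const sampleMakefile = [
  "# renovate: datasource=github-releases depName=kubernetes-sigs/kustomize",
  "KUSTOMIZE_VERSION := v5.4.1",
  "",
  "# renovate: datasource=docker depName=docker.io/library/nginx versioning=docker",
  "NGINX_TAG = 1.25.3",
  "",
  "# a comment Renovate ignores because it carries no annotation",
  "SHELL := /bin/bash",
].join("\n");

// Minimal stand-in for Renovate's Handlebars templates: {{name}} substitution only.
function renderTemplate(template, values) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => values[key] ?? "");
}

// Apply every matchString to the whole file (Renovate's default "any" strategy)
// and build one dependency per match. Each field comes from the named group if
// it matched, otherwise from the manager's <field>Template setting.
function extractDependencies(fileContent, manager) {
  const fields = ["datasource", "depName", "currentValue", "versioning"];
  const deps = [];
  for (const pattern of manager.matchStrings) {
    const re = new RegExp(pattern, "g");
    for (const match of fileContent.matchAll(re)) {
      const groups = match.groups ?? {};
      const dep = {};
      for (const field of fields) {
        if (groups[field] !== undefined) {
          dep[field] = groups[field];
        } else if (manager[`${field}Template`] !== undefined) {
          dep[field] = renderTemplate(manager[`${field}Template`], groups);
        }
      }
      // Without a datasource, a name and a current value there is nothing to look up.
      if (dep.datasource && dep.depName && dep.currentValue) deps.push(dep);
    }
  }
  return deps;
}

// Would this manager be applied to a given repository path?
function fileMatches(manager, path) {
  return manager.fileMatch.some((p) => new RegExp(p).test(path));
}

// The manager as it would sit inside renovate.json (backslashes doubled by JSON).
function renovateJson(manager) {
  return JSON.stringify(
    { $schema: "https://docs.renovatebot.com/renovate-schema.json", customManagers: [manager] },
    null,
    2,
  );
}

console.log(renovateJson(makefileManager));
console.log(extractDependencies(sampleMakefile, makefileManager));
```

Renovate evaluates matchStrings with RE2, so keep to named groups and plain character classes as above; lookbehind and backreferences work in the JavaScript check here but not in the real manager.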

Getting started

The fastest path is the hosted GitHub App. Go to github.com/apps/renovate, install it on your repository, and Renovate opens an onboarding PR with a suggested renovate.json configuration. Merge the onboarding PR and Renovate starts running.

For GitLab, you add the Renovate bot as a project member and configure it through a renovate.json in the root of your repository. For self-hosting, Docker is the simplest path:

docker run --rm \
  -e RENOVATE_TOKEN=your_token \
  -e RENOVATE_REPOSITORIES=your-org/your-repo \
  renovate/renovate:latest

Or with Docker Compose for a scheduled self-hosted setup:

services:
  renovate:
    image: renovate/renovate:latest
    environment:
      RENOVATE_TOKEN: ${RENOVATE_TOKEN}
      RENOVATE_AUTODISCOVER: "true"
    volumes:
      - ./config.js:/usr/src/app/config.js

Configuration basics

Renovate is highly configurable through renovate.json in your repository root. A minimal starting point:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended"
  ]
}

The config:recommended preset is sensible for most teams — it enables grouping of patch updates, sets reasonable schedules, and avoids opening hundreds of PRs at once.

More realistic configuration for a production project:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "schedule": ["before 6am on Monday"],
  "prConcurrentLimit": 5,
  "automerge": false,
  "packageRules": [
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch", "minor"],
      "automerge": true
    },
    {
      "groupName": "AWS SDK",
      "matchPackagePatterns": ["^@aws-sdk/"]
    },
    {
      "matchManagers": ["dockerfile"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ]
}

What this does: runs Monday mornings before 6am, limits concurrent PRs to 5, automerges dev dependency patch and minor updates that pass CI, groups all AWS SDK updates into a single PR, and disables major Docker image updates (which you want to control manually).

Key features

Dependency Dashboard

Renovate creates a special issue in your repository called the Dependency Dashboard. It's a living document showing all pending updates, updates Renovate is waiting on before opening PRs (due to rate limits or schedule), and any configuration issues. You can trigger specific updates directly from the dashboard by checking a checkbox — useful when you want to manually approve a major update that's otherwise on hold.

Automerge

For low-risk updates, you can configure Renovate to merge PRs automatically after CI passes. This works best for patch updates of dev dependencies, pinned GitHub Actions versions, and internal packages you control. The combination of schedule + automerge + CI gates means minor dependency maintenance becomes completely invisible.

Merge confidence

Enterprise and some free users get merge confidence badges on PRs — a score derived from aggregated CI results across millions of public repositories running Renovate. A badge showing "high confidence" on a patch update tells you that this specific version bump rarely breaks CI in the wild. Not a guarantee, but a useful signal for triage.

Grouping

Instead of one PR per package, you can group related packages together. Common patterns: group all linting tools, group all testing libraries, group all AWS SDK packages. Fewer PRs, easier review, less noise.

Vulnerability alerts

Renovate can integrate with GitHub's Dependabot alerts or GitLab's security scanning to immediately create priority PRs when a CVE is associated with one of your dependencies — regardless of your normal schedule.

Renovate vs Dependabot

Dependabot is GitHub's built-in dependency update tool. It's zero-configuration, requires no installation, and handles security updates automatically. For pure GitHub shops with simple stacks, it's a reasonable default.

Renovate wins when:

  • Platform — you're on GitLab, Bitbucket, Azure DevOps, or Gitea. Dependabot is GitHub-only.
  • Package manager breadth — Renovate supports 90+ managers vs Dependabot's 30+. Helm charts, Flux, Terraform providers, GitHub Actions, and non-standard files via regex all work in Renovate.
  • Grouping — Dependabot's grouping is still limited; Renovate's is mature and flexible.
  • Scheduling — Renovate has fine-grained schedule control. Dependabot's is more limited.
  • Automerge behavior — Renovate's automerge is more configurable with better CI integration.
  • Monorepo support — Renovate handles monorepos with multiple package files natively.

Dependabot wins when you want zero-configuration security updates on GitHub and don't need the extra flexibility.

Practical tips

Start with config:recommended — don't try to configure everything upfront. Run Renovate with the recommended preset for a few weeks, see what PRs it opens, and adjust from there.

Set a schedule — without a schedule, Renovate can open a lot of PRs at once. A Monday morning schedule is common: your team starts the week with a batch of dependency updates to triage, not a constant stream.

Pin your Docker base images — use digest pinning for production Dockerfiles. Renovate will update the digest when a new version is available and you'll have a clear PR with the changelog rather than a silent upstream change.
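The digest pinning above, the automerge section and the vulnerability alerts section all end up as settings in the same file. Here is an added example (not the project's own code or config) that puts them together as a self-hosted config.js of the kind the Compose setup earlier mounts at /usr/src/app/config.js, written as a plain object so it can also be serialised into renovate.json. The preset names (docker:pinDigests, helpers:pinGitHubActionDigests) and option names are Renovate's; the schedule, limits and label name are assumptions. The automergeIsBounded() check at the end is an added guardrail you can run in CI, not a Renovate feature.

```javascript
// Added example, not the project's own configuration.
const hardenedConfig = {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended",
    // Rewrite FROM nginx:1.25 to FROM nginx:1.25@sha256:... and keep the digest
    // current, so a re-tagged upstream image cannot change your build silently.
    "docker:pinDigests",
    // Same idea for GitHub Actions: uses: owner/action@<commit sha> # vX.Y.Z
    "helpers:pinGitHubActionDigests",
  ],
  schedule: ["before 6am on Monday"],
  prConcurrentLimit: 5,
  // Manual review is the default; automerge is opted into per rule below.
  automerge: false,
  packageRules: [
    {
      // Low risk: patch and minor bumps of dev-only dependencies, gated on CI.
      matchDepTypes: ["devDependencies"],
      matchUpdateTypes: ["patch", "minor"],
      automerge: true,
    },
    {
      // "Same tag, new digest" updates of already pinned images and actions.
      matchUpdateTypes: ["digest", "pin"],
      automerge: true,
    },
    {
      // Major base image changes stay a deliberate decision.
      matchManagers: ["dockerfile"],
      matchUpdateTypes: ["major"],
      enabled: false,
    },
  ],
  // PRs that fix a known vulnerability bypass the schedule; label them so they
  // are easy to find in review.
  vulnerabilityAlerts: {
    labels: ["security"],
  },
  // Also consult OSV data rather than only the platform's own alert feed.
  osvVulnerabilityAlerts: true,
};

// Update types that a CI-gated automerge is allowed to cover.
const SAFE_AUTOMERGE_TYPES = new Set([
  "patch", "minor", "digest", "pin", "pinDigest", "lockFileMaintenance",
]);

// Guardrail for config reviews: true only if nothing would automerge a major
// update. The top level must not automerge, and every rule that does must be
// restricted to update types from SAFE_AUTOMERGE_TYPES.
function automergeIsBounded(config) {
  if (config.automerge === true) return false;
  for (const rule of config.packageRules ?? []) {
    if (rule.automerge !== true) continue;
    const types = rule.matchUpdateTypes ?? [];
    if (types.length === 0) return false; // unrestricted rule would cover majors
    if (!types.every((t) => SAFE_AUTOMERGE_TYPES.has(t))) return false;
  }
  return true;
}

// The same object in renovate.json form for repositories using the hosted app.
function toRenovateJson(config) {
  return JSON.stringify(config, null, 2);
}

console.log(toRenovateJson(hardenedConfig));
console.log("automerge bounded:", automergeIsBounded(hardenedConfig));
```

In config.js, export the object with module.exports = hardenedConfig; for the hosted app, write toRenovateJson(hardenedConfig) to renovate.json. Running automergeIsBounded() in the pipeline that validates config changes catches the common mistake of a later packageRule quietly widening automerge to everything.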

Use the Dependency Dashboard — it gives you a clear overview of everything Renovate knows about and is tracking. If you see too many PRs, the dashboard is where you adjust the pace.

Group noisy packages — if a particular package releases multiple times a week (common with some AWS SDKs, internal tools, or active OSS projects), group them to reduce PR noise.

Self-hosting on your own infrastructure

If you're running GitLab self-managed or have compliance requirements that prevent using the hosted GitHub App, self-hosting Renovate is straightforward. The most common approach is running it as a cron job:

# GitLab CI scheduled pipeline
renovate:
  image: renovate/renovate:latest
  script:
    - renovate
  only:
    - schedules
  variables:
    # Renovate targets GitHub unless told otherwise; point it at this GitLab instance
    RENOVATE_PLATFORM: gitlab
    RENOVATE_ENDPOINT: ${CI_API_V4_URL}
    RENOVATE_TOKEN: ${GITLAB_RENOVATE_TOKEN}
    RENOVATE_GIT_AUTHOR: "Renovate Bot "
    RENOVATE_AUTODISCOVER: "true"

Schedule this pipeline to run nightly or weekly via GitLab's CI/CD schedules. Renovate will autodiscover all repositories it has access to and open PRs across all of them.

My take

Renovate is one of those tools that you set up once and then mostly forget about — which is exactly what you want from automation. The configuration can get complex for large teams with specific requirements, but config:recommended gets you 80% of the value in 30 minutes.

The combination of 90+ package managers and platform-agnostic design makes it the right choice for anyone not on GitHub-only stacks. For GitLab users especially, Renovate is the clear answer — Dependabot simply doesn't exist for them.

Running Kubernetes? The Helm chart and Flux HelmRelease support is particularly good. Instead of manually checking whether your chart versions are current or periodically discovering that your nginx-ingress is six months behind, Renovate opens a PR with a link to the changelog. You merge when you're ready. Dependency debt stops accumulating.


PIPOLINE · DEVOPS CONSULTING

Need help setting up Renovate?

Setting up Renovate correctly — self-hosted on GitLab, configured for your stack, tuned to avoid PR noise — takes experience to get right the first time. I can handle the setup across your repositories: scheduling, grouping, automerge rules, Docker digest pinning, and Helm chart tracking. You get dependency automation that runs quietly in the background.

Get in touch at pipoline.com →