Scripts · Apr 16, 2026 · 3 min read

Renovate — Automated Dependency Update Bot

Renovate keeps your dependencies fresh by automatically opening pull requests for updates across 90+ package managers, with fine-grained control over grouping, scheduling, and automerge.

Introduction

Renovate is an open-source tool that automates dependency updates by scanning your repositories for outdated packages and opening pull requests with the latest versions. Unlike simple bots, it supports 90+ package managers and gives you full control over grouping, scheduling, and automerge rules. It was created to eliminate the toil of keeping projects secure and up to date.

What Renovate Does

  • Scans repos for dependency files (package.json, Dockerfile, Helm charts, Terraform modules, etc.)
  • Opens pull requests with version bumps, changelogs, and compatibility notes
  • Groups related updates (e.g., all ESLint packages) into a single PR
  • Supports automerge for trusted minor/patch updates with passing CI
  • Runs on a configurable schedule with rate limiting to avoid PR floods

Architecture Overview

Renovate runs as a Node.js CLI or as a hosted bot service. On each run it clones the target repository, discovers dependency files using built-in manager plugins, queries upstream registries for newer versions, applies update rules from renovate.json config, and opens or updates pull requests via the platform API (GitHub, GitLab, Bitbucket, Azure DevOps). The bot is stateless between runs — all state is stored in branches and PRs.

Self-Hosting & Configuration

  • Install globally: npm install -g renovate or use the official Docker image renovate/renovate
  • Create renovate.json at repo root with { "$schema": "https://docs.renovatebot.com/renovate-schema.json" }
  • Set RENOVATE_TOKEN and RENOVATE_PLATFORM env vars for self-hosted mode
  • Use presets like config:recommended for sane defaults or extend with custom rules
  • Schedule runs via cron or run as a persistent service with --autodiscover
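As an added example (not code from the Renovate project or from this page's author), the following JavaScript audits a parsed renovate.json for automerge rules wider than the minor/patch scope described above and for literal credentials in hostRules. The minor/patch policy, the sample config, and the treatment of values starting with "{{" as template references are assumptions of this example.

```javascript
// Added example: audit a parsed renovate.json for risky automerge scope and inline secrets.
// Policy assumption of this example: only minor/patch updates may automerge.
const SAFE_AUTOMERGE_TYPES = new Set(["minor", "patch"]);
const SECRET_KEYS = ["token", "password"];

function auditRenovateConfig(config) {
  const findings = [];
  // A top-level automerge is not limited to any update type.
  if (config.automerge === true) {
    findings.push("top level: automerge is not limited by update type");
  }
  (config.packageRules || []).forEach((rule, i) => {
    if (rule.automerge !== true) return;
    const types = rule.matchUpdateTypes || [];
    const risky = types.filter((t) => !SAFE_AUTOMERGE_TYPES.has(t));
    if (types.length === 0) {
      findings.push(`packageRules[${i}]: automerge without matchUpdateTypes`);
    } else if (risky.length > 0) {
      findings.push(`packageRules[${i}]: automerge covers ${risky.join(", ")}`);
    }
  });
  (config.hostRules || []).forEach((rule, i) => {
    for (const key of SECRET_KEYS) {
      const value = rule[key];
      // Assumption: values starting with "{{" are template references, not literals.
      if (typeof value === "string" && !value.trim().startsWith("{{")) {
        findings.push(`hostRules[${i}]: literal ${key} committed in config`);
      }
    }
  });
  return findings;
}

// Constructed sample config; hosts, package names and the token are placeholders.
const sampleConfig = {
  extends: ["config:recommended"],
  packageRules: [
    { matchUpdateTypes: ["minor", "patch"], automerge: true },
    { matchPackageNames: ["eslint"], automerge: true },
    { matchUpdateTypes: ["major", "minor"], automerge: true },
    { matchPackageNames: ["example-pkg"], enabled: false },
  ],
  hostRules: [
    { matchHost: "registry.example.test", token: "CONSTRUCTED-PLACEHOLDER" },
    { matchHost: "npm.example.test", token: "{{ secrets.NPM_TOKEN }}" },
  ],
};

console.log(auditRenovateConfig(sampleConfig).join("\n"));
```

The check is a heuristic over individual rules: it does not resolve presets pulled in through extends or the way later packageRules override earlier ones.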

Key Features

  • Supports 90+ package managers including npm, pip, Maven, Go, Docker, Terraform, and Helm
  • Replacement and migration PRs when packages are renamed or deprecated
  • Dashboard issue summarizes all pending updates in a single GitHub issue
  • Regex manager lets you define custom dependency patterns for any file format
  • Merge confidence integration shows adoption and test-pass rates for each update

Comparison with Similar Tools

  • Dependabot — GitHub-native but limited to fewer ecosystems and less configurable grouping
  • Snyk — focuses on security vulnerabilities rather than general version freshness
  • Greenkeeper — deprecated in favor of Snyk; Renovate absorbed much of its user base
  • WhiteSource Bolt — commercial scanner with limited free tier vs Renovate's full open-source model
  • Update CLI tools (npm-check, pip-review) — manual and repo-by-repo, no PR automation

FAQ

Q: Can Renovate handle monorepos with multiple package.json files? A: Yes, it discovers all dependency files recursively and can group updates per workspace or across the entire repo.

Q: Does Renovate support private registries? A: Yes, configure hostRules in renovate.json with authentication tokens for npm, Docker, Maven, and other private registries.

Q: How do I prevent Renovate from updating certain packages? A: Use packageRules with enabled: false or pin specific packages with allowedVersions constraints.

Q: Is the Mend Renovate GitHub App free? A: Yes, the hosted GitHub App is free for both public and private repositories with no usage limits.
