Renovate — Automated Dependency Update Bot
Renovate keeps your dependencies fresh by automatically opening pull requests for updates across 90+ package managers, with fine-grained control over grouping, scheduling, and automerge.
What it is
Renovate is an open-source tool that automates dependency updates by scanning repositories for outdated packages and opening pull requests with the latest versions. Unlike simple bots, it supports 90+ package managers and gives you full control over grouping, scheduling, and automerge rules.
Renovate targets engineering teams that want to eliminate the manual work of keeping projects secure and up to date. It handles package.json, Dockerfile, Helm charts, Terraform modules, Go modules, and dozens more dependency formats.
How it saves time or tokens
Manually checking for dependency updates, reading changelogs, and creating pull requests is time-consuming and error-prone. Renovate automates the entire cycle: scan for updates, generate changelogs, create PRs, and optionally automerge minor/patch updates when CI passes. Grouping related updates (e.g., all ESLint packages) into a single PR reduces review overhead. Rate limiting prevents PR floods that overwhelm reviewers.
How to use
- Install the hosted Mend Renovate GitHub App (zero config):
    # Visit github.com/apps/renovate and install on your repositories
    # Renovate opens an onboarding PR with a default renovate.json config
- Or run Renovate locally via npx:
    npx renovate --token $GITHUB_TOKEN --repositories your-org/your-repo
- Customize behavior with a renovate.json in your repository:
    {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "extends": ["config:recommended"],
      "packageRules": [
        {
          "matchPackagePatterns": ["eslint"],
          "groupName": "eslint",
          "automerge": true
        }
      ],
      "schedule": ["before 7am on Monday"]
    }
Example
A comprehensive Renovate configuration for a production monorepo:
{
  "extends": ["config:recommended", ":automergeMinor"],
  "baseBranches": ["main"],
  "labels": ["dependencies"],
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "branch"
    },
    {
      "matchPackagePatterns": ["@types/*"],
      "groupName": "type-definitions",
      "automerge": true
    },
    {
      "matchManagers": ["dockerfile"],
      "groupName": "docker-images"
    }
  ],
  "prConcurrentLimit": 5,
  "schedule": ["after 10pm and before 5am every weekday"]
}
Common pitfalls
- Not configuring grouping leads to dozens of individual PRs for related packages. Group packages by ecosystem (eslint, babel, testing) to reduce review load.
- Enabling automerge without adequate CI coverage risks merging breaking changes. Ensure your test suite covers critical paths before turning on automerge.
- Running Renovate without a schedule means PRs appear at random times. Set a schedule that aligns with your team's review workflow.
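As an added example (not from this page or from the Renovate project), a small Python audit that flags the three pitfalls above plus any automerge setting that would cover major updates. The two sample configs are constructed for illustration, and the check reads explicit keys only; it does not expand `extends` presets, so a preset that enables automerge is not detected.

```python
import json
from typing import Any

# Constructed sample: a renovate.json exhibiting the pitfalls listed above.
WEAK_CONFIG = json.dumps({
    "extends": ["config:recommended"],
    "automerge": True,
})

# Constructed sample: the same repository with each pitfall addressed.
HARDENED_CONFIG = json.dumps({
    "extends": ["config:recommended"],
    "schedule": ["before 7am on Monday"],
    "prConcurrentLimit": 5,
    "packageRules": [
        {"matchPackagePatterns": ["eslint"], "groupName": "eslint"},
        {"matchUpdateTypes": ["patch"], "automerge": True},
    ],
})


def _rule_automerges_majors(rule: dict[str, Any]) -> bool:
    """True when a packageRule turns automerge on without restricting
    matchUpdateTypes, or restricts it to a set that still includes 'major'."""
    if not rule.get("automerge"):
        return False
    types = rule.get("matchUpdateTypes")
    return types is None or "major" in types


def audit_renovate_config(text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean.
    Heuristic only: presets in 'extends' are not expanded."""
    cfg = json.loads(text)
    rules = cfg.get("packageRules", [])
    findings: list[str] = []
    if "schedule" not in cfg:
        findings.append("no schedule: PRs open whenever Renovate happens to run")
    if "prConcurrentLimit" not in cfg:
        findings.append("no prConcurrentLimit: nothing caps the number of open PRs")
    if not any("groupName" in r for r in rules):
        findings.append("no groupName in any packageRule: related updates arrive as separate PRs")
    if cfg.get("automerge"):  # top-level automerge applies to every update type, majors included
        findings.append("top-level automerge is on, so major updates merge without review")
    for i, rule in enumerate(rules):
        if _rule_automerges_majors(rule):
            findings.append(f"packageRules[{i}] automerges major updates")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_renovate_config(cfg) or ["clean"])
```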
Frequently Asked Questions
Renovate supports 90+ package managers including npm, pip, Maven, Gradle, Go modules, Cargo, Helm, Terraform, Docker, NuGet, Composer, and Bundler. It discovers dependency files automatically in your repository.
Renovate supports more package managers, offers more granular configuration (grouping, scheduling, automerge rules), and can be self-hosted. Dependabot is built into GitHub and simpler to set up but less configurable.
Yes. Configure automerge per package or update type. Renovate waits for CI to pass before merging. You can automerge patches automatically while requiring manual review for major version bumps.
Yes. Renovate supports GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea. The hosted Mend Renovate app is GitHub-only, but the self-hosted version works with all platforms.
Use prConcurrentLimit to cap the number of open PRs. Set a schedule to batch updates at convenient times. Group related packages to combine updates into fewer PRs.