Renovate — Automated Dependency Update Bot
Renovate keeps your dependencies fresh by automatically opening pull requests for updates across 90+ package managers, with fine-grained control over grouping, scheduling, and automerge.
这个资产会安全暂存
这个资产会先安全暂存。复制的指令会要求 Agent 读取暂存文件,并在激活脚本、MCP 配置或全局配置前先确认。
npx -y tokrepo@latest install 9b8e21a5-3942-11f1-9bc6-00163e2b0d79 --target codex先暂存文件;激活前需要读取暂存 README 和安装计划。
What it is
Renovate is an open-source tool that automates dependency updates by scanning repositories for outdated packages and opening pull requests with the latest versions. Unlike simple bots, it supports 90+ package managers and gives you full control over grouping, scheduling, and automerge rules.
Renovate targets engineering teams that want to eliminate the manual work of keeping projects secure and up to date. It handles package.json, Dockerfile, Helm charts, Terraform modules, Go modules, and dozens more dependency formats.
How it saves time or tokens
Manually checking for dependency updates, reading changelogs, and creating pull requests is time-consuming and error-prone. Renovate automates the entire cycle: scan for updates, generate changelogs, create PRs, and optionally automerge minor/patch updates when CI passes. Grouping related updates (e.g., all ESLint packages) into a single PR reduces review overhead. Rate limiting prevents PR floods that overwhelm reviewers.
How to use
- Install the hosted Mend Renovate GitHub App (zero config):
# Visit github.com/apps/renovate and install on your repositories
# Renovate opens an onboarding PR with a default renovate.json config
- Or run Renovate locally via npx:
npx renovate --token $GITHUB_TOKEN --repositories your-org/your-repo
- Customize behavior with a renovate.json in your repository:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"packageRules": [
{
"matchPackagePatterns": ["eslint"],
"groupName": "eslint",
"automerge": true
}
],
"schedule": ["before 7am on Monday"]
}
Example
A comprehensive Renovate configuration for a production monorepo:
{
"extends": ["config:recommended", ":automergeMinor"],
"baseBranches": ["main"],
"labels": ["dependencies"],
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"automerge": true,
"automergeType": "branch"
},
{
"matchPackagePatterns": ["@types/*"],
"groupName": "type-definitions",
"automerge": true
},
{
"matchManagers": ["dockerfile"],
"groupName": "docker-images"
}
],
"prConcurrentLimit": 5,
"schedule": ["after 10pm and before 5am every weekday"]
}
Related on TokRepo
- DevOps tools — More CI/CD and infrastructure automation tools on TokRepo.
- Testing tools — Browse testing and validation tools for software projects.
Common pitfalls
- Not configuring grouping leads to dozens of individual PRs for related packages. Group packages by ecosystem (eslint, babel, testing) to reduce review load.
- Enabling automerge without adequate CI coverage risks merging breaking changes. Ensure your test suite covers critical paths before turning on automerge.
- Running Renovate without a schedule means PRs appear at random times. Set a schedule that aligns with your team's review workflow.
常见问题
Renovate supports 90+ package managers including npm, pip, Maven, Gradle, Go modules, Cargo, Helm, Terraform, Docker, NuGet, Composer, and Bundler. It discovers dependency files automatically in your repository.
Renovate supports more package managers, offers more granular configuration (grouping, scheduling, automerge rules), and can be self-hosted. Dependabot is built into GitHub and simpler to set up but less configurable.
Yes. Configure automerge per package or update type. Renovate waits for CI to pass before merging. You can automerge patches automatically while requiring manual review for major version bumps.
Yes. Renovate supports GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea. The hosted Mend Renovate app is GitHub-only, but the self-hosted version works with all platforms.
Use prConcurrentLimit to cap the number of open PRs. Set a schedule to batch updates at convenient times. Group related packages to combine updates into fewer PRs.
引用来源 (3)
- Renovate GitHub— Renovate is an automated dependency update tool
- Renovate Documentation— Renovate configuration and package rules
- GitHub Security— Dependency management best practices
讨论
相关资产
Release Please — Automated Releases Based on Conventional Commits
Release Please generates release pull requests and changelogs from Conventional Commit messages, automating semantic versioning and publishing for GitHub repositories.
PDM — Modern Python Package and Dependency Manager
PDM is a Python package and dependency manager that supports PEP 582 and PEP 621 standards, offering fast resolution, lockfiles, and build backends without requiring virtualenvs.
Dependency-Track — Continuous Software Composition Analysis
Dependency-Track is a self-hosted platform that ingests Software Bills of Materials to continuously identify vulnerabilities and license risks across your software portfolio.
Terratest — Automated Testing for Infrastructure Code
Terratest is a Go library that makes it easy to write automated tests for your Terraform, Packer, Kubernetes, and Docker infrastructure.