Renovate is an open-source dependency update tool with 20.7k GitHub stars, 1,489 contributors, and over 5,000 releases. It monitors repositories for outdated packages and creates pull requests to keep dependencies current.

With support for over 90 package managers and highly flexible configuration, Renovate is the go-to Dependabot alternative for teams that need advanced scheduling, grouping, and automerge rules. It works on GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea.
What is Renovate?
Renovate scans your project files, detects dependencies across all supported package managers, and creates pull requests when updates are available. Each PR includes changelogs, compatibility information, and (optionally) merge confidence scores.
The tool runs as a GitHub App (hosted by Mend for free), a self-hosted CLI, or a Docker container. Configuration lives in a renovate.json file in your repository root, and presets let you share settings across an organization.
Key features
Package manager highlights
| Category | Managers |
|---|---|
| JavaScript | npm, yarn, pnpm, Bun, Bower |
| Python | pip, Poetry, Pipenv, uv, pip-compile |
| Java/Kotlin | Maven, Gradle, sbt |
| Go | Go modules |
| .NET | NuGet |
| Rust | Cargo |
| PHP | Composer |
| Ruby | Bundler |
| Swift | CocoaPods, Swift PM |
| Infrastructure | Docker, Helm, Terraform, Kubernetes |
| CI/CD | GitHub Actions, GitLab CI, CircleCI, Azure Pipelines |
| Custom | Regex managers for any version string |
Scheduling and grouping
Renovate supports scheduling beyond simple daily/weekly intervals. Use cron expressions, time windows, and timezone-aware scheduling. Group updates by package name patterns, dependency type (production vs. development), or semver level to reduce PR noise.
Security updates
When a CVE is published for a dependency, Renovate creates a pull request immediately, bypassing normal scheduling rules. The PR includes vulnerability details and severity ratings. Security updates get priority treatment in the queue.
Automerge
Set up automerge for low-risk updates. Renovate can automatically merge patch and minor updates that pass CI checks, keeping your dependencies current without manual intervention. Configure conditions per package or update type.
Monorepo support
For monorepos with multiple packages, Renovate understands workspace structures and updates internal dependencies correctly. It groups related updates and respects package-specific version constraints.
Installation
renovate.json in your repository root to set scheduling, grouping, automerge rules, and package-specific policies.
GitHub App (Hosted)
The easiest option is the Mend-hosted Renovate GitHub App:
- Install from github.com/apps/renovate
- Select repositories to enable
- Renovate creates an onboarding PR with default configuration
Self-Hosted
Run Renovate on your own infrastructure:
```bash
# Install CLI
npm install -g renovate

# Run with GitHub token
export GITHUB_TOKEN=your-token
renovate --platform github --token "$GITHUB_TOKEN" owner/repo

# Docker (pass the token as RENOVATE_TOKEN, the variable Renovate reads)
docker run --rm \
  -e RENOVATE_TOKEN="$GITHUB_TOKEN" \
  -e RENOVATE_PLATFORM=github \
  renovate/renovate owner/repo
```
GitLab CI Runner
```yaml
renovate:
  image: renovate/renovate:latest
  script:
    - renovate
  variables:
    RENOVATE_PLATFORM: gitlab
    RENOVATE_TOKEN: $GITLAB_TOKEN
    # Autodiscover runs Renovate on every project the token can access
    RENOVATE_AUTODISCOVER: "true"
```
Configuration
Create renovate.json in your repository root:
```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "security:openssf-scorecard"
  ],
  "schedule": ["before 6am on monday"],
  "timezone": "America/New_York",
  "labels": ["dependencies"],
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true
    },
    {
      "groupName": "linting",
      "matchPackagePatterns": ["eslint", "prettier"]
    },
    {
      "matchPackagePatterns": ["aws-sdk"],
      "enabled": false
    }
  ]
}
```
Common Configurations
```json
{
  "extends": ["config:recommended"],
  "prHourlyLimit": 5,
  "prConcurrentLimit": 10,
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 5am on monday"]
  },
  "regexManagers": [
    {
      "fileMatch": ["Dockerfile"],
      "matchStrings": ["ENV NODE_VERSION=(?<currentValue>.*?)\\n"],
      "depNameTemplate": "node",
      "datasourceTemplate": "node"
    }
  ]
}
```
Integration
GitHub Actions (Self-Hosted)
```yaml
name: Renovate
on:
  schedule:
    - cron: '0 3 * * *'
  workflow_dispatch:
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: renovatebot/github-action@v40
        with:
          token: ${{ secrets.RENOVATE_TOKEN }}
          configurationFile: renovate.json
```
Automerge with GitHub Actions
In renovate.json:
```json
{
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true
    }
  ]
}
```
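A review check for the automerge rules shown in the Configuration and Automerge sections, as an added example that is not part of the original article or of Renovate itself. The policy it applies (only patch and minor count as low risk, a `matchCurrentVersion` constraint is expected when minor updates are automerged, and `minimumReleaseAge` should be set) is an assumption of this example, and the sample config is constructed from the page's rules plus two broader ones for contrast.

```javascript
// Added example (not Renovate code): flag automerge rules in a parsed
// renovate.json whose scope is wider than a reviewer would expect.
// The policy below is this example's assumption, not a Renovate default.
const LOW_RISK = new Set(["patch", "minor"]);

function auditAutomerge(config) {
  const rules = (config.packageRules || []).map((rule, i) => ({
    where: `packageRules[${i}]`,
    rule,
  }));
  // A top-level "automerge": true applies to every update.
  if (config.automerge === true) rules.push({ where: "top level", rule: config });

  const findings = [];
  for (const { where, rule } of rules) {
    if (rule.automerge !== true) continue;
    const types = rule.matchUpdateTypes || [];
    const risky = types.filter((t) => !LOW_RISK.has(t));
    if (types.length === 0) {
      findings.push({ where, issue: "all-update-types" });
    } else if (risky.length > 0) {
      findings.push({ where, issue: "high-risk-types", detail: risky.join(",") });
    }
    // Under semver a 0.x minor bump may be breaking; the page's config
    // excludes 0.x with matchCurrentVersion "!/^0/". Only presence is checked.
    const coversMinor = types.length === 0 || types.includes("minor");
    if (coversMinor && !rule.matchCurrentVersion) {
      findings.push({ where, issue: "minor-without-version-constraint" });
    }
    // minimumReleaseAge holds back an update until the release has aged;
    // it may be set on the rule or inherited from the top level.
    if (!rule.minimumReleaseAge && !config.minimumReleaseAge) {
      findings.push({ where, issue: "no-minimum-release-age" });
    }
  }
  return findings;
}

// Constructed input: rules 0 and 1 mirror the page's automerge rules
// (rule 1 with minimumReleaseAge added); rules 2 and 3 are broad on purpose.
const sampleConfig = {
  packageRules: [
    { matchUpdateTypes: ["minor", "patch"], matchCurrentVersion: "!/^0/", automerge: true },
    { matchUpdateTypes: ["patch"], automerge: true, minimumReleaseAge: "3 days" },
    { matchPackagePatterns: ["eslint"], automerge: true },
    { matchUpdateTypes: ["major", "minor"], automerge: true },
  ],
};
for (const f of auditAutomerge(sampleConfig)) console.log(f.where, f.issue, f.detail || "");
```

Run it in CI against the parsed renovate.json and fail the job when the findings list is non-empty, so a widened automerge rule is caught in review.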
Slack Notifications
```json
{
  "extends": ["config:recommended"],
  "hostRules": [
    {
      "matchHost": "hooks.slack.com",
      "encrypted": {
        "token": "encrypted-webhook-url"
      }
    }
  ]
}
```
When to use Renovate
Renovate suits teams that need fine-grained control over dependency updates. Its configuration flexibility handles complex scenarios like monorepos, custom version schemes, and organization-wide policies.
Strengths:
- 90+ package managers, far more than any competitor
- Works on GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea
- Merge confidence scoring from aggregated CI data
- Regex managers for non-standard files
- Free and open-source (AGPL-3.0)
Limitations:
- Configuration complexity can be overwhelming for small teams
- No built-in vulnerability database (uses upstream advisories)
- Self-hosted mode requires infrastructure management
How it compares:
| vs. | Key difference |
|---|---|
| Dependabot | Dependabot is simpler and GitHub-only. Renovate supports more platforms, more package managers, and more configuration options. |
| Mend SCA | Mend SCA uses Renovate technology for remediation but adds vulnerability scanning, reachability analysis, and license compliance. |