Renovate

Overview

Renovate is an open-source automated dependency update bot that monitors your repositories and opens pull requests when new package versions are available. It supports 70+ package managers including npm, pip, Go modules, Cargo, Maven, Docker, Terraform, GitHub Actions, Helm, and more. Renovate can group updates, schedule them, automerge patch releases, detect security advisories, and is available as a free GitHub/GitLab App or self-hosted via Docker or CLI.

Installation

GitHub App (easiest — no infrastructure)

  1. Install the Renovate GitHub App
  2. Grant access to your repositories
  3. Add renovate.json to your repo root — Renovate opens the onboarding PR automatically

GitLab (hosted or self-managed)

  1. Add the Renovate GitLab App
  2. Or deploy self-hosted runner (see below)

Self-hosted via Docker

docker run --rm \
  -e RENOVATE_TOKEN=ghp_yourgithubtoken \
  -e LOG_LEVEL=debug \
  renovate/renovate:latest \
  your-org/your-repo

Self-hosted via npm

npm install -g renovate
RENOVATE_TOKEN=ghp_yourtoken renovate your-org/your-repo

Verify (self-hosted)

renovate --version
renovate --print-config your-org/your-repo  # Dry-run config check

Configuration

Minimal renovate.json

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"]
}

Full renovate.json reference

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":dependencyDashboard",
    ":semanticCommits",
    "group:allNonMajor"
  ],
  "timezone": "America/New_York",
  "schedule": ["before 6am on Monday"],
  "prConcurrentLimit": 10,
  "prHourlyLimit": 2,
  "labels": ["dependencies", "renovate"],
  "assignees": ["@security-team"],
  "reviewers": ["@lead-developer"],
  "dependencyDashboard": true,
  "dependencyDashboardTitle": "Dependency Updates Dashboard",
  "packageRules": [
    {
      "matchUpdateTypes": ["patch", "minor"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true
    },
    {
      "matchPackagePatterns": ["^@types/"],
      "automerge": true
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["at any time"],
    "automerge": false
  }
}

Config file locations (priority order)

  1. renovate.json (root)
  2. renovate.json5
  3. .github/renovate.json
  4. .gitlab/renovate.json
  5. .renovaterc
  6. .renovaterc.json
  7. package.json under "renovate" key

Core Commands

Command / Config Key                        Description
"extends": ["config:recommended"]           Use Renovate’s recommended preset
"schedule": ["before 6am on weekdays"]      Set the update schedule
"prConcurrentLimit": 5                      Maximum number of open PRs at once
"automerge": true                           Auto-merge matching PRs
"groupName": "all dependencies"             Group PRs under one name
"matchManagers": ["npm"]                    Apply the rule only to npm
"matchDepTypes": ["devDependencies"]        Apply the rule to dev dependencies only
"matchUpdateTypes": ["patch"]               Apply the rule to patch updates only
"enabled": false                            Disable specific packages or managers
"ignoreDeps": ["lodash"]                    Skip specific packages
"rangeStrategy": "bump"                     How version ranges are updated
"minimumReleaseAge": "3 days"               Wait this long after a release before updating
"stabilityDays": 5                          Age a release must reach before it is considered (legacy name for minimumReleaseAge)
"pinVersions": true                         Pin to exact versions
"labels": ["renovate"]                      Add PR labels
"assignees": ["@user"]                      Assign PRs to users
"reviewers": ["@team"]                      Request PR reviews

Advanced Usage

Preset system

{
  "extends": [
    "config:recommended",         // Sane defaults
    ":dependencyDashboard",        // Issue tracker dashboard
    ":semanticCommits",            // Conventional commit messages
    ":preserveSemverRanges",       // Keep ~1.x style ranges
    "group:allNonMajor",           // Group minor+patch in one PR
    "group:monorepos",             // Keep monorepo packages together
    "schedule:monthly",            // Monthly updates only
    "docker:enableMajor",          // Allow Docker major updates
    "workarounds:all"              // Known workarounds
  ]
}

Package rules (powerful filtering)

{
  "packageRules": [
    {
      "description": "Automerge TypeScript type definitions",
      "matchPackagePatterns": ["^@types/"],
      "automerge": true,
      "automergeType": "pr"
    },
    {
      "description": "Group all AWS SDK packages",
      "matchPackagePatterns": ["^@aws-sdk/"],
      "groupName": "AWS SDK",
      "schedule": ["on the first day of the month"]
    },
    {
      "description": "Pin major versions of critical packages",
      "matchPackageNames": ["django", "flask", "fastapi"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    {
      "description": "Require review for major updates",
      "matchUpdateTypes": ["major"],
      "addLabels": ["breaking-change"],
      "reviewers": ["@architecture-team"],
      "automerge": false
    },
    {
      "description": "Ignore test framework minor updates",
      "matchDepTypes": ["devDependencies"],
      "matchPackageNames": ["jest", "vitest", "pytest"],
      "matchUpdateTypes": ["minor"],
      "schedule": ["on the first and third day of the month"]
    }
  ]
}

Security vulnerability alerts

{
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security", "urgent"],
    "schedule": ["at any time"],
    "prPriority": 10,
    "automerge": false,
    "reviewers": ["@security-team"],
    "assignees": ["@security-lead"],
    "commitMessagePrefix": "fix(security):"
  },
  "osvVulnerabilityAlerts": true
}

Custom (regex) managers

{
  "customManagers": [
    {
      "customType": "regex",
      "description": "Update Python version in .python-version",
      "fileMatch": ["^\\.python-version$"],
      "matchStrings": ["(?<currentValue>\\d+\\.\\d+\\.\\d+)"],
      "depNameTemplate": "python",
      "datasourceTemplate": "github-tags",
      "packageNameTemplate": "python/cpython",
      "extractVersionTemplate": "^v(?<version>.+)$"
    },
    {
      "customType": "regex",
      "description": "Update Terraform provider versions",
      "fileMatch": ["versions\\.tf$"],
      "matchStrings": [
        "source\\s*=\\s*\"(?<depName>[^\"]+)\"\\s*version\\s*=\\s*\"(?<currentValue>[^\"]+)\""
      ],
      "datasourceTemplate": "terraform-provider"
    },
    {
      "customType": "regex",
      "description": "Update tool versions in Makefile",
      "fileMatch": ["^Makefile$"],
      "matchStrings": [
        "RUFF_VERSION\\s*=\\s*(?<currentValue>[\\d\\.]+)"
      ],
      "depNameTemplate": "ruff",
      "datasourceTemplate": "pypi"
    }
  ]
}
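The three custom managers above depend entirely on their named capture groups, so a wrong matchString silently yields no updates. The following added example (not from this page or from Renovate itself) replays those managers in JavaScript, the same regex dialect Renovate evaluates, against constructed file contents, so a matchString can be checked offline before it is committed:

```javascript
// Added example, not Renovate's own code: applies the regex managers above to
// constructed file contents. Renovate evaluates the same JavaScript regex
// syntax, so named groups such as (?<currentValue>...) behave identically here.
const managers = [
  { fileMatch: ["^\\.python-version$"],
    matchStrings: ["(?<currentValue>\\d+\\.\\d+\\.\\d+)"],
    depNameTemplate: "python", datasourceTemplate: "github-tags",
    packageNameTemplate: "python/cpython", extractVersionTemplate: "^v(?<version>.+)$" },
  { fileMatch: ["versions\\.tf$"],
    matchStrings: ['source\\s*=\\s*"(?<depName>[^"]+)"\\s*version\\s*=\\s*"(?<currentValue>[^"]+)"'],
    datasourceTemplate: "terraform-provider" },
  { fileMatch: ["^Makefile$"],
    matchStrings: ["RUFF_VERSION\\s*=\\s*(?<currentValue>[\\d\\.]+)"],
    depNameTemplate: "ruff", datasourceTemplate: "pypi" },
];
// Every manager whose fileMatch hits the path is applied; each matchString runs
// globally, so one file can yield several dependencies (versions.tf below).
function extractDeps(path, content) {
  const deps = [];
  for (const m of managers) {
    if (!m.fileMatch.some((p) => new RegExp(p).test(path))) continue;
    for (const ms of m.matchStrings) {
      for (const hit of content.matchAll(new RegExp(ms, "g"))) {
        const g = hit.groups || {};
        const depName = g.depName ?? m.depNameTemplate;
        deps.push({
          depName,
          packageName: g.packageName ?? m.packageNameTemplate ?? depName,
          currentValue: g.currentValue,
          datasource: g.datasource ?? m.datasourceTemplate,
        });
      }
    }
  }
  return deps;
}
// extractVersionTemplate maps a datasource tag to a version ("v3.12.2" -> "3.12.2").
function extractVersion(template, tag) {
  const hit = new RegExp(template).exec(tag);
  return hit && hit.groups ? hit.groups.version : null;
}
// Constructed sample files (not taken from any real repository).
const sampleFiles = {
  ".python-version": "3.12.1\n",
  "infra/versions.tf": 'terraform {\n  required_providers {\n    aws = {\n' +
    '      source  = "hashicorp/aws"\n      version = "5.31.0"\n    }\n    random = {\n' +
    '      source  = "hashicorp/random"\n      version = "3.6.0"\n    }\n  }\n}\n',
  Makefile: "RUFF_VERSION = 0.1.9\n\nlint:\n\tpip install ruff==$(RUFF_VERSION)\n",
};
```

Note that the Makefile's later `$(RUFF_VERSION)` reference is not matched, because the pattern requires an `=` after the name; that is the kind of false positive this harness is meant to surface.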

Automerge configuration

{
  "packageRules": [
    {
      "description": "Automerge patch updates on stable packages",
      "matchUpdateTypes": ["patch"],
      "matchCurrentVersion": "!/^0\\.0\\./",
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true,
      "automergeStrategy": "squash"
    },
    {
      "description": "Automerge GitHub Actions minor/patch",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ],
  "automergeSchedule": ["after 10pm and before 5am every weekday", "every weekend"]
}

Scheduling options

Schedule                                        Description
["at any time"]                                 No schedule restriction
["before 6am on Monday"]                        Weekly, Monday morning
["on the first day of the month"]               Monthly
["every weekend"]                               Saturday and Sunday
["after 10pm and before 5am every weekday"]     Weeknight off-hours
["on the first and third day of the month"]     Twice a month
["on monday and thursday"]                      Twice weekly

Common Workflows

Monorepo setup

{
  "extends": ["config:recommended", "group:monorepos"],
  "packageRules": [
    {
      "description": "Group internal workspace packages",
      "matchSourceUrls": ["https://github.com/myorg/my-monorepo"],
      "groupName": "internal packages"
    },
    {
      "description": "Group @myorg/* scoped packages",
      "matchPackagePatterns": ["^@myorg/"],
      "groupName": "myorg packages"
    }
  ],
  "prConcurrentLimit": 20
}

Self-hosted GitHub Actions runner

# .github/workflows/renovate.yml
name: Renovate
on:
  schedule:
    - cron: '0 */6 * * *'  # Every 6 hours
  workflow_dispatch:

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: renovatebot/github-action@v40
        with:
          configurationFile: renovate.json
          token: ${{ secrets.RENOVATE_TOKEN }}
        env:
          LOG_LEVEL: debug
          RENOVATE_AUTODISCOVER: true
          RENOVATE_AUTODISCOVER_FILTER: "myorg/*"

Docker Compose / Dockerfile updates

{
  "packageRules": [
    {
      "matchManagers": ["dockerfile", "docker-compose"],
      "matchUpdateTypes": ["major"],
      "enabled": true,
      "addLabels": ["docker", "breaking"]
    },
    {
      "matchManagers": ["dockerfile", "docker-compose"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "groupName": "Docker base images"
    }
  ]
}

Dependency Dashboard issue

When "extends": [":dependencyDashboard"] is set, Renovate creates and maintains a GitHub/GitLab issue listing:

  • All pending updates (grouped by type)
  • Rate-limited PRs waiting to open
  • Packages with updates available but not yet PRed
  • Checkboxes to manually trigger specific updates

Tips and Best Practices

Start with config:recommended. The recommended preset includes sane defaults for most projects. Avoid building your config from scratch — extend presets and override only what you need.

Enable the Dependency Dashboard. The dashboard issue gives a single pane of glass for all pending updates and lets you manually trigger specific PRs without touching config.

Use minimumReleaseAge to avoid flaky releases. Setting "minimumReleaseAge": "3 days" prevents Renovate from immediately creating PRs for brand-new releases that might be yanked or hotfixed within hours.

Automerge only patch releases initially. Start automerge conservatively with patch-only updates on stable packages. Expand to minor updates after observing a few weeks of automerged PRs and verifying your test suite catches regressions.

Group related packages. Use groupName to combine all AWS SDK, all React ecosystem, or all test tool updates into a single PR. This dramatically reduces PR noise in active projects.

Set prConcurrentLimit. Without limits, Renovate can open dozens of PRs at once, overwhelming reviewers. Start with 5–10 concurrent PRs and raise it as your team adapts.

Use vulnerabilityAlerts with "schedule": ["at any time"]. Security patches should not wait for the weekly schedule. Ensure vulnerability PRs bypass the schedule restriction.

Pin GitHub Actions by SHA, not tag. Use "pinDigests": true under matchManagers: ["github-actions"] to pin actions to their commit SHA, preventing supply chain attacks from tag mutation.

Test config with --dry-run. Run renovate --dry-run in self-hosted mode to see what PRs would be opened without actually creating them.

Commit renovate.json to the main branch. Changes to Renovate config only take effect when merged. Use a dedicated PR to adjust config and observe the resulting behavior change.