Renovate

Overview

Renovate is an automated dependency update tool that scans repositories for dependency files across 50+ ecosystems (npm, pip, Docker, Go, Rust, Terraform, GitHub Actions) and creates pull requests with changelogs, release notes, and configurable automerge policies. It supports grouping, scheduling, and per-package rules to keep dependencies current without overwhelming teams.

Instructions

• When setting up Renovate, start with config:recommended which provides sensible defaults for grouping, scheduling, and automerge, then add renovate.json to the repo root.
• When configuring automerge, enable it for low-risk updates (@types/*, devDependencies patches) and disable it for major updates, using platformAutomerge for GitHub's native merge feature.
• When reducing PR noise, use group:allNonMajor for a single weekly PR covering all minor and patch updates, and group monorepo packages (React, Angular, Babel) together.
• When setting schedules, configure update windows for low-traffic times (e.g., ["after 9am and before 5pm every weekday"]) to avoid disrupting developers.
• When defining package rules, use matchPackageNames, matchPackagePatterns, and matchUpdateTypes to set per-package automerge, grouping, and version strategies.
• When handling version strategies, pin exact versions in applications for reproducibility and use ranges in libraries for compatibility.

Examples

Example 1: Configure Renovate for a production monorepo

User request: "Set up Renovate with automerge for safe updates and weekly batching"

Actions:

1. Create renovate.json extending config:recommended and schedule:weekly
2. Add package rules to automerge @types/* and devDependency patches
3. Group React, Next.js, and testing library packages into single PRs
4. Enable the dashboard issue for an overview of all pending updates

Output: A Renovate configuration that automerges safe updates, batches non-major changes weekly, and groups related packages.

Example 2: Manage Docker and Terraform dependency updates

User request: "Keep Docker base images and Terraform provider versions up to date"

Actions:

1. Configure Renovate to scan Dockerfiles and .tf files
2. Set matchDatasources: ["docker"] with automerge: false for base image updates
3. Group Terraform providers by cloud provider (AWS, GCP, Azure)
4. Enable vulnerability alerts to prioritize updates that fix known CVEs

Output: Automated PRs for Docker and Terraform dependency updates with grouped providers and security prioritization.

Guidelines

• Start with config:recommended since it handles grouping, scheduling, and automerge sensibly.
• Automerge @types/* and devDependencies patches since they are low-risk and high-volume.
• Group monorepo packages (React, Vue, Angular, Babel, Jest) into single PRs to reduce noise.
• Schedule updates for low-traffic times to avoid disrupting developers during peak hours.
• Pin exact versions in applications and use ranges in libraries.
• Review major updates manually since breaking changes require human judgment.