Renovate Research & Documentation #95

@JOELNATHAN544

Renovate

Renovate is an automated dependency update tool. It helps to update dependencies in your code without needing to do it manually. When Renovate runs on your repo, it looks for references to dependencies (both public and private) and, if there are newer versions available, Renovate can create pull requests to update your versions automatically.

Features

  • Delivers update PRs directly to your repo
    • Relevant package files are discovered automatically
    • Pull Requests automatically generated in your repo
  • Provides useful information to help you decide which updates to accept (age, adoption, pass rates, merge confidence)
  • Highly configurable and flexible to fit in with your needs and repository standards
  • Largest collection of languages and platforms
  • Connects with private repositories and package registries

Languages and package managers

Renovate can provide updates for most popular languages, platforms, and registries including: npm, pnpm, yarn, Java, Python, .NET, Scala, Ruby, Go, Docker and more.

Supported Platforms

Works with GitHub, GitLab, Bitbucket, Azure DevOps, and more.

Ways to run Renovate

🌐 Mend Renovate Community (Cloud-Hosted)

What it is: A free hosted service provided by Mend (the company behind Renovate).

How it works: You connect your GitHub/GitLab/Bitbucket repos, and Mend runs Renovate for you in the cloud.

Pros:

  • Zero infrastructure setup.
  • Automatic updates without needing to maintain servers.
  • Ideal for individuals, small teams, or open-source projects.

Cons:

  • Limited customization compared to self-hosted.
  • Runs on Mend’s schedule (less control over execution timing).
  • May have restrictions on advanced features.

🖥 Mend Renovate Community (Self-Hosted)

What it is: The open-source Renovate tool you install and run yourself (via Docker, CLI, or CI/CD).

How it works: You manage the infrastructure, configuration, and execution.

Pros:

  • Full control over configuration, scheduling, and scaling.
  • Can integrate deeply with enterprise workflows.
  • Supports advanced features like custom presets and private registries.

Cons:

  • Requires setup and maintenance (servers, pipelines).
  • More complex for beginners.
  • You’re responsible for updates and troubleshooting.

🔄 What Happens After You Accept the Config PR

1. Renovate Bot Initialization

  • When you add a repo, Renovate first proposes a PR with a starter config (renovate.json containing config:recommended).

  • Once merged, Renovate now knows how to behave in your repo.

2. Scanning Dependencies

  • Renovate scans all supported manifest files (package.json, requirements.txt, pom.xml, Dockerfile, etc.) and lock files (yarn.lock, package-lock.json, etc.).

  • It compares the versions in your repo against the latest versions available in the upstream registries (npm, PyPI, Maven Central, Docker Hub, etc.).

3. Update Triggers

  • Renovate checks for updates based on:

    • Registry changes: If a new version is published upstream, Renovate detects it.
    • Scheduled runs: Renovate runs on a schedule (default: daily), but you can configure it (e.g., weekends only).
    • Repo changes: If you modify your dependency files, Renovate re-scans them.

👉 It does not instantly update the repo the moment a new version is published. Instead, it runs on its configured schedule or when triggered by repo changes.

⚠️ What About Breaking Changes?

Renovate’s job is to propose updates, not guarantee compatibility. It:

  • Automatically detects outdated dependencies in your project
  • Creates pull requests (PRs) with updated version numbers
  • Updates package lock files (package-lock.json, yarn.lock, etc.)
  • Runs your existing CI/CD tests on the PR

What Renovate Does NOT Do:

  • Does not modify your application code
  • Does not fix breaking changes in your codebase
  • Does not refactor code to match new APIs
  • Does not guarantee the update won't break your app

Example Scenario:

Let's say you're using React Router v5:

// Your code
import { useHistory } from 'react-router-dom';

function MyComponent() {
  const history = useHistory();
  history.push('/home');
}

Renovate will update package.json and package-lock.json to React Router v6 and trigger your CI tests.
Renovate will NOT change useHistory to useNavigate in your code.
Renovate creates a PR to update to React Router v6. But in v6, useHistory was removed and replaced with useNavigate.
Your CI tests will fail, showing you there's a problem. You then need to manually fix the code.
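
As an added illustration (not part of the original issue or of Renovate's own starter config), here is a renovate.json that combines the weekend schedule mentioned under Update Triggers with a rule that flags major updates, such as the React Router v5 to v6 bump above, for explicit review. The label name is an assumption, and the description fields mark which parts are illustrative:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Added example config: starter preset plus a weekend schedule and a review gate for major updates",
  "extends": ["config:recommended"],
  "schedule": ["every weekend"],
  "packageRules": [
    {
      "description": "Major updates may remove APIs (for example useHistory in React Router v6): label them and hold them until approved on the Dependency Dashboard. The label name is an assumption.",
      "matchUpdateTypes": ["major"],
      "labels": ["major-update"],
      "dependencyDashboardApproval": true
    }
  ]
}
```

With this rule, minor and patch PRs still open on the weekend schedule, while a major bump only becomes a PR after someone ticks it on the Dependency Dashboard issue, so the manual code fix can be planned before CI starts failing.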
