
Consider migrating from Dependabot to Renovate #120

@daedalist

Description


Summary

Evaluate migrating from Dependabot to Renovate for dependency management. Renovate offers several features that we've manually implemented in our Dependabot workflow, plus additional safety features.

Why Consider Renovate?

| Feature | Dependabot | Renovate |
| --- | --- | --- |
| Stability days (cooling period) | Custom workflow | Built-in |
| Dependency grouping | Built-in | Built-in (more flexible) |
| Auto-merge by update type | Custom workflow | Built-in |
| Download count monitoring | | |
| Replacement suggestions | | ✅ (deprecated pkg warnings) |
| Scheduling | Basic | Advanced (timezone-aware) |
| Config complexity | YAML + workflow | Single JSON file |

Current Setup to Replicate

Our Dependabot workflow currently handles:

  • 48-hour cooling period before auto-merge
  • Auto-merge patch updates (all deps)
  • Auto-merge minor updates (dev deps only)
  • Manual review for major updates
  • Grouping (@types/*, eslint, testing, formatting)
  • Exclusions for risky packages (next, react, typescript majors)

Recommended Renovate Setup

1. Install Renovate GitHub App

2. Create renovate.json config

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":dependencyDashboard",
    ":semanticCommitTypeAll(chore)",
    "group:allNonMajor"
  ],
  "timezone": "America/Los_Angeles",
  "schedule": ["before 9am on Monday"],
  "stabilityDays": 2,
  "prCreation": "not-pending",
  "automerge": true,
  "automergeType": "pr",
  "platformAutomerge": true,
  "packageRules": [
    {
      "description": "Auto-merge patch updates for all deps",
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "stabilityDays": 2
    },
    {
      "description": "Auto-merge minor updates for dev deps",
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor"],
      "automerge": true,
      "stabilityDays": 2
    },
    {
      "description": "Require manual review for production minor updates",
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": ["minor"],
      "automerge": false
    },
    {
      "description": "Require manual review for all major updates",
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "stabilityDays": 7
    },
    {
      "description": "Group TypeScript type definitions",
      "matchPackagePatterns": ["^@types/"],
      "groupName": "TypeScript types"
    },
    {
      "description": "Group ESLint packages",
      "matchPackagePatterns": ["eslint", "typescript-eslint"],
      "groupName": "ESLint"
    },
    {
      "description": "Group testing packages",
      "matchPackagePatterns": ["jest", "@testing-library"],
      "groupName": "Testing"
    },
    {
      "description": "Disable major updates for core framework",
      "matchPackageNames": ["next", "react", "react-dom", "typescript"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ]
}
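As an added check (not part of this issue or of Renovate itself), the Python below applies the proposed packageRules to a few sample updates under a simplified model of Renovate's rule evaluation, assumed here to be: rules are applied in order, a rule applies when all of its match* keys hold, and a later match overrides an earlier one. It confirms that the patch/minor/major policy listed under Current Setup to Replicate comes out of the rules above; the trimmed config and the package name lodash are constructed for the example.

```python
import json

# Constructed, trimmed copy of the packageRules proposed in this issue: only the
# rules that decide "automerge"/"enabled". The grouping rules are left out
# because they do not change the merge decision.
RENOVATE_JSON = """{
  "automerge": true,
  "packageRules": [
    {"matchUpdateTypes": ["patch"], "automerge": true},
    {"matchDepTypes": ["devDependencies"], "matchUpdateTypes": ["minor"], "automerge": true},
    {"matchDepTypes": ["dependencies"], "matchUpdateTypes": ["minor"], "automerge": false},
    {"matchUpdateTypes": ["major"], "automerge": false},
    {"matchPackageNames": ["next", "react", "react-dom", "typescript"],
     "matchUpdateTypes": ["major"], "enabled": false}
  ]
}"""

def rule_matches(rule, name, dep_type, update_type):
    """Simplified matcher (assumption): every match* key present must hold."""
    if "matchUpdateTypes" in rule and update_type not in rule["matchUpdateTypes"]:
        return False
    if "matchDepTypes" in rule and dep_type not in rule["matchDepTypes"]:
        return False
    if "matchPackageNames" in rule and name not in rule["matchPackageNames"]:
        return False
    return True

def decide(config, name, dep_type, update_type):
    """Apply packageRules in order; a later matching rule overrides earlier ones."""
    result = {"enabled": config.get("enabled", True),
              "automerge": config.get("automerge", False)}
    for rule in config.get("packageRules", []):
        if rule_matches(rule, name, dep_type, update_type):
            for key in ("enabled", "automerge"):
                if key in rule:
                    result[key] = rule[key]
    return result

def policy_table(config):
    """Decisions for sample updates ("lodash" is a constructed package name)."""
    cases = [("lodash", "dependencies", "patch"),
             ("lodash", "dependencies", "minor"),
             ("jest", "devDependencies", "minor"),
             ("jest", "devDependencies", "major"),
             ("react", "dependencies", "major")]
    return {case: decide(config, *case) for case in cases}

CONFIG = json.loads(RENOVATE_JSON)
```

One thing the model makes visible: an update type that none of the rules name (for example pin or digest) falls through to the top-level "automerge": true, so that default is worth checking against the intended policy before enabling auto-merge.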

3. Migration Steps

  1. Install Renovate GitHub App
  2. Merge Renovate's onboarding PR (creates renovate.json)
  3. Customize config based on template above
  4. Test with a few PRs to verify behavior
  5. Disable Dependabot (dependabot.yml)
  6. Remove custom auto-merge workflow (dependabot-auto-merge.yml)
  7. Clean up unused labels

Decision

  • Proceed with migration
  • Keep current Dependabot setup
  • Revisit later

/label enhancement
