Last updated: Apr 02, 2025
Apr 2025
Adopt

Renovate has become the tool of choice for many of our teams looking to take a proactive approach to dependency version management. While Dependabot remains a safe default choice for GitHub-hosted repositories, we continue to recommend evaluating Renovate as a more comprehensive and customizable solution. To maximize Renovate’s benefits, configure it to monitor and update all dependencies, including tooling, infrastructure and private or internally hosted dependencies. To reduce developer fatigue, consider automatic merging of dependency update PRs.
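A repository-level `renovate.json` sketching the setup recommended above: broad dependency coverage plus automatic merging of low-risk updates. This is an added example, not configuration from the original page or from the Renovate project. The three-day release-age delay, the label names, the grouping and the choice of which update types to automerge are assumptions to adjust per team; credentials for private or internally hosted registries (`hostRules`) are left out because they belong in the bot's own secured configuration.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Added example config; values below are assumptions, not recommendations from the page",
  "extends": ["config:recommended"],
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {
      "description": "Automerge low-risk updates once the branch's status checks pass",
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true
    },
    {
      "description": "Major updates always go through human review",
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["dependencies", "needs-review"]
    },
    {
      "description": "Group tooling and infrastructure updates so they arrive as one PR",
      "matchManagers": ["dockerfile", "github-actions", "terraform"],
      "groupName": "tooling and infrastructure"
    }
  ]
}
```

Renovate only automerges a branch after its status checks succeed, so this setup is only as trustworthy as the CI pipeline behind it. The release-age delay keeps a freshly published version from being merged before the ecosystem has had time to flag a bad release.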

Apr 2024
Trial

Automatically monitoring and updating dependencies as part of the software build process has become standard practice across the industry. It takes the guesswork out of staying current with security updates to open-source packages as they're released. For many years, Dependabot has been the standard tool for this practice, but Renovate has become the preferred tool for many of our teams. They find that Renovate is better suited to the modern software development environment, where a deployable system relies not just on code and libraries but also on run-time tools, infrastructure and third-party services. Renovate covers dependencies on these ancillary artifacts in addition to code. Our teams also found that Renovate offers more flexibility through configuration and customization options. Although Dependabot remains a safe default choice and is conveniently integrated with GitHub, we'd recommend evaluating Renovate to see if it can further reduce the manual burden on developers to keep their application ecosystems safe and secure.

Published: Apr 03, 2024
