Dependabot vs. Renovate: Dependency Management on GitHub
Dependency updates are easy to picture one repo at a time. They get political fast when the count is hundreds or thousands: security response, CI minutes, reviewer attention, repo standards, and how much supply-chain theater your org is willing to run.
Most organizations and users will start with Dependabot on GitHub. It's an obvious choice: first-party, no extra service to stand up. Plenty of teams still reach for Renovate when policy, monorepos, or odd manifests stop fitting Dependabot's mold.
Blunt matrix:
| Capability | Dependabot | Renovate |
|---|---|---|
| GitHub integration | First-party, tight dependency graph and advisory wiring | Strong GitHub support, but you run it as an app, Action, or your own worker |
| Configuration model | Simple repository-local YAML | Layered policy model with presets and package rules |
| Custom dependency extraction | Limited to supported ecosystems | Strong, especially with custom regex managers |
| Monorepo handling | Good for straightforward layouts | Better for large, mixed, policy-heavy monorepos |
| Pull request grouping | Useful but bounded | Very granular by manager, package, path, dependency type, and update type |
| Automerge policy | Usually implemented with GitHub Actions and branch protection | First-class Renovate policy, still gated by GitHub rules |
| Security updates | Best native GitHub Advisory Database integration | More programmable, but integration depends on deployment model |
| Fleet-scale operations | Low operational burden, fewer controls | More operational burden, much more control |
Below the fold, the same comparison reads like this: Dependabot is GitHub-shaped configuration plus native security plumbing. Renovate is a scan-and-policy engine you run yourself or buy as a service. The next sections walk from config outward into monorepos, merges, security, and operations.
How They Run¶
Dependabot reads .github/dependabot.yml per repository: ecosystems, paths, schedules, registries, labels, reviewers, ignores, and optional groups. It updates manifests and lockfiles GitHub understands, then opens PRs as dependabot[bot]. The payoff is first-party integration with the advisory database, alerts, security updates, and org security reporting. The cost is an intentional ceiling on ecosystems and expressiveness.
Renovate is a worker model: managers, datasources, versioning, then packageRules. It ships as a hosted app, GitHub App, Action, or self-hosted service. It walks the tree, resolves versions, refreshes branches, and can keep a Dependency Dashboard issue. Extraction and policy are separate layers, so you're not cramming every edge case into one directory-shaped YAML block.
Configuration, Extensibility, and Customization¶
Everything below is the same story told through the knobs people fight over first: inheritance, registries, and custom file formats.
Dependabot configuration is simple by design. Each updates entry declares one supported package-ecosystem, a target path or set of paths, and one schedule. Many examples still use a single directory, while newer configurations can use directories where Dependabot supports multi-directory scanning.
version: 2
updates:
- package-ecosystem: npm
directory: /apps/web
schedule:
interval: weekly
groups:
react:
patterns:
- react
- react-dom
ignore:
- dependency-name: webpack
update-types:
- version-update:semver-major
The file stays easy to read in review. It's still not a general policy language.
Dependabot doesn't give you deep conditional matching across package manager, datasource, dependency type, semantic update type, file path, package namespace, current version, release age, or registry source.
Renovate's configuration is more complex because it's closer to a policy engine.
{
"extends": [
"config:recommended"
],
"packageRules": [
{
"matchManagers": ["npm"],
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["minor", "patch"],
"groupName": "npm development dependency minor and patch updates",
"automerge": true
},
{
"matchPackagePatterns": ["^@example-org/"],
"registryUrls": ["https://npm.example.com"],
"groupName": "internal npm packages"
},
{
"matchManagers": ["dockerfile"],
"matchPackageNames": ["node"],
"allowedVersions": "<21"
}
]
}
The main Renovate abstraction is packageRules. Most fleet policy I have seen ends up expressible there (managers, patterns, paths, update types, versions, registries) without a bespoke bot per repo.
Presets and Policy Inheritance¶
Dependabot has no first-class equivalent to Renovate presets. You can standardize by copying .github/dependabot.yml, generating it from templates, or managing it through another repository management tool. That works for small fleets, but it can easily start to drift.
Renovate supports layered configuration with extends. Presets can be built in, local, shared from another repository, or centrally inherited depending on the deployment model.
{
"extends": [
"github>example-org/platform-renovate-config:default",
"github>example-org/platform-renovate-config:automerge-safe-updates"
]
}
One platform repo can ship defaults; application repos layer small overrides. At scale, that beats copy-pasting the same Dependabot file and hoping drift stays manageable.
Private and Internal Registries¶
Dependabot supports private registries through a registries block and repository or organization secrets.
version: 2
registries:
private-npm:
type: npm-registry
url: https://npm.example.com
token: ${{secrets.NPM_TOKEN}}
updates:
- package-ecosystem: npm
directory: /
registries:
- private-npm
schedule:
interval: daily
For standard ecosystems, this is often enough. The rough edges show up when topology gets messy: multiple internal registries, credentials that vary by namespace, mirrors, vendor proxies, and GitHub Packages sitting next to Artifactory or Nexus.
Dependabot still maps each case to an ecosystem entry in its model. When your reality doesn't fit that map, you feel it first in this part of the config.
Renovate uses hostRules and datasource-specific configuration. In self-hosted Renovate, I prefer to keep credentials outside renovate.json and inject them through the runtime environment or a secrets manager.
module.exports = {
hostRules: [
{
matchHost: "npm.example.com",
hostType: "npm",
token: process.env.NPM_TOKEN
},
{
matchHost: "ghcr.io",
username: "x-access-token",
password: process.env.GITHUB_TOKEN
}
]
};
For an enterprise platform team, hostRules are easier to centralize. Credentials can be injected through the Renovate runtime, scoped to a GitHub App, stored in a secrets manager, or distributed through inherited configuration depending on how Renovate is hosted.
Custom and Unsupported Ecosystems¶
Custom file formats are where the fork gets obvious.
Dependabot only understands supported ecosystems. If dependencies are hidden in arbitrary YAML, custom deployment descriptors, internal Helm wrappers, image catalogs, release train files, or bespoke platform metadata, Dependabot generally can't extract and update them. You either wait for native support, move the pin into a supported manifest, write Actions, or add a second tool.
Renovate has custom managers, usually regex managers, for that gap.
A regex manager tells Renovate how to find dependency declarations in arbitrary files. You define the files to scan, the capture pattern, the datasource, and the versioning behavior.
{
"customManagers": [
{
"customType": "regex",
"managerFilePatterns": [
"/^deploy/.+\\.ya?ml$/"
],
"matchStrings": [
"image:\\s+(?<depName>ghcr.io/example-org/[^:]+):(?<currentValue>[^\\s]+)"
],
"datasourceTemplate": "docker",
"versioningTemplate": "docker"
}
]
}
That can update a custom deployment file like this:
The same regex approach works for internal Helm chart pins or other YAML-shaped pins when your file layout matches the capture groups. Same warning: narrow managerFilePatterns, validate in CI.
Regex managers are powerful and easy to get wrong. Poorly scoped expressions can match the wrong text, miss valid declarations, scan too many files, or open pull requests nobody trusts. They don't infer your build graph or validation rules. If a custom deployment format needs a generated lockfile or validation step, you still need CI or post-update automation to handle that.
Regex Managers Need Guardrails
Renovate's regex managers are powerful, but they should be treated like parser code. Keep file patterns narrow, capture only what you intend to update, and make CI validate the resulting changes.
If you already own odd YAML and internal chart wiring, Renovate's escape hatches matter. That lane is where Dependabot mostly hands off to other automation or a second tool.
Monorepos and Complex Ecosystems¶
Dependabot can handle monorepos by declaring multiple updates entries, or by using multi-directory configuration where the package ecosystem and repository layout support it.
version: 2
updates:
- package-ecosystem: npm
directory: /apps/web
schedule:
interval: daily
- package-ecosystem: npm
directory: /packages/ui
schedule:
interval: daily
- package-ecosystem: gomod
directory: /services/api
schedule:
interval: daily
This works for simple monorepos, and directories can reduce some repetition for compatible ecosystems. It's still less pleasant for large ones. If you have hundreds of workspace packages, shared lockfiles, generated manifests, mixed package managers, path-specific ownership, and different merge policies by team, the configuration gets repetitive quickly.
Dependabot thinks directory plus ecosystem. Renovate thinks repository scan plus rules. The difference shows up the first time you need path-based behavior without duplicating ten YAML blocks.
Renovate can scan for many managers across the repository and then apply policy based on manager, path, package name, dependency type, update type, or registry.
{
"packageRules": [
{
"matchFileNames": ["apps/web/**"],
"groupName": "web application dependencies"
},
{
"matchFileNames": ["services/foo/**"],
"groupName": "foo service dependencies"
},
{
"matchManagers": ["github-actions"],
"groupName": "GitHub Actions workflow updates"
}
]
}
For workspace monorepos, containers, Helm pins, Terraform modules, and GitHub Actions, Renovate usually pulls ahead on policy and grouping.
Renovate still doesn't read your whole build graph. Nx affected logic, Bazel, CODEOWNERS, merge queues, and deploy gates stay in CI and branch protection. It splits dependency work into sane pull requests. It's not your build system.
Grouping Pull Requests¶
Grouping is where CI cost and reviewer patience show up first.
Dependabot can group inside an updates block by name patterns, dependency type, and semver bump size:
version: 2
updates:
- package-ecosystem: npm
directory: /
schedule:
interval: weekly
groups:
production-minor-and-patch:
dependency-type: production
update-types:
- minor
- patch
react:
patterns:
- react
- react-dom
That trims a lot of pull request noise in ordinary repos.
Renovate groups by path, manager, package family, dependency class, update size, and combinations of the above. One packageRules array can carry all of it:
{
"packageRules": [
{
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["minor", "patch"],
"groupName": "development dependency minor and patch updates"
},
{
"matchPackagePatterns": ["^@angular/"],
"groupName": "Angular framework"
},
{
"matchManagers": ["github-actions"],
"groupName": "GitHub Actions"
},
{
"matchManagers": ["dockerfile", "docker-compose"],
"groupName": "container image updates"
},
{
"matchFileNames": ["services/foo/**"],
"groupName": "foo service dependencies"
}
]
}
At fleet scale, bad grouping burns CI and blocks merges. Good grouping separates patch churn from risky upgrades.
Automerge and CI/CD Workflow Automation¶
Automerge is policy plus CI plus branch protection plus token identity. Dependabot doesn't ship a policy engine for it; you wire GitHub auto-merge, Actions, and dependabot/fetch-metadata. Renovate puts more of that in packageRules, still behind GitHub's gates.
The workflow below uses the v2 tag to keep the example readable. In production, pin third-party GitHub Actions to a full commit SHA and update that SHA intentionally.
name: Dependabot auto-merge
on:
pull_request:
types:
- opened
- synchronize
- reopened
permissions:
contents: write
pull-requests: write
checks: read
jobs:
automerge:
if: github.actor == 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2
- name: Enable auto-merge
if: |
steps.metadata.outputs.update-type != 'version-update:semver-major' &&
steps.metadata.outputs.dependency-type == 'direct:development'
run: gh pr merge "$PR_URL" --auto --squash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_URL: ${{ github.event.pull_request.html_url }}
Auto-merge Prerequisites
For gh pr merge --auto to queue a merge, the repository needs Allow auto-merge enabled in repository settings. Branch protection and required checks still apply before GitHub completes the merge.
That pattern is fine for a handful of repositories. At fleet scale, it becomes another workflow you need to standardize, secure, update, and debug everywhere.
Renovate treats automerge as configuration.
{
"packageRules": [
{
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true,
"automergeType": "platform"
}
]
}
Only development dependencies, only minor and patch, and automergeType: "platform" hands the actual merge to GitHub once its own gates pass.
Renovate can't and shouldn't bypass GitHub branch protection. If a repository requires one CODEOWNER approval, required status checks, signed commits, a merge queue, or a deployment gate, Renovate waits for those controls to pass.
For a policy like this:
Auto-merge only minor and patch updates for development dependencies, after CI passes, with one required CODEOWNER approval.
Renovate handles the dependency filter. GitHub handles the approval and CI requirements through CODEOWNERS, branch protection, rulesets, and required checks.
Dependabot can reach the same result, but the logic usually lives in GitHub Actions beside the bot. Renovate keeps more of the decision next to the dependency rules.
GitHub Actions and Token Identity¶
Token identity is one of the easiest ways to get dependency automation wrong.
Token Identity Matters
In GitHub Actions, automation identity affects workflow triggers, secret access, audit trails, and branch protection behavior. For enterprise Renovate deployments, prefer a GitHub App token over a shared personal access token.
Dependabot pull requests are created by dependabot[bot]. GitHub applies security restrictions to workflows triggered by Dependabot, especially around secrets. If your tests require private package registry credentials, cloud credentials, or privileged integration tokens, you need to design that path intentionally.
Renovate gives you more deployment choices:
- Hosted Renovate app
- GitHub App
- GitHub Action
- Self-hosted worker using a GitHub App token or personal access token
Those choices affect auditability, workflow triggers, rate limits, and secret exposure.
One GitHub footgun: commits and pull requests created with the default GITHUB_TOKEN usually don't start new workflow runs. If Renovate runs inside GitHub Actions using GITHUB_TOKEN, pull requests or pushes it creates may not trigger the downstream workflows you expect. A GitHub App token or carefully scoped personal access token is often required when the automation itself must create events that start other workflows.
For enterprise use, a GitHub App based Renovate deployment is usually cleaner than a shared human PAT. It gives better auditability, revocation, installation scoping, and permission management.
Security, CVEs, and Transitive Dependencies¶
Dependabot's strongest position is GitHub-native vulnerability remediation.
Dependabot Security Updates use GitHub's dependency graph and the GitHub Advisory Database. When GitHub identifies a vulnerable dependency in a supported manifest, it can open a security pull request. Those alerts show up naturally in GitHub security views, organization dashboards, and repository security workflows.
If your security team already lives in GitHub's dependency graph views, Dependabot's wiring saves arguments.
Same wiring, same blind spot: GitHub only reasons about manifests and ecosystems it understands. If the vulnerable component lives in a custom platform descriptor, an internal release file, a generated manifest, or an unsupported ecosystem, Dependabot may never see it.
Renovate bolts security work onto the same scheduler and rules engine as routine bumps. What you get depends heavily on hosting: GitHub App versus cron worker versus Action, and whether OSV is in the mix alongside GitHub alerts.
{
"vulnerabilityAlerts": {
"enabled": true,
"labels": ["security", "dependencies"],
"assignees": ["platform-security"]
},
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"automerge": true
}
]
}
Example Only
Narrow packageRules before you automerge real security PRs. This JSON shows wiring shape, not copy-paste production policy.
Renovate can route CVE work through the same packageRules you use for chores: faster cadence for critical alerts, dashboard approval for noisy families, digest pinning on base images, majors split out from patch trains. You still have to own which signal you trust when OSV, GitHub alerts, and hosted app behavior disagree.
Dependabot stays closer to GitHub's native alert story; Renovate gives you more ways to route and label the same noise.
Transitive Dependency Remediation¶
Transitive CVEs are never pretty. Both tools eventually hit what the package manager will actually resolve.
If your application depends on parent, and parent depends on vulnerable child, there are only a few legitimate ways out:
- Update
parentto a version that uses a safechild. - Regenerate the lockfile if the existing version range permits a safe
child. - Add a package-manager-specific override, such as npm
overrides, Yarnresolutions, pnpmoverrides, Maven dependency management, or Gradle constraints. - Fork or replace the parent package.
Dependabot usually aims for the first two. For supported ecosystems, it can update lockfiles and may remediate transitive vulnerabilities when the resolver can select a safe version. It generally doesn't invent new override policy in your manifest as a first-class behavior.
Renovate is stronger at lockfile maintenance and can work with existing override mechanisms, package rules, replacement rules, and constraints. But it shouldn't be treated as a magic transitive CVE surgeon. Automatically adding new overrides can break runtime behavior even when tests pass.
In mature organizations, treat forced transitive overrides as an exception path: security tooling flags the package, platform approves the risk, Renovate bumps pins you already maintain, and new override blocks get review plus written acceptance.
That's less about either bot and more about how packages actually ship.
Operational Limits, Scaling, and State¶
Dependabot is easy to operate because GitHub runs most of it. You trade control: scheduling, queue behavior, fleet policy, and rollout nuance are mostly opaque.
open-pull-requests-limit is your big throttle:
version: 2
updates:
- package-ecosystem: npm
directory: /
schedule:
interval: daily
open-pull-requests-limit: 5
Renovate exposes knobs such as prConcurrentLimit, prHourlyLimit, branchConcurrentLimit, and cron-style schedule blocks. Those matter when automation competes with humans for CI minutes, reviewers, and merge windows.
{
"prConcurrentLimit": 10,
"prHourlyLimit": 2,
"branchConcurrentLimit": 20,
"schedule": ["before 5am on monday"],
"timezone": "America/New_York"
}
At thousands of repositories, Renovate is infrastructure, not a checkbox.
Plan for GitHub REST and GraphQL limits (including secondary limits), private registry limits, worker and cache topology, GitHub App permissions, logging and metrics, onboarding and offboarding, and a real emergency stop.
Dependabot keeps state mostly inside GitHub: open PRs, closed branches, alert linkage. Close a PR unmerged and it usually respects that signal.
Renovate leans on branches, PR metadata, labels, comments, the optional Dependency Dashboard issue, and persistent caches when self-hosted. That dashboard is ugly and invaluable at fleet scale: it collects blocked work, approvals, ignores, and rate limits in one place you can actually read.
Rebase policy is another dial (rebaseWhen, for example). Aggressive rebases burn CI; stale branches hide failures and clog merge queues. Pick intentionally.
In summary, the more repositories you have, the more you need to treat dependency automation as a platform service. That usually means adding Renovate as a second layer when you outgrow Dependabot's native path.
-
Dependabot is a strong default for standard GitHub repositories. It's native, easy to enable, easy to understand, and deeply integrated with GitHub's security model. For common ecosystems, simple policy, and vulnerability visibility with routine update PRs, it remains the sensible default. Plenty of mature orgs run large fleets on Dependabot alone because the operational surface area stays small.
-
Renovate is the right additional layer when dependency work stops fitting comfortably in repository-local YAML: inherited presets, path-aware rules, custom extractors, fleet throttles, and the kind of observability you expect from something you operate.
None of that invalidates Dependabot on the repos where it already works. It usually means the same company is running both shapes at once: Dependabot where the native path wins, Renovate where the policy engine wins.
Signals you're ready to add or standardize Renovate alongside what you already have:
- Custom manifests, image pins, or org-wide defaults that need more than copied
dependabot.yml. - PR volume, grouping, or monorepos that need path-scoped rules without repeating the same YAML tree.
- Registry topology or merge policy that outgrew per-repo secret wiring alone.
- A platform team that needs limits, logs, onboarding, and kill switches for the bot itself.
Dependabot is GitHub's product integration for dependency updates.
Renovate is an automation platform you run when updates become a product surface.
Smaller estates rarely need more than Dependabot and GitHub's native security surfaces. When monorepos, messy registries, or CI economics force operated automation, standardize Renovate only for the repos that need it and keep Dependabot wherever the native path still clears the bar.
That's not a downgrade of Dependabot. It's the same decision as any other platform default: use the built-in tool until the work you're asking it to do is no longer the work it was designed to carry.