Automated dependency updates with Renovate
Keeping track of all the updates to the dependencies we use is way too time-consuming.
Renovate
In most of our projects we use Renovate for automated updates of dependencies. Renovate itself is a very configurable open-source script written in TypeScript. It can be used as a free hosted service with GitHub, but we normally run it self-hosted inside GitLab CI. In order to do its job, Renovate first needs credentials to access our projects on GitLab (other platforms are also supported). With these credentials it then downloads the code of each project and starts searching for supported managers like npm, gradle or cargo. It then builds a list of all the dependencies in use and their versions.
Cool configuration options
There are lots of options that can be used to configure what exactly Renovate should do for each project.
- Add specific labels to merge requests
- Assign someone to merge requests
- Automatically merge updates when the merge request CI pipeline passes
- Group multiple updates in one merge request
- Use Semantic Commit prefixes for merge requests
- Create update merge requests only at a specific date or time
- Limit the number of concurrent update merge requests
- Wait some days before updating to a new version
- Create separate merge requests for major and minor updates (FYI: Have a look at Semantic Versioning)
- Define language or manager version constraints (e.g. no node version above 18 because AWS Lambda only supports that version)
- Intentionally disable renovate for projects no longer in active development
With the usage of 'packageRules' it is also possible to use specific configuration for a subset of dependencies.
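A `.renovaterc.json` that combines several of the options listed above, including two 'packageRules' entries, as an added example that is not newcubator's own configuration. The label, assignee, schedule, limits, package names and group name are constructed values chosen for illustration.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Constructed example; all values are assumptions, adjust per project",
  "labels": ["dependencies"],
  "assignees": ["example-maintainer"],
  "semanticCommits": "enabled",
  "schedule": ["before 6am on monday"],
  "prConcurrentLimit": 5,
  "minimumReleaseAge": "3 days",
  "separateMajorMinor": true,
  "constraints": { "node": "< 19.0.0" },
  "packageRules": [
    {
      "description": "Group the linting tools into one merge request",
      "matchPackageNames": ["eslint", "prettier"],
      "groupName": "linters"
    },
    {
      "description": "Automerge only minor and patch updates of dev dependencies once the pipeline passes",
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
```

For a project that is no longer in active development, a configuration containing only `"enabled": false` switches Renovate off. Keeping automerge inside a narrow package rule, rather than at the top level, means major updates and runtime dependencies still get a human review.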
Other Automated dependency update tools
We chose Renovate way back because of the GitLab support and free hosting. So far we have never had a reason to think about switching away from Renovate, but there are now even more tools for this job.
- Dependabot - Basically the same thing.
tl;dr
- All our projects in active development should use Renovate for automated version updates.
- All our projects should have a .renovaterc.json configuration file.
- Have a look at our Internal Setup