Why I recommend Renovate over any other dependency update tools

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • evergreen

    GitHub Action to enable automated security updates and open an issue/PR in repos in an org that have dependency files but no dependabot.yaml file (by github)

  • I don't understand why GitHub does not invest more into Dependabot. Everyone needs something like this, and GitHub is positioned to offer the best SCA tool there is. And yet... stuff like grouping has only been recently added.

    Anyhow, this is useful to roll out dependabot.yaml config at scale: https://github.com/github/evergreen

  • oapi-codegen

    Generate Go client and server boilerplate from OpenAPI 3 specifications (by jamietanna)

  • Renovate isn't special with how it authenticates - you can run it as your own user, i.e. https://github.com/jamietanna/oapi-codegen/pull/12, and Renovate runs against GitLab, Bitbucket and I believe other platforms too

  • renovate-automatic-branch

    Create automatic branch to merge Renovate PR

  • https://github.com/bodinsamuel/renovate-automatic-branch

    So you have nothing to do except a big review once in a while.

  • dependabot-core

    🤖 Dependabot's core logic for creating update PR's.

  • Oh yes, https://github.com/dependabot/dependabot-core/issues/3253. I wouldn't go so far as saying it was locked because it was too uncivil, mostly just because "additional commentary wasn't adding value" ;)

    Your read on the situation is spot on, and no, it doesn't look like it's been "fixed" (mostly because "fixing" it would re-introduce the same potential vulnerability).

  • renovate

    Universal dependency automation tool.

  • This is a big deal! Where did you read this? I found:

    https://github.com/renovatebot/renovate/discussions/26917

  • frontend

  • Started using Renovate to update a few internal dependencies.

    A few years later, more than 30 projects are using it, and almost all of that growth happened naturally: https://gitlab.com/gitlab-org/frontend/renovate-gitlab-bot

    We operate on a fork (5 commits or so) which contains some hacks to support a forked workflow on GitLab and some minor adjustments for that workflow. Really need to upstream some of it: https://gitlab.com/gitlab-org/frontend/renovate-fork/-/merge...

    The author was always super kind, responsive and accommodating.

NOTE: The number of mentions on this list indicates mentions on common posts plus user-suggested alternatives. Hence, a higher number means a more popular project.
