Dependencies add reusable components

They increase productivity

Dependencies require updates

Focus on new code

Dependency updates prevent this

What now?

Dev dependencies

Ecosystem         Dependencies
NodeJS            package.json
Java (Maven)      pom.xml
Java (Gradle)     build.gradle
Go                go.mod
Python (poetry)   pyproject.toml
Ruby              Gemfile
Rust              Cargo.toml
Docker            Dockerfile, [docker-]compose.ya?ml

…and many more!

Ops dependencies

The good…

Ecosystem     Dependencies
Docker        Dockerfile, [docker-]compose.ya?ml
Kubernetes    *.yaml
Helm          Chart.yaml

…and many more!

The bad…

Required tools, e.g. downloaded from GitHub releases

And the ugly

Versions stored in variables in scripts

Enter Software Bill of Materials

SBOM is an inventory of dependencies

Provides visibility

Can be matched against known vulnerabilities

Evaluation is the last resort

Update dependencies quickly

(Be prepared to) ship fast

Drive adoption of new versions

Know about remaining vulnerabilities

Check options for mitigation

Outdated dependencies

All dependencies can and will introduce vulnerabilities

Newer versions receive security updates

Updates can introduce breaking changes

Regular small updates over seldom large updates

Manual updates…

…are too slow

…prevent other tasks

…are ignored until necessary


Check repository

Can you spot possible updates?


Outdated GitHub actions without pinning

Base image without digest pinning

Outdated version variable

Outdated go.mod for hello world

Outdated requirements.txt for Python tools

Automated dependency updates

Enter Renovate

Open source, implemented in TypeScript

Commercial offering by Mend

How it works

Clones repository and loads configuration

Searches in numerous places for dependencies

Proposes update in pull/merge requests

Renovate Features

Platforms: Azure DevOps (Server), BitBucket, AWS CodeCommit, Gitea/Forgejo, GitHub, GitLab

Datasources: crate, docker, git-tags, gitea-releases, github-releases, gitlab-releases, go, helm, maven, npm, nuget, pypi, rubygems (and dozens more)

Custom Managers for special use cases

Deployment options: GitHub App, Self-hosted


Powerful but complex

Initially many and/or breaking updates

Once settled in, smaller incremental updates


Add renovate.json for onboarding

Check dashboard

Check pull requests

Check release notes

Check workflows


Renovate can merge automatically

Requires opt-in through configuration

Requires successful automated tests

How to automerge

Identify updates with low impact, e.g. patches, well-tested packages

Create package rules for automerging


Add package rule for specific cases

Enable automerge for them


Nothing out-of-the-box


Filter log for errors / failures for…

XXX open PRs


Failures will show in the log


Create and analyze SBOM

Custom Managers

Special use cases

Version must be injected into code, e.g.

FROM ubuntu:22.04

# curl is not part of the base image
RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates

# The annotation comment must directly precede the ARG/ENV line holding the pinned version
# renovate: datasource=github-releases depName=kubernetes/kubernetes extractVersion=^v(?<version>.+?)$
ARG KUBECTL_VERSION=1.29.0
RUN curl -sSfLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl"

Use predefined custom manager

The preset ships with a regex matching the comment above, so only renovate.json needs extending

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
        "config:recommended",
        "customManagers:dockerfileVersions"
    ]
}
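As an added example (not Renovate's own code and not from the slides), a simplified Python stand-in for what the dockerfileVersions custom manager does: match the annotation comment plus the ARG/ENV line after it, apply the JS-style extractVersion regex to upstream tag names, and propose the newest stable version. The sample Dockerfile and the tag lists are constructed; real Renovate supports many more versioning schemes than plain dotted numbers.

```python
from __future__ import annotations
import re

# Constructed sample Dockerfile (not from the slides) using the "# renovate:" annotation
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04
# renovate: datasource=github-releases depName=kubernetes/kubernetes extractVersion=^v(?<version>.+?)$
ARG KUBECTL_VERSION=1.29.0
# renovate: datasource=github-releases depName=helm/helm extractVersion=^v(?<version>.+?)$
ENV HELM_VERSION=3.14.0
"""

# Simplified stand-in for the preset's regex: an annotation comment directly followed
# by an ARG/ENV line whose value is the currently pinned version.
ANNOTATION_RE = re.compile(
    r"#\s*renovate:\s*(?P<attrs>[^\n]*)\n"
    r"(?:ARG|ENV)\s+(?P<name>[A-Z0-9_]+)=\"?(?P<currentValue>[^\s\"]+)\"?"
)

def parse_annotations(dockerfile: str) -> list[dict]:
    """One dict per annotated variable: datasource, depName, extractVersion, variable, currentValue."""
    deps = []
    for m in ANNOTATION_RE.finditer(dockerfile):
        attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split())
        deps.append({**attrs, "variable": m.group("name"), "currentValue": m.group("currentValue")})
    return deps

def extract_version(tag: str, extract_version: str | None) -> str | None:
    """Apply an extractVersion regex (Renovate uses JS named groups) to an upstream tag name."""
    if not extract_version:
        return tag
    py_pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", extract_version)  # (?<v>) -> (?P<v>)
    m = re.match(py_pattern, tag)
    return m.group("version") if m else None

def _numeric_key(version: str) -> tuple[int, ...] | None:
    # Only plain dotted numbers are compared; pre-releases such as 1.30.0-rc.0 are skipped
    return tuple(int(p) for p in version.split(".")) if re.fullmatch(r"\d+(\.\d+)*", version) else None

def propose_update(dep: dict, upstream_tags: list[str]) -> tuple[str, str] | None:
    """Return (currentValue, newest) if the upstream tags contain a newer stable version."""
    current = _numeric_key(dep["currentValue"])
    newest = None
    for tag in upstream_tags:
        v = extract_version(tag, dep.get("extractVersion"))
        key = _numeric_key(v) if v else None
        if key and (newest is None or key > newest[0]):
            newest = (key, v)
    if current is None or newest is None or newest[0] <= current:
        return None
    return dep["currentValue"], newest[1]
```

Renovate would then open a PR rewriting the ARG/ENV value; skipping tags that do not match extractVersion is what keeps unrelated or pre-release tags out of that PR.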

Merge Confidence

Merge Confidence supports merge decisions

Based on data collected from countless PRs on GitHub

Supported ecosystems: Go, JavaScript, Java, Python, .NET, PHP, Ruby

Information provided

Age of the package

Adoption percentage for other Renovate users with this release

Passing percentage of updates with successful checks

Confidence calculated by proprietary algorithm

Vulnerability Alerts

Show updates addressing security alerts

Integrates with GitHub and Dependabot

XXX new feature… open issue?


Enable GitHub Dependency Graph

Enable alerts from Dependabot

Testing the Renovate configuration

XXX isolate change in separate repo

XXX --platform=local



Now owned by GitHub

Tightly integrated but can run without GitHub

Detailed comparison

Other tools…

…lack broad support for languages

…are integrated into a specific platform

Case study: uniget

XXX improve value proposition

Installer and updater for (container) tools


Offers 632 packages

Uses Renovate at scale

2022-06-13 – 2024-01-22

over 6,725 merged PRs

~9 PRs per day

90% merged after ~1 min (6,050 PRs)

95% merged after ~3 min (6,390 PRs)

98% merged after ~10 min (6,590 PRs)

Lessons learned

GitHub Secondary API rate limits

Prevent excessive concurrency

Mitigation: Custom implementation of automerge

Custom managers will break

Name changes of GitHub release assets

Found 70 times in 12 months

Stability issues of GitHub

Detector for GitHub glitches / outages

Acts as a status page for GitHub