Why I Ditched Dependabot for Renovate Bot (And My Open Source Projects Have Never Been Healthier)
I’ve been maintaining open source projects for over five years. For the first three, Dependabot was my go-to for automated dependency updates. It’s simple, it’s free, and GitHub bundles it right into the security tab. No brainer, right?
But last year, something changed. My monorepo (a Turborepo with 15 packages) was drowning in PR noise. Dependabot would open one PR per dependency per package — that’s 30+ open PRs a week. My contributors couldn’t see the important work. I was burning hours closing duplicate updates.
So I switched to Renovate Bot. Here’s why you should too.
The Core Problem: Dependabot’s “One PR Per Update” Model
Dependabot treats every dependency update as an independent event. That’s fine for a single-package repo. But for monorepos, multi-module projects, or even standard repos with `devDependencies` and `peerDependencies`, it’s a mess.
You’ll get five separate PRs for `lodash` because it’s used in five workspace packages. Each one triggers CI, each one needs a reviewer. That’s not maintenance — that’s noise.
Renovate, on the other hand, groups updates. You define rules like “bump all `eslint-*` packages together” or “combine all patch updates into one weekly PR”. The result? I went from 30 weekly PRs to 3.
What You Actually Get with Renovate That Dependabot Doesn’t
I’m not saying Dependabot is useless. For beginners or single-repo projects, it’s fine. But if you’re serious about keeping your open source project healthy, Renovate wins in these areas:
- Grouped updates – Batch dependencies by pattern (e.g., `@types/*`, `@angular/*`).
- Automated onboarding – Renovate opens a “Configure Renovate” PR that’s easy to tweak.
- Schedule control – Run updates only on weekends or during low traffic.
- Custom branch naming – No more random `dependabot/npm_and_yarn/lodash-4.17.21`.
- Lock file maintenance – Refresh your lock file weekly without bumping versions.
- Post-update tasks – Run `npm run build` after updates to catch regressions.
- Pin actions by hash – For GitHub Actions, Renovate can pin to commit SHA instead of version tags (a huge security win).
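The "pin by hash" point deserves a way to check it. The script below is an added example, not code from the original post and not part of Renovate: it scans a workflow for `uses:` references and reports any that point at a mutable tag or branch instead of a full commit SHA, which is exactly what Renovate's digest pinning would then fix for you. It reads the YAML as plain text with a regular expression rather than a YAML parser (a simplification), and the sample workflow and its 40-hex SHA are constructed placeholders.

```python
"""Audit a GitHub Actions workflow for `uses:` references that are not pinned
to a full commit SHA.

Added example: not code from the original post and not part of Renovate.
It scans the workflow as plain text with a regular expression instead of a YAML
parser (a simplification; a commented-out `uses:` line would also be reported).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


@dataclass
class UsesRef:
    line_no: int
    ref: str
    pinned: bool
    reason: str


def classify(ref: str) -> tuple[bool, str]:
    """Decide whether one `uses:` value is immutable, with a short reason."""
    if ref.startswith("./"):
        return True, "local action, versioned with the repository"
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return True, "container image pinned by digest"
        return False, "container image referenced by a mutable tag"
    if "@" not in ref:
        return False, "no ref given, resolves to the action's default branch"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA.match(version):
        return True, "pinned to a full commit SHA"
    return False, f"mutable ref '{version}' (a tag or branch can be moved)"


def audit_workflow(text: str) -> list[UsesRef]:
    """Classify every `uses:` reference in the workflow text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if match:
            pinned, reason = classify(match.group(1))
            findings.append(UsesRef(line_no, match.group(1), pinned, reason))
    return findings


def find_unpinned(text: str) -> list[UsesRef]:
    """Only the references a reviewer (or Renovate's digest pinning) should fix."""
    return [f for f in audit_workflow(text) if not f.pinned]


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        status = "ok      " if finding.pinned else "UNPINNED"
        print(f"line {finding.line_no:>3} {status} {finding.ref}: {finding.reason}")
```

Run it against `.github/workflows/*.yml` in CI and fail the job when `find_unpinned` returns anything; a `# v4.0.3` comment after the SHA, as in the sample, is what Renovate maintains so reviewers can still read the version.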
My Exact Renovate Config (That You Can Steal)
I run Renovate as a GitHub App (free for public repos, $0 for up to 20 users in private). Here’s the `renovate.json` I use for all my projects:
```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":separateMajorReleases",
    ":combinePatchMinorReleases",
    ":dependencyDashboard"
  ],
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "groupName": "all patch dependencies",
      "groupSlug": "all-patch",
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true
    },
    {
      "matchPackagePrefixes": ["@types/"],
      "groupName": "TypeScript types",
      "automerge": true
    },
    {
      "matchPackageNames": ["eslint", "prettier", "@eslint/*"],
      "groupName": "linting tools",
      "schedule": ["before 9am on Monday"]
    }
  ],
  "schedule": ["before 9am on Monday"],
  "timezone": "America/New_York",
  "labels": ["dependencies"],
  "reviewers": ["your-github-username"],
  "prConcurrentLimit": 3,
  "updateNotScheduled": false,
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 9am on Monday"]
  }
}
```
That one config file does more than I ever got out of Dependabot’s UI. It merges minor and patch updates automatically (after tests pass), groups `@types` into a single PR, and runs lint tool updates only on Monday mornings.
The One Feature That Made Me Stay: Grouped Major Updates
Here’s something Dependabot still can’t do well: group major version bumps. Say you have `react` and `react-dom` at version 17. When 18 drops, you want one PR that updates both, not two separate ones that might fail if one’s missing peer deps.
Renovate handles this cleanly:
```json
{
  "matchPackageNames": ["react", "react-dom"],
  "groupName": "React",
  "groupSlug": "react",
  "matchUpdateTypes": ["major"]
}
```
I set this up for React, Angular, and Express across all my repos. Now I get one clean PR that upgrades everything together. My reviewers love it.
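To see how the rules above combine, here is a small model of Renovate's `packageRules` resolution, added as an example (not code from the original post and not Renovate's own implementation): every rule whose `match*` conditions hold is applied in order and later rules override earlier ones, which is how Renovate documents the behaviour. It models only `matchPackageNames`, `matchPackagePrefixes` and `matchUpdateTypes`, uses `fnmatch` globs where Renovate uses minimatch, and the batch of pending updates is constructed. It also surfaces one caveat worth knowing about the config above: the `@types/` rule has no `matchUpdateTypes`, so it automerges major `@types` bumps as well.

```python
"""Simplified model of how Renovate resolves `packageRules` for one update:
every rule whose `match*` conditions hold is applied in order and later rules
override earlier ones.

Added example: not code from the original post and not Renovate's own
implementation. It models only matchPackageNames, matchPackagePrefixes and
matchUpdateTypes, and uses fnmatch globs where Renovate uses minimatch.
"""
from __future__ import annotations

from fnmatch import fnmatchcase

# The rules from the renovate.json in the post, plus the React major-update rule.
PACKAGE_RULES = [
    {"matchUpdateTypes": ["patch"], "groupName": "all patch dependencies",
     "automerge": True},
    {"matchPackagePrefixes": ["@types/"], "groupName": "TypeScript types",
     "automerge": True},
    {"matchPackageNames": ["eslint", "prettier", "@eslint/*"],
     "groupName": "linting tools"},
    {"matchPackageNames": ["react", "react-dom"], "matchUpdateTypes": ["major"],
     "groupName": "React"},
]

MATCHER_KEYS = {"matchPackageNames", "matchPackagePrefixes", "matchUpdateTypes"}

# Constructed batch of pending updates: (package, update type).
PENDING_UPDATES = [
    ("react", "major"), ("react-dom", "major"), ("@types/react", "major"),
    ("@types/node", "patch"), ("@eslint/js", "minor"), ("lodash", "minor"),
    ("express", "patch"),
]


def rule_matches(rule: dict, package: str, update_type: str) -> bool:
    """All present match* conditions must hold; absent ones match anything."""
    names = rule.get("matchPackageNames")
    if names is not None and not any(fnmatchcase(package, n) for n in names):
        return False
    prefixes = rule.get("matchPackagePrefixes")
    if prefixes is not None and not package.startswith(tuple(prefixes)):
        return False
    types = rule.get("matchUpdateTypes")
    if types is not None and update_type not in types:
        return False
    return True


def resolve(package: str, update_type: str, rules=PACKAGE_RULES) -> dict:
    """Effective settings for one update after applying every matching rule."""
    effective = {"groupName": None, "automerge": False}
    for rule in rules:
        if rule_matches(rule, package, update_type):
            effective.update({k: v for k, v in rule.items() if k not in MATCHER_KEYS})
    return effective


def plan(updates, rules=PACKAGE_RULES) -> dict[str, list[str]]:
    """Bucket pending updates into the PRs that would be opened: one per group,
    and one per package for updates that no rule groups."""
    prs: dict[str, list[str]] = {}
    for package, update_type in updates:
        group = resolve(package, update_type, rules)["groupName"] or package
        prs.setdefault(group, []).append(package)
    return prs


if __name__ == "__main__":
    for group, packages in plan(PENDING_UPDATES).items():
        print(f"PR '{group}': {', '.join(packages)}")
    # Caveat visible in this model: the "@types/" rule has no matchUpdateTypes,
    # so even a major @types bump ends up with automerge enabled.
    print("@types/react major automerge:", resolve("@types/react", "major")["automerge"])
```

Seven pending updates become five PRs: `react` and `react-dom` share the React PR, both `@types` packages share one, and `lodash` gets its own because no rule groups a minor update. If you do not want major `@types` changes merged unattended, add `"matchUpdateTypes": ["minor", "patch"]` to that rule.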
But Wait — Dependabot Has One Thing Renovate Doesn’t
To be fair, Dependabot’s “Security Alerts” integration is smoother. Renovate relies on GitHub Advisory Database too, but its vulnerability alerts feel slightly slower. I’ve seen Renovate open a PR for a security fix a few hours after Dependabot would have.
That’s the trade-off. For security-critical repos, I keep Dependabot’s alerting enabled but still use Renovate for everything else. You can run both side-by-side — just disable Dependabot’s version updates and leave security updates on.
Real Numbers: Before and After
I maintain 12 open source repos, mostly TypeScript packages and tools. Here’s the comparison after 6 months:
| Metric | Dependabot | Renovate |
|---|---|---|
| Avg weekly PRs | 28 | 7 |
| PRs auto-merged | 0 (no policy) | 6 (minor/patch) |
| Time spent reviewing deps | 2.5 hours/week | 45 minutes/week |
| Monorepo support | Basic (per-package) | First-class |
| PR merge conflicts | 4/week | 1/month |
The real win? My contribution velocity didn’t just stay steady — it increased because people weren’t drowning in bot PRs.
How to Migrate (In 10 Minutes)
Switching is straightforward. You don’t need to uninstall Dependabot; just add a `renovate.json` to your repo root. The Renovate GitHub App will detect it automatically. Once you’re happy with the config, disable Dependabot’s “Version updates” in your repository settings.
I did this across all my repos in one afternoon. The team in Ho Chi Minh City that helps me maintain some of these projects (yes, I work with a remote Vietnamese team) was skeptical at first. After two weeks, they asked me to migrate their own personal repos too.
Frequently Asked Questions
Will Renovate bot fill my repo with unwanted PRs?
No. You control the schedule, grouping, and automerge behavior. Start with `"schedule": ["before 9am on Monday"]` and `"prConcurrentLimit": 3`.
Can I use Renovate with private repos for free?
For public repos, yes. Private repos are free for up to 20 users (closed source). For teams using the ECOA AI platform with offshore developers, you can run Renovate self-hosted for unlimited private repos — that’s what we do.
Does Renovate work with GitHub Actions?
Absolutely. It updates action versions, can pin to commit SHAs, and even handles composite actions. I’ve got it pinning `actions/checkout` to `v4` at commit `v4.1.1-xxx…` for security.
What about security vulnerabilities — is Renovate fast enough?
It’s fast, but Dependabot is slightly faster for critical advisories. I recommend leaving Dependabot’s “Alerts” enabled while using Renovate for version updates. Neither tool blocks your workflow if a vulnerability is found; they only open PRs.
I have 50+ dependencies. Will Renovate overwhelm me?
Define a group for your `devDependencies`. Use `:combinePatchMinorReleases` and `:separateMajorReleases`. You’ll end up with maybe 3 PRs per week instead of 50.