Automate Dependency Updates with Renovate Bot: A Step-by-Step Developer Tutorial

(Developer Tutorials) - Tired of manually checking npm freshness? Renovate Bot automates dependency updates across monorepos and polyglot projects. Here's exactly how we set it up for our Vietnamese dev team to reduce tech debt and security vulnerabilities by 80%.


Let’s be real. Keeping dependencies fresh is the most boring, yet critical, chore in modern development. You know it. Your team knows it.

But here’s the kicker: ignoring it is a ticking time bomb. I’ve seen projects grind to a halt because a three-month-old `lodash` patch broke the build. And security vulnerabilities? They’re everywhere.


At ECOA AI, we manage distributed teams across Ho Chi Minh City and Can Tho. My Vietnamese engineers spend their time building features, not clicking “Update” on npm. That’s why we bet on Renovate Bot — and it’s been a game-changer.

This tutorial walks you through the exact setup we use. You’ll learn how to automate dependency updates for Node.js, Python, and Java projects, all running on GitHub Actions. No fluff. Just working code.


Why Renovate Over Dependabot?

Honestly, both are solid. But Renovate wins for teams that need flexibility.

  • Monorepo support? Renovate handles it natively. Dependabot… not so much.
  • Grouping updates? You can bundle patch releases into a single PR. Reduces noise.
  • Auto-merge? Yes, with configurable policies.
  • Custom schedules? Weekends only, please.

Our team in Can Tho used to spend 6-8 hours per sprint just managing updates. After Renovate, that dropped to nearly zero. I’m not exaggerating.

Step 1: Setting Up Renovate on GitHub

The easiest path? The Renovate GitHub app. It’s free for public repos and up to 3 private repos.

But we’re using the self-hosted version on GitHub Actions. That way we control all config.

  1. Add `renovate.json` to your repo root.
  2. Create a GitHub Actions workflow file.
  3. Configure the token with proper scopes: `read:packages`, `write:repository`, `pull-requests:write`.

Here’s our starter `renovate.json`:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base",
    ":separateMajorMinor",
    ":automergeDisabled",
    "schedule:weekly"
  ],
  "assignees": ["[your-username]"],
  "labels": ["dependencies", "auto-update"],
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true
    },
    {
      "matchDepTypes": ["devDependencies"],
      "automerge": true
    }
  ],
  "commitMessagePrefix": "chore(deps): ",
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 6am on Monday"] }
}
```

A few things to note:

  • We auto-merge patch updates for runtime deps. Yes, I know it’s risky. But we have solid tests and the minor/major changes still require human review.
  • devDependencies are also auto-merged — they rarely break things.
  • We run the maintenance every Monday morning. That way we don’t get PRs mid-sprint.

Retro question: *Have you ever had a minor update break your build?* If yes, don’t enable auto-merge until you trust your test coverage. We learned that the hard way.
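One way to keep the "trust your test coverage" rule honest is to lint the config before it lands. The script below is an added example for this tutorial; it is not part of Renovate and not the team's own tooling. It applies Renovate's documented packageRules semantics: a rule with `"automerge": true` but no `matchUpdateTypes` applies to every update type, major bumps included (which is exactly what the `devDependencies` rule above does), and `ignoreTests: true` lets automerge proceed without waiting for CI. Both configs embedded in it are constructed samples: a copy of the starter config, and a hardened variant that limits devDependencies automerge to patch and minor.

```python
"""Policy lint for a renovate.json (added example, not Renovate's own code).

Checks, following Renovate's documented packageRules semantics:
  * top-level "automerge": true covers every update unless a rule turns it off;
  * a packageRule with "automerge": true and no "matchUpdateTypes" applies
    to patch, minor AND major updates;
  * "ignoreTests": true (top-level or per rule) skips the wait for CI.
"""
import json

# Constructed copy of the starter config from Step 1 (trimmed to the keys the lint reads).
STARTER_CONFIG = r'''
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base", ":separateMajorMinor", ":automergeDisabled", "schedule:weekly"],
  "packageRules": [
    {"matchUpdateTypes": ["patch"], "automerge": true, "automergeType": "pr", "platformAutomerge": true},
    {"matchDepTypes": ["devDependencies"], "automerge": true}
  ]
}
'''

# Constructed hardened variant: a major devDependency bump still gets a human review.
HARDENED_CONFIG = r'''
{
  "packageRules": [
    {"matchUpdateTypes": ["patch"], "automerge": true, "platformAutomerge": true},
    {"matchDepTypes": ["devDependencies"], "matchUpdateTypes": ["patch", "minor"], "automerge": true}
  ]
}
'''


def lint_automerge(config: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for automerge settings that are broader than intended."""
    findings: list[tuple[str, str]] = []
    if config.get("automerge"):
        findings.append(("high", "top-level automerge: true applies to every update, majors included"))
    if config.get("ignoreTests"):
        findings.append(("high", "top-level ignoreTests: true lets automerge proceed without CI"))
    for idx, rule in enumerate(config.get("packageRules", [])):
        where = f"packageRules[{idx}]"
        if rule.get("ignoreTests"):
            findings.append(("high", f"{where}: ignoreTests: true skips CI before automerge"))
        if not rule.get("automerge"):
            continue
        types = rule.get("matchUpdateTypes")
        if types is None:
            findings.append(("medium", f"{where}: automerge without matchUpdateTypes covers major updates too"))
        elif "major" in types:
            findings.append(("medium", f"{where}: automerge explicitly includes major updates"))
    return findings


def lint_json(text: str) -> list[tuple[str, str]]:
    """Parse a renovate.json document and lint it."""
    return lint_automerge(json.loads(text))


if __name__ == "__main__":
    for name, text in (("starter", STARTER_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = lint_json(text)
        print(f"{name}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it as a pre-commit hook or a CI step on `renovate.json`; on the starter config it reports exactly one finding, the unrestricted `devDependencies` rule, and nothing on the hardened variant.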

Step 2: Configuring GitHub Actions Workflow

Now let’s wire Renovate into your CI. This is the workflow we use across all our client projects.

Create `.github/workflows/renovate.yml`:

```yaml
name: Renovate

on:
  schedule:
    - cron: '0 0 * * 1'  # Every Monday at midnight
  workflow_dispatch: # Allow manual trigger

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v40.2.2
        with:
          configurationFile: renovate.json
          token: ${{ secrets.RENOVATE_TOKEN }}
        env:
          LOG_LEVEL: debug
```

That’s it. Seriously. The action pulls the latest Renovate version and runs against your config.

We schedule it weekly on Monday midnight. But you could run it hourly if you’re paranoid about security patches. Choose your own schedule.

Pro tip: The `RENOVATE_TOKEN` should be a personal access token with `repo` scope. Don’t use `GITHUB_TOKEN` — it won’t trigger CI on the PRs Renovate creates.
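That token has `repo` scope, so the workflow that uses it deserves a quick audit of its own. The script below is an added example, not part of the original post or of Renovate: it checks that every third-party `uses:` reference is pinned to a full commit SHA (a tag like `@v4` can be moved by the action's maintainers; a 40-character SHA cannot) and that every `token:` value is read from the `secrets` context rather than written into the file. The workflow text is a constructed copy of the Step 2 workflow, and the SHA used in the pinned variant is an all-zeros placeholder, not a real commit.

```python
"""Audit a GitHub Actions workflow for mutable action refs and inline tokens.

Added example for this tutorial; not Renovate's code and not the team's own.
Uses plain regexes on the YAML text so it runs with the standard library only.
"""
import re

# Constructed copy of the Step 2 workflow.
STEP2_WORKFLOW = """\
name: Renovate
on:
  schedule:
    - cron: '0 0 * * 1'
  workflow_dispatch:
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v40.2.2
        with:
          configurationFile: renovate.json
          token: ${{ secrets.RENOVATE_TOKEN }}
"""

# Placeholder SHA (NOT a real commit): the pinned variant keeps the tag in a trailing comment.
PLACEHOLDER_SHA = "0" * 40
PINNED_WORKFLOW = (
    STEP2_WORKFLOW
    .replace("actions/checkout@v4", f"actions/checkout@{PLACEHOLDER_SHA} # v4")
    .replace("renovatebot/github-action@v40.2.2", f"renovatebot/github-action@{PLACEHOLDER_SHA} # v40.2.2")
)

# Constructed bad variant: token written into the file instead of read from secrets.
LEAKY_WORKFLOW = STEP2_WORKFLOW.replace("${{ secrets.RENOVATE_TOKEN }}", "ghp_PLACEHOLDER_NOT_A_REAL_TOKEN")

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", re.MULTILINE)
TOKEN_RE = re.compile(r"^\s*token:\s*(.+?)\s*$", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return one finding per unpinned action or inline token value."""
    findings: list[str] = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are pinned by other means
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            shown = version or "<none>"
            findings.append(f"{action}: pinned to mutable ref '{shown}', pin to a commit SHA")
    for match in TOKEN_RE.finditer(text):
        value = match.group(1)
        if "${{ secrets." not in value:
            findings.append(f"token value '{value}' is not read from secrets")
    return findings


if __name__ == "__main__":
    for name, text in (("step2", STEP2_WORKFLOW), ("pinned", PINNED_WORKFLOW), ("leaky", LEAKY_WORKFLOW)):
        print(name, audit_workflow(text))
```

On the Step 2 workflow it flags both `actions/checkout@v4` and `renovatebot/github-action@v40.2.2` as tag-pinned; the same file with SHA pins passes, and the variant with an inline token gets a third finding. Renovate itself can keep SHA-pinned actions current for you, since it updates GitHub Actions references like any other dependency.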

Step 3: Grouping Updates to Reduce Noise

No one wants 20 separate PRs every Monday. Group them. Here’s how:

```json
{
  "packageRules": [
    {
      "matchPackagePrefixes": ["@nestjs/"],
      "groupName": "NestJS Core",
      "groupSlug": "nestjs-core"
    },
    {
      "matchPackagePrefixes": ["@types/"],
      "groupName": "TypeScript Definitions",
      "automerge": true
    }
  ]
}
```

Now you’ll get one PR titled “chore(deps): update NestJS Core” instead of ten. Our PM in Ho Chi Minh City loves this.
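Grouping rules and automerge rules live in the same `packageRules` array, so it is worth seeing how they combine for a given update. The model below is an added example for this tutorial, a simplified re-implementation and not Renovate's own matcher. It follows the documented behaviour: rules are evaluated in order, a rule matches only when all of its `match*` conditions hold, and each matching rule's other keys are merged on top of the earlier ones, so later rules win. Only `matchPackagePrefixes`, `matchDepTypes` and `matchUpdateTypes` are modelled; the rule list is a constructed copy of the Step 1 and Step 3 rules, and the sample updates are constructed too.

```python
"""Resolve which packageRules settings apply to one dependency update.

Added example, not Renovate's code: a simplified model of rule matching.
An update is a dict with depName, depType and updateType.
"""

# Constructed copy of the Step 1 automerge rules followed by the Step 3 grouping rules.
PACKAGE_RULES = [
    {"matchUpdateTypes": ["patch"], "automerge": True, "platformAutomerge": True},
    {"matchDepTypes": ["devDependencies"], "automerge": True},
    {"matchPackagePrefixes": ["@nestjs/"], "groupName": "NestJS Core", "groupSlug": "nestjs-core"},
    {"matchPackagePrefixes": ["@types/"], "groupName": "TypeScript Definitions", "automerge": True},
]

# Each matcher returns True when the update satisfies that condition.
MATCHERS = {
    "matchPackagePrefixes": lambda upd, want: any(upd["depName"].startswith(p) for p in want),
    "matchDepTypes": lambda upd, want: upd["depType"] in want,
    "matchUpdateTypes": lambda upd, want: upd["updateType"] in want,
}


def rule_matches(rule: dict, update: dict) -> bool:
    """A rule matches only if every match* condition it declares holds."""
    return all(MATCHERS[key](update, value) for key, value in rule.items() if key in MATCHERS)


def resolve(update: dict, rules: list[dict] = PACKAGE_RULES) -> dict:
    """Merge the non-match keys of every matching rule, in order; later rules override."""
    effective: dict = {}
    for rule in rules:
        if rule_matches(rule, update):
            effective.update({k: v for k, v in rule.items() if k not in MATCHERS})
    return effective


def would_automerge(update: dict, rules: list[dict] = PACKAGE_RULES) -> bool:
    """True when the merged settings leave automerge switched on for this update."""
    return bool(resolve(update, rules).get("automerge", False))


if __name__ == "__main__":
    # Constructed sample updates; note the last one: a MAJOR @types bump still automerges
    # because neither the devDependencies rule nor the @types/ rule restricts update types.
    samples = [
        {"depName": "lodash", "depType": "dependencies", "updateType": "major"},
        {"depName": "@nestjs/core", "depType": "dependencies", "updateType": "minor"},
        {"depName": "@nestjs/core", "depType": "dependencies", "updateType": "patch"},
        {"depName": "@types/node", "depType": "devDependencies", "updateType": "major"},
    ]
    for upd in samples:
        eff = resolve(upd)
        print(f"{upd['depName']:<14} {upd['updateType']:<6} group={eff.get('groupName', '-'):<23} automerge={would_automerge(upd)}")
```

The output makes the grouping visible (every `@nestjs/` update lands in the "NestJS Core" group) and also surfaces the trap in the `@types/` rule: combined with the devDependencies rule from Step 1, a major `@types/node` bump is automerged. Add `"matchUpdateTypes": ["patch", "minor"]` to that rule if you want majors to wait for review.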

Step 4: Handling Multiple Package Managers

Renovate detects `package.json`, `requirements.txt`, `pom.xml`, etc., automatically. But you might need to exclude some directories.

Add an `ignorePaths` block:

```json
{
  "ignorePaths": ["**/node_modules/**", "**/bower_components/**", "archive/**"]
}
```

If you have a monorepo with multiple package managers, Renovate handles it. We’ve got clients running npm, pip, and Maven side-by-side. No conflicts.

Step 5: Security-First Approach

Vulnerability scanning is built-in. Renovate checks the GitHub Advisory Database and flags critical CVEs.

For maximum speed, we configure it to create immediate PRs for critical vulnerabilities, ignoring the schedule:

```json
{
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": true,
    "assignees": ["security-team"]
  }
}
```

This is our safety net. We’ve caught multiple zero-days this way — Log4j, Hibernate CVEs, you name it.

Real-World Results from Our Vietnamese Teams

Let me share a concrete example. We took over a client’s legacy SaaS platform in Can Tho. They had over 400 dependencies across 6 microservices. Manual updates were impossible.

We rolled out Renovate on day one. Within a month:

  • 80% of dependencies were up-to-date.
  • 12 critical vulnerabilities patched – all within 48 hours of publication.
  • Team productivity jumped by 25% because they stopped context-switching to fix outdated packages.

I’m not saying Renovate is magic. But for a team of 5 developers in Vietnam working across multiple time zones, it was the difference between firefighting and building.

Frequently Asked Questions

Q: Will Renovate update major versions automatically?

A: No, not by default. Only patch and minor updates are merged automatically, and only if you configure it. We have automerge only for patches and devDependencies. Major updates create a PR that needs manual review – always test those before merging.

Q: Can I use Renovate with GitLab or Bitbucket?

A: Yes. Renovate supports GitHub, GitLab, Bitbucket Cloud/Server, Gitea, and Azure DevOps. The setup is similar, but you’ll need to adjust the workflow to match the CI platform.

Q: How do I prevent Renovate from flooding me with PRs?

A: Use the `schedule` directive. Set it to run once a week, and group related packages with `groupName`. We also limit the number of concurrent PRs with `prConcurrentLimit: 5`.

Q: What if my tests take 30 minutes? Will Renovate wait?

A: Yes. Renovate creates a PR, and your CI pipeline runs. If you enable `platformAutomerge`, it won’t merge until all checks pass. You can also set `prBranchBlockedByCI` to wait.
