Dependency Management with Renovate: Beyond the Limits of Dependabot

Mature CI pipelines often incorporate security scanners such as Trivy and Clair, but these tools only identify vulnerabilities; to actually fix them, developers still have to upgrade the affected dependencies (packages, libraries and so on) by hand.

Manually managing dependencies in software development is a time-consuming and error-prone process that leads to several challenges. What if we used a tool that scans the entire repo, detects whether updates or patches are available, and automatically raises a PR to upgrade the dependency, allowing developers to review and merge it as needed? This proactive approach helps prevent the introduction of known vulnerabilities in the first place by keeping dependencies up to date; it naturally cannot protect against zero-day vulnerabilities for which no fixed version exists yet.

This blog introduces you to Renovate, a powerful open-source tool that automates dependency management. Being open source, it can be installed and configured in several ways. In this blog we focus specifically on installation and use via the command-line interface (CLI).

Steps

1. Install Renovate with a single command:

npm install -g renovate

2. Configure Renovate:

Set up environment variables:

  • RENOVATE_REPOSITORIES: List of repositories (comma-separated) Renovate should manage.
export RENOVATE_REPOSITORIES="<username>/<repo-name>"
  • RENOVATE_TOKEN: Your personal access token for accessing repositories. For example, if you are using GitHub, create a PAT and paste it here.
export RENOVATE_TOKEN="<token goes here>"

3. Create a .renovaterc.json configuration file:

Create a file named .renovaterc.json in your project root and paste the following content:

JSON | base config with default behaviour.

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ]
}

OR

Just skip this step and jump to point number 5. By doing so, a “Configure Renovate” PR will be raised with the default configuration.
I chose to edit it to change the default behaviour of Renovate (refer to the images below) and then merged it.


Creation of the JSON file automatically
Default content in the file
Edited content with the required features

4. Push the Configuration File:

Commit and push the .renovaterc.json file to your repository's default branch (as configured in your version control settings; master in my case), because Renovate reads this config from the default branch only.

Showing the default branch

5. Unleash the Power of Renovate:

Renovate scans your dependencies, suggests updates and creates pull requests for your review and approval.

export LOG_LEVEL=debug
renovate

Demo

Here’s how you can set up Renovate for your Go application hosted on GitHub, using this example repo.

Push the file .renovaterc.json to the default branch (master in this case) of the repo with the content below.

Scenario (A) — JSON | base config only — pull requests target the default branch only.

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ]
}

Scenario (B) — JSON | targeting the “release” branch for pull request creation

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "baseBranches": ["release"],
  "dependencyDashboard": true
}

Run the commands below, or configure Renovate as a step in your dependency management pipeline.

npm install -g renovate
export RENOVATE_REPOSITORIES="vikas-gautam/renovate-demo"
export RENOVATE_TOKEN="<token goes here>"
export LOG_LEVEL=debug
renovate

Result — As we can see, a PR has been raised for the dependency detected in the code. You can now choose to merge or close this PR.

Scenario (A) — PR raised against the master branch
Scenario (B) — PR raised against the release branch

Beyond Dependabot

Renovate offers unique features like:

  • Grouping similar updates: Organize pull requests for related dependencies (e.g., all ESLint packages) for cleaner management. Check out the official docs to enable this.
  • Scheduled auto-merge: Automate merging of approved updates for a streamlined workflow. Refer to the official docs to enable this.
  • Dependency Dashboard: Shows an overview of the state of your repositories’ dependencies. To enable or disable it, put the following in .renovaterc.json:
{
  "dependencyDashboard": true
}

It lists all the PRs raised in this repo in one place as tasks, so you can mark them done once the respective PR is merged.

When the Dependency Dashboard is enabled
Inside the Dependency Dashboard | lists all the PRs raised in this repo


After disabling it, nothing is shown under Issues.

{
  "dependencyDashboard": false
}
When dependencyDashboard is disabled
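The bullets above point to the official docs for grouping and scheduled auto-merge. As an added example (not the post's own configuration, and not the demo repo's file), here is one .renovaterc.json that combines Scenario (B) with those features: ESLint packages are grouped into one PR, non-major Go module updates are grouped, and only patch/pin/digest updates are auto-merged, and only during a quiet window. The schedule strings, label name and the "release" base branch are assumed values for illustration; the keys ($schema, extends, baseBranches, dependencyDashboard, schedule, prConcurrentLimit, vulnerabilityAlerts, packageRules, matchPackagePatterns, matchManagers, matchUpdateTypes, groupName, automerge, automergeType, automergeSchedule, postUpdateOptions) are standard Renovate configuration options.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "baseBranches": ["release"],
  "dependencyDashboard": true,
  "schedule": ["before 6am on monday"],
  "prConcurrentLimit": 5,
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["at any time"]
  },
  "packageRules": [
    {
      "matchPackagePatterns": ["^eslint"],
      "groupName": "eslint packages"
    },
    {
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "go modules (non-major)"
    },
    {
      "matchUpdateTypes": ["patch", "pin", "digest"],
      "automerge": true,
      "automergeType": "pr",
      "automergeSchedule": ["after 10pm every weekday"]
    }
  ],
  "postUpdateOptions": ["gomodTidy"]
}
```

A few design notes. The top-level schedule throttles ordinary update PRs to a weekly window, while vulnerabilityAlerts overrides that with "at any time" so security fixes are not delayed by the weekly cadence. Auto-merge is deliberately restricted to patch, pin and digest updates; major and minor updates still land as PRs for a human to review, and Renovate only auto-merges once the repository's status checks pass, so this setting is only as safe as the CI gating the target branch. postUpdateOptions with gomodTidy keeps go.sum consistent after an upgrade in the Go demo repo. Note that newer Renovate versions have renamed the config:base preset to config:recommended; config:base still works as an alias.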

Conclusion

While this blog covers only a basic setup, remember that the .renovaterc.json file offers extensive configuration options. Explore the documentation to configure Renovate for your specific needs and make dependency management truly painless.

I hope you found this information helpful. If you have any feedback or suggestions, please reach out to me or leave comments below.

Cheers till next time!!

Blog Pundits: Adeel Ahmed and Sandeep Rawat

OpsTree is an End-to-End DevOps Solution Provider.

Author: V!kash Gautam

DevOps Engineer
