2026-03-19: Renovate over Dependabot for dependency management

2026-03-19 Accepted

All repositories in the Groupe-3D organization need an automated dependency update strategy. The two primary candidates are GitHub Dependabot (native to GitHub) and Renovate (open-source, self-hosted or cloud).

Our repositories include JavaScript/TypeScript monorepos (Astro, Next.js, Strapi), Ruby projects, and various GitHub Actions workflows and devcontainer definitions. Beyond package managers, we also need to keep language runtimes themselves up to date (Node.js, Bun.js, Ruby, etc.).

We choose Renovate as the standard dependency update tool across all Groupe-3D repositories.

Dependabot is limited to package-level updates (npm, pip, bundler, etc.) and cannot update language runtime version declarations such as:

  • .node-version / .nvmrc / engines.node in package.json
  • .ruby-version
  • .tool-versions (asdf/mise)
  • Dockerfile base images
  • devcontainer.json image tags

Renovate supports a much broader set of managers, including all of the above, as well as:

  • GitHub Actions (uses: references)
  • devcontainers
  • Docker / Dockerfile
  • All major language package managers

Renovate also provides first-class support for grouping rules via packageRules, allowing teams to merge minor and patch updates as a single PR while keeping major version bumps separate for explicit review.

Finally, a shared base config can be published at github>Groupe-3D/Groupe-3D and extended by all repositories, keeping individual renovate.json files minimal.

Renovate requires:

  1. A renovate.json file per repository (extending the shared config and adding project-specific grouping rules).
  2. A GitHub Actions workflow (dependencies.yml) to schedule and run Renovate using a dedicated PAT (RENOVATE_TOKEN).

This is slightly more setup than enabling Dependabot (a single checkbox in repository settings), but the additional capability justifies the overhead.

  • Every repository must include a renovate.json and a .github/workflows/dependencies.yml file.
  • The RENOVATE_TOKEN PAT is provisioned at the organization level and does not need to be configured per repository.
  • Minor and patch updates are grouped per project area (e.g., astro/, next/, strapi/) to reduce PR noise.
  • Major updates always produce individual pull requests to ensure deliberate review.
  • Dependabot is disabled on all repositories in favour of this approach.
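As an added example, not config from a Groupe-3D repository: a renovate.json5 that applies the grouping rules above to a monorepo laid out as astro/, next/ and strapi/ (the layout the ADR names; the manager names are Renovate's own). It goes beyond the ADR in two defender-side settings: minimumReleaseAge, which keeps a just-published release out of any PR until it has had a few days to be yanked or flagged, and digest pinning for GitHub Actions uses: references, so a retargeted tag cannot change the code CI runs. The .json5 name is used only so the file can carry comments; Renovate accepts it in place of renovate.json.

```json5
// renovate.json5 for a monorepo laid out as astro/, next/, strapi/ (layout assumed from the ADR)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  // Shared organisation preset named in the ADR; the project-specific rules below add to it
  "extends": ["github>Groupe-3D/Groupe-3D"],
  // Never fold a major bump into a minor/patch group: each major gets its own PR
  "separateMajorMinor": true,
  // Do not propose a version until it has been public for a while, so a release that
  // is yanked or reported as malicious within days of publication never reaches a PR
  "minimumReleaseAge": "3 days",
  "packageRules": [
    // One PR per project area for minor and patch updates
    {
      "matchFileNames": ["astro/**"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "astro minor/patch"
    },
    {
      "matchFileNames": ["next/**"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "next minor/patch"
    },
    {
      "matchFileNames": ["strapi/**"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "strapi minor/patch"
    },
    // Runtime declarations (.node-version via nodenv, .nvmrc via nvm) get their own PR,
    // separate from the package groups above; a major runtime bump is still individual
    {
      "matchManagers": ["nodenv", "nvm"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "node runtime"
    },
    // Pin every uses: reference to a commit digest so a moved tag cannot swap the code
    // that runs in CI; digest bumps then arrive as ordinary Renovate PRs
    {
      "matchManagers": ["github-actions"],
      "pinDigests": true
    },
    {
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "github actions minor/patch"
    }
  ]
}
```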