Dependency Management with Renovate: Beyond the Limits of Dependabot
Mature CI pipelines often include security scanners such as Trivy and Clair, but these tools only identify vulnerable dependencies; fixing the finding still means a developer manually bumping the version of each affected package or library.
Manually managing dependencies is time-consuming and error-prone, and updates tend to be postponed until a scanner forces the issue.
What if a tool scanned the whole repository, detected which dependencies have newer versions or patches available, and raised a pull request for each upgrade automatically, leaving developers only to review and merge? Keeping dependencies current in this proactive way means most known vulnerabilities never reach your code in the first place. The obvious limit is a zero-day: until the upstream project publishes a fixed version, there is nothing for the tool to propose.
This blog introduces Renovate, a powerful open-source tool that automates dependency management. Being open source, it can be installed and configured in several ways; this blog focuses specifically on installing and running it from the command-line interface (CLI).
Steps
1. Install Renovate with a single command (requires Node.js and npm):
npm install -g renovate
2. Configure Renovate:
Set up environment variables:
RENOVATE_REPOSITORIES: comma-separated list of repositories Renovate should manage.
export RENOVATE_REPOSITORIES="<username>/<repo-name>"
RENOVATE_TOKEN: the personal access token Renovate uses to read the repository and open pull requests. On GitHub, create a PAT with just enough scope to read the repo and create pull requests (ideally for a dedicated bot account rather than your own) and set it here. Treat it as a secret: keep it in your CI secret store and never commit it to the repository.
export RENOVATE_TOKEN="<token goes here>"
3. Create a .renovaterc.json or renovate.json configuration file:
Create a file named either .renovaterc.json or renovate.json in your project root and paste the following content:
JSON | base config with default behaviour.
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
]
}
OR
Skip this step and jump straight to step 5. Renovate will then open a “Configure Renovate” onboarding PR containing a default configuration, and it does nothing else in the repository until that PR is merged.
I chose to edit it to change the default behaviour of Renovate (refer to the images below) and then merged it.
4. Push the configuration file:
If you did not skip the previous step, commit and push the .renovaterc.json file to the repository's default branch (as set in your version control; master is the default in my case). Renovate reads its configuration from the default branch only, so a config file on any other branch is ignored.
5. Unleash the power of Renovate:
Renovate scans your dependencies, works out which updates are available, and creates pull requests for your review. LOG_LEVEL=debug is optional but makes a first run much easier to troubleshoot.
export LOG_LEVEL=debug
renovate
Demo
Here’s how you can set up Renovate for a Go application hosted on GitHub, using this example repo.
Push a file named .renovaterc.json to the default branch of the repo (master in this case) with the content below.
Scenario (A): JSON | base config only. Pull requests target the default branch only.
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
]
}
Scenario (B): JSON | targeting the “release” branch for pull request creation. The configuration file itself is still read from the default branch; with baseBranches set, PRs are opened against release instead of master, and the release branch must already exist.
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base"
],
"baseBranches": ["release"],
"dependencyDashboard": true
}
Run the commands below, or wire the same steps into a dependency-management job in your CI pipeline. For a first pass you can add --dry-run=full (or RENOVATE_DRY_RUN=full), which logs what Renovate would do without opening any PRs.
npm install -g renovate
export RENOVATE_REPOSITORIES="vikas-gautam/renovate-demo"
export RENOVATE_TOKEN="<token goes here>"
export LOG_LEVEL=debug
renovate
Result: a PR has been raised for each updated dependency detected in the code. You can now review and merge the PR, or close it.
Beyond Dependabot
Renovate offers features like:
- Grouping similar updates: combine related dependencies (e.g., all ESLint packages, or all minor and patch Go module updates) into one pull request for cleaner management. See the official docs on packageRules and groupName to enable this.
- Scheduled auto-merge: merge approved updates automatically on a schedule for a streamlined workflow. Renovate only automerges a branch whose status checks have passed, so make sure CI runs on Renovate's branches before enabling it. See the official docs on automerge and schedule.
- Dependency Dashboard: an issue in the repository that shows an overview of the state of its dependencies. To enable or disable it, put the following in .renovaterc.json:
{
"dependencyDashboard": true
}
It lists every PR Renovate has raised for the repo in one place as tasks; a task is ticked off once its PR is merged.
After disabling it, nothing is shown under the repository's issues.
{
"dependencyDashboard": false
}
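Putting these features together for the Go application from the demo, here is an added example configuration. It is not from the original post or the demo repository; the group names, labels, timezone and schedule are assumptions, and it assumes your CI already runs on Renovate's branches (otherwise nothing will be automerged). config:base is the preset name used above; newer Renovate versions call it config:recommended and migrate the old name automatically.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "timezone": "Asia/Kolkata",
  "dependencyDashboard": true,
  "labels": ["dependencies"],
  "minimumReleaseAge": "3 days",
  "postUpdateOptions": ["gomodTidy"],
  "packageRules": [
    {
      "description": "Group every minor Go module update into a single PR",
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["minor"],
      "groupName": "go modules (minor)"
    },
    {
      "description": "Automerge patch updates overnight on weekdays, once checks pass",
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "schedule": ["after 10pm every weekday", "before 5am every weekday"]
    },
    {
      "description": "Major updates stay separate and wait for approval on the dashboard",
      "matchUpdateTypes": ["major"],
      "dependencyDashboardApproval": true
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"]
  },
  "osvVulnerabilityAlerts": true
}
```

A few of the choices are deliberate from a supply-chain point of view. minimumReleaseAge makes Renovate wait three days before proposing a freshly published version, which avoids picking up releases that get yanked or turn out to have come from a compromised maintainer account. The vulnerabilityAlerts block is Renovate's own override for updates that fix a known vulnerability: those PRs ignore the normal schedule and release-age delay and here get a security label so they stand out; osvVulnerabilityAlerts adds osv.dev as a source for those alerts on top of GitHub's. Only patch updates are automerged, and only after the branch's checks are green; anything major needs a human to tick the box on the Dependency Dashboard. Run renovate-config-validator (shipped with the renovate npm package) against the file before pushing it, since a config error silently stops Renovate from doing anything useful.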
Conclusion
While this blog provides a basic setup, remember that the .renovaterc.json file offers extensive configuration options. Explore the documentation to configure Renovate to your specific needs and make dependency management truly handy.
I hope you found this information helpful. If you have any feedback or suggestions, please reach out to me or leave comments below.