
Renovate Bot: Automatic Dependency Updates for PHP and JavaScript

Published on Oct 8, 2025 | approx. 4 min read

Everyone knows the problem: the project is running, everyone is busy, and the dependencies go months without being updated. At some point a critical security vulnerability appears in an outdated library, and you have to patch in a rush. Renovate Bot solves this problem through automatic, configurable dependency updates delivered as pull requests.

What Is Renovate?

Renovate is an open-source tool by Mend (formerly WhiteSource) that monitors repositories for outdated dependencies and automatically creates pull requests with updates. It supports:

  • PHP: composer.json / composer.lock
  • JavaScript: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
  • Docker: Dockerfile, docker-compose.yml
  • GitHub Actions / GitLab CI: Workflow files
  • Terraform, Kubernetes, Helm: Infrastructure-as-Code
  • And many more

Setup

GitHub App (Recommended)

The easiest way: install the Renovate GitHub App. After installation, Renovate automatically opens a "Configure Renovate" PR with a minimal renovate.json.

Self-Hosted (GitLab, Bitbucket, Gitea)

# Via Docker
docker run --rm \
  -e RENOVATE_TOKEN=your-token \
  -e RENOVATE_REPOSITORIES=org/repo \
  ghcr.io/renovatebot/renovate

# Via npm
npx renovate --token=your-token org/repo

Configuration

The renovate.json in the repository root controls the behaviour:

Minimal Configuration

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
        "config:recommended"
    ]
}

This is already sufficient for most projects: config:recommended activates sensible defaults like semantic commit messages, automatic rebase after merge, and detection of all common package managers.

Extended Configuration for Symfony/PHP Projects

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
        "config:recommended",
        ":dependencyDashboard",
        ":semanticCommits"
    ],
    "timezone": "Europe/Berlin",
    "schedule": ["before 9am on Monday"],
    "labels": ["dependencies", "renovate"],
    "assignees": ["wunner-software"],
    "packageRules": [
        {
            "description": "Auto-merge patch updates for all packages",
            "matchUpdateTypes": ["patch"],
            "automerge": true,
            "automergeType": "pr",
            "platformAutomerge": true
        },
        {
            "description": "Group Symfony packages",
            "groupName": "Symfony",
            "matchPackageNames": ["symfony/**"],
            "automerge": false
        },
        {
            "description": "Group PHPUnit packages",
            "groupName": "PHPUnit",
            "matchPackageNames": ["phpunit/**", "php-mock/**"]
        },
        {
            "description": "Auto-merge devDependencies",
            "matchDepTypes": ["devDependencies"],
            "automerge": true
        },
        {
            "description": "Manually review major updates",
            "matchUpdateTypes": ["major"],
            "automerge": false,
            "labels": ["major-update"]
        }
    ]
}

Configuration for Monorepos

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": ["config:recommended"],
    "enabledManagers": ["composer", "npm", "docker-compose", "github-actions"],
    "packageRules": [
        {
            "matchFileNames": ["apps/frontend/**"],
            "groupName": "Frontend dependencies",
            "schedule": ["before 9am on weekdays"]
        },
        {
            "matchFileNames": ["apps/api/**"],
            "groupName": "API dependencies"
        }
    ]
}

Dependency Dashboard

With :dependencyDashboard in extends, Renovate creates a GitHub Issue as a dashboard:

## Dependency Dashboard

This issue lists Renovate updates and detected dependencies.
Click on an update to open/re-open the PR.

### Open

 - [ ] chore(deps): update dependency symfony/symfony to v7.1.5

### Rate-Limited

These updates are currently rate-limited. Click on a checkbox to
force their immediate creation.

 - [ ] chore(deps): update dependency phpunit/phpunit to v11.3.2

### Detected dependencies

**composer.json**
  - symfony/framework-bundle `^6.4`
  - ...

**package.json**
  - bootstrap `^5.3.0`
  - ...

Auto-Merge for Patch Updates

Auto-merge is especially useful for patch updates (security fixes, bug fixes) without breaking changes:

{
    "packageRules": [
        {
            "matchUpdateTypes": ["patch", "pin", "digest"],
            "automerge": true,
            "automergeType": "pr",
            "automergeStrategy": "squash"
        }
    ]
}

Important: Auto-merge should only be enabled when CI/CD tests are running and passing. Renovate waits until all required checks have passed before merging.

Composer-Specific Configuration

{
    "composer": {
        "ignorePlatformReqs": true
    },
    "packageRules": [
        {
            "matchManagers": ["composer"],
            "matchUpdateTypes": ["major"],
            "enabled": false,
            "description": "Disable Composer major updates"
        },
        {
            "matchPackageNames": ["phpstan/phpstan", "squizlabs/php_codesniffer"],
            "groupName": "PHP Code Quality Tools",
            "automerge": true
        }
    ]
}
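Renovate evaluates packageRules in array order, and every matching rule overrides the keys set by earlier ones. That ordering is what makes the extended configuration above safe: the "Auto-merge devDependencies" rule has no matchUpdateTypes restriction and would auto-merge major dev updates on its own, but the later "Manually review major updates" rule sets automerge back to false. The following script, an added example that is not code from the original post or from the Renovate project, simulates that precedence for the matchers used in the extended, monorepo and Composer-specific configurations (matchUpdateTypes, matchPackageNames, matchDepTypes, matchManagers, matchFileNames) and reports any major or minor update that would still be auto-merged. The glob matching is a simplified stand-in for Renovate's minimatch behaviour, and the sample config and update scenarios are constructed for the example.

```python
"""Simulate Renovate packageRules precedence for single dependency updates.

Added example for this post; not code from the original article or from
the Renovate project. Renovate applies packageRules in array order and
each matching rule overrides keys set by earlier ones. The glob matching
below is a simplified stand-in for Renovate's minimatch (assumption).
"""
import re

# Constructed sample: the post's extended Symfony/PHP rules plus its
# Composer rule that disables major updates entirely.
SAMPLE_CONFIG = {
    "labels": ["dependencies", "renovate"],
    "packageRules": [
        {"description": "Auto-merge patch updates for all packages",
         "matchUpdateTypes": ["patch"], "automerge": True},
        {"description": "Group Symfony packages", "groupName": "Symfony",
         "matchPackageNames": ["symfony/**"], "automerge": False},
        {"description": "Group PHPUnit packages", "groupName": "PHPUnit",
         "matchPackageNames": ["phpunit/**", "php-mock/**"]},
        {"description": "Auto-merge devDependencies",
         "matchDepTypes": ["devDependencies"], "automerge": True},
        {"description": "Manually review major updates",
         "matchUpdateTypes": ["major"], "automerge": False,
         "labels": ["major-update"]},
        {"description": "Disable Composer major updates",
         "matchManagers": ["composer"], "matchUpdateTypes": ["major"],
         "enabled": False},
    ],
}


def _glob(pattern, value):
    """Minimal glob: '**' matches across '/', '*' matches within one segment."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, value) is not None


# Each match* key the post uses, mapped to the predicate it imposes.
MATCHERS = {
    "matchUpdateTypes": lambda d, vals: d["updateType"] in vals,
    "matchDepTypes": lambda d, vals: d["depType"] in vals,
    "matchManagers": lambda d, vals: d["manager"] in vals,
    "matchPackageNames": lambda d, vals: any(_glob(p, d["packageName"]) for p in vals),
    "matchFileNames": lambda d, vals: any(_glob(p, d["packageFile"]) for p in vals),
}


def dep(package, update_type, dep_type="require", manager="composer",
        package_file="composer.json"):
    """Describe one pending update. Composer's dev section is depType
    'require-dev'; 'devDependencies' is the npm depType."""
    return {"packageName": package, "updateType": update_type,
            "depType": dep_type, "manager": manager, "packageFile": package_file}


def rule_matches(rule, d):
    """A rule applies when every match* key it carries is satisfied."""
    return all(check(d, rule[key]) for key, check in MATCHERS.items() if key in rule)


def resolve(config, d):
    """Effective settings for one update: top-level keys first, then each
    matching rule in order overrides them. 'labels' in a rule replaces the
    top-level list rather than extending it ('addLabels' is the additive key)."""
    effective = {k: v for k, v in config.items() if k != "packageRules"}
    effective.setdefault("automerge", False)
    effective.setdefault("enabled", True)
    for rule in config.get("packageRules", []):
        if rule_matches(rule, d):
            for key, value in rule.items():
                if key != "description" and not key.startswith("match"):
                    effective[key] = value
    return effective


def automerged_breaking_updates(config, updates):
    """Updates that would be auto-merged although they are major or minor:
    the check a reviewer wants before switching automerge on."""
    hits = []
    for d in updates:
        eff = resolve(config, d)
        if d["updateType"] in ("major", "minor") and eff["enabled"] and eff["automerge"]:
            hits.append(d)
    return hits


if __name__ == "__main__":
    scenarios = [
        dep("symfony/symfony", "patch"),
        dep("eslint", "patch", "devDependencies", "npm", "package.json"),
        dep("eslint", "major", "devDependencies", "npm", "package.json"),
        dep("phpunit/phpunit", "major", "require-dev"),
    ]
    for d in scenarios:
        eff = resolve(SAMPLE_CONFIG, d)
        print(f"{d['packageName']:<18}{d['updateType']:<7}automerge={eff['automerge']!s:<6}"
              f"enabled={eff['enabled']!s:<6}group={eff.get('groupName', '-')}")
    # Without the two trailing rules, the devDependencies rule auto-merges
    # major updates: rule order is the safety net.
    truncated = dict(SAMPLE_CONFIG, packageRules=SAMPLE_CONFIG["packageRules"][:4])
    print("auto-merged breaking:",
          [d["packageName"] for d in automerged_breaking_updates(truncated, scenarios)])
```

Run it against your own renovate.json (load it with json.load and pass it as config) with the update kinds you care about; an empty result from automerged_breaking_updates is the condition to confirm before enabling automerge. Keep in mind that Renovate's own config validator (npx renovate-config-validator) remains the authority on whether the keys themselves are valid.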

Lessons from Real-World Usage

After a few weeks with Renovate in a medium-sized Symfony project:

  • Security patches now arrive as PRs within hours — with auto-merge for patches, they are even deployed automatically as soon as tests pass
  • Major updates (e.g. Symfony 6 to 7) come as individual PRs with a changelog link, so you can decide on each one specifically
  • Noise reduction through grouping rules: instead of 20 individual PRs for all Symfony packages, a single "Update Symfony" PR arrives
  • Dependency Dashboard provides an overview of which updates are pending

Renovate vs. Dependabot

GitHub offers Dependabot as a built-in alternative. The comparison:

Feature              Renovate            Dependabot
Configurability      Very high           Limited
Grouping             Yes                 Limited
Auto-merge           Very flexible       Restricted
Self-hosting         Yes (Docker/npm)    GitHub only
Dashboard            Yes (Issue)         No
Supported managers   90+                 ~25+
Bundling updates     Yes                 Limited

Renovate is significantly more powerful but requires more configuration effort.

Conclusion

Renovate Bot is one of the most useful DevOps tools, and it requires hardly any setup. Once configured, it ensures that dependencies stay up to date, security fixes are applied quickly, and manual effort is minimal. For PHP/Symfony projects, I recommend:

  1. Start with config:recommended
  2. Configure a schedule for weekly updates
  3. Enable auto-merge for patch updates
  4. Group Symfony and PHPUnit packages together

Thomas Wunner

Certified IT specialist for application development with an instructor qualification and over 14 years of experience building scalable web applications with Symfony and Shopware. When not coding, Thomas volunteers as a lifeguard with the Wasserwacht, performs as a DJ, and explores the countryside on his motorbike.
