
Renovate Bot: Automatic Dependency Updates for PHP and JavaScript

Published on Oct 8, 2025 | approx. 4 min. read |

Outdated dependencies are a security risk and technical debt accumulator. Renovate Bot automates dependency updates by creating pull requests for outdated packages in composer.json, package.json, Dockerfiles, GitHub Actions workflows, and 90+ other package managers.

Setup: Install the Renovate GitHub App (or self-host via Docker/npm for GitLab/Bitbucket). A minimal renovate.json with "extends": ["config:recommended"] is sufficient to start.

Key configuration options:

  • schedule: Control when PRs are created (e.g., weekly Monday morning)
  • packageRules: Group related packages (e.g., all symfony/* in one PR), enable auto-merge for patches, disable major updates
  • automerge: Automatically merge patch updates after CI passes
  • dependencyDashboard: GitHub Issue overview of all pending updates

Auto-merge for patch updates (security fixes, bug fixes) is the highest-value configuration: Renovate waits for all required CI checks to pass before merging, making it safe to fully automate patch-level updates.
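A renovate.json that combines the options described above (weekly Monday-morning schedule, one PR for all symfony/* packages, auto-merge for patches, no major updates, dependency dashboard). This is an added example, not configuration from the original post; it assumes a Renovate version whose matchPackageNames accepts glob patterns, and the minimumReleaseAge setting is an added hardening choice (delay auto-merge until a release has been public for a few days) rather than something the post prescribes.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "timezone": "Europe/Berlin",
  "schedule": ["before 6am on monday"],
  "dependencyDashboard": true,
  "packageRules": [
    {
      "description": "Group every symfony/* Composer package into a single PR",
      "matchManagers": ["composer"],
      "matchPackageNames": ["symfony/**"],
      "groupName": "symfony packages"
    },
    {
      "description": "Auto-merge patch updates once all required CI checks pass; wait until the release is 3 days old (assumption: added hardening)",
      "matchUpdateTypes": ["patch"],
      "minimumReleaseAge": "3 days",
      "automerge": true
    },
    {
      "description": "Hold back major updates for manual review",
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ]
}
```

Auto-merge only fires if the repository's branch protection marks the CI jobs as required status checks; without that, Renovate has nothing to wait for and would merge on a green-but-optional pipeline.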

Renovate outperforms GitHub's built-in Dependabot in configurability, grouping capabilities, and supported package managers, but requires more initial configuration investment.

Thomas Wunner


Certified IT specialist for application development with an instructor qualification and over 14 years of experience building scalable web applications with Symfony and Shopware. When not coding, Thomas volunteers as a lifeguard with the Wasserwacht, performs as a DJ, and explores the countryside on his motorbike.
