diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..9b17f77
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+# This file is only used for vulnerability alerts for NPM, not for automatic updates.
+# Renovate has trouble patching NPM lockfile-only vulnerabilities.
+
+version: 2
+
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 0 # only allow vulnerabilities
+    groups:
+      npm-vulnerabilities:
+        applies-to: security-updates
+        patterns:
+          - "*"
+    labels:
+      - "type: security"
+    reviewers:
+      - alma/squad-e-commerce-integrations
+      - alma/it-and-security-operation
diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 0000000..63d7e0d
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,26 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "prHourlyLimit": 20,
+  "prConcurrentLimit": 20,
+  "recreateWhen": "always",
+  "enabledManagers": ["github-actions", "nvm", "npm"],
+  "reviewers": ["team:squad-e-commerce-integrations"],
+  "extends": [
+    "github>alma/renovate:github-actions",
+    "github>alma/renovate:confidence-badges",
+    "github>alma/renovate:vulnerabilities"
+  ],
+  "separateMinorPatch": true,
+  "packageRules": [
+    {
+      "matchManagers": ["npm"],
+      "groupName": "NPM dependencies",
+      "reviewers": ["team:squad-e-commerce-integrations"]
+    },
+    {
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["major"],
+      "enabled": false
+    }
+  ]
+}
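Review bot: The header comment in dependabot.yml describes the file as being "only used for vulnerability alerts", but Dependabot alerts are a repository setting that does not depend on this file; what `open-pull-requests-limit: 0` actually does is suppress version-update PRs while still letting Dependabot open security-update PRs, so the file governs PRs, not alerts. I would reword the first line to `# Dependabot is used only for security-update PRs on NPM (open-pull-requests-limit: 0 disables version updates); Dependabot alerts themselves are a repo setting.` so the next maintainer does not disable the file believing it only affects alerting. With the `patterns: ["*"]` group every open advisory lands in one PR, so a single failing upgrade can hold back unrelated fixes; that is a deliberate trade-off worth stating in the comment as well. Since renovate.json in the same change also extends a `vulnerabilities` preset, both bots may open PRs for the same advisory unless that preset scopes itself away from npm — I cannot see the preset, so please confirm and document which tool owns npm security fixes.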
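Review bot: The second packageRule in renovate.json disables every npm major update, and unless the `github>alma/renovate:vulnerabilities` preset explicitly re-enables them for vulnerability alerts, a security fix that is only available in a new major will be silently skipped by Renovate and left to the Dependabot fallback. If the intent is to let security-driven majors through, exclude them from the rule with `"matchIsVulnerabilityAlert": false` (or confirm the preset sets `vulnerabilityAlerts.enabled` and note that in the file), and since JSON has no comments the rationale should go in the PR description or the repo's CONTRIBUTING notes. The top-level `reviewers` and the identical `reviewers` inside the npm rule are redundant; one of them can go. For the `github-actions` manager I would also confirm the `github>alma/renovate:github-actions` preset pins actions to commit SHAs (for example via `helpers:pinGitHubActionDigests`), since tag-based action references remain mutable and that preset's contents are not visible in this change.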