Replace Dependabot with Renovate for better monorepo support #669

@javiertoledo

Summary

Replace Dependabot with Renovate to improve dependency update workflow in our Rush monorepo.

Current Problems with Dependabot

  1. Separate PRs per package: When the same dependency (e.g., jwks-rsa) exists in multiple packages, Dependabot creates separate PRs for each package directory. This creates noise and requires multiple merge cycles.

  2. Cannot run custom commands: Dependabot only modifies package.json files. It cannot run rush change to generate the required change files, causing CI to fail on the rush change --verify step.

  3. Manual workaround required: We currently use a "sub-PR" pattern where Copilot/Claude creates follow-up PRs (e.g., copilot/sub-pr-649) to add change files. This adds friction and delays to the dependency update process.

Proposed Solution: Renovate

Renovate has better monorepo support:

Key Benefits

  • Single PR for same dependency across packages: Renovate can update the same dependency in all packages within a single PR using its monorepo grouping feature.

  • Post-upgrade tasks: Renovate supports postUpgradeTasks to run custom commands after updating dependencies, allowing us to automatically run rush change.

  • Native Rush support: Renovate has a rush manager that understands Rush monorepo structure.

Example Configuration

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "all non-major dependencies",
      "groupSlug": "all-minor-patch"
    }
  ],
  "postUpgradeTasks": {
    "commands": [
      "node common/scripts/install-run-rush.js change --bulk --message \"chore(deps): update dependencies\" --bump-type patch"
    ],
    "fileFilters": ["common/changes/**/*.json"],
    "executionMode": "branch"
  },
  "ignoreDeps": ["@types/node"]
}

Migration Steps

  1. Create renovate.json configuration file in repo root
  2. Install Renovate GitHub App on the repository
  3. Test with a few dependencies to verify change file generation works
  4. Remove .github/dependabot.yml once Renovate is working
  5. Update CLAUDE.md to reflect new workflow

Notes

  • Renovate is free for public repositories and has a self-hosted option
  • The GitHub App approach requires no infrastructure to maintain
  • Consider running Renovate on a schedule similar to current Dependabot (daily)
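
Added example, not part of the original issue or the project's code. Renovate runs postUpgradeTasks only on self-hosted instances, and only for commands that match an administrator-side allowlist of regular expressions (allowedCommands, called allowedPostUpgradeCommands in older releases), because the commands come from the repository and execute on the Renovate runner. The audit below checks the postUpgradeTasks block from the example configuration against such an allowlist; ALLOWED and auditPostUpgradeTasks are hypothetical names and the allowlist pattern is constructed.

```javascript
// Added example: pre-merge audit of a renovate.json postUpgradeTasks block.
// ALLOWED is a constructed admin-side allowlist, not taken from the issue.
const ALLOWED = [
  '^node common/scripts/install-run-rush\\.js change --bulk --message "[^"`$;&|]*" --bump-type patch$',
];

function auditPostUpgradeTasks(config, allowedPatterns) {
  const tasks = config.postUpgradeTasks || {};
  const findings = [];
  // An unanchored pattern also matches a command with extra text appended.
  for (const p of allowedPatterns) {
    if (!p.startsWith('^') || !p.endsWith('$')) {
      findings.push(`allowlist pattern not anchored: ${p}`);
    }
  }
  const regexes = allowedPatterns.map((p) => new RegExp(p));
  for (const cmd of tasks.commands || []) {
    if (!regexes.some((re) => re.test(cmd))) {
      findings.push(`command not allowlisted: ${cmd}`);
    }
  }
  // Only files matching fileFilters are committed; keep them to Rush change files.
  for (const glob of tasks.fileFilters || []) {
    if (!glob.startsWith('common/changes/')) {
      findings.push(`fileFilter outside common/changes/: ${glob}`);
    }
  }
  return findings;
}

// The postUpgradeTasks block from the example configuration above.
const proposed = {
  postUpgradeTasks: {
    commands: [
      'node common/scripts/install-run-rush.js change --bulk --message "chore(deps): update dependencies" --bump-type patch',
    ],
    fileFilters: ['common/changes/**/*.json'],
    executionMode: 'branch',
  },
};

console.log(auditPostUpgradeTasks(proposed, ALLOWED)); // no findings for the proposed block
```

An empty result means every command is covered by an anchored pattern and the committed files stay inside common/changes/.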
