Renovate - Automated dependency updates
This template uses Renovate to keep dependencies up to date automatically. It scans project files for dependencies, checks for newer versions, and opens pull requests with the necessary changes.
The configuration is stored in renovate.json.
Configuration overview
| Setting | Value | Description |
|---|---|---|
| extends | config:recommended | Inherits Renovate's recommended base configuration |
| automerge | true | Automatically merges PRs that pass all checks |
| rangeStrategy | bump | Bumps the version within the existing range rather than widening it |
| dependencyDashboard | true | Creates a GitHub issue tracking all pending updates |
| pinDigests | true | Pins Docker and GitHub Actions references to exact digests for reproducibility |
| branchPrefix | deps/ | All Renovate branches are prefixed with deps/ |
Update rules
All dependency updates are grouped into a single pull request to reduce noise.
Language version constraints
Language version constraints are excluded from Renovate updates entirely and must be updated manually:
| Constraint | Manager | Why |
|---|---|---|
| php | Composer | PHP version changes affect the entire runtime environment |
| node, yarn | npm | Node/Yarn version changes affect the build toolchain |
Major version updates
Major version updates are disabled for npm and Composer packages to prevent breaking changes from being introduced automatically.
| Manager | Major updates | Minor/patch updates |
|---|---|---|
| npm | Disabled | Enabled (automerge) |
| Composer | Disabled | Enabled (automerge) |
| GitHub Actions | Enabled (automerge) | Enabled (automerge) |
| Docker | Enabled (automerge) | Enabled (automerge) |
To update npm or Composer packages to a new major version, update the dependency constraint manually and run the appropriate install command.
Template initialization
During project initialization via init.sh, the Renovate configuration
is adjusted based on the selected features:
| Features selected | Changes to configuration |
|---|---|
| PHP + NodeJS | All rules active |
| PHP only | node/yarn ignore rule removed; "npm" removed from major-blocking |
| NodeJS only | php ignore rule removed; "composer" removed from major-blocking |
| Neither PHP nor NodeJS | All language and major-blocking rules removed |
If Renovate is deselected during initialization, the renovate.json file is
removed entirely.
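Because automerge is enabled, it is worth checking in CI that renovate.json still carries the guardrails documented above for the features that were selected. The following is an added example, not part of the template: the packageRules layout (matchManagers, matchDepNames, matchUpdateTypes, enabled) and the names SAMPLE, EXPECTED, disabled_rules and audit are assumptions, and the template's actual file may express the rules differently.

```python
import json

# Constructed sample. The packageRules layout is an assumption; the page
# describes the template's rules only in prose and tables.
SAMPLE = json.loads("""{
  "extends": ["config:recommended"], "automerge": true, "rangeStrategy": "bump",
  "dependencyDashboard": true, "pinDigests": true, "branchPrefix": "deps/",
  "packageRules": [
    {"matchManagers": ["composer"], "matchDepNames": ["php"], "enabled": false},
    {"matchManagers": ["npm"], "matchDepNames": ["node", "yarn"], "enabled": false},
    {"matchManagers": ["npm", "composer"], "matchUpdateTypes": ["major"], "enabled": false}
  ]
}""")

# Top-level values from the configuration overview table.
EXPECTED = {"automerge": True, "rangeStrategy": "bump", "dependencyDashboard": True,
            "pinDigests": True, "branchPrefix": "deps/"}

def disabled_rules(cfg):
    """Split disabled packageRules into major-blocked managers and ignored deps."""
    major, ignored = set(), set()
    for rule in cfg.get("packageRules", []):
        if rule.get("enabled") is not False:
            continue
        managers = rule.get("matchManagers", [])
        if "major" in rule.get("matchUpdateTypes", []):
            major.update(managers)
        elif "matchUpdateTypes" not in rule:
            ignored.update((m, d) for m in managers for d in rule.get("matchDepNames", []))
    return major, ignored

def audit(cfg, php, node):
    """Return deviations from the documented policy for the selected features."""
    findings = [f"{k}: expected {v!r}, got {cfg.get(k)!r}"
                for k, v in EXPECTED.items() if cfg.get(k) != v]
    if "config:recommended" not in cfg.get("extends", []):
        findings.append("extends: config:recommended missing")
    want_major = {m for m, on in (("composer", php), ("npm", node)) if on}
    want_ignored = {("composer", "php")} if php else set()
    if node:
        want_ignored |= {("npm", "node"), ("npm", "yarn")}
    major, ignored = disabled_rules(cfg)
    for label, want, have in (("major block", want_major, major),
                              ("ignore rule", want_ignored, ignored)):
        findings += [f"missing {label}: {x}" for x in sorted(want - have)]
        findings += [f"stale {label}: {x}" for x in sorted(have - want)]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, php=True, node=True))  # full PHP + NodeJS selection
```

A "missing" finding means an automerged update path has lost a documented restriction; a "stale" finding means a rule for a deselected feature was left behind.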
Dependency dashboard
The Dependency Dashboard is a GitHub issue that provides visibility into:
- Available dependency updates scheduled for later
- Updates filtered out due to configuration rules
- Failed update attempts and their reasons
Further reading
For more information on how to configure Renovate, see the Renovate Docs.