ReddRadar
Agent skill
renovate
Configure Renovate Bot for automated dependency updates. Keep packages secure and up-to-date with customizable rules, grouping, and scheduling. Use for dependency management, security updates, or automated maintenance. Triggers on renovate, dependabot, dependency updates, package updates.
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/renovate
SKILL.md
Renovate Dependency Updates
Automated dependency update management with Renovate Bot.
Quick Reference
| Config File | Location |
|---|---|
renovate.json |
Repository root |
renovate.json5 |
With comments |
.github/renovate.json |
GitHub location |
package.json |
"renovate" key |
1. Basic Setup
Enable Renovate
# GitHub: Install Renovate App
# https://github.com/apps/renovate
# Self-hosted: npm package
npm install -g renovate
Basic Configuration (renovate.json)
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended"
]
}
Extended Configuration
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
"schedule:weekends",
"group:allNonMajor",
":automergeMinor",
":automergePatch",
":dependencyDashboard"
],
"labels": ["dependencies"],
"assignees": ["@me"],
"prHourlyLimit": 5,
"prConcurrentLimit": 10
}
2. Scheduling
Preset Schedules
{
"extends": [
"schedule:weekly",
"schedule:weekends",
"schedule:nonOfficeHours",
"schedule:earlyMondays"
]
}
Custom Schedule
{
"schedule": [
"after 10pm every weekday",
"before 5am every weekday",
"every weekend"
],
"timezone": "America/New_York"
}
Package-Specific Schedule
{
"packageRules": [
{
"matchPackagePatterns": ["eslint"],
"schedule": ["before 3am on Monday"]
},
{
"matchUpdateTypes": ["major"],
"schedule": ["on the first day of the month"]
}
]
}
3. Package Rules
Group Updates
{
"packageRules": [
{
"groupName": "React",
"matchPackagePatterns": ["^react", "^@types/react"]
},
{
"groupName": "ESLint",
"matchPackagePatterns": ["eslint"]
},
{
"groupName": "Testing",
"matchPackagePatterns": ["jest", "vitest", "@testing-library"]
},
{
"groupName": "TypeScript",
"matchPackagePatterns": ["typescript", "^@types/"]
}
]
}
Auto-merge Configuration
{
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"automerge": true
},
{
"matchUpdateTypes": ["minor"],
"matchPackagePatterns": ["eslint", "prettier"],
"automerge": true
},
{
"matchUpdateTypes": ["major"],
"automerge": false,
"labels": ["breaking-change"]
},
{
"matchDepTypes": ["devDependencies"],
"automerge": true
}
]
}
Version Constraints
{
"packageRules": [
{
"matchPackageNames": ["node"],
"allowedVersions": ">=18.0.0 <21.0.0"
},
{
"matchPackagePatterns": ["^@aws-sdk/"],
"allowedVersions": "3.x"
},
{
"matchPackageNames": ["typescript"],
"matchCurrentVersion": ">=5.0.0",
"enabled": true
}
]
}
Disable Updates
{
"packageRules": [
{
"matchPackageNames": ["legacy-package"],
"enabled": false
},
{
"matchPackagePatterns": ["^@internal/"],
"enabled": false
},
{
"matchUpdateTypes": ["major"],
"matchPackagePatterns": ["react"],
"enabled": false
}
]
}
4. Manager Configuration
Node.js
{
"npm": {
"extends": ["npm:unpublishSafe"],
"stabilityDays": 3
},
"packageRules": [
{
"matchManagers": ["npm"],
"rangeStrategy": "bump"
}
]
}
Python
{
"pip_requirements": {
"fileMatch": ["requirements.*\\.txt$"]
},
"pip_setup": {
"enabled": true
},
"poetry": {
"enabled": true
},
"packageRules": [
{
"matchManagers": ["pip_requirements", "poetry"],
"groupName": "Python dependencies"
}
]
}
Docker
{
"docker": {
"enabled": true,
"pinDigests": true
},
"docker-compose": {
"enabled": true
},
"packageRules": [
{
"matchManagers": ["docker-compose", "dockerfile"],
"groupName": "Docker images"
},
{
"matchDatasources": ["docker"],
"matchPackagePatterns": ["^node$"],
"versioning": "node"
}
]
}
GitHub Actions
{
"github-actions": {
"enabled": true,
"pinDigests": true
},
"packageRules": [
{
"matchManagers": ["github-actions"],
"groupName": "GitHub Actions",
"automerge": true
}
]
}
Terraform
{
"terraform": {
"enabled": true
},
"packageRules": [
{
"matchManagers": ["terraform"],
"matchPackagePatterns": ["hashicorp/*"],
"groupName": "HashiCorp providers"
}
]
}
5. Labels and Assignees
{
"labels": ["dependencies", "automated"],
"assignees": ["team-lead"],
"assigneesSampleSize": 1,
"reviewers": ["team:core"],
"reviewersSampleSize": 2,
"packageRules": [
{
"matchUpdateTypes": ["major"],
"labels": ["dependencies", "breaking-change"],
"reviewers": ["team:seniors"]
},
{
"matchPackagePatterns": ["security"],
"labels": ["dependencies", "security"],
"prioritySchedule": ["at any time"]
}
]
}
6. Pull Request Configuration
{
"prTitle": "deps({{depName}}): update to {{newVersion}}",
"commitMessagePrefix": "deps:",
"commitMessageAction": "update",
"commitMessageTopic": "{{depName}}",
"commitMessageExtra": "to {{newVersion}}",
"prBodyColumns": [
"Package",
"Type",
"Update",
"Change",
"Pending"
],
"prBodyNotes": [
"This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate)."
]
}
7. Security Updates
{
"extends": [
"config:recommended",
":enableVulnerabilityAlertsWithLabel('security')"
],
"vulnerabilityAlerts": {
"labels": ["security"],
"automerge": true,
"schedule": ["at any time"],
"stabilityDays": 0
},
"packageRules": [
{
"matchCategories": ["security"],
"labels": ["security", "priority-high"],
"prPriority": 10
}
]
}
8. Monorepo Configuration
{
"ignorePaths": [
"**/node_modules/**",
"**/bower_components/**"
],
"packageRules": [
{
"matchPaths": ["packages/frontend/**"],
"groupName": "Frontend dependencies"
},
{
"matchPaths": ["packages/backend/**"],
"groupName": "Backend dependencies"
}
],
"additionalBranchPrefix": "{{parentDir}}-"
}
9. Complete Example
// renovate.json5
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
// Base configuration
"extends": [
"config:recommended",
":dependencyDashboard",
":semanticCommits",
"schedule:weekends"
],
// General settings
"labels": ["dependencies"],
"prHourlyLimit": 5,
"prConcurrentLimit": 10,
"timezone": "America/New_York",
// Commit message format
"commitMessagePrefix": "deps:",
"commitMessageAction": "update",
// Package rules
"packageRules": [
// Auto-merge patches and minor for dev deps
{
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["patch", "minor"],
"automerge": true
},
// Group TypeScript ecosystem
{
"groupName": "TypeScript",
"matchPackagePatterns": ["typescript", "^@types/"],
"schedule": ["before 3am on Monday"]
},
// Group React ecosystem
{
"groupName": "React",
"matchPackagePatterns": ["^react", "^@types/react"]
},
// Group linting tools
{
"groupName": "Linting",
"matchPackagePatterns": ["eslint", "prettier"],
"automerge": true
},
// Group testing tools
{
"groupName": "Testing",
"matchPackagePatterns": ["jest", "vitest", "@testing-library"]
},
// Pin GitHub Actions
{
"matchManagers": ["github-actions"],
"groupName": "GitHub Actions",
"automerge": true,
"pinDigests": true
},
// Docker updates
{
"matchManagers": ["dockerfile", "docker-compose"],
"groupName": "Docker",
"pinDigests": true
},
// Major updates need review
{
"matchUpdateTypes": ["major"],
"labels": ["dependencies", "breaking-change"],
"automerge": false
},
// Disable problematic packages
{
"matchPackageNames": ["node"],
"allowedVersions": "20.x"
}
],
// Regex managers for custom files
"regexManagers": [
{
"fileMatch": ["Dockerfile$"],
"matchStrings": [
"ARG NODE_VERSION=(?<currentValue>.*?)\\n"
],
"depNameTemplate": "node",
"datasourceTemplate": "node"
}
]
}
10. Dependency Dashboard
{
"extends": [":dependencyDashboard"],
"dependencyDashboardTitle": "Dependency Dashboard",
"dependencyDashboardLabels": ["dependencies"],
"dependencyDashboardOSVVulnerabilitySummary": "all"
}
The Dependency Dashboard is a GitHub issue that shows:
- Pending updates
- Open PRs
- Rate-limited PRs
- Detected vulnerabilities
- Checkbox to trigger updates manually
Best Practices
- Start conservative - Use
config:recommended - Group related packages - Fewer PRs, easier review
- Auto-merge wisely - Patches for dependencies with good test coverage
- Schedule updates - Non-work hours, weekends
- Pin versions in production - Use lock files
- Security first - Enable vulnerability alerts
- Use stability days - Wait for bug reports
- Set concurrency limits - Avoid PR flood
- Review majors manually - Breaking changes need attention
- Dashboard for visibility - Track pending updates
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
majiayu000/claude-skill-registry
agent-ops-spec
Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.
majiayu000/claude-skill-registry
agent-ops-state
Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.
majiayu000/claude-skill-registry
agent-ops-spec
Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.
majiayu000/claude-skill-registry
agent-ops-testing
Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.
majiayu000/claude-skill-registry
agent-ops-testing
Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.
majiayu000/claude-skill-registry
agent-ops-state
Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.
Didn't find tool you were looking for?