Out of the box this repo uses Renovate for dependency management. More information on the decision to try renovate can be found here. Renovate is free and open-source and allows us to bundle dependency updates together and customize their scheduling.
Opting out of renovate:
If you decide you don't want to use Renovate, you can delete the renovate.json file from the template code. If you plan to rely on Dependabot, you'll likely want to add a .github/dependabot.yml file (example here).
Getting started with renovate:
- Install Renovate's GitHub App for your repo (Docs). For most projects, you most likely only want to do this for your select repository. Note that if you prefer not to use the GitHub App, renovate does offer some alternatives including self-hosting.
- After installation, Renovate should open a "Configure Renovate" pull request in your repository. Once you merge this PR, you will be all set. For more detail on this onboarding PR (what it contains, what to look for, what you can customize, etc.), check out Renovate's onboarding tutorial README for useful examples. Note that this codebase comes with a renovate.json file out of the box with configuration options you can keep depending on your preferences.
- Note that Renovate can read GitHub's Vulnerability Alerts to customize pull requests. For this to work, you must enable Dependency graph and Dependabot alerts (this is covered in the 'other GitHub settings' section above, but is mentioned here explicitly). For more detail on vulnerability management with Renovate, see here.
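As an added illustration of the options mentioned above (grouping routine updates, scheduling them, and letting Renovate act on GitHub vulnerability alerts), here is a Renovate configuration written as `renovate.json5` so that comments can explain each key. This is an example assembled for this section, not the renovate.json that ships with the template; the schedule, label name and grouping choices are assumptions you should adapt. The same keys work in a plain renovate.json once the comments are removed.

```json5
{
  // Editor support: validates keys against Renovate's published schema.
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Start from Renovate's recommended defaults and customize from there.
  "extends": ["config:recommended"],

  // Example choice: batch routine update PRs into one weekly window so
  // reviewers are not interrupted daily. Adjust timezone/schedule to taste.
  "timezone": "UTC",
  "schedule": ["before 5am on monday"],

  // Opens the Dependency Dashboard issue listing pending/blocked updates.
  "dependencyDashboard": true,

  "packageRules": [
    {
      // Example grouping: roll all minor and patch bumps into a single PR.
      // Major updates stay as separate PRs so breaking changes get review.
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "routine non-major updates"
    }
  ],

  // PRs driven by GitHub's Dependabot alerts (requires Dependency graph and
  // Dependabot alerts to be enabled on the repo). They bypass the weekly
  // schedule so a fix is proposed as soon as the alert is raised.
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"],          // assumed label; pick your own
    "schedule": ["at any time"]
  },

  // Also consult the OSV database for vulnerable versions.
  "osvVulnerabilityAlerts": true
}
```

With this in place, an ordinary dependency bump waits for the Monday window and lands in the grouped PR, while a package flagged by a vulnerability alert gets its own immediately-opened PR labelled `security`, which is the behaviour you want your branch-protection and review rules to treat differently.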
Beyond the basics:
After following the above steps your repository should be good to go with Renovate in terms of the basics. Future optimizations you may wish to look into include the Renovate Dashboard and adding the renovate-config-validator program to validate any future renovate config changes prior to merge (documentation here).