Security Is Important. Automate It
nicolas.vbgh · 2026-05-22 · via DEV Community

Renovate, auto-merge, and why a small team has no other option

Open npm outdated on any project older than six months. Run uv lock --check on the backend. Look at the base image tag in your Dockerfile.

You already know what you'll find. Things behind. Things with CVEs. Things end-of-life next month. The migration guide for Vite 5 → 6 nobody wants to read.

Nobody schedules this work. Nobody enjoys it. On a small team, nobody has time for it. So it doesn't happen — until the day a CVE forces it to, in a hurry, on a Friday afternoon.

That model doesn't scale to a real project. Especially not a real project with two people on it.

So I stopped doing it manually.


Handle It End to End, or Don't Handle It

There's a design principle I keep coming back to: a problem should be handled end to end. Do it, and forget. If something fails, you'll be notified.

That's it. That's the bar.

A small team can ship a real product only if every recurring chore is either automated end-to-end or deleted. There is no third option. Half-automated means "someone has to remember to check on it," and someone, in a two-person team, always forgets.

Dependency updates are the textbook case. They're recurring, mechanical, security-critical, and boring. You cannot afford to do them manually. You also cannot afford to skip them. So the only honest answer is: hand them to a system that does them every night, lets the good ones through, flags the rest, and emails you when something breaks.

That system, for me, is Renovate.


Enter Renovate

Renovate is a bot. You point it at your repo. It reads your manifests — package.json, pyproject.toml, Dockerfile, GitHub Actions workflows, GitLab CI files, Helm charts, basically anything pinned. It checks the registries. When a new version exists, it opens a pull request (or merge request, depending on your forge — I'll say PR for the rest of the article and trust you to translate).

That's the whole pitch.

Renovate works on GitHub, GitLab, Bitbucket, Gitea, Azure Repos, and a few others. Same config, same behavior. That portability matters more than it sounds — your dependency policy is now a renovate.json you can carry between projects regardless of where the code lives.

The trick is in the delegation. A bot opening PRs is not new. Dependabot has done that for years on GitHub. What makes Renovate the right tool is the configuration surface — you can describe, with reasonable precision, which updates you trust enough to auto-merge.

Patch from 1.6.2 to 1.6.3? Auto-merge if CI is green. I'd never review that diff anyway.

Major from 5.x to 6.x? Open the PR, slap a major-update label, leave it for me.

The whole thing runs on a schedule. Mine fires at 3 a.m. every night. I wake up to a dashboard that says "12 PRs merged, 2 waiting for you." The 12 were patch and minor bumps with passing pipelines. The 2 are pgvector going from 0.7 to 0.8 and a Postgres major. Those, I read.


The Config, in Plain English

The whole config is under 50 lines. Here's the load-bearing part:

{
  "extends": ["config:recommended", ":dependencyDashboard"],
  "baseBranches": ["dev"],
  "platformAutomerge": true,
  "packageRules": [
    {
      "matchUpdateTypes": ["patch", "minor", "pin", "digest"],
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "addLabels": ["major-update"]
    }
  ],
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 5am on monday"]
  },
  "vulnerabilityAlerts": { "enabled": true }
}


Five rules. That's it.

  • Target the development branch, not main. Bumps still flow through the normal development → pre-production → production (main) promotion, and they get tested again at every stage. The bot only opens the first door; everything downstream still has to pass.
  • Auto-merge patch, minor, pin, and digest bumps. Block majors behind a label.
  • Run lockfile maintenance every Monday, even when no direct deps changed — this catches transitive security fixes without anyone touching package.json.
  • Surface security advisories with their own label so they jump the queue.

The :dependencyDashboard preset is the unsung hero. It opens a single issue in your repo that lists every pending update, every blocked one, and every checkbox you can tick to force an immediate retry. When something looks weird, you go to one place.
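To catch a rule that quietly does the wrong thing, here is an added Python check (example code, not Renovate's or the author's) that loads a renovate.json and decides which update types would auto-merge. It is a simplified model: only the matchUpdateTypes selector and rule ordering are modelled (later matching rules override earlier ones), presets pulled in via extends are ignored, and lockFileMaintenance and vulnerabilityAlerts must be set explicitly; the weak variant is constructed to show an ordering mistake.

```python
"""Policy check for a renovate.json (added example, not Renovate's own code).

Simplifying assumptions: only `matchUpdateTypes` is modelled, packageRules are
walked in order with later matches overriding earlier ones, `extends` presets
are ignored, and both lockFileMaintenance and vulnerabilityAlerts must be set
explicitly (Renovate's own defaults are not modelled).
"""
import json

# The article's config, constructed inline as the "good" sample.
GOOD_CONFIG = json.loads("""
{
  "extends": ["config:recommended", ":dependencyDashboard"],
  "packageRules": [
    {"matchUpdateTypes": ["patch", "minor", "pin", "digest"], "automerge": true},
    {"matchUpdateTypes": ["major"], "automerge": false, "addLabels": ["major-update"]}
  ],
  "lockFileMaintenance": {"enabled": true, "schedule": ["before 5am on monday"]},
  "vulnerabilityAlerts": {"enabled": true}
}
""")

# Constructed weak variant: a selector-less automerge rule is ordered AFTER the
# major block, so it matches every update type, majors included, and wins.
WEAK_CONFIG = {
    "packageRules": [
        {"matchUpdateTypes": ["major"], "automerge": False, "addLabels": ["major-update"]},
        {"automerge": True},
    ],
    "lockFileMaintenance": {"enabled": False},
}


def _matching_rules(config, update_type):
    """Yield packageRules that apply to `update_type`, in declaration order."""
    for rule in config.get("packageRules", []):
        wanted = rule.get("matchUpdateTypes")
        if wanted is None or update_type in wanted:
            yield rule


def automerge_for(config, update_type):
    """True if `update_type` would auto-merge: last matching rule wins."""
    decision = bool(config.get("automerge", False))  # top-level default
    for rule in _matching_rules(config, update_type):
        if "automerge" in rule:
            decision = bool(rule["automerge"])
    return decision


def labels_for(config, update_type):
    """All labels that matching rules would add for `update_type`."""
    labels = []
    for rule in _matching_rules(config, update_type):
        labels.extend(rule.get("addLabels", []))
    return labels


def check_policy(config):
    """Return findings; an empty list means the config matches the article's policy."""
    findings = []
    if automerge_for(config, "major"):
        findings.append("major updates would auto-merge")
    for t in ("patch", "minor"):
        if not automerge_for(config, t):
            findings.append(f"{t} updates are not auto-merged")
    if not config.get("lockFileMaintenance", {}).get("enabled", False):
        findings.append("lockFileMaintenance is not enabled")
    if not config.get("vulnerabilityAlerts", {}).get("enabled", False):
        findings.append("vulnerabilityAlerts is not enabled")
    if "major-update" not in labels_for(config, "major"):
        findings.append("major updates carry no review label")
    return findings
```

Run check_policy on the repo's own renovate.json in CI so a reordered or over-broad rule fails the build instead of merging a major at 3 a.m.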


The Prerequisite: A Pipeline That Tells the Truth

Here's the part most posts skip.

Auto-merging dependency bumps is not a Renovate feature. It's a trust delegation. You're telling the bot: "if the pipeline says green, that means it works." Renovate is downstream of that. It is not what makes auto-merge safe. Your CI is.

If your pipeline doesn't actually verify the code works, auto-merge is a foot-gun pointed at production. The bot will cheerfully merge a react minor bump that breaks SSR — because the only thing it checked was npm install.

This is the direct sequel to Programming by Coercion. The whole point of that article was to build a pipeline that physically cannot let bad code through. Lint, type-check, unit tests, integration tests, end-to-end tests, security scans — each stage a finish line the code has to cross.

The key idea worth pulling out: the tests verify behavior, not implementation. If a customer has to add an item to their cart and pay, the test does exactly that. It can be decomposed into steps — add to cart, open the checkout, fill in the payment form, see the confirmation page — but the thing being verified is the user-visible outcome. When the test passes, you can be confident the feature actually works, because there is no other way the test could pass. The test only goes green if the behavior is real.

That's why auto-bumping a dependency is safe under this kind of pipeline. The PR isn't asking "does the code still compile?" — it's asking "can the customer still buy the thing?" If the answer is yes across every layer, the version bump is fine. If a transitive change broke the checkout, the e2e test fails, the merge is blocked, and you get an email. End to end.

So I won't enable auto-merge on a project that doesn't have, at a minimum:

  • Linting and type-checking that fail the build.
  • Unit and integration tests that actually exercise the upgraded dependency.
  • End-to-end tests that hit the real code paths a user uses.
  • Security scans on the result (Trivy, Bandit, gitleaks).

The pipeline is what makes auto-merge honest. Without it, you're not automating — you're just shipping faster. Renovate is downstream of the pipeline, not a replacement for it. If you don't have those gates yet, Renovate isn't your next problem — the pipeline is.


So What Do You Actually Get?

A bot on a cron and a config file under 50 lines. That's the install. From there, the system runs itself and the pipeline catches what would otherwise reach you. Here's the honest accounting — what you gain, what you give up, and what else you could have picked.

Pros

It's invisible when it works. And it works most days. I have not manually bumped a patch version in weeks.

Lockfile maintenance is a free vulnerability scan. Even when none of your package.json versions change, the resolved tree underneath does. Monday-morning lockfile refresh catches transitive CVEs you would never see otherwise.

The dependency dashboard kills the "what should I update next" anxiety. It's just a list. You go down the list. You stop.

It respects your branching model. Target the development branch, not main. Bumps still flow through pre-production and get tested again before they reach users. Renovate opens the first door — the rest of the promotion chain stays unchanged.

Major updates get human-flagged automatically. You don't have to remember to be careful. The label tells you.

The configuration is declarative and reviewable. Your dependency policy is a file in the repo, in git, with diff history. New team member asks "why do we auto-merge minors?" — answer is in the commit log.

Cons

You add a bot to your supply chain. Renovate runs with a token that can merge code. If that token leaks, an attacker can merge to your default branch. The mitigation is the same as for any CI secret — masked, protected, repo-scoped — but it is a non-zero surface area.

The "scheduled job in CI" model is fragile. A failing pipeline silently stops Renovate. You need to actually watch the maintenance stage, or you'll discover three months later it's been red the whole time. Enable your forge's pipeline-failure notifications (GitHub Actions notifications, GitLab "failed pipeline" emails — same idea, different UI).

It's noisy at first. Day one, you get 30+ PRs. You have to either merge them in a sitting or rate-limit Renovate (prConcurrentLimit) until you catch up. There's no way around the initial backlog.

Auto-merge is only as good as your CI. I said this above. Worth saying twice. If your tests don't exercise the dependency, auto-merge is theater.

Major bumps still take human time. Renovate doesn't magic away Vite 5 → 6. It just makes sure the PR exists. The actual work — reading the migration guide, fixing the breaking changes, running the manual smoke test — is still on you. The bot reduces frequency-of-decisions, not depth-of-decisions.

Configuration depth has a learning curve. The packageRules matching system is powerful and confusing. You will, at some point, write a rule that matches nothing and silently does nothing, and you'll lose an afternoon to it.

License and limits

Renovate is open source under AGPL-3.0, maintained by Mend. The CLI you run yourself — in a CI job, a container, wherever — is free, and that's what the config in this article describes. Mend also offers a hosted GitHub App ("Mend Renovate") for free, and a commercial tier with extras like compliance reports, SLAs, and a UI on top.

For a small team self-hosting on any forge, the free CLI is more than enough. The AGPL only matters if you're embedding Renovate into a product you ship to users — running it as a maintenance bot in your own pipeline doesn't trigger anything. Reasonable hard limits to be aware of: very large monorepos (hundreds of manifests) can push past Renovate's per-repo timeout in CI, and registries with aggressive rate limits sometimes need explicit hostRules entries.


What About the Alternatives?

Dependabot is the obvious one. Built into GitHub, zero setup, works fine. If you're on GitHub and don't need fine-grained grouping, custom schedules, or lockfile maintenance, just use Dependabot. The configuration is leaner, the defaults are reasonable. The trade-offs: less control over auto-merge rules, no monorepo grouping, no scheduled transitive-lockfile refresh, and — the one that matters most — it only exists on GitHub. Move repos to another forge and you start over. Renovate is the platform-agnostic answer: same renovate.json whether you're on GitHub, GitLab, Bitbucket, or self-hosted.

Snyk, Mend, Socket. These are the commercial offerings. They go further than Renovate — security posture, license compliance, dashboards, SLAs. Worth it for a company; overkill for a side project.

npm-check-updates + a calendar reminder. This is what most people actually do. It works. It also requires the human to remember, which means it gets skipped any week the human is busy. Compound interest, wrong sign.

Doing nothing. Always an option. The honest one. If your project ships once and never again, doing nothing is correct. For anything you intend to keep running, doing nothing is just borrowing time at a punitive rate.


Automate the Maintenance. Build the Future.

Automate what you can. Do it properly — documented, tested, monitored, gated. Then leave it alone.

The point isn't to write less code. The point is to free the only finite resource you have — your attention — for the work that actually moves the project forward. The next feature. The hard architectural call. The thing nobody else can do for you.

The maintenance still happens. CVEs get patched, lockfiles refresh, base images bump. None of that needs you in the loop. It just needs to be set up well once, then trusted to keep running.

A small team can run a real project — but only if every recurring chore is handled by something other than human attention. Automate the boring half properly, and you've bought yourself the time to build the interesting half.

The maintenance runs itself. The next thing is waiting for you.