AI / RenovateBot Interview Questions
1. What is Renovate and what problem does it solve for software teams?
Renovate (also called RenovateBot) is an open-source automated dependency update tool created by Mend (formerly WhiteSource). It monitors a repository's dependency files and automatically raises pull requests whenever newer versions of dependencies are available, keeping software supply chains up to date without manual effort.
| Feature | Detail |
|---|---|
| License | GNU Affero GPL v3 (self-hosted) / commercial hosted |
| Language | Node.js / TypeScript |
| Platforms | GitHub, GitLab, Bitbucket, Azure DevOps, Gitea, Forgejo |
| Managers | 90+ (npm, pip, Maven, Docker, Helm, Terraform, and more) |
| Config format | renovate.json / .renovaterc / package.json |
| Hosted option | Mend Renovate App (free for public and private repos) |
Key differentiators from Dependabot: Renovate supports far more package managers, offers rich grouping and scheduling configuration, supports monorepos natively, and can be fully self-hosted with identical behaviour to the cloud version.
2. How does Renovate work at a high level — what is its execution flow?
Renovate follows a repeatable discover-evaluate-act cycle each time it runs.
| Step | What happens |
|---|---|
| 1. Discover repos | Connects to platform API and lists accessible repositories |
| 2. Clone and scan | Each repo is cloned; dependency files are detected |
| 3. Extract dependencies | Files are parsed by the relevant manager to extract current versions |
| 4. Look up updates | Registries (npm, PyPI, Docker Hub) are queried for newer versions |
| 5. Filter and apply config | Schedules, ranges, and ignore rules filter which updates to action |
| 6. Create/update PRs | Branches and PRs are raised for each actionable update |
| 7. Automerge (optional) | If enabled and CI passes, Renovate merges the PR automatically |
Renovate is stateless between runs — it re-discovers everything from scratch each time. The only persistent state is the PRs and branches on the platform. Rerunning Renovate is always safe and idempotent.
3. How do you install and enable Renovate on a GitHub repository?
There are two main ways: the Mend Renovate GitHub App (hosted, easiest) and self-hosted Renovate. Both result in the same behaviour once configured.
# .github/workflows/renovate.yml — self-hosted on GitHub Actions
name: Renovate
on:
schedule:
- cron: "0 2 * * 1-5"
workflow_dispatch:
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: renovatebot/github-action@v40
with:
token: ${{ secrets.RENOVATE_TOKEN }}# renovate.json — placed in repo root
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"]
}When Renovate first accesses a repository with no renovate.json, it raises an onboarding PR proposing a default configuration. Merging this PR activates Renovate for that repository.
4. What is renovate.json and what are the most important top-level configuration options?
renovate.json is the primary configuration file placed in the repository root. It is JSON (or JSON5 with comments) controlling every aspect of how Renovate behaves.
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"enabledManagers": ["npm", "pip_requirements", "dockerfile"],
"ignoreDeps": ["lodash"],
"schedule": ["after 10pm every weekday", "before 5am every weekday", "every weekend"],
"prConcurrentLimit": 5,
"minimumReleaseAge": "3 days",
"labels": ["dependencies", "automated"],
"automerge": false
}| Field | Purpose |
|---|---|
| extends | Inherit configuration from one or more presets |
| enabledManagers | Restrict which package managers Renovate processes |
| ignoreDeps | Never raise PRs for these specific packages |
| packageRules | Apply different settings to subsets of packages |
| schedule | Time windows when Renovate may create PRs |
| prConcurrentLimit | Cap on open Renovate PRs at any one time |
| minimumReleaseAge | Wait N days after a release before raising a PR |
| automerge | Automatically merge passing PRs |
5. What are Renovate presets and how do you use them?
Presets are named, reusable configuration bundles that can be extended in renovate.json. Renovate ships dozens of built-in presets covering common use cases.
{
"extends": [
"config:recommended",
"schedule:weekly",
"group:allNonMajor",
":automergeMinor",
":timezone(Europe/London)",
":prHourlyLimit2",
"helpers:pinGitHubActionDigests"
]
}| Preset | Effect |
|---|---|
| config:recommended | Sensible defaults: semantic commits, rangeStrategy, common ignores |
| :automergeMinor | Automerge all minor version updates that pass CI |
| :automergePatch | Automerge all patch updates |
| group:allNonMajor | Combine all minor and patch updates into a single PR |
| schedule:weekly | Run only at weekends |
| helpers:pinGitHubActionDigests | Pin GitHub Actions to immutable SHA256 digests |
| :dependencyDashboard | Enable a dashboard issue tracking all updates |
Custom organisation presets: host a renovate-config repo in your org and reference it as "github>myorg/renovate-config".
6. What are packageRules in Renovate and how do you use them to customise update behaviour per package?
packageRules is an array of rule objects combining match criteria (which packages to target) with action settings. Rules are evaluated in order and all matching rules are merged.
{
"packageRules": [
{
"matchPackagePatterns": ["^@myorg/"],
"automerge": true,
"automergeType": "branch"
},
{
"matchManagers": ["dockerfile"],
"matchUpdateTypes": ["major"],
"labels": ["docker", "major-update"],
"reviewers": ["team:platform"]
},
{
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["patch", "minor"],
"groupName": "Dev dependency updates",
"automerge": true
},
{
"matchPackageNames": ["node"],
"enabled": false
}
]
}| Match field | What it matches |
|---|---|
| matchPackageNames | Exact package name strings |
| matchPackagePatterns | Regex patterns against package names |
| matchManagers | Package manager type (npm, pip, dockerfile…) |
| matchDepTypes | Dependency type (dependencies, devDependencies…) |
| matchUpdateTypes | Update type: major, minor, patch, pin, digest |
| matchCurrentVersion | Only if current version matches this range |
7. How does Renovate scheduling work and what schedule syntax does it support?
The schedule field controls when Renovate is allowed to create PRs. Outside the window, Renovate detects updates but does not open new PRs. Schedules use a human-readable string format.
{
"schedule": ["after 10pm every weekday", "before 5am every weekday", "every weekend"],
"timezone": "Europe/London",
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"schedule": ["at any time"]
},
{
"matchUpdateTypes": ["major"],
"schedule": ["on monday"]
}
]
}| Schedule string | Meaning |
|---|---|
| at any time | No restriction — run whenever Renovate runs |
| "after 9pm on friday" | Friday nights |
| "every weekend" | Saturday and Sunday any time |
| "before 5am every weekday" | Weekday nights before 5am |
| "every 2 weeks on sunday" | Bi-weekly on Sundays |
8. How does Renovate's grouping feature work and how do you configure it?
The groupName setting combines multiple updates into a single PR. Built-in group presets provide common patterns.
{
"packageRules": [
{
"matchPackagePatterns": ["^@aws-sdk/"],
"groupName": "AWS SDK packages"
},
{
"matchUpdateTypes": ["patch", "minor"],
"matchDepTypes": ["devDependencies"],
"groupName": "Dev non-major updates"
}
],
"extends": [
"group:allNonMajor",
"group:linters",
"group:test",
"group:monorepos"
]
}| Concern | Detail |
|---|---|
| PR title | Group PRs get a generated title listing the group name |
| Changelogs | Renovate includes changelogs for every package in the group body |
| Partial failure | If one package causes test failure, all packages in the group are blocked |
| group:monorepos | Auto-groups packages from the same source monorepo |
9. What is automerge in Renovate and what are the different automerge strategies?
Automerge allows Renovate to merge a PR automatically once all status checks pass. This is most useful for patch updates and trusted packages where CI provides sufficient confidence.
{
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"automerge": true,
"automergeType": "pr"
},
{
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true,
"automergeStrategy": "squash"
},
{
"matchDepTypes": ["dependencies"],
"matchUpdateTypes": ["major"],
"automerge": false
}
]
}| Value | Behaviour |
|---|---|
| pr (default) | Creates a normal PR; merges it when all checks pass |
| branch | Commits directly to the default branch without creating a PR |
| pr-comment | Posts a comment to trigger automerge via a bot comment |
10. What is the Renovate Dependency Dashboard and how does it work?
The Dependency Dashboard is a GitHub/GitLab issue maintained by Renovate providing a single-pane view of all pending, open, and blocked updates. Maintainers can trigger actions by checking checkboxes in the issue.
{
"dependencyDashboard": true,
"dependencyDashboardTitle": "Dependency Dashboard",
"dependencyDashboardAutoclose": true
}| Section | Content |
|---|---|
| Rate-Limited | Updates held back by prConcurrentLimit or prHourlyLimit |
| Pending Approval | Updates needing manual approval before a PR is created |
| Awaiting Schedule | Updates detected but outside the configured schedule window |
| Open | PRs currently open and awaiting review or CI |
| Ignored or Blocked | Updates ignored or blocked by branch protection or conflicts |
11. How do you configure Renovate pull request titles, commit messages, and branch names?
Renovate generates PR titles, commit messages, and branch names from configurable Handlebars-like templates.
{
"prTitle": "chore(deps): update {{depName}} {{#if isMajor}}(MAJOR) {{/if}}to {{newVersion}}",
"commitMessage": "chore(deps): {{commitMessageAction}} {{commitMessageTopic}}",
"branchPrefix": "renovate/",
"semanticCommits": "enabled",
"semanticCommitType": "chore",
"semanticCommitScope": "deps"
}| Variable | Value |
|---|---|
| {{depName}} | The package name (e.g. lodash) |
| {{currentVersion}} | The version currently in the file |
| {{newVersion}} | The version Renovate wants to update to |
| {{updateType}} | major, minor, patch, pin, digest |
| {{manager}} | The package manager (npm, pip, dockerfile…) |
| {{isMajor}} | Boolean: true if this is a major version bump |
12. How do you configure Renovate to work with private npm registries and other private package sources?
Credentials for private registries are stored in hostRules or environment variables — never directly in renovate.json (which is committed to source control).
// renovate.json — reference private registry (no credentials here!)
{
"npmrc": "@myorg:registry=https://npm.pkg.github.com",
"hostRules": [
{
"matchHost": "npm.pkg.github.com",
"hostType": "npm",
"token": "{{ secrets.GITHUB_TOKEN }}"
},
{
"matchHost": "myartifactory.example.com",
"hostType": "npm",
"username": "{{ secrets.ARTIFACTORY_USER }}",
"password": "{{ secrets.ARTIFACTORY_PASS }}"
}
]
}# Self-hosted: provide credentials via environment variables
export RENOVATE_TOKEN=ghp_xxx
export NPM_TOKEN=npm_xxx
docker run \
-e RENOVATE_TOKEN="${RENOVATE_TOKEN}" \
-e NPM_TOKEN="${NPM_TOKEN}" \
renovate/renovate:latest \
--token="${RENOVATE_TOKEN}" myorg/myrepo
13. How does Renovate handle versioning and range strategies for different package ecosystems?
Renovate's rangeStrategy controls how it modifies version constraints when an update is available.
| Value | Behaviour | Example |
|---|---|---|
| auto (default) | Picks the best strategy per manager | npm → replace; pip → pin |
| pin | Convert ranges to exact pinned versions | ^1.2.0 → 1.3.0 |
| bump | Bump the range to include the new version | ^1.2.0 → ^1.3.0 |
| replace | Replace with a new equivalent range | >=1.0.0 <2.0.0 → >=1.3.0 <2.0.0 |
| widen | Widen the range to include the new version | ^1.2.0 → >=1.2.0 <3.0.0 |
| update-lockfile | Only update the lockfile, keep range unchanged | package.json unchanged |
{
"rangeStrategy": "pin",
"packageRules": [
{
"matchFileNames": ["packages/*/package.json"],
"rangeStrategy": "bump"
},
{
"matchFileNames": ["apps/*/package.json"],
"matchDepTypes": ["dependencies"],
"rangeStrategy": "update-lockfile"
}
]
}
14. How do you run Renovate self-hosted using Docker?
The official renovate/renovate Docker image contains the complete Renovate CLI.
# Basic Docker run for a single repository
docker run --rm \
-e RENOVATE_TOKEN="${GITHUB_TOKEN}" \
renovate/renovate:latest \
--token="${GITHUB_TOKEN}" \
myorg/myrepo
# With a global config file
docker run --rm \
-e RENOVATE_TOKEN="${GITHUB_TOKEN}" \
-e LOG_LEVEL="debug" \
-v "$(pwd)/config.js:/usr/src/app/config.js" \
renovate/renovate:latest// config.js — global Renovate config
module.exports = {
platform: "github",
token: process.env.RENOVATE_TOKEN,
autodiscover: true,
autodiscoverFilter: ["myorg/*"],
logLevel: "info",
onboarding: true,
extends: ["config:recommended"],
prConcurrentLimit: 10,
}| Tag | Purpose |
|---|---|
| latest | Most recent stable release |
| slim | Smaller image without some infrequent managers |
| full | All managers including heavy native deps (Gradle, etc.) |
| x.y.z | Pinned specific version for reproducibility |
15. How does Renovate support GitLab and what differences exist compared to GitHub?
Renovate has first-class GitLab support. The core functionality is identical — differences are in configuration keys, token requirements, and MR (merge request) vs PR terminology.
// config.js — GitLab self-hosted
module.exports = {
platform: "gitlab",
endpoint: "https://gitlab.com/api/v4/",
token: process.env.RENOVATE_TOKEN,
repositories: ["mygroup/myrepo"],
}# .gitlab-ci.yml
renovate:
image: renovate/renovate:latest
variables:
RENOVATE_TOKEN: $RENOVATE_TOKEN
LOG_LEVEL: info
script:
- renovate
rules:
- if: $CI_PIPELINE_SOURCE == "schedule"| Feature | GitHub | GitLab |
|---|---|---|
| Terminology | Pull Request (PR) | Merge Request (MR) |
| Token type | PAT or GitHub App token | Personal Access Token or Project token |
| Pipeline trigger | GitHub Actions / cron | GitLab CI schedules |
| Self-hosted config | platform: github | platform: gitlab |
16. What package managers does Renovate support and how are they detected?
Renovate supports over 90 package managers (called managers), auto-detected by scanning for known file patterns.
| Ecosystem | Manager | Files detected |
|---|---|---|
| JavaScript | npm | package.json, package-lock.json, yarn.lock |
| Python | pip_requirements / poetry | requirements.txt, pyproject.toml, Pipfile |
| Java | maven / gradle | pom.xml, build.gradle |
| Docker | dockerfile / docker-compose | Dockerfile, docker-compose.yml |
| Kubernetes | helm-values / kubernetes | values.yaml, Chart.yaml, *.yaml |
| Terraform | terraform | *.tf, .terraform.lock.hcl |
| Go | gomod | go.mod, go.sum |
| Ruby | bundler | Gemfile, Gemfile.lock |
| GitHub Actions | github-actions | .github/workflows/*.yml |
| .NET | nuget | *.csproj, packages.config |
{
"enabledManagers": ["npm", "dockerfile", "github-actions"],
"packageRules": [
{
"matchManagers": ["gradle"],
"enabled": false
}
]
}
17. How does Renovate handle npm lockfiles and what is lockFileMaintenance?
Renovate distinguishes between the manifest (package.json) and the lockfile. lockFileMaintenance periodically regenerates the entire lockfile to update transitive dependencies.
{
"lockFileMaintenance": {
"enabled": true,
"schedule": ["before 5am on monday"]
},
"packageRules": [
{
"matchManagers": ["npm"],
"rangeStrategy": "pin"
}
]
}| Scenario | package.json changed? | Lockfile changed? |
|---|---|---|
| rangeStrategy: pin (patch update) | Yes — 1.2.x → 1.3.0 | Yes |
| rangeStrategy: update-lockfile | No — range unchanged | Yes |
| Lock file maintenance run | No | Yes — full regeneration |
| New major dep (out of range) | Yes — range updated | Yes |
18. How does Renovate update Docker image versions in Dockerfiles?
Renovate's dockerfile manager extracts FROM image references and raises PRs when newer tags are available. It supports both tag-based and digest-based pinning.
# Dockerfile — Renovate parses FROM lines
FROM node:20.11.0-alpine3.19
# → PR to update to node:20.12.0-alpine3.19
# Digest pinning (immutable)
FROM node:20@sha256:a1b2c3d4... # Renovate updates digest when node:20 changes{
"packageRules": [
{
"matchManagers": ["dockerfile"],
"matchPackageNames": ["node"],
"allowedVersions": "20",
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
}
],
"digest": {
"enabled": true,
"automerge": true
}
}
19. How does Renovate handle Helm chart updates?
Renovate supports Helm via two managers: helmv3 (Chart.yaml dependencies) and helm-values (image tags in values.yaml).
# Chart.yaml — Renovate updates chart dependency versions
dependencies:
- name: postgresql
version: "13.2.0"
repository: "https://charts.bitnami.com/bitnami"
# values.yaml — Renovate updates image tags
image:
repository: myorg/myapp
tag: "1.2.3"{
"helmv3": { "fileMatch": ["(^|/)Chart\.yaml$"] },
"helm-values": { "fileMatch": ["(^|/)values.*\.ya?ml$"] },
"packageRules": [
{
"matchManagers": ["helmv3"],
"matchPackageNames": ["postgresql"],
"allowedVersions": ">=13.0.0 <14.0.0",
"groupName": "Helm database charts"
}
]
}
20. How does Renovate handle security vulnerability updates and CVE patching?
Renovate integrates with the GitHub Security Advisory database (GHSA) and OSV to detect vulnerable dependency versions and can be configured to treat security updates differently from routine updates.
{
"vulnerabilityAlerts": {
"enabled": true,
"labels": ["security", "vulnerability"],
"assignees": ["@security-team"],
"prPriority": 10,
"schedule": ["at any time"],
"automerge": false
},
"schedule": ["after 9am and before 5pm every weekday"],
"packageRules": [
{
"matchDepTypes": ["dependencies"],
"matchUpdateTypes": ["patch"],
"schedule": ["at any time"],
"prPriority": 5
}
]
}| Feature | Detail |
|---|---|
| vulnerabilityAlerts | Separate config block for security-flagged updates |
| Data sources | GitHub Advisory Database (GHSA), OSV |
| prPriority | Higher numbers appear first in the Dependency Dashboard |
| Limitation | Only catches packages with published advisories — pair with dedicated SCA tools |
21. How do you configure Renovate for a monorepo with multiple packages?
Renovate supports monorepos natively — it detects multiple manifest files across subdirectories and groups packages from the same source via group:monorepos.
{
"extends": ["config:recommended", "group:monorepos"],
"includePaths": ["packages/**", "apps/**", "libs/**"],
"ignorePaths": ["**/node_modules/**", "legacy/**"],
"packageRules": [
{
"matchPackagePatterns": ["^@myorg/"],
"groupName": "Internal workspace packages",
"automerge": true
},
{
"matchFileNames": ["packages/*/package.json"],
"groupName": "Package dependencies"
}
]
}
22. What is the minimumReleaseAge setting and why is it recommended?
minimumReleaseAge tells Renovate to wait a specified number of days after a package version is published before raising a PR, guarding against bad releases that are quickly patched.
{
"minimumReleaseAge": "3 days",
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"minimumReleaseAge": "0 days"
},
{
"matchUpdateTypes": ["major"],
"minimumReleaseAge": "7 days"
},
{
"matchPackagePatterns": ["^@myorg/"],
"minimumReleaseAge": "0 days"
}
]
}| Risk | How waiting helps |
|---|---|
| Accidental publish | Authors sometimes publish then immediately unpublish bad releases within hours |
| Post-publish patch | A bug discovered after release often gets a patch within 24-72 hours |
| Registry propagation | Some private registries take time to sync a new release |
| Community vetting | Popular packages get rapid community testing — known-good releases emerge within days |
23. How do you debug Renovate when it is not creating expected PRs?
When Renovate appears to have missed an update, most issues fall into a handful of root causes: schedule restrictions, rate limits, config rules filtering the update out, or the update being in an unexpected state.
| Check | How to investigate |
|---|---|
| Dependency Dashboard | Check which section the update is in (Rate-Limited, Awaiting Schedule, Pending Approval) |
| Log output | Set LOG_LEVEL=debug and re-run — grep for the package name |
| Schedule conflict | Ensure the runner cron and renovate.json schedule window overlap |
| prConcurrentLimit | If limit is reached, new PRs are held in Rate-Limited section |
| ignoreDeps / enabled:false | Check if a rule is explicitly disabling the package |
| Manager disabled | Verify enabledManagers includes the relevant manager |
| minimumReleaseAge | The version might not be old enough yet |
# Debug with verbose logging
docker run --rm \
-e RENOVATE_TOKEN="${GITHUB_TOKEN}" \
-e LOG_LEVEL="debug" \
renovate/renovate:latest \
--token="${GITHUB_TOKEN}" \
myorg/myrepo 2>&1 | grep -i "lodash"
# Dry run — shows what Renovate WOULD do without making changes
npx renovate --token="${GITHUB_TOKEN}" --dry-run=full myorg/myrepo
24. What is Renovate's prCreation setting and what are the available options?
prCreation controls when Renovate actually opens a PR after detecting an update.
| Value | Behaviour |
|---|---|
| immediate (default) | Open the PR as soon as an update is detected |
| not-pending | Wait until all branch status checks are complete before opening the PR |
| status-success | Only open the PR if branch CI checks pass — never opens if tests fail |
| approval | Wait for a maintainer to check the box in the Dependency Dashboard |
{
"packageRules": [
{
"matchUpdateTypes": ["major"],
"prCreation": "approval",
"dependencyDashboardApproval": true
},
{
"matchUpdateTypes": ["patch"],
"prCreation": "status-success",
"automerge": true
},
{
"matchUpdateTypes": ["minor"],
"prCreation": "not-pending"
}
]
}
25. How does Renovate handle Terraform and infrastructure-as-code updates?
Renovate's terraform manager updates provider versions, module versions, and the Terraform core version in .tf files.
# main.tf — Renovate detects and updates these
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "5.1.2"
}{
"packageRules": [
{
"matchManagers": ["terraform"],
"matchPackageNames": ["hashicorp/aws"],
"matchUpdateTypes": ["major"],
"enabled": false
},
{
"matchManagers": ["terraform"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
}
]
}
26. How do you configure Renovate for GitHub Actions workflow updates?
Renovate's github-actions manager detects uses: references and raises PRs when new action versions are available. The helpers:pinGitHubActionDigests preset pins actions to immutable SHA digests.
# .github/workflows/ci.yml — Renovate manages these
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4.0.2
# After digest pinning:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2{
"extends": ["config:recommended", "helpers:pinGitHubActionDigests"],
"packageRules": [
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["major"],
"labels": ["github-actions", "major"],
"reviewers": ["team:devops"]
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
}
]
}
27. What is the difference between Renovate's 'pin' and 'digest' update types?
Renovate classifies PRs with update types beyond major/minor/patch. Understanding pin and digest helps configure automerge correctly.
| Type | Meaning | Example |
|---|---|---|
| major | Breaking change | 1.x.x → 2.0.0 |
| minor | New features, backward-compatible | 1.2.x → 1.3.0 |
| patch | Bug fixes, backward-compatible | 1.2.3 → 1.2.4 |
| pin | Convert range to exact pinned version | ^1.2.0 → 1.2.3 |
| digest | Update a SHA digest — same tag, new underlying content | sha256:abc → sha256:def |
| replacement | A package has been renamed by its author | request → node-fetch |
{
"packageRules": [
{
"matchUpdateTypes": ["pin"],
"automerge": true,
"groupName": "Pin dependencies"
},
{
"matchUpdateTypes": ["digest"],
"automerge": true,
"schedule": ["at any time"]
},
{
"matchUpdateTypes": ["replacement"],
"labels": ["dependency-replacement"],
"automerge": false
}
]
}
28. How do you configure Renovate to rebase or update pull requests when the base branch changes?
Renovate's rebaseWhen setting controls when it automatically rebases update branches.
| Value | Behaviour |
|---|---|
| auto (default) | Rebase when PR is behind the base branch OR has conflicts |
| never | Never rebase — leave branch as-is even if conflicts exist |
| conflicted | Only rebase if there are merge conflicts |
| behind-base-branch | Rebase whenever PR is behind the base branch, even without conflicts |
{
"rebaseWhen": "auto",
"rebaseLabel": "rebase",
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"automerge": true,
"rebaseWhen": "behind-base-branch"
}
]
}
29. How does Renovate work with Python dependency management (pip, Poetry, pip-compile)?
Renovate supports several Python dependency tools, each as a separate manager.
| Manager | Files | Notes |
|---|---|---|
| pip_requirements | requirements*.txt | Simple requirements files; exact version pins |
| pip-compile | requirements*.in | Updates .in files and regenerates .txt |
| poetry | pyproject.toml + poetry.lock | Full Poetry support including lockfile |
| pep621 | pyproject.toml | PEP 621 [project.dependencies] without Poetry |
| pipenv | Pipfile + Pipfile.lock | Pipenv support |
{
"packageRules": [
{
"matchManagers": ["pip_requirements", "poetry"],
"matchPackageNames": ["django"],
"allowedVersions": "<5",
"minimumReleaseAge": "7 days"
},
{
"matchManagers": ["pip_requirements"],
"rangeStrategy": "pin",
"automerge": false
}
]
}
30. What are Renovate's prHourlyLimit and prConcurrentLimit and how do they work together?
These two settings prevent Renovate from overwhelming a repository with pull requests, working at different time scales.
| Setting | Controls | Default |
|---|---|---|
| prHourlyLimit | Maximum new PRs opened in a single Renovate run | 2 |
| prConcurrentLimit | Maximum total open Renovate PRs at any one time | 10 |
| branchConcurrentLimit | Maximum open Renovate branches | Follows prConcurrentLimit |
{
"prHourlyLimit": 5,
"prConcurrentLimit": 15,
"packageRules": [
{
"matchUpdateTypes": ["major"],
"prConcurrentLimit": 2,
"prPriority": -1
},
{
"matchUpdateTypes": ["patch", "minor"],
"prPriority": 1
}
]
}
// Setting to 0 removes the limit entirely (unlimited)
31. How do you configure Renovate to support Azure DevOps repositories?
Renovate supports Azure DevOps for both Azure Repos (Git) and Azure Artifacts. Self-hosted deployment is the primary approach.
# Azure DevOps Pipeline — renovate.yml
trigger: none
schedules:
- cron: "0 2 * * 1-5"
displayName: "Nightly Renovate"
branches:
include: ["main"]
always: true
pool:
vmImage: ubuntu-latest
steps:
- task: NodeTool@0
inputs:
versionSpec: "20.x"
- script: npx renovate
env:
RENOVATE_TOKEN: $(RENOVATE_TOKEN)
RENOVATE_PLATFORM: azure
RENOVATE_ENDPOINT: https://dev.azure.com/myorg/
RENOVATE_REPOSITORIES: "myproject/myrepo"| Item | Detail |
|---|---|
| platform value | "azure" |
| Token type | PAT with Code (read/write) and Pull Request scopes |
| Endpoint format | https://dev.azure.com/{org}/ |
| Repository format | "project/repo" — not "org/repo" like GitHub |
| Azure Artifacts | Use hostRules with matchHost: "pkgs.dev.azure.com" |
32. What is Renovate's 'ignorePaths' and 'includePaths' and when do you need them?
By default Renovate scans every file matching a known dependency pattern. ignorePaths excludes specific paths; includePaths restricts scanning to only specific paths.
{
"ignorePaths": [
"**/node_modules/**",
"vendor/**",
"legacy/**",
"docs/**",
"**/test/fixtures/**"
],
"includePaths": [
"src/**",
"packages/*/package.json",
".github/workflows/**"
],
"packageRules": [
{
"matchFileNames": ["docs/example/package.json"],
"enabled": false
}
]
}
33. How does Renovate handle Maven (Java) dependency updates?
Renovate's maven manager updates version properties and dependency versions in pom.xml files.
<!-- pom.xml — Renovate updates these elements -->
<properties>
<spring.boot.version>3.2.2</spring.boot.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>${spring.boot.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.16.1</version>
</dependency>
</dependencies>{
"packageRules": [
{
"matchManagers": ["maven"],
"matchPackagePrefixes": ["org.springframework"],
"groupName": "Spring Framework",
"minimumReleaseAge": "7 days"
},
{
"matchManagers": ["maven"],
"matchUpdateTypes": ["major"],
"enabled": false
}
],
"hostRules": [
{
"matchHost": "nexus.mycompany.com",
"hostType": "maven",
"username": "{{ secrets.NEXUS_USER }}",
"password": "{{ secrets.NEXUS_PASS }}"
}
]
}
34. What is Renovate's 'postUpdateOptions' and what post-update actions does it support?
postUpdateOptions enables specific actions Renovate runs after updating a dependency — such as regenerating lockfiles or running deduplication.
| Value | What it does |
|---|---|
| npmDedupe | Run npm dedupe after updating package-lock.json |
| yarnDedupeHighest | Run yarn-deduplicate to resolve yarn.lock to highest versions |
| pnpmDedupe | Run pnpm dedupe after updating pnpm-lock.yaml |
| gomodTidy | Run go mod tidy after updating go.mod |
| gomodUpdateImportPaths | Update import paths in .go files when module path changes |
| helmUpdateSubChartArchives | Update subchart archives after Chart.yaml changes |
{
"postUpdateOptions": ["npmDedupe", "gomodTidy"],
"packageRules": [
{
"matchManagers": ["npm"],
"postUpdateOptions": ["npmDedupe"]
},
{
"matchManagers": ["gomod"],
"postUpdateOptions": ["gomodTidy", "gomodUpdateImportPaths"]
}
]
}
35. How do you use Renovate's 'extends' to create and share an organisation-wide preset?
Organisation presets allow a central team to define Renovate standards in one repository and have all repos inherit them with a single line.
// Step 1: Create "renovate-config" repo in your GitHub org
// Add default.json:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"schedule": ["after 9pm every weekday", "every weekend"],
"timezone": "Europe/London",
"prConcurrentLimit": 10,
"minimumReleaseAge": "3 days",
"labels": ["dependencies"],
"semanticCommits": "enabled",
"dependencyDashboard": true,
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"matchDepTypes": ["devDependencies"],
"automerge": true
},
{
"matchUpdateTypes": ["major"],
"prCreation": "approval"
}
]
}// Step 2: Each repo's renovate.json
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["github>myorg/renovate-config"],
// Only repo-specific overrides:
"ignoreDeps": ["legacy-package"]
}
36. What is Renovate's 'allowedVersions' configuration and how do you use it to restrict updates?
allowedVersions restricts which version ranges Renovate is permitted to update to. Any version outside the allowed range is silently ignored.
{
"packageRules": [
{
"matchPackageNames": ["node"],
"allowedVersions": "20"
},
{
"matchPackageNames": ["react", "react-dom"],
"allowedVersions": "<19"
},
{
"matchPackageNames": ["django"],
"allowedVersions": "/^(3\.2|4\.2)/"
},
{
"matchPackageNames": ["kubernetes"],
"allowedVersions": ">=28.0.0 <29.0.0"
}
]
}| Syntax | Meaning |
|---|---|
| 20 | Only versions matching major 20 (20.x.x) |
| <19 | Any version below 19.0.0 |
| >=4.2.0 <5.0.0 | Semver range |
| "/^4\.2/" | Regex match (wrapped in slashes) |
| !=1.0.0 | Anything except exactly 1.0.0 |
37. How do you configure Renovate to automatically add reviewers and assignees to pull requests?
Renovate can automatically request reviews and set assignees on PRs using configured usernames, team slugs, or randomised sample sizes.
{
"reviewers": ["alice", "bob"],
"assignees": ["carol"],
"reviewersSampleSize": 1,
"packageRules": [
{
"matchManagers": ["dockerfile", "helm-values", "terraform"],
"reviewers": ["team:platform"],
"labels": ["infrastructure"]
},
{
"matchUpdateTypes": ["major"],
"reviewers": ["team:security", "team:architecture"],
"reviewersSampleSize": 1
},
{
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["patch", "minor"],
"reviewers": [],
"automerge": true
}
],
"reviewersFromCodeOwners": true
}
38. What was Renovate's 'stabilityDays' setting and what is the recommended timing/stability configuration?
stabilityDays was renamed to minimumReleaseAge in Renovate v34. Combining timing controls gives teams precise risk-speed control per update category.
| Setting | What it controls |
|---|---|
| minimumReleaseAge | Minimum time a version must be published before Renovate raises a PR |
| schedule | Time windows during which Renovate may open new PRs |
| prConcurrentLimit | Max open PRs at one time — slows rate of change |
| automergeSchedule | Separate schedule window for when automerge may execute |
| prCreation: not-pending | Wait for CI on the branch before opening the PR |
{
"extends": ["config:recommended"],
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"minimumReleaseAge": "3 days",
"automerge": true,
"prCreation": "status-success"
},
{
"matchUpdateTypes": ["minor"],
"minimumReleaseAge": "5 days",
"schedule": ["every weekend"],
"automerge": false,
"prCreation": "not-pending"
},
{
"matchUpdateTypes": ["major"],
"minimumReleaseAge": "14 days",
"prCreation": "approval",
"dependencyDashboardApproval": true
}
],
"prConcurrentLimit": 5,
"prHourlyLimit": 2,
"timezone": "Europe/London"
}
