AI / RenovateBot Interview Questions

1. What is Renovate and what problem does it solve for software teams?
2. How does Renovate work at a high level — what is its execution flow?
3. How do you install and enable Renovate on a GitHub repository?
4. What is renovate.json and what are the most important top-level configuration options?
5. What are Renovate presets and how do you use them?
6. What are packageRules in Renovate and how do you use them to customise update behaviour per package?
7. How does Renovate scheduling work and what schedule syntax does it support?
8. How does Renovate's grouping feature work and how do you configure it?
9. What is automerge in Renovate and what are the different automerge strategies?
10. What is the Renovate Dependency Dashboard and how does it work?
11. How do you configure Renovate pull request titles, commit messages, and branch names?
12. How do you configure Renovate to work with private npm registries and other private package sources?
13. How does Renovate handle versioning and range strategies for different package ecosystems?
14. How do you run Renovate self-hosted using Docker?
15. How does Renovate support GitLab and what differences exist compared to GitHub?
16. What package managers does Renovate support and how are they detected?
17. How does Renovate handle npm lockfiles and what is lockFileMaintenance?
18. How does Renovate update Docker image versions in Dockerfiles?
19. How does Renovate handle Helm chart updates?
20. How does Renovate handle security vulnerability updates and CVE patching?
21. How do you configure Renovate for a monorepo with multiple packages?
22. What is the minimumReleaseAge setting and why is it recommended?
23. How do you debug Renovate when it is not creating expected PRs?
24. What is Renovate's prCreation setting and what are the available options?
25. How does Renovate handle Terraform and infrastructure-as-code updates?
26. How do you configure Renovate for GitHub Actions workflow updates?
27. What is the difference between Renovate's 'pin' and 'digest' update types?
28. How do you configure Renovate to rebase or update pull requests when the base branch changes?
29. How does Renovate work with Python dependency management (pip, Poetry, pip-compile)?
30. What are Renovate's prHourlyLimit and prConcurrentLimit and how do they work together?
31. How do you configure Renovate to support Azure DevOps repositories?
32. What is Renovate's 'ignorePaths' and 'includePaths' and when do you need them?
33. How does Renovate handle Maven (Java) dependency updates?
34. What is Renovate's 'postUpdateOptions' and what post-update actions does it support?
35. How do you use Renovate's 'extends' to create and share an organisation-wide preset?
36. What is Renovate's 'allowedVersions' configuration and how do you use it to restrict updates?
37. How do you configure Renovate to automatically add reviewers and assignees to pull requests?
38. What was Renovate's 'stabilityDays' setting and what is the recommended timing/stability configuration?

1. What is Renovate and what problem does it solve for software teams?

Renovate (also called RenovateBot) is an open-source automated dependency update tool created by Mend (formerly WhiteSource). It monitors a repository's dependency files and automatically raises pull requests whenever newer versions of dependencies are available, keeping software supply chains up to date without manual effort.

Renovate at a glance
Feature | Detail
License | GNU Affero GPL v3 (self-hosted) / commercial hosted
Language | Node.js / TypeScript
Platforms | GitHub, GitLab, Bitbucket, Azure DevOps, Gitea, Forgejo
Managers | 90+ (npm, pip, Maven, Docker, Helm, Terraform, and more)
Config format | renovate.json / .renovaterc / package.json
Hosted option | Mend Renovate App (free for public and private repos)

Key differentiators from Dependabot: Renovate supports far more package managers, offers rich grouping and scheduling configuration, supports monorepos natively, and can be fully self-hosted with identical behaviour to the cloud version.

What is Renovate's primary function?
Which company maintains and develops Renovate?

2. How does Renovate work at a high level — what is its execution flow?

Renovate follows a repeatable discover-evaluate-act cycle each time it runs.

Renovate execution flow
Step | What happens
1. Discover repos | Connects to platform API and lists accessible repositories
2. Clone and scan | Each repo is cloned; dependency files are detected
3. Extract dependencies | Files are parsed by the relevant manager to extract current versions
4. Look up updates | Registries (npm, PyPI, Docker Hub) are queried for newer versions
5. Filter and apply config | Schedules, ranges, and ignore rules filter which updates to action
6. Create/update PRs | Branches and PRs are raised for each actionable update
7. Automerge (optional) | If enabled and CI passes, Renovate merges the PR automatically

Renovate is stateless between runs — it re-discovers everything from scratch each time. The only persistent state is the PRs and branches on the platform. Rerunning Renovate is always safe and idempotent.

What makes Renovate's execution model stateless?
In the Renovate execution flow, what happens immediately after dependencies are extracted from files?

3. How do you install and enable Renovate on a GitHub repository?

There are two main ways: the Mend Renovate GitHub App (hosted, easiest) and self-hosted Renovate. Both result in the same behaviour once configured.

# .github/workflows/renovate.yml — self-hosted on GitHub Actions
name: Renovate
on:
  schedule:
    - cron: "0 2 * * 1-5"
  workflow_dispatch:
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: renovatebot/github-action@v40
        with:
          token: ${{ secrets.RENOVATE_TOKEN }}

# renovate.json — placed in repo root
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"]
}

When Renovate first accesses a repository with no renovate.json, it raises an onboarding PR proposing a default configuration. Merging this PR activates Renovate for that repository.

What is the Renovate onboarding PR?
What GitHub secret is required when running self-hosted Renovate via GitHub Actions?

4. What is renovate.json and what are the most important top-level configuration options?

renovate.json is the primary configuration file placed in the repository root. It is JSON (or JSON5 with comments) controlling every aspect of how Renovate behaves.

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "enabledManagers": ["npm", "pip_requirements", "dockerfile"],
  "ignoreDeps": ["lodash"],
  "schedule": ["after 10pm every weekday", "before 5am every weekday", "every weekend"],
  "prConcurrentLimit": 5,
  "minimumReleaseAge": "3 days",
  "labels": ["dependencies", "automated"],
  "automerge": false
}

Key renovate.json fields
Field | Purpose
extends | Inherit configuration from one or more presets
enabledManagers | Restrict which package managers Renovate processes
ignoreDeps | Never raise PRs for these specific packages
packageRules | Apply different settings to subsets of packages
schedule | Time windows when Renovate may create PRs
prConcurrentLimit | Cap on open Renovate PRs at any one time
minimumReleaseAge | Wait N days after a release before raising a PR
automerge | Automatically merge passing PRs

What does the 'extends' field in renovate.json do?
What is the purpose of prConcurrentLimit in renovate.json?

5. What are Renovate presets and how do you use them?

Presets are named, reusable configuration bundles that can be extended in renovate.json. Renovate ships dozens of built-in presets covering common use cases.

{
  "extends": [
    "config:recommended",
    "schedule:weekly",
    "group:allNonMajor",
    ":automergeMinor",
    ":timezone(Europe/London)",
    ":prHourlyLimit2",
    "helpers:pinGitHubActionDigests"
  ]
}

Important built-in presets
Preset | Effect
config:recommended | Sensible defaults: semantic commits, rangeStrategy, common ignores
:automergeMinor | Automerge all minor version updates that pass CI
:automergePatch | Automerge all patch updates
group:allNonMajor | Combine all minor and patch updates into a single PR
schedule:weekly | Run only at weekends
helpers:pinGitHubActionDigests | Pin GitHub Actions to immutable SHA256 digests
:dependencyDashboard | Enable a dashboard issue tracking all updates

Custom organisation presets: host a renovate-config repo in your org and reference it as "github>myorg/renovate-config".

How do you share a common Renovate configuration across all repositories in a GitHub organisation?
What does the 'config:recommended' preset provide?

6. What are packageRules in Renovate and how do you use them to customise update behaviour per package?

packageRules is an array of rule objects combining match criteria (which packages to target) with action settings. Rules are evaluated in order and all matching rules are merged.

{
  "packageRules": [
    {
      "matchPackagePatterns": ["^@myorg/"],
      "automerge": true,
      "automergeType": "branch"
    },
    {
      "matchManagers": ["dockerfile"],
      "matchUpdateTypes": ["major"],
      "labels": ["docker", "major-update"],
      "reviewers": ["team:platform"]
    },
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch", "minor"],
      "groupName": "Dev dependency updates",
      "automerge": true
    },
    {
      "matchPackageNames": ["node"],
      "enabled": false
    }
  ]
}

packageRules match fields
Match field | What it matches
matchPackageNames | Exact package name strings
matchPackagePatterns | Regex patterns against package names
matchManagers | Package manager type (npm, pip, dockerfile…)
matchDepTypes | Dependency type (dependencies, devDependencies…)
matchUpdateTypes | Update type: major, minor, patch, pin, digest
matchCurrentVersion | Only if current version matches this range

In packageRules, what happens when multiple rules match the same package?
How would you disable Renovate updates for a specific package called 'legacy-sdk'?

7. How does Renovate scheduling work and what schedule syntax does it support?

The schedule field controls when Renovate is allowed to create PRs. Outside the window, Renovate detects updates but does not open new PRs. Schedules use a human-readable string format.

{
  "schedule": ["after 10pm every weekday", "before 5am every weekday", "every weekend"],
  "timezone": "Europe/London",
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "schedule": ["at any time"]
    },
    {
      "matchUpdateTypes": ["major"],
      "schedule": ["on monday"]
    }
  ]
}

Common schedule examples
Schedule string | Meaning
at any time | No restriction — run whenever Renovate runs
"after 9pm on friday" | Friday nights
"every weekend" | Saturday and Sunday any time
"before 5am every weekday" | Weekday nights before 5am
"every 2 weeks on sunday" | Bi-weekly on Sundays

If Renovate's schedule is 'every weekend' but the GitHub Actions cron only runs on weekdays, what happens?
What does the schedule value 'at any time' mean in a Renovate packageRule?

8. How does Renovate's grouping feature work and how do you configure it?

The groupName setting combines multiple updates into a single PR. Built-in group presets provide common patterns.

{
  "packageRules": [
    {
      "matchPackagePatterns": ["^@aws-sdk/"],
      "groupName": "AWS SDK packages"
    },
    {
      "matchUpdateTypes": ["patch", "minor"],
      "matchDepTypes": ["devDependencies"],
      "groupName": "Dev non-major updates"
    }
  ],
  "extends": [
    "group:allNonMajor",
    "group:linters",
    "group:test",
    "group:monorepos"
  ]
}

Grouping considerations
Concern | Detail
PR title | Group PRs get a generated title listing the group name
Changelogs | Renovate includes changelogs for every package in the group body
Partial failure | If one package causes test failure, all packages in the group are blocked
group:monorepos | Auto-groups packages from the same source monorepo

What is the risk of grouping too many dependencies into a single Renovate PR?
How do you tell Renovate to combine all updates from packages matching '^@myorg/' into a single PR?

9. What is automerge in Renovate and what are the different automerge strategies?

Automerge allows Renovate to merge a PR automatically once all status checks pass. This is most useful for patch updates and trusted packages where CI provides sufficient confidence.

{
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "pr"
    },
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeStrategy": "squash"
    },
    {
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}

automergeType values
Value | Behaviour
pr (default) | Creates a normal PR; merges it when all checks pass
branch | Commits directly to the default branch without creating a PR
pr-comment | Posts a comment to trigger automerge via a bot comment

What is the difference between automergeType 'pr' and 'branch'?
Which type of updates is safest to enable automerge for as a starting point?

10. What is the Renovate Dependency Dashboard and how does it work?

The Dependency Dashboard is a GitHub/GitLab issue maintained by Renovate providing a single-pane view of all pending, open, and blocked updates. Maintainers can trigger actions by checking checkboxes in the issue.

{
  "dependencyDashboard": true,
  "dependencyDashboardTitle": "Dependency Dashboard",
  "dependencyDashboardAutoclose": true
}

Dependency Dashboard sections
Section | Content
Rate-Limited | Updates held back by prConcurrentLimit or prHourlyLimit
Pending Approval | Updates needing manual approval before a PR is created
Awaiting Schedule | Updates detected but outside the configured schedule window
Open | PRs currently open and awaiting review or CI
Ignored or Blocked | Updates ignored or blocked by branch protection or conflicts

How can a developer trigger Renovate to immediately create a PR for an update awaiting its schedule window?
What does the 'Rate-Limited' section in the Dependency Dashboard indicate?

11. How do you configure Renovate pull request titles, commit messages, and branch names?

Renovate generates PR titles, commit messages, and branch names from configurable Handlebars-like templates.

{
  "prTitle": "chore(deps): update {{depName}} {{#if isMajor}}(MAJOR) {{/if}}to {{newVersion}}",
  "commitMessage": "chore(deps): {{commitMessageAction}} {{commitMessageTopic}}",
  "branchPrefix": "renovate/",
  "semanticCommits": "enabled",
  "semanticCommitType": "chore",
  "semanticCommitScope": "deps"
}

Available template variables
Variable | Value
{{depName}} | The package name (e.g. lodash)
{{currentVersion}} | The version currently in the file
{{newVersion}} | The version Renovate wants to update to
{{updateType}} | major, minor, patch, pin, digest
{{manager}} | The package manager (npm, pip, dockerfile…)
{{isMajor}} | Boolean: true if this is a major version bump

What syntax does Renovate use for template variables in prTitle and commitMessage?
What does setting 'semanticCommits': 'enabled' do to Renovate's commit messages?

12. How do you configure Renovate to work with private npm registries and other private package sources?

Credentials for private registries are stored in hostRules or environment variables — never directly in renovate.json (which is committed to source control).

// renovate.json — reference private registry (no credentials here!)
{
  "npmrc": "@myorg:registry=https://npm.pkg.github.com",
  "hostRules": [
    {
      "matchHost": "npm.pkg.github.com",
      "hostType": "npm",
      "token": "{{ secrets.GITHUB_TOKEN }}"
    },
    {
      "matchHost": "myartifactory.example.com",
      "hostType": "npm",
      "username": "{{ secrets.ARTIFACTORY_USER }}",
      "password": "{{ secrets.ARTIFACTORY_PASS }}"
    }
  ]
}
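
# Self-hosted: provide credentials via environment variables
export RENOVATE_TOKEN=ghp_xxx
export NPM_TOKEN=npm_xxx

# "-e NAME" with no value passes the variable through from the calling shell,
# so the secret never appears in the docker command line or the process list.
# Renovate reads RENOVATE_TOKEN from the environment, so --token is not needed.
docker run \
  -e RENOVATE_TOKEN \
  -e NPM_TOKEN \
  renovate/renovate:latest \
  myorg/myrepo
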
Why should authentication credentials never be placed directly in renovate.json?
What is a Renovate hostRule used for?
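
The rule in question 12 (no credentials in renovate.json) can be enforced in CI with a small check. This is an added example, not code from Renovate or from the original page; it assumes strict JSON input and treats the `{{ secrets.NAME }}` form shown above as the only acceptable credential value, and the sample config and its values are constructed.

```javascript
// Added example: lint a renovate.json for credentials committed in clear text.
// Assumption: a credential value is acceptable only if it is exactly one
// {{ secrets.NAME }} template, the form used in the hostRules example above.
const SECRET_TEMPLATE = /^\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$/;
const CREDENTIAL_KEYS = ["token", "password"]; // hostRules fields shown on this page

function findCommittedCredentials(renovateJsonText) {
  // Strict JSON only: strip JSON5 comments before calling this function.
  const config = JSON.parse(renovateJsonText);
  const findings = [];

  (config.hostRules || []).forEach((rule, index) => {
    for (const key of CREDENTIAL_KEYS) {
      const value = rule[key];
      if (typeof value === "string" && !SECRET_TEMPLATE.test(value)) {
        // Report where the problem is, never the value itself.
        findings.push({
          location: `hostRules[${index}].${key}`,
          host: rule.matchHost || "(any host)",
          reason: "literal credential instead of a secrets template",
        });
      }
    }
  });

  // An inline npmrc string can carry a registry token (npm's _authToken key).
  if (typeof config.npmrc === "string") {
    for (const line of config.npmrc.split(/\r?\n/)) {
      const match = line.match(/_authToken\s*=\s*(.+)$/);
      if (match && !SECRET_TEMPLATE.test(match[1].trim())) {
        findings.push({
          location: "npmrc",
          host: line.split(":_authToken")[0].replace(/^\/\//, ""),
          reason: "literal _authToken in inline npmrc",
        });
      }
    }
  }
  return findings;
}

// Constructed sample: one rule follows the page's pattern, one does not.
const sampleRenovateJson = JSON.stringify({
  npmrc:
    "@myorg:registry=https://npm.pkg.github.com\n" +
    "//npm.pkg.github.com/:_authToken=CONSTRUCTED-NOT-A-REAL-TOKEN",
  hostRules: [
    {
      matchHost: "npm.pkg.github.com",
      hostType: "npm",
      token: "{{ secrets.GITHUB_TOKEN }}",
    },
    {
      matchHost: "myartifactory.example.com",
      hostType: "npm",
      username: "{{ secrets.ARTIFACTORY_USER }}",
      password: "CONSTRUCTED-NOT-A-REAL-PASSWORD",
    },
  ],
});

for (const finding of findCommittedCredentials(sampleRenovateJson)) {
  console.log(`${finding.location} (${finding.host}): ${finding.reason}`);
}
```

Run it as a required status check on any change to renovate.json so a literal token is caught before it reaches the default branch.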

13. How does Renovate handle versioning and range strategies for different package ecosystems?

Renovate's rangeStrategy controls how it modifies version constraints when an update is available.

rangeStrategy values
Value | Behaviour | Example
auto (default) | Picks the best strategy per manager | npm → replace; pip → pin
pin | Convert ranges to exact pinned versions | ^1.2.0 → 1.3.0
bump | Bump the range to include the new version | ^1.2.0 → ^1.3.0
replace | Replace with a new equivalent range | >=1.0.0 <2.0.0 → >=1.3.0 <2.0.0
widen | Widen the range to include the new version | ^1.2.0 → >=1.2.0 <3.0.0
update-lockfile | Only update the lockfile, keep range unchanged | package.json unchanged

{
  "rangeStrategy": "pin",
  "packageRules": [
    {
      "matchFileNames": ["packages/*/package.json"],
      "rangeStrategy": "bump"
    },
    {
      "matchFileNames": ["apps/*/package.json"],
      "matchDepTypes": ["dependencies"],
      "rangeStrategy": "update-lockfile"
    }
  ]
}
What does rangeStrategy 'pin' do to a version constraint like '^1.2.0'?
What is the practical difference between rangeStrategy 'pin' and 'update-lockfile'?

14. How do you run Renovate self-hosted using Docker?

The official renovate/renovate Docker image contains the complete Renovate CLI.

# Basic Docker run for a single repository
docker run --rm \
  -e RENOVATE_TOKEN="${GITHUB_TOKEN}" \
  renovate/renovate:latest \
  --token="${GITHUB_TOKEN}" \
  myorg/myrepo

# With a global config file
docker run --rm \
  -e RENOVATE_TOKEN="${GITHUB_TOKEN}" \
  -e LOG_LEVEL="debug" \
  -v "$(pwd)/config.js:/usr/src/app/config.js" \
  renovate/renovate:latest

// config.js — global Renovate config
module.exports = {
  platform: "github",
  token: process.env.RENOVATE_TOKEN,
  autodiscover: true,
  autodiscoverFilter: ["myorg/*"],
  logLevel: "info",
  onboarding: true,
  extends: ["config:recommended"],
  prConcurrentLimit: 10,
}

Key Renovate Docker image tags
Tag | Purpose
latest | Most recent stable release
slim | Smaller image without some infrequent managers
full | All managers including heavy native deps (Gradle, etc.)
x.y.z | Pinned specific version for reproducibility

What is the purpose of 'autodiscover: true' in a self-hosted Renovate global config?
Which Docker image tag should you use in production for predictable, reproducible runs?

15. How does Renovate support GitLab and what differences exist compared to GitHub?

Renovate has first-class GitLab support. The core functionality is identical — differences are in configuration keys, token requirements, and MR (merge request) vs PR terminology.

// config.js — GitLab self-hosted
module.exports = {
  platform: "gitlab",
  endpoint: "https://gitlab.com/api/v4/",
  token: process.env.RENOVATE_TOKEN,
  repositories: ["mygroup/myrepo"],
}

# .gitlab-ci.yml
renovate:
  image: renovate/renovate:latest
  variables:
    RENOVATE_TOKEN: $RENOVATE_TOKEN
    LOG_LEVEL: info
  script:
    - renovate
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"

GitHub vs GitLab Renovate differences
Feature | GitHub | GitLab
Terminology | Pull Request (PR) | Merge Request (MR)
Token type | PAT or GitHub App token | Personal Access Token or Project token
Pipeline trigger | GitHub Actions / cron | GitLab CI schedules
Self-hosted config | platform: github | platform: gitlab

What does Renovate call 'pull requests' when working with GitLab?
What is the correct platform value in a self-hosted Renovate config for GitLab?

16. What package managers does Renovate support and how are they detected?

Renovate supports over 90 package managers (called managers), auto-detected by scanning for known file patterns.

Key Renovate managers by ecosystem
Ecosystem | Manager | Files detected
JavaScript | npm | package.json, package-lock.json, yarn.lock
Python | pip_requirements / poetry | requirements.txt, pyproject.toml, Pipfile
Java | maven / gradle | pom.xml, build.gradle
Docker | dockerfile / docker-compose | Dockerfile, docker-compose.yml
Kubernetes | helm-values / kubernetes | values.yaml, Chart.yaml, *.yaml
Terraform | terraform | *.tf, .terraform.lock.hcl
Go | gomod | go.mod, go.sum
Ruby | bundler | Gemfile, Gemfile.lock
GitHub Actions | github-actions | .github/workflows/*.yml
.NET | nuget | *.csproj, packages.config

{
  "enabledManagers": ["npm", "dockerfile", "github-actions"],
  "packageRules": [
    {
      "matchManagers": ["gradle"],
      "enabled": false
    }
  ]
}
How does Renovate decide which package managers to activate for a repository?
Which Renovate manager handles updates to GitHub Actions workflow files?

17. How does Renovate handle npm lockfiles and what is lockFileMaintenance?

Renovate distinguishes between the manifest (package.json) and the lockfile. lockFileMaintenance periodically regenerates the entire lockfile to update transitive dependencies.

{
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 5am on monday"]
  },
  "packageRules": [
    {
      "matchManagers": ["npm"],
      "rangeStrategy": "pin"
    }
  ]
}

Lockfile update scenarios
Scenario | package.json changed? | Lockfile changed?
rangeStrategy: pin (patch update) | Yes — 1.2.x → 1.3.0 | Yes
rangeStrategy: update-lockfile | No — range unchanged | Yes
Lock file maintenance run | No | Yes — full regeneration
New major dep (out of range) | Yes — range updated | Yes

What does Renovate's lockFileMaintenance feature do?
Why does lockfile maintenance matter for transitive dependencies?

18. How does Renovate update Docker image versions in Dockerfiles?

Renovate's dockerfile manager extracts FROM image references and raises PRs when newer tags are available. It supports both tag-based and digest-based pinning.

# Dockerfile — Renovate parses FROM lines
FROM node:20.11.0-alpine3.19
# → PR to update to node:20.12.0-alpine3.19

# Digest pinning (immutable)
# Renovate updates the digest when node:20 changes
# (Dockerfile comments must sit on their own line, not after an instruction)
FROM node:20@sha256:a1b2c3d4...

{
  "packageRules": [
    {
      "matchManagers": ["dockerfile"],
      "matchPackageNames": ["node"],
      "allowedVersions": "20",
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ],
  "digest": {
    "enabled": true,
    "automerge": true
  }
}
What is the benefit of using digest-pinned Docker images with Renovate?
How do you restrict Renovate to only raise PRs for Node.js patch and minor updates within the Node 20 LTS line?

19. How does Renovate handle Helm chart updates?

Renovate supports Helm via two managers: helmv3 (Chart.yaml dependencies) and helm-values (image tags in values.yaml).

# Chart.yaml — Renovate updates chart dependency versions
dependencies:
  - name: postgresql
    version: "13.2.0"
    repository: "https://charts.bitnami.com/bitnami"

# values.yaml — Renovate updates image tags
image:
  repository: myorg/myapp
  tag: "1.2.3"

{
  "helmv3": { "fileMatch": ["(^|/)Chart\\.yaml$"] },
  "helm-values": { "fileMatch": ["(^|/)values.*\\.ya?ml$"] },
  "packageRules": [
    {
      "matchManagers": ["helmv3"],
      "matchPackageNames": ["postgresql"],
      "allowedVersions": ">=13.0.0 <14.0.0",
      "groupName": "Helm database charts"
    }
  ]
}
Which two Renovate managers handle Helm-related updates?
What does Renovate update in a values.yaml file?

20. How does Renovate handle security vulnerability updates and CVE patching?

Renovate integrates with the GitHub Security Advisory database (GHSA) and OSV to detect vulnerable dependency versions and can be configured to treat security updates differently from routine updates.

{
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security", "vulnerability"],
    "assignees": ["@security-team"],
    "prPriority": 10,
    "schedule": ["at any time"],
    "automerge": false
  },
  "schedule": ["after 9am and before 5pm every weekday"],
  "packageRules": [
    {
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": ["patch"],
      "schedule": ["at any time"],
      "prPriority": 5
    }
  ]
}

Renovate security update behaviour
Feature | Detail
vulnerabilityAlerts | Separate config block for security-flagged updates
Data sources | GitHub Advisory Database (GHSA), OSV
prPriority | Higher numbers appear first in the Dependency Dashboard
Limitation | Only catches packages with published advisories — pair with dedicated SCA tools

What does setting 'schedule': ['at any time'] for vulnerabilityAlerts accomplish?
What advisory database does Renovate use as its primary source for vulnerability data on GitHub?

21. How do you configure Renovate for a monorepo with multiple packages?

Renovate supports monorepos natively — it detects multiple manifest files across subdirectories and groups packages from the same source via group:monorepos.

{
  "extends": ["config:recommended", "group:monorepos"],
  "includePaths": ["packages/**", "apps/**", "libs/**"],
  "ignorePaths": ["**/node_modules/**", "legacy/**"],
  "packageRules": [
    {
      "matchPackagePatterns": ["^@myorg/"],
      "groupName": "Internal workspace packages",
      "automerge": true
    },
    {
      "matchFileNames": ["packages/*/package.json"],
      "groupName": "Package dependencies"
    }
  ]
}
What does the 'group:monorepos' preset do?
How do you restrict Renovate to only scan specific subdirectories in a monorepo?

22. What is the minimumReleaseAge setting and why is it recommended?

minimumReleaseAge tells Renovate to wait a specified number of days after a package version is published before raising a PR, guarding against bad releases that are quickly patched.

{
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "minimumReleaseAge": "0 days"
    },
    {
      "matchUpdateTypes": ["major"],
      "minimumReleaseAge": "7 days"
    },
    {
      "matchPackagePatterns": ["^@myorg/"],
      "minimumReleaseAge": "0 days"
    }
  ]
}

Why minimumReleaseAge matters
Risk | How waiting helps
Accidental publish | Authors sometimes publish then immediately unpublish bad releases within hours
Post-publish patch | A bug discovered after release often gets a patch within 24-72 hours
Registry propagation | Some private registries take time to sync a new release
Community vetting | Popular packages get rapid community testing — known-good releases emerge within days

What is the primary reason to set minimumReleaseAge to '3 days'?
For which type of update would you typically set minimumReleaseAge to 0?
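
A simplified model of how the packageRules from questions 6 and 22 combine, written as an added example and not taken from Renovate's source: matching rules are merged in order, later rules override earlier ones, and the audit lists updates that would automerge with no release-age wait. The sample config and update list are constructed, and only the matchers shown on this page are modelled.

```javascript
// Added example: simplified model of packageRules merging (not Renovate code).
// Every matcher present in a rule must match the update (logical AND).
function ruleMatches(rule, update) {
  const matchers = [
    ["matchUpdateTypes", (list) => list.includes(update.updateType)],
    ["matchDepTypes", (list) => list.includes(update.depType)],
    ["matchManagers", (list) => list.includes(update.manager)],
    ["matchPackageNames", (list) => list.includes(update.depName)],
    ["matchPackagePatterns",
      (list) => list.some((pattern) => new RegExp(pattern).test(update.depName))],
  ];
  return matchers.every(([key, test]) => !(key in rule) || test(rule[key]));
}

// Start from the top-level values, then apply each matching rule in order.
function resolveSettings(config, update) {
  const effective = {
    automerge: config.automerge ?? false,
    minimumReleaseAge: config.minimumReleaseAge ?? null,
  };
  for (const rule of config.packageRules || []) {
    if (!ruleMatches(rule, update)) continue;
    // A later matching rule overrides an earlier one for the same key.
    if ("automerge" in rule) effective.automerge = rule.automerge;
    if ("minimumReleaseAge" in rule) {
      effective.minimumReleaseAge = rule.minimumReleaseAge;
    }
  }
  return effective;
}

// Assumption: only "<n> days" / "<n> hours" strings are handled here.
function releaseAgeDays(value) {
  if (value === null || value === undefined) return 0;
  const match = /^(\d+)\s*(day|hour)s?$/.exec(value.trim());
  if (!match) throw new Error(`unsupported minimumReleaseAge: ${value}`);
  return match[2] === "day" ? Number(match[1]) : Number(match[1]) / 24;
}

// Updates that would be merged automatically with no waiting period at all.
function findUnvettedAutomerge(config, updates) {
  return updates
    .filter((update) => {
      const settings = resolveSettings(config, update);
      return settings.automerge === true &&
        releaseAgeDays(settings.minimumReleaseAge) === 0;
    })
    .map((update) => `${update.depName} (${update.updateType})`);
}

// Constructed config: the rules from question 22 plus two automerge rules
// in the style of question 9.
const sampleConfig = {
  minimumReleaseAge: "3 days",
  packageRules: [
    { matchUpdateTypes: ["patch"], automerge: true },
    { matchUpdateTypes: ["patch"], minimumReleaseAge: "0 days" },
    { matchUpdateTypes: ["major"], minimumReleaseAge: "7 days" },
    { matchPackagePatterns: ["^@myorg/"], minimumReleaseAge: "0 days" },
    {
      matchDepTypes: ["devDependencies"],
      matchUpdateTypes: ["minor", "patch"],
      automerge: true,
    },
  ],
};

// Constructed updates to evaluate against the config.
const sampleUpdates = [
  { depName: "lodash", updateType: "patch", depType: "dependencies", manager: "npm" },
  { depName: "lodash", updateType: "minor", depType: "dependencies", manager: "npm" },
  { depName: "eslint", updateType: "minor", depType: "devDependencies", manager: "npm" },
  { depName: "@myorg/ui", updateType: "major", depType: "dependencies", manager: "npm" },
];

console.log(findUnvettedAutomerge(sampleConfig, sampleUpdates));
```

In the sample, the "7 days" wait for major updates is overridden by the later `^@myorg/` rule, which is the kind of ordering effect that is easy to miss when reading a long packageRules array.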

23. How do you debug Renovate when it is not creating expected PRs?

When Renovate appears to have missed an update, most issues fall into a handful of root causes: schedule restrictions, rate limits, config rules filtering the update out, or the update being in an unexpected state.

Debugging checklist
Check | How to investigate
Dependency Dashboard | Check which section the update is in (Rate-Limited, Awaiting Schedule, Pending Approval)
Log output | Set LOG_LEVEL=debug and re-run — grep for the package name
Schedule conflict | Ensure the runner cron and renovate.json schedule window overlap
prConcurrentLimit | If limit is reached, new PRs are held in Rate-Limited section
ignoreDeps / enabled:false | Check if a rule is explicitly disabling the package
Manager disabled | Verify enabledManagers includes the relevant manager
minimumReleaseAge | The version might not be old enough yet

# Debug with verbose logging
docker run --rm \
  -e RENOVATE_TOKEN="${GITHUB_TOKEN}" \
  -e LOG_LEVEL="debug" \
  renovate/renovate:latest \
  --token="${GITHUB_TOKEN}" \
  myorg/myrepo 2>&1 | grep -i "lodash"

# Dry run — shows what Renovate WOULD do without making changes
npx renovate --token="${GITHUB_TOKEN}" --dry-run=full myorg/myrepo
What is the quickest way to check why a specific update is not appearing as a PR?
What does the --dry-run=full flag do when running Renovate?

24. What is Renovate's prCreation setting and what are the available options?

prCreation controls when Renovate actually opens a PR after detecting an update.

prCreation values
Value | Behaviour
immediate (default) | Open the PR as soon as an update is detected
not-pending | Wait until all branch status checks are complete before opening the PR
status-success | Only open the PR if branch CI checks pass — never opens if tests fail
approval | Wait for a maintainer to check the box in the Dependency Dashboard

{
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "prCreation": "approval",
      "dependencyDashboardApproval": true
    },
    {
      "matchUpdateTypes": ["patch"],
      "prCreation": "status-success",
      "automerge": true
    },
    {
      "matchUpdateTypes": ["minor"],
      "prCreation": "not-pending"
    }
  ]
}
What does prCreation: 'status-success' do?
What is the practical benefit of prCreation: 'approval' for major updates?

25. How does Renovate handle Terraform and infrastructure-as-code updates?

Renovate's terraform manager updates provider versions, module versions, and the Terraform core version in .tf files.

# main.tf — Renovate detects and updates these
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"
}

{
  "packageRules": [
    {
      "matchManagers": ["terraform"],
      "matchPackageNames": ["hashicorp/aws"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    {
      "matchManagers": ["terraform"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
What types of version constraints does Renovate update in Terraform .tf files?
How does Renovate update a Terraform module sourced from GitHub with a ref= tag?

26. How do you configure Renovate for GitHub Actions workflow updates?

Renovate's github-actions manager detects uses: references and raises PRs when new action versions are available. The helpers:pinGitHubActionDigests preset pins actions to immutable SHA digests.

# .github/workflows/ci.yml — Renovate manages these
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4.0.2

# After digest pinning:
  - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

{
  "extends": ["config:recommended", "helpers:pinGitHubActionDigests"],
  "packageRules": [
    {
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["major"],
      "labels": ["github-actions", "major"],
      "reviewers": ["team:devops"]
    },
    {
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
Why does 'helpers:pinGitHubActionDigests' improve supply chain security?
What does Renovate do when an action tag like 'actions/checkout@v4' points to a new commit?
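
To see how much of a repository is still on mutable references before enabling the digest pinning described in questions 18 and 26, a check like the following can run over workflow files and Dockerfiles. It is an added example, not part of Renovate or of the original page; the sample workflow, Dockerfile and digest value are constructed.

```javascript
// Added example (not Renovate code): report references that are still mutable.
const COMMIT_SHA = /^[0-9a-f]{40}$/;          // full commit SHA, as in the pinned checkout line
const IMAGE_DIGEST = /@sha256:[0-9a-f]{64}$/; // image reference ending in a sha256 digest

// Workflow files: every remote "uses:" reference should end in @<commit SHA>.
function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, index) => {
    const match = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/);
    if (!match) return;
    const ref = match[1];
    if (ref.startsWith("./")) return; // action stored in the same repository
    const pinned = ref.startsWith("docker://")
      ? IMAGE_DIGEST.test(ref)
      : COMMIT_SHA.test(ref.slice(ref.lastIndexOf("@") + 1));
    if (!pinned) findings.push({ line: index + 1, ref });
  });
  return findings;
}

// Dockerfiles: every FROM that pulls from a registry should carry a digest.
// A FROM built from an ARG value cannot be verified here and is reported.
function findUnpinnedImages(dockerfileText) {
  const findings = [];
  const stageNames = new Set(); // names introduced by "FROM ... AS <stage>"
  dockerfileText.split(/\r?\n/).forEach((line, index) => {
    const match = line.match(
      /^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?/i
    );
    if (!match) return;
    const image = match[1];
    const stage = match[2];
    const isLocal =
      image.toLowerCase() === "scratch" || stageNames.has(image.toLowerCase());
    if (stage) stageNames.add(stage.toLowerCase());
    if (!isLocal && !IMAGE_DIGEST.test(image)) {
      findings.push({ line: index + 1, ref: image });
    }
  });
  return findings;
}

// Constructed sample inputs, based on the snippets in questions 18 and 26.
const sampleWorkflow = [
  "steps:",
  "  - uses: actions/checkout@v4",
  "  - uses: actions/setup-node@v4.0.2",
  "  - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2",
  "  - uses: ./.github/actions/local-build",
].join("\n");

const constructedDigest = "0123456789abcdef".repeat(4); // not a real image digest
const sampleDockerfile = [
  "FROM node:20.11.0-alpine3.19 AS build",
  `FROM node:20@sha256:${constructedDigest} AS runtime`,
  "FROM build AS test",
  "FROM scratch",
].join("\n");

console.log(findUnpinnedActions(sampleWorkflow));
console.log(findUnpinnedImages(sampleDockerfile));
```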

27. What is the difference between Renovate's 'pin' and 'digest' update types?

Renovate classifies PRs with update types beyond major/minor/patch. Understanding pin and digest helps configure automerge correctly.

All Renovate update types
Type | Meaning | Example
major | Breaking change | 1.x.x → 2.0.0
minor | New features, backward-compatible | 1.2.x → 1.3.0
patch | Bug fixes, backward-compatible | 1.2.3 → 1.2.4
pin | Convert range to exact pinned version | ^1.2.0 → 1.2.3
digest | Update a SHA digest — same tag, new underlying content | sha256:abc → sha256:def
replacement | A package has been renamed by its author | request → node-fetch

{
  "packageRules": [
    {
      "matchUpdateTypes": ["pin"],
      "automerge": true,
      "groupName": "Pin dependencies"
    },
    {
      "matchUpdateTypes": ["digest"],
      "automerge": true,
      "schedule": ["at any time"]
    },
    {
      "matchUpdateTypes": ["replacement"],
      "labels": ["dependency-replacement"],
      "automerge": false
    }
  ]
}
What is the difference between a 'patch' and 'digest' update type in Renovate?
Why is it safe to automerge 'pin' update type PRs?

28. How do you configure Renovate to rebase or update pull requests when the base branch changes?

Renovate's rebaseWhen setting controls when it automatically rebases update branches.

rebaseWhen values

| Value | Behaviour |
| --- | --- |
| auto (default) | Rebase when PR is behind the base branch OR has conflicts |
| never | Never rebase — leave branch as-is even if conflicts exist |
| conflicted | Only rebase if there are merge conflicts |
| behind-base-branch | Rebase whenever PR is behind the base branch, even without conflicts |

{
  "rebaseWhen": "auto",
  "rebaseLabel": "rebase",
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "rebaseWhen": "behind-base-branch"
    }
  ]
}
What does rebaseWhen: 'auto' (the default) do for Renovate pull requests?
How can a developer manually trigger Renovate to rebase a specific PR?

29. How does Renovate work with Python dependency management (pip, Poetry, pip-compile)?

Renovate supports several Python dependency tools, each as a separate manager.

Python manager coverage

| Manager | Files | Notes |
| --- | --- | --- |
| pip_requirements | requirements*.txt | Simple requirements files; exact version pins |
| pip-compile | requirements*.in | Updates .in files and regenerates .txt |
| poetry | pyproject.toml + poetry.lock | Full Poetry support including lockfile |
| pep621 | pyproject.toml | PEP 621 [project.dependencies] without Poetry |
| pipenv | Pipfile + Pipfile.lock | Pipenv support |

{
  "packageRules": [
    {
      "matchManagers": ["pip_requirements", "poetry"],
      "matchPackageNames": ["django"],
      "allowedVersions": "<5",
      "minimumReleaseAge": "7 days"
    },
    {
      "matchManagers": ["pip_requirements"],
      "rangeStrategy": "pin",
      "automerge": false
    }
  ]
}
Which Renovate manager should you use for a project using pip-tools with .in and .txt files?
What happens to poetry.lock when Renovate updates a dependency version in pyproject.toml?

30. What are Renovate's prHourlyLimit and prConcurrentLimit and how do they work together?

These two settings prevent Renovate from overwhelming a repository with pull requests, working at different time scales.

PR limiting settings

| Setting | Controls | Default |
| --- | --- | --- |
| prHourlyLimit | Maximum new PRs opened in a single Renovate run | 2 |
| prConcurrentLimit | Maximum total open Renovate PRs at any one time | 10 |
| branchConcurrentLimit | Maximum open Renovate branches | Follows prConcurrentLimit |

{
  "prHourlyLimit": 5,
  "prConcurrentLimit": 15,
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "prConcurrentLimit": 2,
      "prPriority": -1
    },
    {
      "matchUpdateTypes": ["patch", "minor"],
      "prPriority": 1
    }
  ]
}

Setting a limit to 0 removes that limit entirely (unlimited).

What is the difference between prHourlyLimit and prConcurrentLimit?
What happens to detected updates when prConcurrentLimit is reached?

31. How do you configure Renovate to support Azure DevOps repositories?

Renovate supports Azure DevOps for both Azure Repos (Git) and Azure Artifacts. Self-hosted deployment is the primary approach.

# Azure DevOps Pipeline — renovate.yml
trigger: none
schedules:
  - cron: "0 2 * * 1-5"
    displayName: "Nightly Renovate"
    branches:
      include: ["main"]
    always: true
pool:
  vmImage: ubuntu-latest
steps:
  - task: NodeTool@0
    inputs:
      versionSpec: "20.x"
  - script: npx renovate
    env:
      RENOVATE_TOKEN: $(RENOVATE_TOKEN)
      RENOVATE_PLATFORM: azure
      RENOVATE_ENDPOINT: https://dev.azure.com/myorg/
      RENOVATE_REPOSITORIES: "myproject/myrepo"

Azure DevOps Renovate specifics

| Item | Detail |
| --- | --- |
| platform value | "azure" |
| Token type | PAT with Code (read/write) and Pull Request scopes |
| Endpoint format | https://dev.azure.com/{org}/ |
| Repository format | "project/repo" — not "org/repo" like GitHub |
| Azure Artifacts | Use hostRules with matchHost: "pkgs.dev.azure.com" |

How is the repository identifier format different in Azure DevOps vs GitHub when configuring Renovate?
What Azure DevOps PAT scopes are required for Renovate to create pull requests?

32. What is Renovate's 'ignorePaths' and 'includePaths' and when do you need them?

By default Renovate scans every file matching a known dependency pattern. ignorePaths excludes specific paths; includePaths restricts scanning to only specific paths.

{
  "ignorePaths": [
    "**/node_modules/**",
    "vendor/**",
    "legacy/**",
    "docs/**",
    "**/test/fixtures/**"
  ],
  "includePaths": [
    "src/**",
    "packages/*/package.json",
    ".github/workflows/**"
  ],
  "packageRules": [
    {
      "matchFileNames": ["docs/example/package.json"],
      "enabled": false
    }
  ]
}
What is the difference between ignorePaths and includePaths in Renovate?
Why would you use includePaths in a large monorepo?

33. How does Renovate handle Maven (Java) dependency updates?

Renovate's maven manager updates version properties and dependency versions in pom.xml files.

<!-- pom.xml — Renovate updates these elements -->
<properties>
  <spring.boot.version>3.2.2</spring.boot.version>
</properties>
<dependencies>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <version>${spring.boot.version}</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.16.1</version>
  </dependency>
</dependencies>
{
  "packageRules": [
    {
      "matchManagers": ["maven"],
      "matchPackagePrefixes": ["org.springframework"],
      "groupName": "Spring Framework",
      "minimumReleaseAge": "7 days"
    },
    {
      "matchManagers": ["maven"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ],
  "hostRules": [
    {
      "matchHost": "nexus.mycompany.com",
      "hostType": "maven",
      "username": "{{ secrets.NEXUS_USER }}",
      "password": "{{ secrets.NEXUS_PASS }}"
    }
  ]
}
What does Renovate update in a Maven pom.xml file?
How do you configure Renovate to access a private Nexus Maven repository?

34. What is Renovate's 'postUpdateOptions' and what post-update actions does it support?

postUpdateOptions enables specific actions Renovate runs after updating a dependency — such as regenerating lockfiles or running deduplication.

Common postUpdateOptions values

| Value | What it does |
| --- | --- |
| npmDedupe | Run npm dedupe after updating package-lock.json |
| yarnDedupeHighest | Run yarn-deduplicate to resolve yarn.lock to highest versions |
| pnpmDedupe | Run pnpm dedupe after updating pnpm-lock.yaml |
| gomodTidy | Run go mod tidy after updating go.mod |
| gomodUpdateImportPaths | Update import paths in .go files when module path changes |
| helmUpdateSubChartArchives | Update subchart archives after Chart.yaml changes |

{
  "postUpdateOptions": ["npmDedupe", "gomodTidy"],
  "packageRules": [
    {
      "matchManagers": ["npm"],
      "postUpdateOptions": ["npmDedupe"]
    },
    {
      "matchManagers": ["gomod"],
      "postUpdateOptions": ["gomodTidy", "gomodUpdateImportPaths"]
    }
  ]
}
What does the 'gomodTidy' postUpdateOption do after a Go dependency update?
Why might you enable 'npmDedupe' as a postUpdateOption?

35. How do you use Renovate's 'extends' to create and share an organisation-wide preset?

Organisation presets allow a central team to define Renovate standards in one repository and have all repos inherit them with a single line.

Step 1: Create a "renovate-config" repo in your GitHub org and add default.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "schedule": ["after 9pm every weekday", "every weekend"],
  "timezone": "Europe/London",
  "prConcurrentLimit": 10,
  "minimumReleaseAge": "3 days",
  "labels": ["dependencies"],
  "semanticCommits": "enabled",
  "dependencyDashboard": true,
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "matchDepTypes": ["devDependencies"],
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "prCreation": "approval"
    }
  ]
}

Step 2: In each repo's renovate.json, extend the preset and add only repo-specific overrides:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>myorg/renovate-config"],
  "ignoreDeps": ["legacy-package"]
}
How do you reference an organisation-wide preset from a repo in 'myorg/renovate-config'?
What is the main operational benefit of an organisation-wide Renovate preset?

36. What is Renovate's 'allowedVersions' configuration and how do you use it to restrict updates?

allowedVersions restricts which version ranges Renovate is permitted to update to. Any version outside the allowed range is silently ignored.

{
  "packageRules": [
    {
      "matchPackageNames": ["node"],
      "allowedVersions": "20"
    },
    {
      "matchPackageNames": ["react", "react-dom"],
      "allowedVersions": "<19"
    },
    {
      "matchPackageNames": ["django"],
      "allowedVersions": "/^(3\\.2|4\\.2)/"
    },
    {
      "matchPackageNames": ["kubernetes"],
      "allowedVersions": ">=28.0.0 <29.0.0"
    }
  ]
}
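
allowedVersions syntax

| Syntax | Meaning |
| --- | --- |
| 20 | Only versions matching major 20 (20.x.x) |
| <19 | Any version below 19.0.0 |
| >=4.2.0 <5.0.0 | Semver range |
| /^4\.2/ | Regex match (wrapped in slashes; inside a JSON string each backslash is written as \\) |
| !=1.0.0 | Anything except exactly 1.0.0 |
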
What is the difference between ignoreDeps and allowedVersions in Renovate?
How would you configure Renovate to only allow updates to Node.js versions within the 20.x LTS line?

37. How do you configure Renovate to automatically add reviewers and assignees to pull requests?

Renovate can automatically request reviews and set assignees on PRs using configured usernames, team slugs, or randomised sample sizes.

{
  "reviewers": ["alice", "bob"],
  "assignees": ["carol"],
  "reviewersSampleSize": 1,
  "packageRules": [
    {
      "matchManagers": ["dockerfile", "helm-values", "terraform"],
      "reviewers": ["team:platform"],
      "labels": ["infrastructure"]
    },
    {
      "matchUpdateTypes": ["major"],
      "reviewers": ["team:security", "team:architecture"],
      "reviewersSampleSize": 1
    },
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch", "minor"],
      "reviewers": [],
      "automerge": true
    }
  ],
  "reviewersFromCodeOwners": true
}
What does reviewersSampleSize: 2 do when reviewers is set to a list of 5 people?
How do you prevent a globally configured reviewer list from applying to automerged devDependency patch updates?

38. What was Renovate's 'stabilityDays' setting and what is the recommended timing/stability configuration?

stabilityDays was renamed to minimumReleaseAge in Renovate v34. Combining timing controls gives teams precise risk-speed control per update category.

Timing and stability controls

| Setting | What it controls |
| --- | --- |
| minimumReleaseAge | Minimum time a version must be published before Renovate raises a PR |
| schedule | Time windows during which Renovate may open new PRs |
| prConcurrentLimit | Max open PRs at one time — slows rate of change |
| automergeSchedule | Separate schedule window for when automerge may execute |
| prCreation: not-pending | Wait for CI on the branch before opening the PR |

{
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "minimumReleaseAge": "3 days",
      "automerge": true,
      "prCreation": "status-success"
    },
    {
      "matchUpdateTypes": ["minor"],
      "minimumReleaseAge": "5 days",
      "schedule": ["every weekend"],
      "automerge": false,
      "prCreation": "not-pending"
    },
    {
      "matchUpdateTypes": ["major"],
      "minimumReleaseAge": "14 days",
      "prCreation": "approval",
      "dependencyDashboardApproval": true
    }
  ],
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2,
  "timezone": "Europe/London"
}
What was 'stabilityDays' renamed to in modern versions of Renovate?
What combination of settings gives the most conservative approach to major dependency updates?
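
An added example (not from the original page and not Renovate's own code): a simplified Python model of how packageRules are applied in order, with later matching rules overriding earlier ones, used to compute the effective automerge, minimumReleaseAge and prCreation per update type and to flag any type that automerges with no release-age delay. It assumes only matchUpdateTypes matchers and does not resolve extends presets; WEAK_CONFIG is constructed.

```python
import json

# The timing/stability config from this section, as JSON text.
PAGE_CONFIG = json.loads("""
{
  "extends": ["config:recommended"],
  "packageRules": [
    {"matchUpdateTypes": ["patch"], "minimumReleaseAge": "3 days",
     "automerge": true, "prCreation": "status-success"},
    {"matchUpdateTypes": ["minor"], "minimumReleaseAge": "5 days",
     "schedule": ["every weekend"], "automerge": false, "prCreation": "not-pending"},
    {"matchUpdateTypes": ["major"], "minimumReleaseAge": "14 days",
     "prCreation": "approval", "dependencyDashboardApproval": true}
  ],
  "prConcurrentLimit": 5, "prHourlyLimit": 2, "timezone": "Europe/London"
}
""")

# Constructed weak config: the second rule turns automerge on for minor updates,
# but only patch updates carry a release-age delay.
WEAK_CONFIG = {"packageRules": [
    {"matchUpdateTypes": ["patch"], "minimumReleaseAge": "3 days"},
    {"matchUpdateTypes": ["minor", "patch"], "automerge": True},
]}

def effective(config, update_type):
    """Top-level settings overlaid with each matching packageRule, in file order."""
    merged = {k: v for k, v in config.items() if k != "packageRules"}
    for rule in config.get("packageRules", []):
        matchers = [k for k in rule if k.startswith("match")]
        if matchers != ["matchUpdateTypes"]:
            continue                      # other matchers are not modelled here
        if update_type in rule["matchUpdateTypes"]:
            merged.update({k: v for k, v in rule.items() if k not in matchers})
    return merged

def automerge_without_age(config, update_types=("major", "minor", "patch")):
    """Update types that would automerge with no minimumReleaseAge in effect."""
    flagged = []
    for update_type in update_types:
        settings = effective(config, update_type)
        if settings.get("automerge") and not settings.get("minimumReleaseAge"):
            flagged.append(update_type)
    return flagged
```

Running automerge_without_age over a repository's resolved config in CI catches a later broad rule that quietly re-enables automerge for a category an earlier rule was meant to delay.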