Migrate from Dependabot to Renovate
Summary
Replace GitHub Dependabot with Renovate Bot for automated dependency management across the monorepo.
Problem Statement
Current Limitations with Dependabot
- Limited Configuration Flexibility
  - YAML-based configuration with restricted options
  - Cannot express complex conditional rules
  - No support for custom model prefixes or regex patterns
- No Automerge Capability
  - All PRs require manual review and merge
  - Creates a bottleneck for low-risk updates (minor/patch of dev dependencies)
  - Increases maintenance burden on the team
- Poor Visibility into Dependency Status
  - No centralized dashboard showing pending updates
  - Difficult to track which dependencies are outdated across packages
  - No way to see blocked or conflicting updates at a glance
- Missing Lock File Maintenance
  - Dependabot doesn't support periodic lock file refresh
  - Dependency tree can become stale over time
  - Sub-dependencies may have security vulnerabilities that go unnoticed
- No Grouping Intelligence
  - Limited grouping options compared to Renovate
  - Cannot group monorepo packages together automatically
  - Less control over PR batching strategies
Proposed Solution
Migrate to Renovate Bot, which addresses all of the limitations above:
| Feature | Dependabot | Renovate |
|---|---|---|
| Configuration | YAML (limited) | JSON5/JS (flexible) |
| Automerge | Not supported | Full support with CI conditions |
| Dashboard | None | Dependency Dashboard Issue |
| Lock file maintenance | Not supported | Scheduled maintenance |
| Grouping | Basic | Advanced with presets |
| Presets | None | Extensive preset library |
Scope
In Scope
- Configure Renovate for 3 npm packages:
  - apps/mcp-server
  - packages/rules
  - packages/claude-code-plugin
- Configure Renovate for GitHub Actions workflows
- Enable automerge for low-risk updates (minor/patch)
- Enable Dependency Dashboard for visibility
- Enable monthly lock file maintenance
- Remove existing Dependabot configuration
Out of Scope
- Migration of existing Dependabot PRs (will be superseded)
- Changes to CI/CD pipeline
- Version pinning strategy changes
Acceptance Criteria
- Renovate configuration file (renovate.json) created
- Dependabot configuration (.github/dependabot.yml) removed
- Renovate GitHub App installed and activated
- Dependency Dashboard issue created by Renovate
- Minor/patch updates create PRs that automerge after CI passes
- Major updates create PRs requiring manual review
- Security updates are labeled and require manual review
- GitHub Actions updates limited to minor/patch automerge
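A Renovate configuration that implements the acceptance criteria above, written as an added example for this issue rather than the repository's actual file (shown in JSON5 so that comments fit; the same keys are valid in a comment-free renovate.json). The per-package `groupName` values and the schedule string are assumptions; automerge only fires once the required status checks pass, and nothing happens until the Renovate GitHub App is installed on the repository.

```json5
{
  // Schema gives editor validation; config:recommended supplies Renovate's defaults.
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  // Only the two ecosystems this issue covers: npm packages and workflow files.
  "enabledManagers": ["npm", "github-actions"],
  // The Dependency Dashboard issue lists pending, rate-limited and blocked updates.
  "dependencyDashboard": true,
  // Monthly lock file refresh so transitive dependencies do not go stale.
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 4am on the first day of the month"]  // assumed schedule
  },
  "packageRules": [
    // One grouped PR per workspace package, mirroring the monorepo layout (assumed group names).
    { "matchFileNames": ["apps/mcp-server/**"], "groupName": "mcp-server" },
    { "matchFileNames": ["packages/rules/**"], "groupName": "rules" },
    { "matchFileNames": ["packages/claude-code-plugin/**"], "groupName": "claude-code-plugin" },
    // Low-risk updates merge themselves once the required checks are green.
    // Applies to npm and github-actions alike, so Actions get minor/patch automerge only.
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeType": "pr"
    },
    // Majors always wait for a human; a grouped PR that contains one is not automerged.
    {
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["dependencies", "major"]
    }
  ],
  // Security-driven PRs are labeled and explicitly excluded from automerge.
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": false
  }
}
```

Validate the file locally with `npx --package renovate renovate-config-validator` before removing `.github/dependabot.yml`, which covers the "configuration mismatch" row of the risk table.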
Risk Assessment
| Risk | Level | Mitigation |
|---|---|---|
| Renovate App not installed | Medium | Verify installation before removing Dependabot |
| Configuration mismatch | Low | 1:1 mapping verified in plan document |
| Unexpected automerge | Low | CI must pass; major versions require manual review |
| Security updates auto-merged | Low | Security category explicitly requires manual review |