diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..2c22b88
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,14 @@
+# Dependency management is handled by Renovate (see renovate.json).
+# This file intentionally disables Dependabot version updates so the two
+# bots do not produce duplicate PRs for the same dependency.
+#
+# Note: Dependabot *security* updates are configured separately and cannot
+# be disabled via this file. To turn them off, go to:
+# Settings -> Code security -> Dependabot security updates
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ open-pull-requests-limit: 0
diff --git a/renovate.json b/renovate.json
index 3298442..68242ee 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,11 +1,30 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
- "config:base",
- ":semanticCommitsDisabled"
+ "config:recommended",
+ ":semanticCommitsDisabled",
+ ":dependencyDashboard"
 ],
- "ignoreDeps": [],
- "labels": ["Renovate"],
- "rebaseWhen": "conflicted",
- "schedule": ["on the first day of the month"]
-}
\ No newline at end of file
+ "labels": ["dependencies", "Renovate"],
+ "rebaseWhen": "behind-base-branch",
+ "schedule": ["before 6am on the first day of the month"],
+ "prConcurrentLimit": 10,
+ "lockFileMaintenance": {
+ "enabled": true,
+ "schedule": ["before 6am on the first day of the month"]
+ },
+ "packageRules": [
+ {
+ "groupName": "patch updates",
+ "matchUpdateTypes": ["patch"]
+ },
+ {
+ "matchUpdateTypes": ["major"],
+ "addLabels": ["major-update"],
+ "dependencyDashboardApproval": true
+ }
+ ],
+ "vulnerabilityAlerts": {
+ "labels": ["security"]
+ }
+}
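Review bot: The "no duplicate PRs" goal in the header comment is not fully met by `open-pull-requests-limit: 0`, because Dependabot security updates are not subject to that limit and renovate.json in this same commit enables `vulnerabilityAlerts`, so a vulnerable npm dependency can still get one PR from each bot. That is a repository-setting decision rather than a line in this file: either turn off Dependabot security updates as the comment suggests, or disable Renovate's side with `"vulnerabilityAlerts": { "enabled": false }`, but not both. Whichever you pick, Dependabot *alerts* (as opposed to security updates) must stay enabled, since Renovate's vulnerabilityAlerts feature is driven by them; I'd add `# Keep Dependabot *alerts* enabled: Renovate's vulnerabilityAlerts depends on them.` after the Settings line so nobody disables the wrong toggle. I believe Dependabot security PRs for npm will also honour any other options later added to this block (e.g. `ignore`, `target-branch`, `labels`), so the file is not entirely inert — worth a sentence in the header.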
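Review bot: Both `"before 6am on the first day of the month"` schedules are evaluated in UTC because no `timezone` is set, so if the intent is a local maintenance window add `"timezone": "<IANA zone>"` at the top level next to `schedule` (Renovate's default is UTC). `:dependencyDashboard` is already included by `config:recommended`, so the extra preset in `extends` is redundant and can be dropped. The `vulnerabilityAlerts` block only adds a label; it depends on Dependabot alerts being enabled on the repository and on the Renovate app having access to them, and by Renovate's defaults these PRs are raised outside the monthly schedule, which is what you want for security fixes — since strict JSON has no comments, record that dependency in the README or switch to renovate.json5. One thing to confirm after the first alert: whether a vulnerability fix that needs a major bump is held by the `"dependencyDashboardApproval": true` rule or released by the vulnerabilityAlerts defaults; I believe the latter wins, but the dashboard will show it.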