Renovate Bot in Practice — How to Cut Dependency PR Noise by 80% with groupName, schedule, and automerge
When I introduced Renovate with its default settings, I experienced firsthand how 30 PRs a day could be generated. My teammates' first reaction was "Can you just turn this bot off?", and it took several days of picking through the configuration one setting at a time.
The core is a combination of three parameters: grouping related packages with groupName to reduce PR count, aligning PR creation timing with the team's review cycle using schedule, and delegating low-risk updates to CI for post-verification handling with automerge. When you properly understand and use these settings, you can reduce dependency PR noise by up to 80%, and the effect is even more pronounced in monorepos with dozens of scattered packages.
What is Renovate Bot
Renovate Bot is an open-source dependency auto-update tool developed and maintained by Mend.io (formerly WhiteSource). Its biggest differentiator from competing tools is the ability to manage dozens of package managers — npm, pip, Maven, Gradle, Cargo, Helm, Dockerfile, GitHub Actions, and more — through a single configuration file. The full list of supported managers can be found in the official docs: Supported Managers.
It supports GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea, and offers two modes of operation. The managed approach of installing the GitHub Marketplace App lets you get started immediately without running a separate server, while the self-hosted approach runs directly in GitHub Actions or GitLab CI for full control in line with enterprise security policies.
The default configuration file is renovate.json at the repository root. For monorepos, a single file at the root centrally controls all sub-packages.
Renovate vs Dependabot
The selection criteria commonly recommended across many real-world cases are fairly clear. Choose Renovate for monorepos, multi-platform setups, and fine-grained grouping policies; choose Dependabot for simple, single GitHub repositories.
| Comparison | Renovate | Dependabot |
|---|---|---|
| Supported platforms | GitHub, GitLab, Bitbucket, Azure DevOps, Gitea | GitHub only |
| Grouping | Fine-grained control with groupName + glob/regex |
Limited |
| Monorepo support | Powerful (matchFileNames, additionalBranchPrefix) |
Basic |
| Supported package managers | Dozens or more | Some, e.g. npm, pip |
| automerge granularity | Per-package and per-update-type control | Limited |
| Learning curve | High | Low |
Using both tools simultaneously will cause duplicate PRs for the same package, so you must choose only one. To disable Dependabot, remove .github/dependabot.yml or turn off only version updates in the Security tab.
How It Works
When Renovate runs, it goes through three stages.
In the detection stage, all dependency files in the repository are parsed and current versions are compared against the latest. In the grouping and filtering stage, groupName, matchPackageNames, matchUpdateTypes, and other packageRules are applied to bundle related packages together. Finally, in the creation and auto-merge stage, PRs or branches are created only within the configured time window, and they are automatically merged when conditions are met.
Three Core Control Parameters
Honestly, if you properly understand just these three, 80% of the problems are solved.
groupName
groupName is a label that bundles multiple packages into a single PR and branch. When react, react-dom, and @types/react each have updates, it groups them into one "React ecosystem" PR instead of three separate PRs.
{
"packageRules": [
{
"groupName": "React ecosystem",
"matchPackageNames": ["react", "react-dom", "@types/react", "@types/react-dom"]
}
]
}In the packageRules array, rules declared later override earlier ones. For example, even if you set automerge: true on the Testing tools group, declaring automerge: false for major updates at the end of the array means major updates will always go through manual review. Changing the rule order changes the outcome, so be intentional about ordering when composing the array.
schedule
Specifies the time window during which PR creation and rebasing are allowed. The default is to create PRs at any time, so without a schedule configured, a PR can open whenever a dependency change is detected.
{
"schedule": ["before 6am on Monday"]
}Natural language expressions like "after 10pm and before 5am", "every weekend", and "on the first day of the month" are supported.
automerge
A flag that allows Renovate to merge directly when CI tests pass. Behavior varies depending on automergeType.
{
"automerge": true,
"automergeType": "branch"
}Supply chain risk defense: When enabling
automerge, you must always setminimumReleaseAgealongside it. This is the key setting for defending against supply chain attacks where a package with malicious code injected immediately after release gets automatically merged. A wait of 3–14 days is recommended depending on the nature of the package.
The behavioral difference by automergeType can be seen in the diagram below.
automergeType: "branch" skips the PR creation step entirely, so no PR notification is generated. A PR is only created — and the team notified — if CI fails. This is suitable for low-risk packages like linting and type-checking tools.
Practical Application
The scenarios below are configurations meant to be combined into a single renovate.json. Scenario 1 is the base skeleton; Scenarios 2–4 are added to the packageRules array or top-level settings as needed.
Scenario 1 — Reduce Frontend Monorepo PRs by Up to 80%
Group React, ESLint, and Testing-related packages under separate groupNames, and automerge minor/patch updates for linting and test tools. Limit concurrent PRs with prConcurrentLimit to distribute CI load, and override major updates with automerge: false at the end of the array to always require manual review.
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended", "group:monorepos"],
"schedule": ["before 6am on Monday"],
"prConcurrentLimit": 5,
"packageRules": [
{
"groupName": "React ecosystem",
"matchPackageNames": ["react", "react-dom", "@types/react", "@types/react-dom"]
},
{
"groupName": "ESLint and Prettier",
"matchPackageNames": ["eslint", "eslint-*", "@eslint/*", "prettier", "prettier-*"],
"automerge": true,
"automergeType": "branch",
"minimumReleaseAge": "3 days"
},
{
"groupName": "Testing tools",
"matchPackageNames": ["jest", "jest-*", "@jest/*", "vitest", "@testing-library/*"],
"automerge": true,
"minimumReleaseAge": "5 days"
},
{
"matchUpdateTypes": ["major"],
"automerge": false,
"labels": ["major-update", "needs-review"]
}
]
}The "group:monorepos" preset automatically groups already-known monorepo packages (e.g., Babel plugin bundles), so it's convenient to include in extends.
Scenario 2 — Security Updates Immediately, Regular Updates After 5-Day Wait
Add the following to the top level of the Scenario 1 configuration.
Separating vulnerabilityAlerts into its own block means CVE response PRs are created immediately without the minimumReleaseAge restriction, while regular updates wait 5 days before being processed.
{
"minimumReleaseAge": "5 days",
"prHourlyLimit": 10,
"prConcurrentLimit": 50,
"vulnerabilityAlerts": {
"minimumReleaseAge": "0 days",
"labels": ["security"]
}
}Setting prConcurrentLimit high at 50 is an intentional choice to accommodate situations where security PRs are generated in bulk. In a typical operating environment, starting at 3–5 and increasing gradually is better for distributing CI load.
The impact of security PRs generated by vulnerabilityAlerts on prConcurrentLimit and prHourlyLimit may vary depending on configuration conditions. Refer to the Vulnerability Alerts section in the official docs for detailed behavior.
Scenario 3 — Isolating PRs by Team in a Multi-Team Monorepo
Add to the packageRules array in Scenario 1.
Use matchFileNames to delineate team territories and additionalBranchPrefix to isolate branch namespaces. additionalBranchPrefix prepends a prefix to branch names Renovate generates. For example, with "frontend/" configured, the renovate/react-18.x branch is created as frontend/renovate/react-18.x. This means the frontend team only sees frontend/renovate/... branches, and the backend team only reviews backend/renovate/... branches.
{
"packageRules": [
{
"matchFileNames": ["apps/frontend/**"],
"additionalBranchPrefix": "frontend/",
"reviewers": ["team:frontend"]
},
{
"matchFileNames": ["apps/backend/**"],
"additionalBranchPrefix": "backend/",
"reviewers": ["team:backend"]
}
]
}This works particularly well in nx or Turborepo-based monorepos where sub-project boundaries are clearly defined.
Scenario 4 — Unified Management of Android Gradle Dependencies
Add to the packageRules array in Scenario 1.
Gradle, Kotlin plugins, and the Android Gradle Plugin (AGP) have intertwined version compatibility, making individual updates prone to breaking builds. Grouping them under a groupName lets you upgrade them all at once to avoid this issue.
{
"packageRules": [
{
"groupName": "Android build tools",
"matchPackageNames": [
"com.android.tools.build:gradle",
"org.jetbrains.kotlin:kotlin-gradle-plugin",
"com.android.application"
],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true,
"minimumReleaseAge": "7 days"
}
]
}"com.android.tools.build:gradle" uses Maven coordinate format, while "com.android.application" uses Gradle plugin ID format — the notation differs. How Renovate's Gradle manager detects these two formats can vary depending on project configuration, so it is recommended to validate actual behavior with renovate-config-validator before applying.
Pros and Cons
Advantages
| Item | Description |
|---|---|
| Unified multi-package-manager support | Manage npm, pip, Maven, Gradle, Cargo, Helm, Dockerfile, and more with a single tool |
| Fine-grained grouping | Precise control using combinations of matchPackageNames glob/regex, matchUpdateTypes, and matchFileNames |
| Platform independence | Operate with the same configuration across GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea |
lockFileMaintenance |
Periodically refreshes the entire lock file in a separate PR to prevent transitive dependency version drift. Enable with "lockFileMaintenance": {"enabled": true} in renovate.json; refer to the official docs for scheduling |
| Onboarding PR | On first install, provides a preview PR listing all detected dependencies and their current versions for review before activation |
| Automatic changelog insertion | PR body automatically includes upstream release notes and changelog links |
| Renovate Dashboard Issue | View all pending updates at a glance and trigger on-demand runs from the repository's Issues tab |
Disadvantages and Considerations
| Item | Description |
|---|---|
| Initial configuration complexity | Steeper learning curve compared to Dependabot; using defaults as-is can actually generate more PRs |
| Overly broad groupName scope | If matchPackageNames is too broad, unrelated packages get bundled into the same PR, making review difficult |
| automerge supply chain risk | Enabling without minimumReleaseAge risks auto-merging malicious packages; a minimum 3–14 day wait is recommended |
| prConcurrentLimit | Default value varies by preset and version; for large monorepos, start at 3–5 and increase gradually |
| self-hosted operational burden | Self-hosted GitHub App setup involves complex initial configuration and secret key management |
| Transitive dependency limitations | There are known limitations where transitive dependency vulnerabilities cannot be detected in some ecosystems such as poetry.lock |
Three Common Mistakes
① Setting matchPackageNames scope too broadly
// Risky: the "/test/" regex bundles unexpected packages as well
{
"groupName": "All test packages",
"matchPackageNames": ["/test/"]
}
// Recommended: use specific globs or regex prefixes
{
"groupName": "Testing tools",
"matchPackageNames": ["jest", "jest-*", "@jest/*", "vitest", "@testing-library/*"]
}Using patterns that are too short or too broad in matchPackageNames will pull unexpected packages into the same PR. Use specific expressions like prefix globs or scope patterns.
② Enabling automerge without setting minimumReleaseAge
Real-world cases of malicious code injected into packages shortly after release do occur. This is exactly why enterprise projects like Camunda explicitly declare wait periods of 1–14 days per package manager.
③ Using Dependabot and Renovate simultaneously
Both tools will generate PRs for the same packages, causing branch conflicts and notification noise. You must choose only one.
Closing
The combination of three things is the key. Group related packages with groupName to reduce PR count, align when PRs appear with the team's review cycle using schedule, and delegate low-risk updates to CI for post-verification handling with automerge. You must always pair automerge with minimumReleaseAge to defend against supply chain risks.
Here is the recommended order to get started:
- Install the Mend Renovate App from the GitHub Marketplace. The onboarding PR will automatically list all dependencies in the repository and their current versions.
- Set
scheduleandprConcurrentLimitinrenovate.jsonfirst. Controlling when and how many PRs are created alone will significantly reduce noise. - Add 1–2
groupNameentries topackageRules. Starting with package bundles that are typically updated together, like React or ESLint, keeps the barrier low.
Validating your renovate.json syntax locally with the renovate-config-validator CLI before pushing can prevent a flood of PRs from misconfigured settings.
References
- Renovate Official Docs — Noise Reduction
- Renovate Official Docs — Automerge Configuration and Troubleshooting
- Renovate Official Docs — Configuration Options
- Renovate Official Docs — Group Presets
- Renovate Official Docs — Supported Managers
- Renovate Official Docs — Self-Hosting Examples
- Mend.io — Common Practices for Renovate Configuration
- Jamie Tanna — Tips for optimising Renovate for multi-team monorepos (2025.07)
- DEV Community — 5+1 tips to reduce the noise of Renovate Bot
- DEV Community — Renovate vs. Dependabot: Which Bot Will Rule Your Monorepo?
- DevOpsBoys — Renovate vs Dependabot 2026
- Securimancy — Renovate rangeStrategy + vulnerabilityAlerts
- Christian Emmer — Keep Lerna Monorepos Updated with Renovate
- Renovate Bot GitHub Repository — Releases
- Augmented Mind — Renovate Bot Cheat Sheet