π Feature: Switch from Renovate to DependabotΒ #2274
Description
Feature Request Checklist
- I have pulled the latest
mainbranch of the repository. - I have searched for related issues and found none that matched my issue.
Overview
Renovate is an excellent action/bot/product for keeping. However:
- Renovate is a third-party product that advertises itself & its parent company
- The GitHub platform already has Dependabot built-in
I'd previously stuck with Renovate over Dependabot because of Renovate's minimumReleaseAge option. Dependabot didn't have an equivalent. Waiting a minimum number of days to update to a new package is IMO critical for security. Compromised packages typically only last a few hours, but can be devastating within those hours.
Additional Info
#26 had previously moved CTA from Dependabot to Renovate.
Dependabot's cooldown feature was added on July 1st, 2025: https://github.blog/changelog/2025-07-01-dependabot-supports-configuration-of-a-minimum-package-age
I'd missed this until @cylewaitforit had mentioned it in https://bsky.app/profile/cylewaitfor.it/post/3lydwfd5lws2f. Thanks Cyle!
π