Use Renovate instead of Dependabot #355
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Dependabot always updates the lower bounds `Cargo.toml`, instead of only `Cargo.lock` for compatible updates, while updating `Cargo.toml` for breaking updates , as we want it for a library. From https://docs.renovatebot.com/configuration-options/#rangestrategy: > replace: Replace the range with a newer one if the new version falls outside it, and update nothing otherwise > > update-lockfile: Update the lock file when in-range updates are available, otherwise replace for updates out of range. Additionally with this migration, I've pinned GitHub Actions to hashes, which unlike tags can't be changed. The basic Renovate config is smaller than the dependabot config, it uses autodiscovery and finds Cargo and GitHub Actions. There's a dashboard with the option to create and rebase PRs and with logs. You can see a demo of this change and the PRs renovate creates in https://github.com/konstin/pubgrub-renovate. To actually enable this change, we need to give the Renovate Mend GitHub app access to the repository.
|
This is how the dashboard looks like in my test repo 
|
Eh2406
approved these changes
Sep 3, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Dependabot always updates the lower bounds
Cargo.toml, instead of onlyCargo.lockfor compatible updates, while updatingCargo.tomlfor breaking updates , as we want it for a library.From https://docs.renovatebot.com/configuration-options/#rangestrategy:
Additionally with this migration, I've pinned GitHub Actions to hashes, which unlike tags can't be changed.
The basic Renovate config is smaller than the dependabot config, it uses autodiscovery and finds Cargo and GitHub Actions. There's a dashboard with the option to create and rebase PRs and with logs.
You can see a demo of this change and the PRs renovate creates in https://github.com/konstin/pubgrub-renovate.
To actually enable this change, we need to give the Renovate Mend GitHub app access to the repository.