Dependency tracking on GitLab projects in 2025
GitHub users have Dependabot to help manage the never-ending stream of updates to their dependencies. What do GitLab users use? Apparently, Renovate Bot.
In a previous job we used GitHub, and I got used to using Dependabot (owned by GitHub) to semi-automatically manage the dependencies of our projects.
The bot would open a PR whenever a package in our package-lock.json (JavaScript dependencies) or composer.lock (PHP dependencies) had a new version available.
For my own open source project I prefer GitLab, and I was looking for a way to get the same mechanism. Although there is a community effort1 to integrate Dependabot with GitLab, I don't like that approach: it feels like a hack, and the project hasn't been updated in some time anyway.
It seems that many GitLab users have turned to a project called Renovate, which looks quite powerful. Several blogs have written about setting it up for GitLab, but they are not recent, and the procedure seems to have become simpler over time.
So this post is going to be short. Head over to their documentation page2.
It will point you to the renovate-bot/renovate-runner project on GitLab3. The README of that project contains all the steps needed to get started.
The only departure I took from those steps is to start by creating a dedicated GitLab user for the Renovate bot: I don't like bots running on my regular account, and I want to distinguish at a glance the MRs created by the bot from mine (and other contributors'). A separate account also means the bot's access token is scoped to that account alone and can be revoked on its own, without touching anyone's personal credentials.
Tip
I found it useful to enable automated onboarding: the bot analyses my projects and opens an MR in each of them with an appropriate configuration, so I don't have to figure out the configuration syntax for every type of trackable dependency my projects use. The MR the bot creates is also detailed and informative.
Tip
Later on, once all my projects have a .renovate.json file, I can turn off automated onboarding for extra security with --onboarding=false: the bot then only acts on repositories that already carry an explicit configuration, instead of opening MRs in every repository it can reach.
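To make the two phases concrete, here is a .gitlab-ci.yml for the dedicated runner project, as an added example (it is neither this post's own file nor a copy of the renovate-runner README). It assumes the include path and the variable names RENOVATE_TOKEN, GITHUB_COM_TOKEN and RENOVATE_EXTRA_FLAGS as documented by renovate-runner, and the group name my-group is a placeholder; verify both against the current README before use.

```yaml
# .gitlab-ci.yml of the dedicated runner project (added example, not the
# page's or renovate-runner's own file). Assumed: the include path and the
# variable names RENOVATE_TOKEN, GITHUB_COM_TOKEN and RENOVATE_EXTRA_FLAGS as
# documented in the renovate-runner README; "my-group" is a placeholder.
include:
  - project: 'renovate-bot/renovate-runner'
    file: '/templates/renovate.gitlab-ci.yml'

renovate:
  # Run only from a schedule or a manual (web) trigger, never on every push,
  # so the bot's token is exercised on a predictable cadence.
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
    - if: '$CI_PIPELINE_SOURCE == "web"'
  variables:
    # RENOVATE_TOKEN: personal access token of the dedicated bot user.
    # Store it as a masked + protected CI/CD variable in the project
    # settings, never in this file.
    # GITHUB_COM_TOKEN: read-only github.com token so release notes can be
    # fetched without rate limiting; also a masked CI/CD variable.
    #
    # Phase 1 (initial rollout): discover the projects the bot user can
    # reach and open an onboarding MR with a proposed config in each.
    RENOVATE_EXTRA_FLAGS: "--autodiscover=true --autodiscover-filter=my-group/* --onboarding=true"
    #
    # Phase 2 (every project already carries its config): switch onboarding
    # off so the bot only acts on repositories that explicitly configured it.
    # RENOVATE_EXTRA_FLAGS: "--autodiscover=true --autodiscover-filter=my-group/* --onboarding=false"
```

Moving from phase 1 to phase 2 is a one-line change, and keeping the autodiscover filter narrow means the bot user's token only ever needs access to the group you actually want it to touch.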