Update manager
We want to build secure and up-to-date software. Therefore, we have to keep our code and its dependencies up to date regularly. To make this process as easy as possible, we want to use an update manager.
This eval compares two different update managers: Renovate and Dependabot.
Requirements
The following requirements are important for us:
- group dependencies by type (e.g. go-Dependencies, python-Dependencies)
- easy to use
- minimal overhead to maintain
Renovate
Renovate is a tool built by Mend. It can be self-hosted or used as a service. For configuration, it uses a renovate.json file in the repository.
To use Renovate, we can either host a server and deploy Renovate ourselves or install the Renovate GitHub App (for the entire organization).
Dependabot
Dependabot is a tool built by GitHub and is used as a service. For configuration, it uses a .github/dependabot.yml file in the repository.
To use Dependabot, we only have to enable it in the repository settings.
Comparison
Feature | Renovate | Dependabot |
---|---|---|
Hosting | as a service, connected via GitHub App (self-hosted is possible, but not an option for us) | native in GitHub |
Configuration | very extensive configuration via JSON and environment variables | limited, but simple configuration via YAML |
Cost | free | free |
Security | hosted by Mend (write access to the repositories is granted to an external app) | native in GitHub, no additional rights needed |
Grouping | via packageRules | via groups |
Conclusion
We use Dependabot as our update manager.
We have a very simple setup and don't need a lot of configuration. Therefore, Dependabot is the better choice for us. It is natively integrated in GitHub and has no overhead to maintain.
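As an added example (not part of the original eval), this is a .github/dependabot.yml that meets the grouping requirement above with Dependabot's groups feature; the directory "/", the weekly schedule and the group names are assumptions and need to match the actual repository layout:

```yaml
# Added example, not taken from the page: groups Go and Python dependencies
# into one pull request per ecosystem. Directory, schedule and group names
# are assumptions.
version: 2
updates:
  # Go dependencies: all go.mod updates are bundled into a single PR
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      go-dependencies:
        patterns:
          - "*"

  # Python dependencies: minor and patch updates are bundled into one PR;
  # major updates are left out of the group on purpose so that each
  # potentially breaking change gets its own review
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      python-dependencies:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
```

Any dependency that does not match a group's patterns or update-types still gets an individual pull request, so a major bump never slips into the grouped PR unnoticed.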