Renovate vs Dependabot vs Updatecli: Self-Hosted Dependency Automation Guide 2026

Keeping dependencies up to date is one of the most tedious yet critical tasks in software development. Outdated packages introduce security vulnerabilities, miss performance improvements, and create technical debt that compounds over time. Manual dependency updates are error-prone and don’t scale across teams with dozens of repositories.

Dependency automation tools solve this problem by scanning your projects for outdated packages, testing new versions, and creating pull requests with changelogs and release notes. The three leading tools in this space are Renovate, Dependabot, and Updatecli. Each takes a different approach to the problem, with varying degrees of self-hosting support and ecosystem coverage.

This guide compares all three tools, shows you how to self-host them with docker, and helps you choose the right dependency automation pipeline for your infrastructure.

Why Automate Dependency Updates?

Before diving into tool comparisons, it’s worth understanding why dependency automation matters:

• Security patches arrive daily — CVEs are published for popular packages every week. Without automated updates, your projects remain vulnerable until someone manually checks and updates each dependency.
• Manual reviews don’t scale — A team managing 50+ repositories cannot realistically review and update dependencies by hand. Automation reduces this to reviewing auto-generated pull requests.
• Breaking changes are caught early — Automated tools create pull requests as soon as new versions are released, letting your CI pipeline catch incompatibilities before they affect production.
• Audit trails are automatic — Every dependency change goes through version control with a clear trail of what changed, why, and when.
• SBOM generation improves with fresh dependencies — Keeping packages current makes your SBOM and dependency tracking more accurate and actionable.

Tool Overview

Renovate — The Self-Hosted Powerhouse

Renovate, maintained by Mend.io, is the most widely adopted open-source dependency automation tool. Written in TypeScript, it supports over 40 package ecosystems including npm, pip, Go modules, Maven, Gradle, Docker, Helm, Terraform, and many more.

Key stats: 21,318 GitHub stars, actively maintained (last pushed April 2026), TypeScript.

Renovate’s biggest advantage is its self-hosting capability. You can run it on your own infrastructure via Docker, connecting it to GitHub, GitLab, Bitbucket, Gitea, or Azure DevOps. This gives you full control over scheduling, rate limiting, and which repositories are scanned.

Dependabot — GitHub’s Built-In Solution

Dependabot is GitHub’s native dependency update tool, acquired in 2019. Written in Ruby, it powers the dependency update PRs you see across millions of GitHub repositories.

Key stats: 5,539 GitHub stars, actively maintained (last pushed April 2026), Ruby.

Dependabot is deeply integrated into the GitHub ecosystem. It supports GitHub-native features like dependency graphs, security advisories, and version updates. However, Dependabot cannot be self-hosted. It runs exclusively on GitHub’s infrastructure. If you use GitLab, Gitea, or an on-premises Git server, Dependabot is not an option.

Updatecli — The Declarative Policy Engine

Updatecli takes a fundamentally different approach. Rather than being a dedicated dependency updater, it’s a declarative update policy engine written in Go. You define policies in YAML that specify what to check, where to find the latest version, and what action to take.

Key stats: 895 GitHub stars, actively maintained (last pushed April 2026), Go.

Updatecli is not limited to package dependencies. It can update Docker image tags, Terraform module verskubernetes chart versions, Kubernetes manifests, GitHub Actions versions, and virtually anything that has a version number. This makes it more flexible but also more complex to configure.

Feature Comparison

Self-Hosting Renovate with Docker

Renovate’s self-hosted mode is the most mature option for teams that want full control over their dependency automation pipeline.

Prerequisites

• A running Docker host
• A GitHub/GitLab/Gitea personal access token with repo scope
• Access to the target repositories

Docker Compose Configuration

Create a docker-compose.yml to run Renovate as a persistent service:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

version: '3.8'

services:
  renovate:
    image: ghcr.io/renovatebot/renovate:latest
    container_name: renovate
    restart: unless-stopped
    environment:
      - LOG_LEVEL=debug
      - RENOVATE_PLATFORM=github
      - RENOVATE_ENDPOINT=https://api.github.com
      - RENOVATE_TOKEN=${GITHUB_TOKEN}
      - RENOVATE_GIT_AUTHOR=Renovate Bot <renovate@your-domain.com>
      - RENOVATE_REPOSITORIES=org/repo1,org/repo2
      - RENOVATE_SCHEDULE=after 10pm and before 5am
      - RENOVATE_DRY_RUN=false
      - RENOVATE_AUTOMERGE=true
      - RENOVATE_AUTOMERGE_TYPE=branch
    volumes:
      - ./renovate-config.js:/usr/src/app/renovate.json:ro

Renovate Configuration File

Create renovate-config.js (or renovate.json) to define your update policies:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":dependencyDashboard",
    ":semanticCommits"
  ],
  "labels": ["dependencies"],
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "labels": ["dependencies", "major-update"]
    },
    {
      "matchPackagePatterns": ["^docker/"],
      "enabled": false
    },
    {
      "matchManagers": ["github-actions"],
      "automerge": true
    }
  ],
  "timezone": "UTC",
  "prConcurrentLimit": 10,
  "prHourlyLimit": 2,
  "separateMajorMinor": true,
  "separateMultipleMajor": true
}

This configuration enables:

• Automatic merging for minor and patch updates (excluding pre-1.0 packages)
• Label-based categorization for major updates
• Concurrent PR limits to avoid overwhelming reviewers
• GitHub Actions auto-updates with auto-merge

Running with GitHub Apps (Advanced)

For production deployments, using a GitHub App is more secure than personal access tokens:

1
2
3
4
5

docker run -e RENOVATE_PLATFORM=github \
  -e RENOVATE_APP_ID=123456 \
  -e RENOVATE_APP_PRIVATE_KEY="$(cat private-key.pem)" \
  -e RENOVATE_INSTALLATION_ID=789012 \
  ghcr.io/renovatebot/renovate:latest

The GitHub App approach grants Renovate access to specific repositories without needing per-user tokens.

Self-Hosting Updatecli

Updatecli runs as a CLI tool that you can schedule with cron or run as a container. Its configuration uses a policy-based approach.

Installation

1
2
3
4
5
6
7

# Install via script
curl -sfL https://get.updatecli.io | sh

# Or via Homebrew
brew install updatecli

# Or download binary from GitHub releases

Updatecli Compose Configuration

Updatecli uses its own updatecli-compose.yaml format (different from Docker Compose):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

policies:
  - name: Dependency Updates
    config:
      - ./policies/dependencies/
    values:
      - ./values/scm.yaml

  - name: Docker Image Updates
    config:
      - ./policies/docker/
    values:
      - ./values/docker.yaml

Example Policy: Update Go Dependencies

Create a policy file at policies/dependencies/go-modules.yaml:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

name: "Update Go module dependencies"

scms:
  github:
    kind: "github"
    spec:
      user: "your-org"
      email: "ci@your-domain.com"
      username: "${GITHUB_ACTOR}"
      token: "${GITHUB_TOKEN}"
      owner: "your-org"
      repository: "my-go-project"
      branch: "main"

sources:
  latestGinVersion:
    name: "Get latest gin version"
    kind: "githubrelease"
    spec:
      owner: "gin-gonic"
      repository: "gin"
      token: "${GITHUB_TOKEN}"
      versionfilter:
        kind: "semver"
        pattern: ">=1.9.0"

targets:
  updateGinInGoMod:
    name: "Update gin version in go.mod"
    kind: "shell"
    spec:
      command: "go get github.com/gin-gonic/gin@{{ source \"latestGinVersion\" }}"
      environments:
        - name: PATH
        - name: HOME
    sourceid: latestGinVersion

actions:
  default:
    kind: "github/pullrequest"
    spec:
      automerge: false
      mergemethod: squash
      parent: false
      title: "chore: update gin to {{ source \"latestGinVersion\" }}"

This policy checks for the latest gin release and creates a pull request when a newer version is available. The semver version filter ensures only compatible versions are considered.

Running Updatecli

1
2
3
4
5

# Preview changes without modifying anything
updatecli diff --config updatecli-compose.yaml

# Apply changes and create pull requests
updatecli apply --config updatecli-compose.yaml

Scheduling with Cron

1
2

# Run daily at 2 AM UTC
0 2 * * * cd /opt/updatecli && ./updatecli apply --config updatecli-compose.yaml >> /var/log/updatecli.log 2>&1

Dependabot Configuration (GitHub-Only)

While Dependabot cannot be self-hosted, understanding its configuration is useful for comparison and for teams that operate exclusively on GitHub.

Enabling Dependabot

Create .github/dependabot.yml in your repository:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    reviewers:
      - "dev-team"
    commit-message:
      prefix: "chore(deps):"
    groups:
      production-deps:
        patterns:
          - "*"
        exclude-patterns:
          - "@types/*"
          - "eslint*"
        update-types:
          - "minor"
          - "patch"

  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "docker"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

Dependabot Security Updates

GitHub provides a separate security-focused update stream:

1
2
3

# Enable in repository settings:
# Settings → Code security → Dependabot alerts → Enable
# Settings → Code security → Dependabot security updates → Enable

This automatically creates PRs for vulnerable dependencies, even if your regular update schedule hasn’t triggered. For teams using self-hosted tools, consider complementing your dependency updates with vulnerability scanning tools like Trivy, Grype, or OpenVAS to detect issues in container images and system packages that dependency managers don’t cover.

When to Choose Each Tool

Choose Renovate When:

• You need self-hosted dependency automation with full control
• Your team uses multiple Git platforms (GitHub + GitLab + Gitea)
• You want the broadest ecosystem support out of the box
• You need fine-grained scheduling and rate limiting
• Your organization requires data to stay on-premises
• You manage 50+ repositories and need centralized configuration

Choose Dependabot When:

• Your team operates exclusively on GitHub
• You want zero-configuration setup (enabled per-repo with a single YAML file)
• You need deep integration with GitHub security features (dependency graph, advisories)
• You prefer a managed solution without maintaining infrastructure
• Your security team requires GitHub-native audit trails

Choose Updatecli When:

• You need to update more than just package dependencies (Docker tags, Terraform, Helm, Kubernetes)
• You want a declarative policy engine that can handle arbitrary version checks
• Your infrastructure uses custom versioning schemes not covered by dedicated tools
• You prefer Go-based tooling with single-binary deployment
• You want to unify all update automation under one configuration format

Real-World Deployment Scenarios

Scenario 1: Multi-Platform Enterprise

A company with 200 repositories split across GitHub Enterprise, GitLab, and Gitea would struggle with Dependabot (GitHub-only). Updatecli could work but would require writing individual policies for each ecosystem. Renovate is the clear choice here — one configuration file covers all platforms and all package managers. Pair this with a self-hosted CI/CD pipeline like Woodpecker or Drone to automatically test and merge dependency updates.

Scenario 2: Small GitHub-Only Startup

A 10-person team with 20 repositories on GitHub.com has minimal infrastructure overhead concerns. Dependabot requires zero additional servers and integrates natively with their existing workflow. The time saved not managing a Renovate instance outweighs its feature advantages.

Scenario 3: Infrastructure-as-Code Heavy Team

A platform engineering team managing Terraform modules, Docker images, Helm charts, and Kubernetes manifests across multiple environments needs to update more than just npm and pip dependencies. Updatecli excels here because its policy engine can target any versioned artifact, not just package manager dependencies.

Scenario 4: Regulated Industry (Finance, Healthcare)

Organizations with strict data residency requirements cannot send repository metadata to external services. Self-hosted Renovate keeps all scanning and PR creation within the organization’s network perimeter. No repository content or dependency metadata leaves your infrastructure.

Migration Strategies

From Dependabot to Renovate

If you’re moving from Dependabot to self-hosted Renovate:

1. Install Renovate on your infrastructure
2. Map your dependabot.yml settings to Renovate’s packageRules
3. Enable Renovate on repositories one at a time
4. Monitor for duplicate PRs during the transition
5. Disable Dependabot once Renovate is stable

Key mapping:

• package-ecosystem → matchManagers
• schedule.interval → schedule
• open-pull-requests-limit → prConcurrentLimit
• labels → labels
• groups → group rules in packageRules

From Manual Updates to Automation

If you currently update dependencies manually:

1. Start with Dependabot on GitHub repos for quick wins (zero setup)
2. Deploy Renovate for non-GitHub repos
3. Configure auto-merge for patch updates first
4. Gradually enable minor update auto-merge after building confidence
5. Add Updatecli policies for infrastructure updates (Docker, Terraform)

FAQ

Can Dependabot be self-hosted?

No. Dependabot runs exclusively on GitHub’s infrastructure. There is no self-hosted version or Docker image available. If you need self-hosted dependency automation, Renovate or Updatecli are the alternatives.

Does Renovate work with self-hosted GitHub Enterprise?

Yes. Renovate supports GitHub Enterprise Server (self-hosted GitHub). Set RENOVATE_ENDPOINT to your GHE API URL (e.g., https://github.your-company.com/api/v3) and provide a token with appropriate repository access.

How does Updatecli differ from Renovate?

Renovate is a dedicated dependency update tool with built-in support for 40+ package ecosystems. Updatecli is a general-purpose declarative policy engine that can update dependencies but also Docker tags, Terraform modules, Helm charts, and any other versioned artifact. Updatecli requires writing policies; Renovate works out of the box with minimal configuration.

Can these tools automatically merge pull requests?

Yes. Renovate supports auto-merge via automerge: true in configuration, with options for branch-level or PR-level merging. Dependabot supports auto-merge through GitHub’s native auto-merge feature. Updatecli does not have built-in auto-merge but can be combined with GitHub Actions or shell scripts to merge PRs programmatically.

How often should dependency updates run?

For most teams, weekly updates strike a good balance between staying current and avoiding PR fatigue. High-security projects (e.g., internet-facing services) may benefit from daily security-only updates. Renovate supports granular scheduling via cron-like syntax, while Dependabot uses weekly or daily intervals.

What happens when a dependency update breaks the build?

All three tools create pull requests that trigger your CI pipeline. If tests fail, the PR is marked accordingly and won’t be auto-merged. Renovate and Dependabot both include test results in the PR description, making it easy to identify and fix breaking changes. You can also configure tools to group related updates so multiple dependency changes are tested together.

Is there a cost to using these tools?

All three tools are open source and free to use. Renovate is licensed under AGPLv3, Dependabot core is MIT, and Updatecli is Apache 2.0. However, running self-hosted Renovate requires compute resources (a Docker container or VM), while Dependabot’s compute is provided by GitHub at no additional cost.

Conclusion

Dependency automation is no longer optional for teams managing more than a handful of repositories. The choice between Renovate, Dependabot, and Updatecli comes down to your platform requirements and scope of updates:

• Renovate is the most versatile self-hosted option with the widest ecosystem support and multi-platform compatibility. It’s the go-to choice for teams that need centralized dependency management across diverse infrastructure.
• Dependabot offers the simplest setup for GitHub-only teams with zero infrastructure overhead. Its native integration with GitHub security features makes it compelling for organizations already invested in the GitHub ecosystem.
• Updatecli provides unmatched flexibility for teams that need to update more than just package dependencies. Its policy engine approach can handle any versioned artifact, making it ideal for infrastructure-heavy workflows.

For most self-hosting teams, we recommend starting with Renovate. It covers the broadest range of use cases, runs on any Git platform, and scales from small teams to enterprise deployments. Add Updatecli policies later if you need to automate updates for Docker images, Terraform modules, or other non-package artifacts.