Posts by Renovate

Joined on Discord to discuss 👀

4 weeks ago 3 0 0 0
Renovate CLI Check end-of-life, release policy and support schedule for Renovate CLI.

Renovate is now on endoflife.date/renovate so it's even easier to have an at-a-glance way to check whether you're running a supported version or not 🤓

4 weeks ago 3 0 0 0
My workflow for testing Renovate config changes (2026 edition) · Jamie Tanna | Software Engineer A runthrough of my process for testing more complex Renovate config changes where I want confidence up-front.

Learn how #Renovate maintainer @www.jvt.me.web.brid.gy debugs Renovate config changes in this post: www.jvt.me/posts/2026/0...

1 month ago 0 0 0 0
Package Managers Need to Cool Down A survey of dependency cooldown support across package managers and update tools.

Requested post by @sethmlarson.dev: Package Managers Need to Cool Down

nesbitt.io/2026/03/04/p...

1 month ago 5 2 0 0
Feedback wanted: what's on your wishlist? · renovatebot renovate · Discussion #41413 We (the Renovate maintainers) are looking to get an additional gauge of what's important to the community in terms of planned features/bug fixes. In addition to our understanding of the needs of th...

What's on your wishlist? github.com/renovatebot/...

1 month ago 0 0 0 0
Feedback wanted: complexity in Renovate · renovatebot renovate · Discussion #41412 We (the Renovate maintainers) are seeking community feedback on complexity you may feel when working with Renovate. We're aware that there are areas that both new and experienced folks can find dif...

What areas you find introduce complexity: github.com/renovatebot/...

1 month ago 0 0 1 0
Feedback wanted: Getting started + "week 1" problems · renovatebot renovate · Discussion #41411 We (the Renovate maintainers) are looking to understand the point-of-view for early users of Renovate. (if you have some feedback from the first few weeks of using Renovate, that's also welcome!) F...

How you find being a new user: github.com/renovatebot/...

1 month ago 0 0 1 0
Feedback wanted: Renovate's monorepo support · renovatebot renovate · Discussion #41410 We (the Renovate maintainers) are seeking community feedback on how Renovate makes updates to monorepos. We're looking to understand: how you're using Renovate what package ecosystems you're using ...

What you find good and bad about our monorepo support: github.com/renovatebot/...

1 month ago 0 0 1 0
Feedback wanted: monorepos, getting started + "week 1" problems, complexity, and what's on your wishlist? · renovatebot renovate · Discussion #41414 We (the Renovate maintainers) are seeking community feedback on some specific areas, and we'd love y'all to comment on the Discussions: #41410 #41411 #41412 #41413

The #Renovate maintainers would like to get some specific feedback on a few areas - we'd love to hear from you: github.com/renovatebot/...

1 month ago 0 1 1 0
Breaking free from GitHub Discussions' limitations · Jamie Tanna | Software Engineer How we built our own interface on top of GitHub Discussions to improve triage for Renovate's Open Source community.

Learn how we're breaking free from @github.com Discussions' limitations for our community triage, in this post from @www.jvt.me.web.brid.gy

www.jvt.me/posts/2026/0...

1 month ago 0 0 0 0

There are patched versions available for Renovate 42.x and 43.x, and the Mend Renovate Self-Hosted Community and Enterprise editions (CE and EE)

1 month ago 0 0 0 0
Child processes spawned by Renovate incorrectly have full access to environment variables When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has acces...

Today we've announced a Moderate security advisory, GHSA-8wc6-vgrq-x6cf

*Child processes spawned by Renovate incorrectly have full access to environment variables*

github.com/renovatebot/...

1 month ago 0 0 1 0

The Mend Developer Platform is now running #Renovate 43! Happy upgrading everyone 🎉

1 month ago 0 0 0 0
Release 43.0.0 · renovatebot/renovate 43.0.0 (2026-01-29) Breaking changes for 43 Allowlisting required for "unsafe commands" #40684 Note: This should only affect you if you work with repositories that have a Gradle Wrapper. Prior to Re...

Reminder that #Renovate 43 came out yesterday! We landed a few breaking changes, so check out the release notes: github.com/renovatebot/...

2 months ago 0 1 0 0
The first 100 days as a Renovate maintainer: the shocking inside view of a popular Open Source project · Jamie Tanna | Software Engineer Lessons learned from the first 100 days as my role as a Renovate maintainer, and a sneak peek into how the project works behind the scenes.

Renovate maintainer @www.jvt.me.web.brid.gy writes about some of the things he's learned in the last 100 days since joining #Renovate - some good behind-the-scenes tidbits in here 👀 www.jvt.me/posts/2026/0...

2 months ago 0 0 0 0
Fixes have been available for 5/6 of them since 2025-05-27, and the final advisory was resolved on 2025-12-31

2 months ago 0 0 0 0
[SECURITY]: possible remote code execution (with existing access to a repository) · renovatebot renovate · Discussion #40403 Today we are announcing 6 related security advisories: Arbitrary command injection via Gradle Wrapper and malicious distributionUrl (2025-12-28) Arbitrary command injection via kustomize manager an...

We've announced 6 Moderate Security Advisories, which allow for possible remote code execution, when an attacker has access to a repository's default branch

More info: github.com/renovatebot/...

2 months ago 1 1 1 0
Why do we use GitHub Discussions as our triage process? · renovatebot renovate · Discussion #40306 Over the weekend, there has been some good discussion on Hacker News about how the Ghostty project uses GitHub Discussions for triage purposes, and then promotes the feature request/bug reports int...

Why does #Renovate use GitHub Discussions for our user support? Community Manager @www.jvt.me.web.brid.gy took the opportunity to look into the history, off the back of recent discussion around #Ghostty, and wrote an in-depth post about it: github.com/renovatebot/...

3 months ago 1 0 0 1

Mind raising a Discussion to track it? Looks like it might be the fact you're hitting memory limits

3 months ago 0 0 1 0

Are you self-hosting or using Mend's hosted platform?

3 months ago 0 0 1 0

Almost 9 years to the day of creating our first Issue (github.com/renovatebot/...), we've hit our 40,000th Issue/Discussion/PR (github.com/renovatebot/...) on the Renovate GitHub project 🎂

3 months ago 0 0 0 0
Changes to default `GOSUMDB` environment variable on the Mend Developer Platform (and what it means for private Go modules) · renovatebot renovate · Discussion #40041 Note: This only affects Renovate Cloud on developer.mend.io (Mend Developer Platform), and does not modify anything for users of the Renovate CLI deployed as part of any self-hosted usage. This also ...

FYI: We've changed the `GOSUMDB` environment variable on the Mend-hosted Renovate Cloud infrastructure, which may lead to impact to users with private Go modules. As we've noted in github.com/renovatebot/..., this is due to previously used settings leaving users open to supply chain attacks

3 months ago 0 1 0 0
Updating open source dependencies with Jamie Tanna Josh discusses updating open source dependencies with Jamie Tanna. Jamie works on Renovate which gives them a lot of insight into the challenges of keeping your open source updated. We discuss the cha...

Renovate maintainer and community manager @www.jvt.me.web.brid.gy recently spoke to Josh Bressers on the #OpenSourceSecurity podcast all about #Renovate, the "fun" of updating dependencies, and more! opensourcesecurity.io/2025/2025-12...

4 months ago 0 0 0 0

We very much agree with this 💜 Safer, slower, upgrades is best!

4 months ago 1 0 0 0
Improving the ecosystem's supply chain security with Mend Renovate 42 Discover how Mend Renovate 42 is strengthening npm ecosystem security with “minimum release age” enforcement and best-practice defaults.

Relatedly, hear how Renovate 42 is improving the supply chain security of projects in the npm ecosystem (to start with!) www.mend.io/blog/secure-...

4 months ago 0 0 0 0

Today we've released #Renovate v42 onto the Mend Developer Platform (developer.mend.io) so y'all will start being protected by some of the big changes we've made - check out the details below:

4 months ago 0 0 1 0
renovatebot renovate · Discussions Explore the GitHub Discussions forum for renovatebot renovate. Discuss code, ask questions & collaborate with the developer community.

Mind raising a Discussion (github.com/renovatebot/...) so we can help take a look? 👀

4 months ago 0 0 0 0
Release 42.0.0 · renovatebot/renovate 42.0.0 (2025-11-06) Breaking changes for 42 Using minimumReleaseAge will now require a release timestamp #38843 When specifying minimumReleaseAge, Renovate will look for a release timestamp to dete...

The full release notes can be found at github.com/renovatebot/...

5 months ago 0 0 0 0

We've also now got support for #Yarn catalogs (and removed support for the community plugin)

5 months ago 0 0 1 0

Minimum Release Age is also enabled for the #npm datasource for users of `config:best-practices`, significantly reducing the supply chain impact of malicious dependencies

5 months ago 0 0 1 0