Safeguard
Open Source Security

Dependabot vs. Renovate: Tuning Dependency Updates Without Drowning in PRs

Dependabot GA'd grouped security updates in March 2024 and cross-directory consolidation in February 2026 — both direct responses to teams muting bots entirely.

Safeguard Research Team
Research
7 min read

GitHub shipped a feature in February 2026 that lets Dependabot consolidate updates to the same dependency across multiple directories in a monorepo into a single pull request, instead of one PR per directory per package. It's a small change, but it's the third distinct anti-noise feature GitHub has added to Dependabot in under three years — after grouped version updates went to public beta in June 2023 and grouped security updates reached general availability in March 2024. Renovate, the tool Rhys Arkins built and which WhiteSource (later renamed Mend.io) acquired in November 2019, had offered comparable grouping via packageRules years earlier. The pattern across both tools' changelogs is the same: dependency-update automation solved the problem of forgotten upgrades and then created a new one — teams muting bot notifications or auto-approving PRs without reading them because the volume became unmanageable. This piece compares how Dependabot and Renovate approach scheduling, grouping, and security-vs-routine prioritization, and where the defaults still leave security-relevant updates buried under version churn that could safely wait. It also looks at where shallow dependency resolution — not just PR volume — causes bots to miss the transitive updates that actually matter.

What is "PR fatigue" and why do both tools name it explicitly?

PR fatigue is the state where a repository receives so many automated update pull requests that engineers stop reviewing them individually — merging in bulk, ignoring them, or disabling the bot outright. Both GitHub and Mend document this as the specific motivation behind their grouping features, not a hypothetical: GitHub's own release notes for grouped version updates and grouped security updates frame them as the fix for repositories that were "receiving too many pull requests." Renovate's documentation has offered a "dependency dashboard" — a single tracking issue summarizing pending updates instead of individual PRs — for years, precisely because a Node.js project with a few hundred dependencies can generate dozens of update PRs in a single week under default one-PR-per-dependency settings. The risk of unmanaged fatigue is not just annoyance; it's that a critical security patch arrives looking identical to a cosmetic patch-version bump, and both get the same thirty seconds of attention — or none.

How do Dependabot and Renovate differ in scope and configuration model?

Dependabot is natively built into GitHub — alerts, security updates, and version updates all run on GitHub's infrastructure with configuration in a single .github/dependabot.yml file controlling schedule, open-pull-requests-limit, groups, and ignore rules. Renovate, whether self-hosted or run via the Mend Renovate GitHub App, supports a substantially longer list of ecosystems and manifest formats, and its packageRules array allows matching on package name patterns, dependency type, update type (major/minor/patch), and current version ranges simultaneously — a more expressive grouping model than Dependabot's groups key, which matches primarily on name patterns and dependency type. Renovate also reached automerge, scheduling windows, and the dependency-dashboard issue years before Dependabot's grouped updates existed at all, which is part of why security teams migrating off Dependabot for noise reasons have historically landed on Renovate. Dependabot's advantage is zero-setup native integration; Renovate's is configuration depth.

Should security updates and routine version updates be tuned differently?

Yes — because they answer different questions. A version update answers "is there a newer release," while a security update answers "is the version we're running the subject of a known advisory," and conflating their scheduling defeats the purpose of prioritization. Dependabot separates these internally: security updates are triggered by GitHub's advisory database independent of the schedule block, while version updates run on the cadence you configure (daily, weekly, monthly). The tuning mistake teams make is setting open-pull-requests-limit low enough to avoid noise, then discovering the limit throttles security PRs alongside routine ones because both draw from the same pool. The fix is treating them as separate policies: routine version updates can be weekly, grouped by minor/patch level, and automerged if CI passes; security updates should bypass grouping and scheduling entirely and open immediately, since the entire point of an advisory-driven update is that the exposure window matters.

What does automerge actually make safe to automate?

Automerge is safe for updates with a low blast radius and a verifiable safety signal — not for every green checkmark. Both tools support automerging patch and minor updates once CI passes, but "CI passes" is only as strong as the test suite behind it; a dependency bump that changes runtime behavior without breaking a unit test will merge cleanly and ship a regression. The more defensible automerge policy scopes by semver level and dependency type: automerge patch-level updates to devDependencies broadly, require review for any major-version bump to a runtime dependency, and never automerge a security update to a package your code has no test coverage for. Renovate's packageRules let you express this as a matrix — automerge condition per package pattern and update type — while Dependabot's coarser grouping means teams often approximate it by grouping "all patch updates" separately from "all major updates" and applying branch protection rules only to the latter group.

Why does update depth matter as much as PR volume?

A dependency bot that only reduces PR count without also reasoning about the dependency graph's depth can still miss the updates that matter most. Dependabot's update suggestions are strongest at the direct-dependency level and shallow transitive hops; most SCA tools on the market stop well short of walking the full resolved dependency graph. Real supply-chain incidents — the xz-utils backdoor and numerous npm malware campaigns among them — have sat several levels deep in a dependency tree, well past where a one-level bot would surface an available fix. Safeguard's dependency scanning walks the full resolved graph to depth 100, tying each node to reachability analysis so a security team can see not just that a transitive package has a fix available, but what other transitive changes upgrading to that version would introduce — the exact context a human needs to decide whether an automerge policy should apply to that particular bump.

Where does AI-assisted remediation fit next to bot-generated PRs?

AI-assisted remediation adds a triage layer on top of what Dependabot and Renovate already open, rather than replacing the update mechanism itself. Both bots are good at detecting that a fixed version exists; neither reasons deeply about whether upgrading will break your specific codebase beyond what CI catches. Safeguard's Griffin AI, through the AI Remediate capability, analyzes a flagged vulnerability against the actual codebase and classifies the expected impact as Safe, Minor, Major, or Critical before generating a pull request, which gives teams a second, code-aware signal to layer on top of a bot's semver-based grouping — a Dependabot PR labeled "patch" and a Griffin classification of "Safe" is a much stronger automerge candidate than a patch-labeled PR the classifier flags as behavior-changing. Used together, the bots handle detection and PR mechanics; the classification layer handles the judgment call bots weren't designed to make.

How Safeguard Helps

Safeguard doesn't replace Dependabot or Renovate — it makes their output more trustworthy to automate against. Deep dependency scanning to level 100 catches vulnerable transitive packages both bots' shallower resolution can miss, and reachability analysis tells you whether your code can actually execute the vulnerable path before a PR is even worth opening. When a fix is available, Griffin AI's breaking-change classification (Safe, Minor, Major, Critical) gives security and platform teams a code-aware second opinion to layer on top of semver-based grouping rules, so automerge policies can be based on actual behavioral risk rather than version-number conventions alone. The result is fewer PRs treated as noise and more confidence that the ones flagged urgent actually are.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.