Web Dev Tools

Dependency Updates

Keeping packages, lockfiles, and CVEs from rotting.

PR-based update bots

  • Renovate (Mend) — far more powerful than Dependabot; group rules, auto-merge, custom schedules, monorepo-aware. The default for any non-trivial project. Free as a GitHub App, self-hostable as a CLI / Docker image.
  • Dependabot (GitHub) — built into GitHub, zero setup; less configurable than Renovate. Fine for small repos.
  • Snyk — commercial; security-focused dependency PRs.
  • Mend Bolt — Mend's free GitHub App; layered with their security data.
  • Greenkeeper — sunset; absorbed into Snyk.

Manual / CLI

  • npm-check-updates (ncu) — show / update outdated packages; the most-used CLI tool.
  • pnpm outdated -r / pnpm update -r --interactive — interactive monorepo updates.
  • bun outdated — Bun's built-in.
  • yarn upgrade-interactive — same idea on Yarn.
  • taze — ncu-shaped, ESM-first.
  • @better-tools/depcheck — find unused deps.
  • knip — find unused files / exports / dependencies; includes update suggestions.

Lockfile management

  • pnpm dedupe / npm dedupe — collapse duplicate transitive deps.
  • lockfile-lint — enforce registry / integrity hashes in lockfiles.
  • socket.dev — security analysis on PRs that touch lockfiles.
  • GitHub's "Dependency review" check — built-in PR check.

Vulnerability scanning

  • See Security Scanning — Snyk, Socket, GitGuardian, npm audit, OSV-Scanner, Trivy.

Patterns to adopt

  • Group updates by ecosystem and severity. Renovate's default groupings are good.
  • Auto-merge patch + minor updates after CI passes. Major updates always need eyes.
  • Schedule "dependency days" — bots open PRs Monday morning so you handle them once weekly.
  • Pin dev deps — exact versions for eslint, prettier, typescript to avoid sudden style churn.
  • Don't let the queue grow — > 30 open update PRs and humans tune them out.
  • Audit transitively — run npm audit / pnpm audit regularly; treat critical CVEs as P1.

Renovate config presets worth using

  • config:base or config:recommended as the foundation.
  • :disableMajorUpdates to require manual majors.
  • group:allNonMajor to consolidate noise.
  • schedule:weekly to throttle traffic.
  • :automergeStableNonMajor once your CI is solid.
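As an added example (not taken from this page or from the Renovate project), one renovate.json5 that combines the presets above with the patterns from the previous section; the label names, the PR cap of 20 and the pinned devDependency list are assumptions, and Renovate accepts JSON5 so the comments are legal.

```json5
// renovate.json5 -- hypothetical config assembled for illustration
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended",        // foundation (successor of config:base)
    "group:allNonMajor",         // minors + patches arrive as one PR per run
    "schedule:weekly",           // Renovate opens PRs before 04:00 on Monday
    ":disableMajorUpdates",      // majors are done by hand and get human eyes
    ":automergeStableNonMajor"   // minor/patch of >=1.0.0 packages auto-merge
  ],
  // Automerge only happens after the branch's required status checks pass;
  // automergeType "pr" keeps a reviewable PR in the history instead of a
  // silent branch merge.
  automergeType: "pr",
  // "Don't let the queue grow": cap open update PRs well below 30 (assumed value).
  prConcurrentLimit: 20,
  packageRules: [
    {
      // "Pin dev deps": exact versions for the style/tooling chain (assumed list).
      matchDepTypes: ["devDependencies"],
      matchPackageNames: ["eslint", "prettier", "typescript"],
      rangeStrategy: "pin"
    }
  ],
  // "Treat critical CVEs as P1": advisory-driven PRs bypass the weekly schedule
  // and are labelled so triage can spot them (label names are assumptions).
  osvVulnerabilityAlerts: true,
  vulnerabilityAlerts: {
    schedule: ["at any time"],
    labels: ["security", "P1"]
  }
}
```

Validate before committing with `npx renovate-config-validator renovate.json5`, which checks preset names and option types against the schema referenced above.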

Adjacent

  • bun-engines, engines.node in package.json — pin runtime versions; bots respect them.
  • packageManager field — pin pnpm / yarn / bun version (Corepack).
  • .tool-versions / mise.toml — see Dev Environments.

Pick this if…

  • Default for any real project: Renovate.
  • Smallest setup, GitHub-only: Dependabot.
  • Manual CLI: ncu (or pnpm outdated -r if you're on pnpm).
  • Security-first: Snyk + Renovate together.
  • Monorepo: Renovate with group:monorepos and extends:["config:recommended","group:monorepos"].