Package Health Score

86 / 100

security
Security review needed
popularity
Influential project
maintenance
Healthy
community
Active

Explore Similar Packages

Security

Security review needed

All security vulnerabilities belong to production dependencies of direct and indirect packages.

Security and license risk for significant versions

Version				Vulnerabilities	License Risk
42.58.4	\|	12/2025		0 C 0 H 0 M 0 L	0 H 0 M 0 L
42.59.1	\|	12/2025		0 C 0 H 0 M 0 L	0 H 0 M 0 L
42.8.1	\|	11/2025		0 C 0 H 0 M 0 L	0 H 0 M 0 L
41.173.1	\|	11/2025		0 C 0 H 0 M 0 L	0 H 0 M 0 L
39.264.1	\|	05/2025	Popular	0 C 0 H 0 M 0 L	0 H 0 M 0 L

License

AGPL-3.0

Non-Permissive License

We noticed that this project uses a license which requires less permissive conditions such as disclosing the source code, stating changes or redistributing the source under the same license. It is advised to further consult the license terms before use.

Security Policy

Yes

Is your project affected by vulnerabilities?

Scan your projects for vulnerabilities. Fix quickly with automated fixes. Get started with Snyk for free.

Get started free

Popularity

Influential project

Weekly Downloads (248,152)

GitHub Stars: 20.37K
Forks: 2.87K
Contributors: -

Direct Usage Popularity

The npm package renovate receives a total of 248,152 downloads a week. As such, we scored renovate popularity level to be Influential project.

Based on project statistics from the GitHub repository for the npm package renovate, we found that it has been starred 20,366 times.

Downloads are calculated as moving averages for a period of the last 12 months, excluding weekends and known missing data points.

Community

Active

Readme.md: Yes
Contributing.md: Yes
Code of Conduct: Yes
Contributors: 0
Funding: No

This project has seen only 10 or less contributors.

Embed Package Health Score Badge

Maintenance

Healthy

Commit Frequency

Open Issues: 739
Open PR: 155
Last Release: 2 days ago
Last Commit: 2 days ago

Further analysis of the maintenance status of renovate based on released npm versions cadence, the repository activity, and other data points determined that its maintenance is Healthy.

We found that renovate demonstrates a positive version release cadence with at least one new version released in the past 3 months.

As a healthy sign for on-going project maintenance, we found that the GitHub repository had at least 1 pull request or issue interacted with by the community.

Keep your project healthy

Check your package.json

Ensure all the packages you're using are healthy and well-maintained

Snyk Vulnerability Scanner

Get health score & security insights directly in your IDE

Package

Node.js Compatibility: ^22.13.0 || ^24.11.0

Age: 9 years
Dependencies: 119 Direct
Versions: 10.8K
Install Size: 14.4 MB
Dist-tags: 7
# of Files: 4.11K
Maintainers: 2
TS Typings: No

renovate has more than a single and default latest tag published for the npm package. This means, there may be other tags available for this package, such as next to indicate future releases, or stable to indicate stable releases.

Not sure how to use renovate?

To help you get started, we've collected the most common ways that renovate is being used within popular public projects.

artsy / renovate-config / lib / config.js View on Github

const getCommitMessageExtraDefault = () => {
  const { getOptions } = require("renovate/dist/config/definitions");
  const commitMessageExtra = getOptions().find(
    opt => opt.name === "commitMessageExtra"
  );
  return commitMessageExtra.default;
};

View more ways to use renovate

Docker Pulls

What is the Mend Renovate CLI?

Renovate is an automated dependency update tool. It helps to update dependencies in your code without needing to do it manually. When Renovate runs on your repo, it looks for references to dependencies (both public and private) and, if there are newer versions available, Renovate can create pull requests to update your versions automatically.

Features

Delivers update PRs directly to your repo
- Relevant package files are discovered automatically
- Pull Requests automatically generated in your repo
Provides useful information to help you decide which updates to accept (age, adoption, pass rates, merge confidence)
Highly configurable and flexible to fit in with your needs and repository standards
Largest collection of languages and platforms (listed below)
Connects with private repositories and package registries

Languages

Renovate can provide updates for most popular languages, platforms, and registries including: npm, Java, Python, .NET, Scala, Ruby, Go, Docker and more. Supports over 90 different package managers.

Platforms

Renovate updates code repositories on the following platforms: GitHub, GitLab, Bitbucket, Azure DevOps, AWS Code Commit, Gitea, Forgejo, Gerrit (experimental)

Ways to run Renovate

The most effective way to run Renovate is to use an automated job scheduling system that regularly runs Renovate on all enabled repositories and responds with priority to user activity. Mend offers cloud-hosted and self-hosted solutions. See the options below.

Mend Renovate Community (Cloud-Hosted)

Supports: GitHub.com, Bitbucket Cloud

Hosted by Mend.io. No setup is needed. Community plan available (Free)

GitHub Cloud: Install the Renovate Cloud-Hosted App on your GitHub org, then select the repos to enable
Bitbucket Cloud: Add the Mend App to your Workspace, then add the Mend Renovate user to the projects you want to enable

Mend Renovate Community (Self-hosted)

Supports: GitHub, GitLab, Bitbucket Data Center

Install and run your own Renovate server. Access internal packages.

Mend Renovate Community Self-Hosted (Free)
Mend Renovate Enterprise (Paid plan)

Other ways to run Renovate

If you can’t use a pre-built job scheduling system, or want to build your own, the following options are available:

Run Renovate on your Pipeline

Mend provides a GitHub Action or a GitLab Runner to help you run Renovate as a CI pipeline job.

GitHub Action: renovatebot/github-action.
GitLab Runner: Renovate Runner project
AzureDevOps action: Renovate Me extension
Note: This extension is created and maintained personally by a Renovate developer/user. Support requests for the extension will not be answered directly in the main Renovate repository.
Custom pipeline: You can create a custom pipeline with a yml definition that triggers npx renovate. More details on how to configure the pipeline.

Run Renovate CLI

There are several ways to run the Renovate CLI directly. See docs: Running Renovate for all options.

Supports: all platforms

Docs

More about Renovate

Renovate basics
Supported platforms and languages
- Supported platforms
- Supported languages / package managers
Advanced Renovate usage
- Accessing private packages
- Merge Confidence data

Renovate Docs

Comparisons

Get involved

Issues and Discussions

Please open a Discussion to get help, suggest a new feature, or to report a bug. We only want maintainers to open Issues.

GitHub Discussions for Renovate

Contributing

To contribute to Renovate, or run a local copy, please read the contributing guidelines.

Guidelines for Contributing
Items that need contribution: good first issues

Contact and Social Media

The Renovate project is proudly supported and actively maintained by Mend.io.

Contact Mend.io for commercial support questions.

Twitter: x.com/mend_io
LinkedIn: linkedin.com/company/mend-io

Security / Disclosure

If you find any bug with Renovate that may be a security problem, then e-mail us at: renovate-disclosure@mend.io. This way we can evaluate the bug and hopefully fix it before it gets abused. Please give us enough time to investigate the bug before you report it anywhere else.

Please do not create GitHub issues for security-related doubts or problems.

renovate dependencies

@aws-sdk/client-codecommit @aws-sdk/client-ec2 @aws-sdk/client-ecr @aws-sdk/client-eks @aws-sdk/client-rds @aws-sdk/client-s3 @aws-sdk/credential-providers @baszalmstra/rattler @breejs/later @cdktf/hcl2json @opentelemetry/api @opentelemetry/context-async-hooks @opentelemetry/exporter-trace-otlp-http @opentelemetry/instrumentation @opentelemetry/instrumentation-bunyan @opentelemetry/instrumentation-http @opentelemetry/instrumentation-redis @opentelemetry/resource-detector-aws @opentelemetry/resource-detector-azure @opentelemetry/resource-detector-gcp @opentelemetry/resource-detector-github @opentelemetry/resources @opentelemetry/sdk-trace-base @opentelemetry/sdk-trace-node @opentelemetry/semantic-conventions @pnpm/parse-overrides @qnighy/marshal @renovatebot/detect-tools @renovatebot/osv-offline @renovatebot/pep440 @renovatebot/pgp @renovatebot/ruby-semver @sindresorhus/is @yarnpkg/core @yarnpkg/parsers ae-cvss-calculator agentkeepalive async-mutex auth-header aws4 azure-devops-node-api bunyan cacache chalk changelog-filename-regex clean-git-ref commander conventional-commits-detector croner cronstrue deepmerge dequal detect-indent diff editorconfig email-addresses emoji-regex emojibase emojibase-regex extract-zip find-packages find-up fs-extra git-url-parse github-url-from-git glob global-agent good-enough-parser google-auth-library got graph-data-structure handlebars ignore ini json-dup-key-validator json-stringify-pretty-compact json5 jsonata jsonc-parser klona luxon markdown-it markdown-table minimatch moo ms nanoid neotraverse node-html-parser p-all p-map p-queue p-throttle parse-link-header prettier protobufjs punycode redis remark remark-gfm remark-github safe-stable-stringify sax semver semver-stable semver-utils shlex simple-git slugify source-map-support strip-json-comments toml-eslint-parser tslib upath url-join validate-npm-package-name xmldoc yaml zod

renovate development dependencies

@containerbase/eslint-plugin @containerbase/istanbul-reports-html @containerbase/semantic-release-pnpm @eslint/js @hyrious/marshal @ls-lint/ls-lint @openpgp/web-stream-tools @semantic-release/exec @smithy/util-stream @types/auth-header @types/aws4 @types/better-sqlite3 @types/breejs__later @types/bunyan @types/cacache @types/callsite @types/changelog-filename-regex @types/clean-git-ref @types/common-tags @types/conventional-commits-detector @types/eslint-config-prettier @types/fs-extra @types/github-url-from-git @types/global-agent @types/ini @types/js-yaml @types/json-dup-key-validator @types/linkify-markdown @types/lodash @types/luxon @types/markdown-it @types/marshal @types/mdast @types/moo @types/ms @types/node @types/parse-link-header @types/punycode @types/sax @types/semver @types/semver-stable @types/semver-utils @types/tar @types/tmp @types/validate-npm-package-name @vitest/coverage-v8 @vitest/eslint-plugin ajv ajv-formats aws-sdk-client-mock callsite common-tags conventional-changelog-conventionalcommits emojibase-data esbuild eslint eslint-config-prettier eslint-formatter-gha eslint-import-resolver-typescript eslint-plugin-import-x eslint-plugin-promise expect-more-jest globals graphql husky jest-extended lint-staged markdownlint-cli2 markdownlint-cli2-formatter-template memfs nock npm-run-all2 nyc rimraf semantic-release tar tmp-promise tsx type-fest typescript typescript-eslint unified vite vite-tsconfig-paths vitest vitest-mock-extended

FAQs

What is renovate?

Automated dependency updates. Flexible so you don't need to be. Visit Snyk Advisor to see a full health score report for renovate, including popularity, security, maintenance & community analysis.

Is renovate popular?

The npm package renovate receives a total of 248,152 weekly downloads. As such, renovate popularity was classified as an influential project. Visit the popularity section on Snyk Advisor to see the full health analysis.

Is renovate well maintained?

We found that renovate demonstrated a healthy version release cadence and project activity. It has a community of 0 open source contributors collaborating on the project. See the full package health analysis to learn more about the package maintenance status.

Is renovate safe to use?

While scanning the latest version of renovate, we found that a security review is needed. A total of 0 vulnerabilities or license issues were detected. See the full security scan results.

Last updated on 17 December-2025, at 20:30 (UTC).

Build a secure application checklist

Select a recommended open source package

Minimize your risk by selecting secure & well maintained open source packages

DONE

Scan your app for vulnerabilities

Scan your application to find vulnerabilities in your: source code, open source dependencies, containers and configuration files

SCAN NOW

Fix identified vulnerabilities

Easily fix your code by leveraging automatically generated PRs

AUTO FIX

Monitor for new issues

New vulnerabilities are discovered every day. Get notified if your application is affected

MONITOR APP