← Back to context

Comment by rmunn

2 days ago

Had not come across renovate before; thanks for the tip. I see on https://www.mend.io/renovate/ that they have a "Community" edition that includes both cloud and self-hosting, but the cloud hosting is free. Should I be concerned that their loss-leader offering is expensive and will drag the company down, or is their cloud resource usage for the Community edition so lightweight that it's costing them almost nothing in server costs?

Second question: could you expand a little bit on why you like renovate better than dependabot? I can see how the regex handler could be useful for a lot of custom scenarios, but what else makes you say that renovate is the better product?

3 comments

rmunn

Reply
jamietanna  1 day ago

Renovate maintainer and Community manager here

Before I joined Mend to work on Renovate, I wrote https://docs.renovatebot.com/bot-comparison/ for a high level comparison between the two

Re costs / why giving things away for free - @rarkins (Rhys Arkins, who created Renovate) has worked very hard over the years to give as much good stuff away to the community, and make it more straightforward for folks to run Renovate

The core (Mend Renovate CLI (AGPL-3.0-only)) is free to use and run as you want, and many folks do - it's very flexible and scales well as-is

But if you want things like real-time webhook processing of "rebase this PR" (and/or a few other features) then Mend Renovate Self-Hosted Community (commercial-but-free) Edition is a nice packaging and layer on top of the CLI for that

Running the CLI itself on a schedule against your repos is also absolutely viable as a solution, and we have many users who do that and are super happy with it

baby_souffle  2 days ago

> or is their cloud resource usage for the Community edition so lightweight that it's costing them almost nothing in server costs?

The bigger concern is that you're effectively letting them (shallow) clone your repo. I prefer to self-host but that's not anywhere near as quick/easy as clicking the "integrate with GitHub" button.

> Second question: could you expand a little bit on why you like renovate better than dependabot?

They both do the same thing in about the same way... Dependabot is meant to be run at _massive_ scale across all of github so it has good support for the basic / common places people pin versions. It is quite slow to get support for newer conventions that are not ubiquitous across all of github. Easy example: k8s manifests where you might have "use $thisVersion of HelmChart" buried somewhere in yaml instead of in a clear-cut place like `requirements.txt`

Renovate has optional web UI and can be integrated with GitHub as an "app" for some interactive features but that's not worth the setup for small scale.

Renovate is _much_ more robust / the number of $things that it can detect and is a lot more extensible; as mentioned elsewhere in this thread, the regex feature is delightful. It's a pain to debug, but once you grock it / figure out how the custom regex stuff works, it's really nice.

I have more than a few scripts where the only versioned dependency is embedded in some URL:

``` wget http://github.com/some-repo/releases/v1.2.3/the-tool.tar.gz ```

And after a bit of regex work, renovate now knows to check that repos release page for updated versions and when it finds one, it updates the URL and pings me with a PR.

esafak  2 days ago

I self-host their community edition. It does not feel heavy.

I particularly like its ability to synchronize updates to packages across ecosystems. You can sync a tool's version in Docker, mise, and GHA, for example. You can run arbitrary post-upgrade tasks.