Dependabot alternative: Renovate? #2307

Open
richardebeling opened this issue Oct 14, 2024 · 3 comments
Labels
[C] Infrastructure Infrastructural work around the main EvaP project Discussion This issue requires some discussion and a decision what a solution might look like.

Comments

@richardebeling
Member

Things we don't like about dependabot:

  • It can't create grouped pull requests (I think it would make sense to just get one PR per week per ecosystem)
  • There is no (easy to find) way to prevent unnecessarily spammy lock file updates (I'd like to not have updates of poetry.lock unless there is a security issue -- but if there is a security issue, we should also pull up our version listed in pyproject.toml, so in general we could just have a "never update lock files only" policy)
  • Its configuration might be spread across all comments on GitHub, which isn't really comprehensive or searchable

@Kakadus what's your experience with Renovate? Do you expect these things to work (better)?

@richardebeling richardebeling added the [C] Infrastructure Infrastructural work around the main EvaP project label Oct 14, 2024
@janno42 janno42 added the Discussion This issue requires some discussion and a decision what a solution might look like. label Oct 28, 2024
@Kakadus
Collaborator

Kakadus commented Nov 11, 2024

  • Renovate supports grouped updates with their advantages and disadvantages. As we don't have such complex dependencies, we should not have problems with conflicting dependencies.
  • Lockfiles are not updated by default (concerning transitive dependencies)
  • rangeStrategy=replace seems to be what we're after: https://docs.renovatebot.com/configuration-options/#rangestrategy
  • Renovate's per-repo config can be placed at .github/renovate.json5.
    • Renovate does not support elaborate @renovate commands, instead there is auto rebase, a checkbox for manual rebase. If the PR will be reopened when there is another package update.
    • There is the option for a dependency dashboard issue, which lists all dependencies detected by Renovate at all times. Also, there is a way to access the job logs if in-depth debugging is required.

Personally, when I used Renovate, it felt better than working with Dependabot.
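
The settings discussed in this thread, collected into one `.github/renovate.json5` as an added example (not posted by any participant and not the project's actual configuration). The group names, the weekly schedule window, the `security` label and the presence of an npm ecosystem are assumptions.

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // One batch of PRs per week instead of one PR per release (assumed window).
  schedule: ["before 6am on monday"],

  // Only touch a version range when the new release falls outside it;
  // in-range releases do not produce a PR.
  rangeStrategy: "replace",

  // No periodic "refresh the whole lock file" PRs (this is also the default).
  lockFileMaintenance: { enabled: false },

  // Single issue listing every detected dependency and pending update,
  // so the state is searchable in one place rather than spread over PR comments.
  dependencyDashboard: true,

  // Security fixes get their own labelled PRs. This relies on GitHub's
  // Dependabot alerts being enabled for the repository.
  vulnerabilityAlerts: {
    labels: ["security"], // assumed label name
  },

  packageRules: [
    {
      // All Python dependencies from pyproject.toml / poetry.lock in one PR.
      matchManagers: ["poetry"],
      groupName: "python dependencies", // assumed group name
    },
    {
      // Assumption: the repository also has an npm ecosystem to group.
      matchManagers: ["npm"],
      groupName: "javascript dependencies", // assumed group name
    },
  ],
}
```

Grouping means one failing package blocks the whole PR for that ecosystem, so CI on the grouped PR is the control that decides whether the batch is safe to merge.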

@niklasmohrin
Member

Renovate also seems to support uv.lock, in case we move to uv2nix

@richardebeling
Member Author

Sounds good to me, I'm open to switching.
