diff --git a/hosts/istal/services/renovate.nix b/hosts/istal/services/renovate.nix
index 67efcb7..6049275 100644
--- a/hosts/istal/services/renovate.nix
+++ b/hosts/istal/services/renovate.nix
@@ -1,5 +1,21 @@
 { config, pkgs, ... }:
 
+let
+  latestRenovate = pkgs.unstable.renovate.overrideAttrs (finalAttrs: prevAttrs: {
+    version = "39.138.0";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "renovatebot";
+      repo = "renovate";
+      tag = finalAttrs.version;
+      hash = "sha256-kSN5rrVWBhko0MNLbaD/hHl7nJsLErfKsgxNT1/X79A=";
+    };
+    pnpmDeps = pkgs.pnpm_9.fetchDeps {
+      inherit (finalAttrs) pname version src;
+      hash = "sha256-yOKQjbU7PMUaBFBNsYQMSj1kT/f4FezdcNvjgeeXNNg=";
+    };
+  });
+in
 {
   age.secrets.renovate-gitea-token.file = ./renovate-gitea-token.age;
   age.secrets.renovate-github-token.file = ./renovate-github-token.age;
@@ -18,7 +34,7 @@
 
   services.renovate = {
     enable = true;
-    package = pkgs.unstable.renovate;
+    package = latestRenovate;
     schedule = "0..2,10..23:00";
     credentials = {
       RENOVATE_TOKEN = config.age.secrets.renovate-gitea-token.path;
@@ -49,7 +65,7 @@
         extends = [ "config:recommended" ];
         configMigration = true;
       };
-      globalExtends = ["npm:unpublishSafe"];
+      globalExtends = [ "npm:unpublishSafe" ];
 
       cacheHardTtlMinutes = 30;
       httpCacheTtlDays = 1;