npm minor/patch updates are disabled and handled by weekly lockFileMaintenance, so the eslint/sass automerge presets (scoped to minor/patch only) could never fire. Remove them; their updates still auto-merge via the lockfile PR, and their majors now surface as reviewable PRs per policy. Wire the missing automerge-typescript preset into automerge-common so TypeScript majors auto-merge on green CI as intended. Add a README documenting the update policy, auto-merge safety model, and supply-chain hardening. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> |
||
|---|---|---|
| automerge-bootstrap.json | ||
| automerge-common.json | ||
| automerge-docker.json | ||
| automerge-go.json | ||
| automerge-sveltekit.json | ||
| automerge-typescript.json | ||
| default.json | ||
| README.md | ||
| replacement-eslint-plugin-svelte.json | ||
| replacement-sveltestrap.json | ||
renovate-config
Shared Renovate presets used across my repositories.
Usage
In a repository's renovate.json:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"local>iac/renovate-config",
"local>iac/renovate-config//automerge-common"
]
}
local>iac/renovate-configresolves todefault.json.- Add
//automerge-commonto opt the repository into the trusted auto-merge list.
Update policy
The goal is to stay current without being flooded by pull requests, while never auto-merging anything risky.
| Kind of update | What happens |
|---|---|
| In-range minor/patch (npm) | No individual PR. Pulled in weekly by lockFileMaintenance, which auto-merges on green CI. |
| Security vulnerabilities | A PR is opened immediately, bypassing the 5-day cooldown. |
| Majors / out-of-range / pinned | A PR is opened so it can be reviewed. Not auto-merged... |
| ...unless the package is a trusted exception | Auto-merged, but only if CI passes (see below). |
Why npm minor/patch have no PRs
default.json disables individual npm/pnpm/yarn minor and patch updates. Those
versions already satisfy the semver ranges in package.json, so
lockFileMaintenance refreshes them in the lockfile once a week and auto-merges
the result. Opening a PR per package would just be noise.
This relies on
package.jsonusing version ranges (e.g.^1.2.3). A dependency pinned to an exact version cannot be moved by lock file maintenance and will only update through a (reviewable) major/out-of-range PR.
How auto-merge stays safe
Every consuming repository has a CI pipeline. Auto-merge uses
automergeType: "branch":
- Renovate pushes the update to a branch.
- CI runs on that branch.
- CI passes → merged silently, no PR.
- CI fails → a PR is opened instead, so the failure is visible.
An update can therefore only ever auto-merge on green CI.
Supply-chain hardening
minimumReleaseAge: "5 days"— a freshly published release must age 5 days before it is considered, mitigating compromised-release attacks.vulnerabilityAlerts.minimumReleaseAge: "0"— security fixes skip the cooldown so they land as fast as possible.osvVulnerabilityAlerts+:enableVulnerabilityAlerts+ merge-confidence scoring drive vulnerability detection.
Presets
| Preset | Purpose |
|---|---|
default.json |
Base configuration extended by every repo. |
automerge-common.json |
Wires in all the auto-merge exception presets below. |
automerge-bootstrap.json |
Trust bootstrap, bootstrap-icons. |
automerge-docker.json |
Trust alpine, go base images. |
automerge-go.json |
Trust a curated set of Go modules (minor/patch); schedule AWS SDK bumps; run go mod tidy. |
automerge-sveltekit.json |
Trust SvelteKit and related packages. |
automerge-typescript.json |
Trust typescript. |
replacement-sveltestrap.json |
Migrate sveltestrap → @sveltestrap/sveltestrap. |
replacement-eslint-plugin-svelte.json |
Migrate eslint-plugin-svelte3 → eslint-plugin-svelte. |
Trusted npm exceptions (typescript, sveltekit, bootstrap) auto-merge all update types including majors — their minor/patch bumps are already handled by lock file maintenance, so in practice the preset only fires for majors. Go and Docker presets are unaffected by the npm minor/patch policy and auto-merge as configured in their files.