# renovate-config Shared [Renovate](https://docs.renovatebot.com/) presets used across my repositories. ## Usage In a repository's `renovate.json`: ```json { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "local>iac/renovate-config", "local>iac/renovate-config//automerge-common" ] } ``` - `local>iac/renovate-config` resolves to [`default.json`](default.json). - Add `//automerge-common` to opt the repository into the trusted auto-merge list. ## Update policy The goal is to stay current without being flooded by pull requests, while never auto-merging anything risky. | Kind of update | What happens | | --- | --- | | **In-range minor/patch** (npm) | No individual PR. Pulled in weekly by `lockFileMaintenance`, which auto-merges on green CI. | | **Security vulnerabilities** | A PR is opened immediately, bypassing the 5-day cooldown. | | **Majors / out-of-range / pinned** | A PR is opened so it can be reviewed. **Not** auto-merged... | | **...unless the package is a trusted exception** | Auto-merged, but only if CI passes (see below). | ### Why npm minor/patch have no PRs `default.json` disables individual npm/pnpm/yarn minor and patch updates. Those versions already satisfy the semver ranges in `package.json`, so `lockFileMaintenance` refreshes them in the lockfile once a week and auto-merges the result. Opening a PR per package would just be noise. > This relies on `package.json` using version *ranges* (e.g. `^1.2.3`). A > dependency pinned to an exact version cannot be moved by lock file > maintenance and will only update through a (reviewable) major/out-of-range PR. ### How auto-merge stays safe Every consuming repository has a CI pipeline. Auto-merge uses `automergeType: "branch"`: 1. Renovate pushes the update to a branch. 2. CI runs on that branch. 3. **CI passes** → merged silently, no PR. 4. **CI fails** → a PR is opened instead, so the failure is visible. An update can therefore only ever auto-merge on green CI. ### Supply-chain hardening - `minimumReleaseAge: "5 days"` — a freshly published release must age 5 days before it is considered, mitigating compromised-release attacks. - `vulnerabilityAlerts.minimumReleaseAge: "0"` — security fixes skip the cooldown so they land as fast as possible. - `osvVulnerabilityAlerts` + `:enableVulnerabilityAlerts` + merge-confidence scoring drive vulnerability detection. ## Presets | Preset | Purpose | | --- | --- | | [`default.json`](default.json) | Base configuration extended by every repo. | | [`automerge-common.json`](automerge-common.json) | Wires in all the auto-merge exception presets below. | | [`automerge-bootstrap.json`](automerge-bootstrap.json) | Trust `bootstrap`, `bootstrap-icons`. | | [`automerge-docker.json`](automerge-docker.json) | Trust `alpine`, `go` base images. | | [`automerge-go.json`](automerge-go.json) | Trust a curated set of Go modules (minor/patch); schedule AWS SDK bumps; run `go mod tidy`. | | [`automerge-sveltekit.json`](automerge-sveltekit.json) | Trust SvelteKit and related packages. | | [`automerge-typescript.json`](automerge-typescript.json) | Trust `typescript`. | | [`replacement-sveltestrap.json`](replacement-sveltestrap.json) | Migrate `sveltestrap` → `@sveltestrap/sveltestrap`. | | [`replacement-eslint-plugin-svelte.json`](replacement-eslint-plugin-svelte.json) | Migrate `eslint-plugin-svelte3` → `eslint-plugin-svelte`. | Trusted npm exceptions (typescript, sveltekit, bootstrap) auto-merge **all** update types including majors — their minor/patch bumps are already handled by lock file maintenance, so in practice the preset only fires for majors. Go and Docker presets are unaffected by the npm minor/patch policy and auto-merge as configured in their files.