From a83d1737503b23fe3f341af8491afb339ed8cdf3 Mon Sep 17 00:00:00 2001
From: Robin Lungwitz
Date: Mon, 11 May 2026 17:18:06 +0200
Subject: [PATCH] fix: 5d minimumReleaseAge for npm updates

**WHY** The definition for minimumReleaseAge in the security:minimumReleaseAgeNpm preset overrode the global definition leading to unexpected behavior.

**WHAT** Define a packageRule overriding definitions in security:minimumReleaseAgeNpm preset
---
 default.json | 3 ---
 renovate-presets/security.json5 | 17 +++++++++++++++++
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/default.json b/default.json
index 31d4e9a..de88a40 100644
--- a/default.json
+++ b/default.json
@@ -6,9 +6,6 @@
     "github>leanix/.github//renovate-presets/security.json5"
   ],
   "rebaseWhen": "conflicted",
-  "internalChecksFilter": "strict",
-  "minimumReleaseAge": "5 days",
-  "minimumReleaseAgeBehaviour": "timestamp-optional",
   "reviewersFromCodeOwners": true,
   "packageRules": [
     {
diff --git a/renovate-presets/security.json5 b/renovate-presets/security.json5
index 52d5aea..4940883 100644
--- a/renovate-presets/security.json5
+++ b/renovate-presets/security.json5
@@ -4,6 +4,23 @@
   // Enable OSV vulnerability alerts for all repositories (experimental feature)
   osvVulnerabilityAlerts: true,
   // Configuration for Security updates
+
+  // Define minimumReleaseAge, to reduce the risk of supplyChain attacks
+  internalChecksFilter: "strict",
+  minimumReleaseAge: "5 days",
+  minimumReleaseAgeBehaviour: "timestamp-optional",
+  packageRules: [
+    // Override minimumReleaseAge configured in packageRule in security:minimumReleaseAgeNpm
+    // preset that is more specific and overrides the global definition above
+    {
+      "internalChecksFilter": "strict",
+      "matchDatasources": [
+        "npm"
+      ],
+      "minimumReleaseAge": "5 days"
+    },
+  ],
+
   vulnerabilityAlerts: {
     // no grouping
     groupName: null,
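Review bot: `minimumReleaseAgeBehaviour: "timestamp-optional"` in the security.json5 hunk lets a release for which Renovate cannot determine a publish timestamp bypass the 5-day gate entirely, which cuts against the supply-chain rationale the new comment gives; either record that trade-off in the comment (`// timestamp-optional: releases with no known publish date are NOT held back`) or use `timestamp-required` if the datasources in use can tolerate it. The override rule only wins if it lands after the npm rule contributed by security:minimumReleaseAgeNpm in the merged packageRules array (later rules take precedence), and that depends on the extends order, which is outside this hunk — worth stating in the comment rather than leaving it implied by "more specific". Stylistically, the new rule object uses quoted keys (`"internalChecksFilter"`, `"matchDatasources"`) while the rest of the file uses bare JSON5 keys, and the inserted block now separates `// Configuration for Security updates` from the `vulnerabilityAlerts` block it introduces; placing the new block above that comment would fix both. Since default.json drops the same three settings, repositories keep the age gate only through default.json's `extends` of this preset, so any preset that does not extend security.json5 now has no minimumReleaseAge at all.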