renovatebot / config-help

Please use the Discussions feature of https://github.com/renovatebot/renovate instead
https://github.com/renovatebot/renovate/discussions
MIT License

Update dependencies for vulnerability alerts only #138

Closed Waldo000000 closed 5 years ago

Waldo000000 commented 5 years ago

Is there a way to configure renovate to raise PRs for vulnerability alerts only? I've tried this:

{
  "extends": [
    "config:base"
  ],
  "enabled": false,
  "vulnerabilityAlerts": {
    "enabled": true
  }
}

But from the logs that results in "Repository is disabled - skipping".

Waldo000000 commented 5 years ago

~Managed to sort of achieve this via:~

{
  "extends": [
    "config:base"
  ],
  "schedule": "before 3am on the first day of the year"
}

~This ensures that renovate will only raise PRs for vulnerability alerts (which are the only ones -- except for pinning PRs -- to bust through the schedule) at least until Jan 1 2020.~

~Hoping for a more intuitive solution though :-)~

EDIT: Actually this doesn't work as renovate ignores the day of year filter in the schedule.

rarkins commented 5 years ago

Hi,

Can you try this?

{
  "packageRules": [
    {
      "packagePatterns": ["*"],
      "enabled": false
    }
  ],
  "vulnerabilityAlerts": {
    "enabled": true
  }
}
rarkins commented 5 years ago

"enabled": false at the top of a config is really a "go away, do not renovate this repository" instruction, so that's why it immediately shortcuts and quits. My goal with the above is to disable all packages so that (a) we still extract/discover them all, but (b) the vulnerability alerts take over. BTW I don't think the vulnerabilityAlerts enabling is even necessary because it's enabled by default: https://github.com/renovatebot/renovate/blob/827e9de100b7b0b15227c184554fd7d662b85726/lib/config/definitions.js#L809

But you can leave it in to make your config more "readable".

Waldo000000 commented 5 years ago

Thanks @rarkins. I've made that update and will see what happens.

prestonvanloon commented 5 years ago

@rarkins, we've also made the same change here: https://github.com/prysmaticlabs/website/blob/master/renovate.json

If anyone is looking for an example ^

Waldo000000 commented 5 years ago

@rarkins I've tried that out (as we've recently had a GitHub alert pop up) and this was the result:

  1. Initially we had a schedule:monthly preset, and this suppressed the PR (it was there just in case, in future, we decide to enable PRs for some other packages)
  2. I removed the schedule:monthly preset, and this resulted in a PR being raised to address the vulnerability :tada: However, it just looked like a regular renovate PR and was missing the commitMessageSuffix.

Are those two above behaviors expected?

rarkins commented 5 years ago

@Waldo000000 can you give me a basic package.json and renovate.json that would reproduce the issue? I assume it's a public package if GitHub are alerting you about it.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed soon if no further activity occurs.