chore: add Renovate for frontend and backend dependency updates #34
Conversation
Configure Renovate to keep the npm frontend and uv/pep621 backend dependencies up to date. Enables GitHub vulnerability alerts (Dependabot alerts) and OSV alerts, and enforces a 3-day minimum release age across both ecosystems as a supply-chain safeguard. Extends the CI changelog guard to skip renovate[bot] as it already does for dependabot[bot].
📝 Walkthrough
Adds a Renovate configuration and a CI exclusion for renovate[bot].
🚥 Pre-merge checks: 5 passed
🧹 Nitpick comments (1)
renovate.json (1)
Lines 3-7: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value: Redundant preset.
`config:recommended` already enables the Dependency Dashboard by default, so explicitly extending `:dependencyDashboard` is redundant (harmless, just unnecessary).
📒 Files selected for processing (3)
- .github/workflows/ci.yml
- changelog/34.trivial.md
- renovate.json
Summary
Adds Renovate to keep both the frontend (npm) and backend (uv / pep621) dependencies up to date, wired into GitHub's Dependabot/Advisory vulnerability alerts, with a 3-day release-age standdown as a supply-chain safeguard.

What's included

- `renovate.json` — enables the npm (frontend, `package-lock.json`) and pep621 (backend, `uv.lock`) managers; Renovate updates both lockfiles natively.
- `minimumReleaseAge: "3 days"` applied globally so it covers both npm and uv, with `internalChecksFilter: "strict"` so PRs are held back until a release is 3 days old rather than opened immediately. This is the standdown against freshly-published malicious/compromised releases.
- `vulnerabilityAlerts` reads GitHub's Dependabot alerts, plus `osvVulnerabilityAlerts` for OSV coverage.
- Non-major updates are grouped per ecosystem (`frontend non-major` / `backend non-major`) to reduce noise; majors stay separate.
- Weekly `lockFileMaintenance`, labels, and a dependency dashboard.
- `.github/workflows/ci.yml` — extends the `check-changelog` guard to also skip `renovate[bot]` (it already skips `dependabot[bot]`). Without this, every Renovate PR would fail CI on the missing-changelog gate.

Follow-up required (repo settings, not in this PR)

- Enable Dependabot alerts on the repository so `vulnerabilityAlerts` has a data source.

Note on the standdown vs. security fixes

The 3-day standdown currently also applies to vulnerability-alert PRs (conservative, supply-chain-first). If you'd prefer security fixes to bypass the wait, set `minimumReleaseAge: "0"` inside the `vulnerabilityAlerts` block.
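A complete Renovate configuration that implements the settings described in this PR, added here as a worked example. It is not the `renovate.json` from the PR itself (the actual file is not reproduced on this page). It is written as `renovate.json5`, which Renovate reads and which allows comments; strip the comments to use it as `renovate.json`. The manager names (`npm`, `pep621`), the two group names, the strict internal-checks filter and the 3-day standdown come from the description above; the `dependencies` label, the Monday lock-file schedule and the `$schema` URL are assumptions. The commented-out `minimumReleaseAge: "0"` line inside `vulnerabilityAlerts` is the author's suggested override for letting security fixes skip the wait.

```json5
{
  // Added example, not the project's own renovate.json.
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Only the two ecosystems named in the PR: npm (package-lock.json) and
  // pep621 (uv.lock). Caveat: enabledManagers is an allow-list, so every
  // other manager (github-actions, dockerfile, ...) is silently disabled.
  enabledManagers: ["npm", "pep621"],

  // Supply-chain standdown. Set at the top level so it applies to both
  // managers. "strict" tells Renovate to wait out the 3 days and not open a
  // PR at all for a too-young release, instead of opening it and flagging the
  // status check as pending.
  minimumReleaseAge: "3 days",
  internalChecksFilter: "strict",

  // Security signal: GitHub Dependabot alerts (the repository must have
  // alerts enabled, otherwise this has no data source) plus OSV.
  vulnerabilityAlerts: {
    enabled: true,
    // Author's suggested override if security fixes should bypass the standdown:
    // minimumReleaseAge: "0",
  },
  osvVulnerabilityAlerts: true,

  // Group non-major updates per ecosystem to reduce PR noise; major updates
  // match no rule here and keep one PR each.
  packageRules: [
    {
      matchManagers: ["npm"],
      matchUpdateTypes: ["minor", "patch"],
      groupName: "frontend non-major",
    },
    {
      matchManagers: ["pep621"],
      matchUpdateTypes: ["minor", "patch"],
      groupName: "backend non-major",
    },
  ],

  // Weekly lockfile refresh for package-lock.json and uv.lock.
  // The schedule text is an assumption.
  lockFileMaintenance: {
    enabled: true,
    schedule: ["before 6am on monday"],
  },

  // Label name is an assumption.
  labels: ["dependencies"],

  // The Dependency Dashboard is already enabled by config:recommended, so no
  // dependencyDashboard key or :dependencyDashboard preset is needed here.
}
```

If you adopt the override for security fixes, remember that it removes the standdown only for updates Renovate can tie to an alert; a compromised package with no published advisory still gets the full 3-day wait, which is the point of keeping the global setting.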