Skip to content

build: update dependency renovate to v42 #3237

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 13, 2025
Merged

build: update dependency renovate to v42 #3237

merged 1 commit into from
Nov 13, 2025

Conversation

@angular-robot
Copy link
Contributor

@angular-robot angular-robot commented Nov 12, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
renovate (source) 41.173.1 -> 42.7.0 age adoption passing confidence

Release Notes

renovatebot/renovate (renovate)

v42.7.0

Compare Source

Features
Bug Fixes
Miscellaneous Chores
Tests

v42.6.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.1.7 (main) (#​39253) (c505dd6)
Miscellaneous Chores

v42.6.2

Compare Source

Miscellaneous Chores
Build System

v42.6.1

Compare Source

Build System

v42.6.0

Compare Source

Features
  • manager/gradle: add support for variables in plugin names (#​39002) (96a7d27)

v42.5.4

Compare Source

Bug Fixes
  • deps: update dependency mkdocs-material to v9.7.0 (main) (#​39227) (50b4d13)

v42.5.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.1.6 (main) (#​39224) (684ce89)

v42.5.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.1.5 (main) (#​39220) (808029c)
Miscellaneous Chores
  • deps: update actions/dependency-review-action action to v4.8.2 (main) (#​39219) (a17245c)

v42.5.1

Compare Source

Bug Fixes
  • deps: update ghcr.io/containerbase/sidecar docker tag to v13.24.1 (main) (#​39218) (909e043)
Miscellaneous Chores
  • deps: update ghcr.io/containerbase/devcontainer docker tag to v13.24.1 (main) (#​39217) (4532ddd)
  • deps: update linters to v9.39.1 (main) (#​39216) (b607128)

v42.5.0

Compare Source

Features
  • add configValidationError option to log config validation errors as errors instead of warnings (#​39177) (83d6464)
Miscellaneous Chores
  • deps: update dependency typescript-eslint to v8.46.3 (main) (#​39209) (39b7896)
Build System

v42.4.1

Compare Source

Bug Fixes
  • ignore .npmrc when the npmrc configuration is being used (#​39205) (67b256a)
Documentation
Code Refactoring

v42.4.0

Compare Source

Features
Miscellaneous Chores

v42.3.0

Compare Source

Features
  • argocd: support OCI Helm charts without explicit chart field (#​39149) (82c09ba)
Documentation
Miscellaneous Chores

v42.2.0

Compare Source

Features
  • manager/npm: use volta node pin as node version constraint (#​38816) (3b81143)
Miscellaneous Chores
Build System

v42.1.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.1.4 (main) (#​39174) (1216402)
Build System

v42.1.2

Compare Source

Bug Fixes

v42.1.1

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.1.3 (main) (#​39172) (0ffd324)

v42.1.0

Compare Source

Features
Code Refactoring
  • deb: Split DebDatasource in smaller pieces and prepare for mutli-compression feature (#​38254) (5d36cf1)
  • presets: add type for presets with global-only configuration (#​39166) (8348930)
Build System
Continuous Integration

v42.0.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.1.2 (main) (#​39164) (534a686)
Documentation

v42.0.2

Compare Source

Bug Fixes
Miscellaneous Chores

v42.0.1

Compare Source

Documentation
Miscellaneous Chores
Build System
  • deps: update dependency google-auth-library to v10.5.0 (main) (#​39146) (748a623)

v42.0.0

Compare Source

Breaking changes for 42

Using minimumReleaseAge will now require a release timestamp #​38843

When specifying minimumReleaseAge, Renovate will look for a release timestamp to determine the age of the release, and whether it matched the minimumReleaseAge configuration.

Before Renovate 42, if a release timestamp was not present, Renovate would treat the dependency update as if the release timestamp was present and the dependency had passed that lifetime.

This means that users with artifact proxies, or in cases that the release timestamp wasn't consistently present could lead to dependencies "slipping through", and being updated before Renovate's policy enforced it to.

As of Renovate 42, the configuration minimumReleaseAgeBehaviour (added in 41.150.0) requires the release timestamp to be present.

If the release timestamp isn't present, Renovate will mark it as "awaiting schedule", and will output a debug log message to explain why.

You can revert to the existing behaviour by setting minimumReleaseAgeBehaviour=timestamp-optional.

Note that not all datasources support this functionality, nor do custom registries (such as Artifactory, etc).
For more details on how to verify support for your repository, check out the Minimum Release Age documentation

minimumReleaseAge: 3 days will now be set by default for npm in config:best-practices #​37967

For users of config:best-practices, the Minimum Release Age functionality will now apply by default for the npm ecosystem.

This will introduce a delay of 3 days between package publishing and Renovate suggesting an update for the release, so:

  • there is time for malware researchers and scanners to (possibly) detect any malicious behaviour in new releases, before your CI infrastructure or developers receive a malicious version upgrade
  • you are not at risk of the package being unpublished in the 3 day window that the npm registry allows

This will be enforced by default for packages using the npm datasource via the security:minimumReleaseAgeNpm preset.

[!NOTE]
This may require additional configuration if using a custom registry, or you have packages that you wish to not have minimum release age checks.

For more details on this functionality, check out the Minimum Release Age documentation.

Renovate now defaults to using Node.JS 24 #​38939

With Node 24 now in Long Term Support (LTS) release status, we have moved to target Node.JS 24 (^24.11.0) as our default engine for Node, and retain support for Node 22.

The pre-built Docker containers have been updated to use Node 24.

If you self-host without using our Docker image, you should be able to continue running Renovate with Node 22, for instance if you build your own image, or run the renovate npm package.

Redis clusters now authenticate to all nodes in the cluster with the provided credentials

When running Renovate against a Redis cluster with authentication, it was possible that a NOAUTH Authentication required error may appear:

DEBUG: Redis cache init
DEBUG: Redis cache connected
...
 WARN: Error while setting Redis cache value (repository=jcl-test/example)
       "err": {"message": "NOAUTH Authentication required."}

Renovate will now use the same authentication for all nodes in a cluster.

Support Yarn Catalogs #​38215

We now support the official Yarn Catalog functionality.

As part of this, we have removed support for the yarn-plugin-catalogs community plugin.

If you are using the yarn-plugin-catalogs community plugin, you will need to migrate your catalogs to the official Yarn Catalog functionality before Renovate 42 will update your dependencies.

Remove versioning modules needing to implement rangeStrategy=pin #​36261

This is an internal refactor to make it easier for creating and maintaining versioning modules.

This should not be a non-breaking change, as the versioning modules will have defaults available.

However, we're releasing it as part of this major release, and highlighting it, in case it does lead to breaking changes.

PGP encryption is now performed using Bouncy Castle #​39032

GPG encryption is no longer performed using kbpgp Keybase's PGP for JavaScript), and has been replaced with a Bouncy Castle version.

Some users have found license compliance issues with the kbpgp package, so this will now resolve them.

Legacy RSA encryption has been removed #​39111

Deprecated since 37.315.0 (2024-04-21), the legacy RSA encryption is now no longer available.

Change to the default User Agent #​37535

The user-agent header for Renovate's outgoing HTTP calls has changed the default to Renovate/${version}.

Default tool version updates #​39100

For users of the upstream Renovate container images, the following tools have been updated to new major versions:

Tool Version
Erlang 28
Gradle 9
Java 25
Node 24
Python 3.14.0

Commentary for 42

Focus on minimumReleaseAge

You'll notice that there are a number of big features here - and in recent minor releases - that focus on Minimum Release Age.

With recent supply chain attacks, the Renovate team have been hard at work improving the support we've had in Renovate (since 2019!) for this functionality, and making it as predictable as possible, so we can then enable it by default for users of config:best-practices.

You can read more about this focus in a blog post we've written on the Mend blog.

We're starting with the enabling of the npm datasource, but will look to extend this functionality in future major releases, based on community feedback, and ecosystem support.

Deprecations

As part of this release, we want to make you aware of deprecated features which will be removed as of Renovate 43:

42.0.0 (2025-11-06)

⚠ BREAKING CHANGES
  • deps: Update ghcr.io/renovatebot/base-image Docker tag to v12 (main) (#​39100)
  • deps: Needs NodeJS v24.11.0 instead of v24.10.0. NodeJS v22 is still supported.
  • npm: communit plugin yarn-catalogs-plugin is not supported anymore
  • drop legacy rsa encryption (#​39111)
  • remove rangeStrategy=pin from versioning modules (#​36261)
  • minimumReleaseAge: require a release timestamp by default (#​38843)
  • best-practices: provide default minimumReleaseAge for npm (#​37967)
  • redis: add default auth to redis clusters (#​37337)
  • remove the "Bot" from user-agent header (#​37535)
Features
Bug Fixes
Code Refactoring
Build System

Configuration

📅 Schedule: Branch creation - "after 6am and before 10am on Wednesday" in timezone Europe/Rome, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@angular-robot angular-robot added action: merge The PR is ready for merge by the caretaker area: build & ci Related the build and CI infrastructure of the project target: automation This PR is targeted to only merge into the branch defined in Github [bot use only] labels Nov 12, 2025
@angular-robot angular-robot force-pushed the ng-renovate/renovate-42-x branch 2 times, most recently from e8ef08d to 918e801 Compare November 12, 2025 14:40
@alan-agius4 alan-agius4 self-requested a review November 12, 2025 15:29
@alan-agius4 alan-agius4 self-assigned this Nov 12, 2025
@angular-robot angular-robot force-pushed the ng-renovate/renovate-42-x branch 3 times, most recently from 8640cdd to 4bef151 Compare November 13, 2025 04:09
@angular-robot
build: update dependency renovate to v42
5475d8f 
See associated pull request for more information.
@angular-robot angular-robot force-pushed the ng-renovate/renovate-42-x branch from 4bef151 to 5475d8f Compare November 13, 2025 08:07
@alan-agius4 alan-agius4 merged commit 854a507 into angular:main Nov 13, 2025
8 checks passed
@alan-agius4
Copy link
Contributor

alan-agius4 commented Nov 13, 2025

This PR was merged into the repository. The changes were merged into the following branches:

@angular-robot angular-robot deleted the ng-renovate/renovate-42-x branch November 13, 2025 10:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alan-agius4 alan-agius4 alan-agius4 approved these changes

Assignees

@alan-agius4 alan-agius4

Labels

action: merge The PR is ready for merge by the caretaker area: build & ci Related the build and CI infrastructure of the project target: automation This PR is targeted to only merge into the branch defined in Github [bot use only]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@angular-robot @alan-agius4