What happened
Renovate opened PR #1598 to bump github.com/cenkalti/backoff/v5 to v6 in go.mod. This is an indirect dependency pulled in by go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. In Go modules, v5 and v6 are distinct module paths — the bump cannot succeed until the upstream consumer (OTel) migrates to v6. Renovate's own post-update step (gomodVendor) failed with an inconsistent vendoring error. The review agent ran 3 times over 6 days, each time correctly flagging the same critical issue. The PR was autoclosed without merge after 8 days. The existing renovate.json groups Go minor, patch, and digest updates but has no rule for major updates, allowing this broken PR to be created.
What could go better
This PR was never going to be valid — major version bumps on indirect Go dependencies with versioned import paths (v2+) can only succeed when the direct dependency that imports them also bumps. The current Renovate config does not distinguish between direct and indirect dependencies for major version handling, and does not account for Go's module path versioning semantics. Confidence: high — this is a well-understood Go modules constraint. The only uncertainty is whether Renovate's matchDepTypes filter for indirect works reliably with the gomod manager, but Renovate documentation confirms support for this.
Proposed change
Add a package rule to renovate.json that disables major version bumps for indirect Go dependencies:
{
  "description": "Disable major version bumps for indirect Go deps (versioned module paths make these unfixable without upstream changes)",
  "matchManagers": ["gomod"],
  "matchDepTypes": ["indirect"],
  "matchUpdateTypes": ["major"],
  "enabled": false
}
This prevents Renovate from creating PRs that will always fail for indirect deps. Direct dependency major bumps remain enabled since those can be acted on.
Validation criteria
After the config change, Renovate should no longer create PRs for major version bumps on indirect Go dependencies. Verify by checking that no new PRs are opened for indirect dep major bumps over the next 30 days. If a legitimate indirect major bump is needed (because the direct consumer has already migrated), it will be pulled in transitively when the direct dependency is updated.
Generated by retro agent from #1598
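The module-path constraint behind this proposal, as an added example that is not part of the original issue or the project's code: it reads the `// indirect` markers from a go.mod and reports whether a major bump would land on a different module path that nothing imports yet. The function names, the `example.com` modules and all version numbers in the sample go.mod are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed go.mod for illustration; versions are placeholders, not from the PR.
const sampleGoMod = `module example.com/app
require go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.0.0
require (
	github.com/cenkalti/backoff/v5 v5.0.0 // indirect
	example.com/direct/v2 v2.1.0
)`

// majorSuffix matches the /vN suffix Go requires on module paths for v2+.
// (gopkg.in-style ".vN" paths are not handled in this sketch.)
var majorSuffix = regexp.MustCompile(`/v[0-9]+$`)

// IndirectPaths returns the module paths that go.mod marks "// indirect".
func IndirectPaths(gomod string) map[string]bool {
	out := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		code, comment, _ := strings.Cut(sc.Text(), "//")
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(code), "require "))
		if len(f) == 2 && strings.TrimSpace(comment) == "indirect" {
			out[f[0]] = true
		}
	}
	return out
}

// BumpedPath returns the module path that major version `major` (>= 2) must use.
func BumpedPath(path string, major int) string {
	return fmt.Sprintf("%s/v%d", majorSuffix.ReplaceAllString(path, ""), major)
}

// Blocked reports whether bumping path to `major` only renames a go.mod entry:
// the module is indirect and the new major lives at a different module path,
// which nothing imports until the direct dependency migrates.
func Blocked(indirect map[string]bool, path string, major int) bool {
	return indirect[path] && BumpedPath(path, major) != path
}

func main() {
	ind := IndirectPaths(sampleGoMod)
	fmt.Println("backoff v5->v6 blocked:", Blocked(ind, "github.com/cenkalti/backoff/v5", 6))
	fmt.Println("direct  v2->v3 blocked:", Blocked(ind, "example.com/direct/v2", 3))
}
```
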