Configure Renovate to disable major version bumps on indirect Go dependencies #1609

Description

@fullsend-ai-retro

What happened

Renovate opened PR #1598 to bump github.com/cenkalti/backoff/v5 to v6 in go.mod. This is an indirect dependency pulled in by go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc. In Go modules, v5 and v6 are distinct module paths — the bump cannot succeed until the upstream consumer (OTel) migrates to v6. Renovate's own post-update step (gomodVendor) failed with an inconsistent vendoring error. The review agent ran 3 times over 6 days, each time correctly flagging the same critical issue. The PR was autoclosed without merge after 8 days. The existing renovate.json groups Go minor, patch, and digest updates but has no rule for major updates, allowing this broken PR to be created.

What could go better

This PR was never going to be valid — major version bumps on indirect Go dependencies with versioned import paths (v2+) can only succeed when the direct dependency that imports them also bumps. The current Renovate config does not distinguish between direct and indirect dependencies for major version handling, and does not account for Go's module path versioning semantics. Confidence: high — this is a well-understood Go modules constraint. The only uncertainty is whether Renovate's matchDepTypes filter for indirect works reliably with the gomod manager, but Renovate documentation confirms support for this.

Proposed change

Add a package rule to renovate.json that disables major version bumps for indirect Go dependencies:

{
  "description": "Disable major version bumps for indirect Go deps (versioned module paths make these unfixable without upstream changes)",
  "matchManagers": ["gomod"],
  "matchDepTypes": ["indirect"],
  "matchUpdateTypes": ["major"],
  "enabled": false
}

This prevents Renovate from creating PRs that will always fail for indirect deps. Direct dependency major bumps remain enabled since those can be acted on.

Validation criteria

After the config change, Renovate should no longer create PRs for major version bumps on indirect Go dependencies. Verify by checking that no new PRs are opened for indirect dep major bumps over the next 30 days. If a legitimate indirect major bump is needed (because the direct consumer has already migrated), it will be pulled in transitively when the direct dependency is updated.


Generated by retro agent from #1598
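The constraint and the rule's match conditions described in this issue, as an added Go example that is not code from the issue or the repository. The go.mod fragment is constructed with placeholder versions, the function names are hypothetical, and only block-form `require` entries with `/vN` path suffixes are handled.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed go.mod fragment; versions are placeholders, not the repository's.
const sampleGoMod = `require (
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.0.0
	github.com/cenkalti/backoff/v5 v5.0.0 // indirect
)`

var majorSuffix = regexp.MustCompile(`/v[0-9]+$`)

// ParseRequires maps each required module path to whether it is marked "// indirect".
func ParseRequires(gomod string) map[string]bool {
	reqs, inBlock := map[string]bool{}, false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "require (" || line == ")" {
			inBlock = line != ")"
			continue
		}
		code, comment, _ := strings.Cut(line, "//")
		if f := strings.Fields(code); inBlock && len(f) == 2 {
			reqs[f[0]] = strings.TrimSpace(comment) == "indirect"
		}
	}
	return reqs
}

// PathAfterMajorBump returns the module path that major version n (n >= 2) lives at.
func PathAfterMajorBump(path string, n int) string {
	return fmt.Sprintf("%s/v%d", majorSuffix.ReplaceAllString(path, ""), n)
}

// BlockedByRule mirrors the proposed match: indirect dep type plus major update type.
func BlockedByRule(indirect, isMajor bool) bool { return indirect && isMajor }

func main() {
	for path, indirect := range ParseRequires(sampleGoMod) {
		fmt.Println(path, "->", PathAfterMajorBump(path, 6), "blocked:", BlockedByRule(indirect, true))
	}
}
```

The v6 path differs from the v5 path that the importing module still references, which is why editing the `// indirect` line alone cannot produce a consistent build.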
