Renovate updates major updates as patch updates and merges them automatically

[Chumper]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitHub - 40.49.1

Please tell us more about your question or problem

Renovate mislabels update types causing auto merge of major updates.

In this screenshot Renovate labels this as patch dependency but actually it seems to be a major version.

This is the package.json:

And this the lock file change:

The logs show that Renovate declares this wrongfully as patch already (dependending on how you look at it. if the lockfile is already at 2.0.1 then patch is correct).

{
  "depType": "dependencies",
  "depName": "@opentelemetry/sdk-trace-base",
  "currentValue": "^1.30.1",
  "datasource": "npm",
  "prettyDepType": "dependency",
  "lockedVersion": "2.0.1",
  "updates": [
    {
      "bucket": "major",
      "newVersion": "2.0.1",
      "newValue": "^2.0.1",
      "releaseTimestamp": "2025-05-15T18:16:24.856Z",
      "newVersionAgeInDays": 25,
      "newMajor": 2,
      "newMinor": 0,
      "newPatch": 1,
      "updateType": "patch",
      "isBreaking": false,
      "isRange": true,
      "libYears": 0.33253399505327247,
      "branchName": "renovate/opentelemetry-js-monorepo"
    }
  ],
  "packageName": "@opentelemetry/sdk-trace-base",
  "versioning": "npm",
  "warnings": [],
  "sourceUrl": "https://github.com/open-telemetry/opentelemetry-js",
  "registryUrl": "https://artifactory.corp.company.com/artifactory/api/npm/npmjs-remote",
  "homepage": "https://github.com/open-telemetry/opentelemetry-js/tree/main/packages/opentelemetry-sdk-trace-base",
  "mostRecentTimestamp": "2025-05-15T18:16:24.856Z",
  "currentVersion": "2.0.1",
  "currentVersionTimestamp": "2025-01-14T09:16:32.788Z",
  "currentVersionAgeInDays": 147,
  "isSingleVersion": false,
  "fixedVersion": "2.0.1"
}

I think the reason it is labeled as patch is that the lock file contains many other @opentelemetry/sdk-trace-base entries in other modules or transitive dependencies.

E.g. an excerpt from the package-lock.json:

"node_modules/@opentelemetry/otlp-transformer": {
      "version": "0.202.0",
      "resolved": "https://artifactory.corp.company.com/artifactory/api/npm/npmjs-remote/@opentelemetry/otlp-transformer/-/otlp-transformer-0.202.0.tgz",
      "integrity": "sha512-5XO77QFzs9WkexvJQL9ksxL8oVFb/dfi9NWQSq7Sv0Efr9x3N+nb1iklP1TeVgxqJ7m1xWiC/Uv3wupiQGevMw==",
      "license": "Apache-2.0",
      "dependencies": {
        "@opentelemetry/api-logs": "0.202.0",
        "@opentelemetry/core": "2.0.1",
        "@opentelemetry/resources": "2.0.1",
        "@opentelemetry/sdk-logs": "0.202.0",
        "@opentelemetry/sdk-metrics": "2.0.1",
        "@opentelemetry/sdk-trace-base": "2.0.1",
        "protobufjs": "^7.3.0"
      },

and this one

"node_modules/@opentelemetry/sdk-trace-node": {
      "version": "1.30.1",
      "resolved": "https://artifactory.corp.company.com/artifactory/api/npm/npmjs-remote/@opentelemetry/sdk-trace-node/-/sdk-trace-node-1.30.1.tgz",
      "integrity": "sha512-cBjYOINt1JxXdpw1e5MlHmFRc5fgj4GW/86vsKFxJCJ8AL4PdVtYH41gWwl4qd4uQjqEL1oJVrXkSy5cnduAnQ==",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
        "@opentelemetry/context-async-hooks": "1.30.1",
        "@opentelemetry/core": "1.30.1",
        "@opentelemetry/propagator-b3": "1.30.1",
        "@opentelemetry/propagator-jaeger": "1.30.1",
        "@opentelemetry/sdk-trace-base": "1.30.1",
        "semver": "^7.5.2"
      },
      "engines": {
        "node": ">=14"
      },
      "peerDependencies": {
        "@opentelemetry/api": ">=1.0.0 <1.10.0"
      }
    },

Here it is already at 2.0.1, it seems Renovate gets confused if there are multiple of the specific packages in the lock file.

In the dashboard I see that it is also 1.30.1:

I have three packages in the lock file:

"packages/miso/node_modules/@opentelemetry/sdk-trace-base": {
  "version": "1.30.1",
  "resolved": "https://artifactory.corp.company.com/artifactory/api/npm/npmjs-remote/@opentelemetry/sdk-trace-base/-/sdk-trace-base-1.30.1.tgz",
  "integrity": "sha512-jVPgBbH1gCy2Lb7X0AVQ8XAfgg0pJ4nvl8/IiQA6nxOsPvS+0zMJaFSs2ltXe0J6C8dqjcnpyqINDJmU30+uOg==",
  "license": "Apache-2.0",
  "dependencies": {
    "@opentelemetry/core": "1.30.1",
    "@opentelemetry/resources": "1.30.1",
    "@opentelemetry/semantic-conventions": "1.28.0"
  },
  "engines": {
    "node": ">=14"
  },
  "peerDependencies": {
    "@opentelemetry/api": ">=1.0.0 <1.10.0"
  }
},
...
"node_modules/@opentelemetry/sdk-trace-node/node_modules/@opentelemetry/sdk-trace-base": {
  "version": "1.30.1",
  "resolved": "https://artifactory.corp.company.com/artifactory/api/npm/npmjs-remote/@opentelemetry/sdk-trace-base/-/sdk-trace-base-1.30.1.tgz",
  "integrity": "sha512-jVPgBbH1gCy2Lb7X0AVQ8XAfgg0pJ4nvl8/IiQA6nxOsPvS+0zMJaFSs2ltXe0J6C8dqjcnpyqINDJmU30+uOg==",
  "dev": true,
  "license": "Apache-2.0",
  "dependencies": {
    "@opentelemetry/core": "1.30.1",
    "@opentelemetry/resources": "1.30.1",
    "@opentelemetry/semantic-conventions": "1.28.0"
  },
  "engines": {
    "node": ">=14"
  },
  "peerDependencies": {
    "@opentelemetry/api": ">=1.0.0 <1.10.0"
  }
},
...
"node_modules/@opentelemetry/sdk-trace-base": {
  "version": "2.0.1",
  "resolved": "https://artifactory.corp.comany.com/artifactory/api/npm/npmjs-remote/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.0.1.tgz",
  "integrity": "sha512-xYLlvk/xdScGx1aEqvxLwf6sXQLXCjk3/1SQT9X9AoN5rXRhkdvIFShuNNmtTEPRBqcsMbS4p/gJLNI2wXaDuQ==",
  "license": "Apache-2.0",
  "dependencies": {
    "@opentelemetry/core": "2.0.1",
    "@opentelemetry/resources": "2.0.1",
    "@opentelemetry/semantic-conventions": "^1.29.0"
  },
  "engines": {
    "node": "^18.19.0 || >=20.6.0"
  },
  "peerDependencies": {
    "@opentelemetry/api": ">=1.3.0 <1.10.0"
  }
},

What is the expected behavior in this specific case?
I would expect Renovate either to only update one package, e.g. 1.30.1 to 2.0.1 or 2.0.1 to 2.0.1.
Or if it updates direct and transitive dependencies, then it should label it as major.

Logs (if relevant)

No response

[rarkins]

Renovate bases it's updateType on the locked version. Ie the "actual" change. It seems that the problem here is incorrect identification of the lockedVersion during extract phase

[Chumper]

Sorry @rarkins, I edited the question after you already answered.
If there are three packages in the lock file, do we expect Renovate to update all three dependencies?

I was working under the impression that Renovate updates direct dependencies, so that it updates packages/miso/package.json makes sense to me, because the package in the root module is already on that version.

[rarkins]

Renovate should find and update only direct dependencies. But maybe it's confused by the combination you have with a direct dependency of a workspace. Additionally, npm itself might "go rogue" and update something we don't expect it to when it's a lock file only update, but I don't think that's the case here

[Chumper]

Makes sense, someone from the product will probably add some more information tomorrow, then maybe we can narrow it down.

[beatriceo]

Hi @rarkins, it was not a lock file only update. We have the bump rangeStrategy enabled and have the set the default preset of :maintainLockFilesDisabled to disable lockFile only updates.

For more context, we follow a monorepo setup using npm workspaces that looks like this below, with a single lockFile at the root:

.
├── package-lock.json
├── package.json
└── packages
    ├── packageA
    │   └── package.json
    ├── packageB
    │   └── package.json
    └── packageC
        └── package.json

We observed that Renovate had first updated the @opentelemetry/sdk-trace-base package from 1.30.1 to 2.0.1 via a transitive dependency in a previous PR:

The npm view and npm ls output shows that version 2.0.1 @opentelemetry/sdk-trace-base is a requirement of @opentelemetry/otlp-transformer@0.202.0, which is a requirement of @opentelemetry/exporter-metrics-otlp-http@0.202.0.

npm ls @opentelemetry/sdk-trace-base

some-package@1.0.0 /path/to/some-package
├─┬ @opentelemetry/sdk-trace-node@1.30.1
│ └── @opentelemetry/sdk-trace-base@1.30.1
├─┬ @company/metrics@1.2.1 -> ./packages/metrics
│ └─┬ @opentelemetry/exporter-metrics-otlp-http@0.202.0
│   └─┬ @opentelemetry/otlp-transformer@0.202.0
│     └── @opentelemetry/sdk-trace-base@2.0.1
└─┬ @company/miso@0.2.0 -> ./packages/miso
  └── @opentelemetry/sdk-trace-base@1.30.1

npm view @opentelemetry/otlp-transformer@0.202.0 dependencies."@opentelemetry/sdk-trace-base"

2.0.1

Regarding the problematic update in the miso package where @opentelemetry/sdk-trace-base@1.30.1 was upgraded to 2.0.1 , my expectation is that Renovate should have still marked this as a major update instead of a patch update even though version 2.0.1 was already introduced via a transitive dependency elsewhere in the lockFile.

As @Chumper mentioned, we are wanting to automerge non-major package updates and the miscategorization of update types would be a barrier for us.

[rarkins]

Is there any chance you are able to create a public reproduction of this problem? That would be the fastest way for us to debug and fix it.

[beatriceo]

Thanks, I'll try to create a public reproduction