chore(deps): update devdependency renovate to v43

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
renovate (source)	^41.132.5 → ^43.0.5

---

Release Notes

renovatebot/renovate (renovate)

v43.0.5

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.8 (main) (#​40803) (a73b6e1)

v43.0.4

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.7 (main) (#​40801) (2b958f3)

v43.0.3

Compare Source

v43.0.2

Compare Source

v43.0.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.4 (main) (#​40788) (1e4f4d3)

Documentation

• opentelemetry: revamp documentation (#​40765) (18c7915), closes #​40126

v43.0.0

Compare Source

Breaking changes for 43

Allowlisting required for "unsafe commands" #​40684

[!NOTE]
This should only affect you if you work with repositories that have a Gradle Wrapper.

Prior to Renovate 43, when performing updates in a repository that used Gradle, Renovate would execute the Gradle Wrapper (./gradlew or gradlew.bat).

This is a well-documented "insider attack" risk that could lead to remote code execution in the context of the Renovate process, as execution of the Gradle buildscript:

• is controlled by the anyone with write access to the repository being processed
• can look for specific tasks to execute specific code
• can execute code from source-tracked scripts
• can execute code from third-party libraries

This can occur during updates to the Gradle wrapper or using Gradle's Dependency Verification Metadata when updating Gradle dependencies.

As of Renovate 43, this long-standing risk is disabled by default to make Renovate more "secure by default".

Self-hosted administrators can re-enable this using the global self-hosted configuration allowedUnsafeExecutions.

postUpgradeTasks will no longer run with shell mode by default #​40230

As noted in #​40403 and GHSA-pfq2-hh62-7m96, existing access to a repository could lead to remote code execution due to incorrectly quoted shell commands.

The fix for GHSA-pfq2-hh62-7m96 applied to commands invoked by Renovate, but did not cover postUpgradeTasks, which are allowlisted by a self-hosted administrator.

To provide a safer default, commands that run through postUpgradeTasks will no longer run inside a shell.

Self-hosted administrators can re-enable this using the global self-hosted configuration allowShellExecutorForPostUpgradeCommands=true.

binarySource=docker is officially deprecated #​40735

As noted in #​40747, we have now officially deprecated the binarySource=docker option.

There is no timeline decided on the removal of the functionality.

For more details and/or to provide feedback on your use case and why binarySource=install does not work for you, please see #​40747.

Renovate now ships as ESM (ECMAScript Modules) #​9890 / #​40756

This should not affect users, only cases where Renovate is imported as a library. Given our previous support of Node 22, ESM can still be imported from Common JS (CJS) files.

Out of caution and for visibility, this is part of the major release.

config:best-practices will now perform weekly lockfile maintenance #​40735

As part of the Renovate maintainers' opinionated "best practices" configuration, Renovate will now perform a weekly lockfile maintenance task, keeping your lockfiles updated.

This is due to an increase in package managers using lock files, but users not necessarily being aware of the need to enable this explicitly.

If this is not applicable to you, you can use ignorePresets, i.e.

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:best-practices"
  ],
  "ignorePresets": [
    ":maintainLockFilesWeekly"
  ]
}

JSON Schema split for repo or global configuration #​38619

Renovate now has separate JSON Schemas for repository configuration, repository configuration (and inherit config) for writing org-inherited-config.json, and global self-hosted configuration:

• https://docs.renovatebot.com/renovate-schema.json (repository configuration)
• https://docs.renovatebot.com/renovate-global-schema.json (global self-hosted configuration)
• https://docs.renovatebot.com/renovate-inherited-schema.json (repository configuration, including inherited config options)

This provides better validation for your editor/agent, as you now only see documentation for the relevant configuration type you're writing.

You can read more in the Renovate JSON Schema documentation.

This does not affect renovate-config-validator.

Replacements cannot be grouped with other updates #​40758

To prevent replacements being grouped in with other updates, which can sometimes lead to them failing to correctly replace a package, they will no longer be grouped.

This may lead to some PRs being modified/created when you upgrade to this version of Renovate.

Lock file maintenance cannot be grouped with other updates #​40781

To prevent lock file maintenance being grouped in with other updates, which can sometimes lead to them failing to perform the lock file maintenance.

This may lead to some PRs being modified/created when you upgrade to this version of Renovate.

Use wasm-java build of Bouncy Castle #​40678

To improve performance for encryption/decryption of secrets, as well as supporting AEAD, we have moved the default Bouncy Castle build to use wasm-java.

Renovate now requires a minimum of Node 24 #​40675

The existing requirements of Node 24.11.0 has not changed.

This only drops support for Node 22.x.

Package name for Node.JS in Mise has changed to node #​40466

To be more consistent with other package managers, the Node.JS package has been renamed to node.

This ensures that updates to NodeJS (when using Mise) are grouped with other package updates.

The useCloudMetadataServices configuration is now environment variable only #​40638

As a first step towards solving #​38604, we have migrated this configuration option to being environment variable configuration only.

Note that technically Renovate will still detect it if it's set in a config.js, but with changes in #​38604 it will not affect the execution.

Default tool version updates #​39100

For users of the upstream Renovate container images, the following tools have been updated to new major versions:

Tool	Version
Bundler	4.0.4
Dotnet	10.0.102
Helm	v4.1.0
PHP	8.5.2
Pipenv	2026.0.3
Ruby	4.0.1

Commentary for 43

There aren't any big changes as part of this release to call out - this is a fairly "routine" major version, where we're doing a little cleanup, making some improvements to be "secure by default", and updating our default tool versions.

Deprecations

As part of this release, we want to make you aware of deprecated features which will be removed as of Renovate 44:

• Removal of x-access-token: prefix for GitHub

⚠ BREAKING CHANGES

• deps: Update ghcr.io/renovatebot/base-image Docker tag to v13 (main) (#​40730)
• prevent grouping of lockfile maintenance updates (#​40781)
• Switch to ESM modules (#​40756)
• prevent grouping of replacement updates (#​40758)
• config: deprecate binarySource=docker (#​40754)
• presets: add maintainLockFilesWeekly to best-practices preset (#​40735)
• config: make useCloudMetadataServices environment-only (#​40638)
• self-hosted: don't allow any unsafe commands by default (#​40684)
• self-hosted: don't use shell: true for postUpgradeTasks (#​40230)
• json-schema: forbid global-only options in repo configuration (#​38619)
• presets: add hostType=github to :githubComToken (#​38975)
• use wasm-java build of Bouncy Castle (#​40678)
• mise: rename packageName from nodejs to node (#​40466)
• require node v24 (#​40675)

Features

• config: deprecate binarySource=docker (#​40754) (3644ac8), closes #​40747
• deps: Update ghcr.io/renovatebot/base-image Docker tag to v13 (main) (#​40730) (5a2107d)
• presets: add hostType=github to :githubComToken (#​38975) (0d912db), closes #​38961
• presets: add maintainLockFilesWeekly to best-practices preset (#​40735) (28dccba)
• require node v24 (#​40675) (dcdd1c3)
• Switch to ESM modules (#​40756) (2b0e80b)
• use wasm-java build of Bouncy Castle (#​40678) (4e19e7c)

Bug Fixes

• config: make useCloudMetadataServices environment-only (#​40638) (a630187), closes #​38604
• mise: rename packageName from nodejs to node (#​40466) (8dc1133)
• prevent grouping of lockfile maintenance updates (#​40781) (3ed1817)
• prevent grouping of replacement updates (#​40758) (c7222c6)
• self-hosted: don't allow any unsafe commands by default (#​40684) (b6ef3e1)
• self-hosted: don't use shell: true for postUpgradeTasks (#​40230) (cb49754)

Documentation

• add announcement bar for v43 (93423cf)

Miscellaneous Chores

• json-schema: forbid global-only options in repo configuration (#​38619) (192ae36), closes #​38728
• use updateType in log message (d1e3f13)

v42.95.1

Compare Source

Bug Fixes

• pnpm: don't update workspace when no pnpm-lock.yaml found (#​40780) (0c49124), closes #​40774

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.0.3 (main) (#​40783) (b2e1382)

Continuous Integration

• add auto reviewer (#​40782) (e55ad44)

v42.95.0

Compare Source

Features

• sidecar: use renovatebot/base-image instead of containerbase/sidecar (#​40772) (cd0426b)

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.2 (main) (#​40776) (dbe0cf7)

Build System

• deps: update opentelemetry-js-contrib monorepo (main) (#​40775) (a94398b)

v42.94.7

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.2 (main) (#​40773) (f1790af)

v42.94.6

Compare Source

Bug Fixes

• gerrit: not cloning submodules (#​40089) (5db0218)

v42.94.5

Compare Source

Bug Fixes

• presets: dockerfile globs (#​40770) (ca446fb)

v42.94.4

Compare Source

Build System

• deps: update opentelemetry-js monorepo (main) (#​40769) (e95089a)
• deps: update opentelemetry-js monorepo to v2.5.0 (main) (#​40768) (7c43e8f)

v42.94.3

Compare Source

Bug Fixes

• override tar (#​40766) (ce12e9f)

Miscellaneous Chores

• add proper imports from azure-devops-node-api (#​40762) (e36d080)
• deps: update containerbase/internal-tools action to v4.0.2 (main) (#​40767) (5ad49c3)
• deps: update dependency tar to v7.5.7 [security] (main) (#​40764) (cd2b768)
• fix type import (#​40760) (eaed53a)

Code Refactoring

• use named simpleGit imports (#​40759) (17a1bba)

v42.94.2

Compare Source

Bug Fixes

• config/validation: show deprecationMsg as a warning if present (#​40753) (e049e56)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4 (main) (#​40750) (60d733a)

Code Refactoring

• Remove decorators for ESM compatibility (#​40736) (c07814c)

Tests

• validation: add tests for custom deprecation messages (#​40752) (0daf184)

v42.94.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.31.1 (main) (#​40749) (fa7e075)

Code Refactoring

• tools: reduce noise in generate-imports script (#​40186) (69fedef)

v42.94.0

Compare Source

v42.93.1

Compare Source

Bug Fixes

• datasource/docker: treat empty string as no architecture (#​40715) (1db6be0)

v42.93.0

Compare Source

Features

• inherit support for onboardingAutoCloseAge (#​40086) (c58c16f)

Documentation

• json-schema: add separate documentation page (#​40722) (1edb6c3), closes #​40716

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v3.14.57 (main) (#​40727) (95958c6)
• replace URL.parse (#​40703) (e958373)

v42.92.14

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.4 (main) (#​40721) (33b0fcd)

Code Refactoring

• Extract decorator logic into standalone functions (#​40710) (ad47fd2)
• Remove constructor parameter properties (#​40712) (c5b0a74)

v42.92.13

Compare Source

Bug Fixes

• gradle-wrapper: don't execute when allowedUnsafeExecutions (#​40719) (3e70904)

v42.92.12

Compare Source

Bug Fixes

• workingDirTemplate must be relative to the repo root (#​40068) (bde55d5)

v42.92.11

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.3 (main) (#​40711) (c72d818)

Miscellaneous Chores

• deps: update dependency eslint-plugin-oxlint to v1.41.0 (main) (#​40707) (4d8e18a)

Code Refactoring

• Rewrite imports with .ts extensions (#​40700) (930cf66)

v42.92.10

Compare Source

v42.92.9

Compare Source

Bug Fixes

• sbt: consider html hrefs in absolute and root-relative format (#​39464) (e5c2caa)

v42.92.8

Compare Source

Miscellaneous Chores

• deps: update dependency typescript-eslint to v8.53.1 (main) (#​40698) (3106c46)

Code Refactoring

• replace nanoid with crypto.randomUUID (#​40695) (5c796e1)

Build System

• Switch to tsdown for .d.ts generation (#​40696) (98d0b0f)

v42.92.7

Compare Source

Bug Fixes

• json-schema: add a separate schema for Inherit Config (#​40683) (0b42055)

v42.92.6

Compare Source

Bug Fixes

• config: ensure that config options are immutable (#​40682) (13869dd)
• manager/bun: run bun from lock file directory (#​40274) (cd044ee)

Miscellaneous Chores

• deps: update linters to v1.40.0 (main) (#​40688) (e52ee4f)

Build System

• Switch to rolldown (#​40686) (42103c5)

v42.92.5

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.2 (main) (#​40687) (dfa3798)

Documentation

• update references to renovate/renovate (main) (#​40661) (3fe8d2c)

Miscellaneous Chores

• deps: lock file maintenance (main) (#​40662) (3f74931)
• deps: switch to @renovatebot/good-enough-parser (#​40623) (ae49b7a)
• deps: update containerbase/internal-tools action to v3.14.56 (main) (#​40663) (9c6abec)
• deps: update dependency @​containerbase/eslint-plugin to v1.1.28 (main) (#​40664) (a8ccae6)
• deps: update dependency @​containerbase/eslint-plugin to v1.1.29 (main) (#​40668) (8fd01c9)
• deps: update dependency @​containerbase/istanbul-reports-html to v1.1.27 (main) (#​40666) (6ed83ca)
• deps: update dependency @​containerbase/semantic-release-pnpm to v1.3.16 (main) (#​40667) (36fa3ea)
• deps: update dependency memfs to v4.53.0 (main) (#​40655) (22c7e88)
• deps: update dependency memfs to v4.54.0 (main) (#​40658) (fa2a2b9)
• deps: update dependency memfs to v4.55.0 (main) (#​40680) (acd533e)
• deps: update dependency pnpm to v10.28.1 (main) (#​40685) (d3e9ada)
• deps: update dependency renovatebot/github-action to v44.2.6 (main) (#​40671) (b5ef5ed)
• deps: update vitest monorepo to v4.0.18 (main) (#​40654) (c3c30bf)

v42.92.4

Compare Source

Miscellaneous Chores

• deps: update dependency @​types/cacache to v20 (main) (#​40652) (2bb4cbe)
• deps: update dependency vite to v8.0.0-beta.8 (main) (#​40649) (394c1f8)

Build System

• deps: update dependency glob to v13 (main) (#​40651) (4b28934)

v42.92.3

Compare Source

Tests

• add coverage (part2) (#​40643) (0785d0b)

Build System

• deps: update dependency better-sqlite3 to v12.6.2 (main) (#​40648) (da9b543)

v42.92.2

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.1 (main) (#​40644) (9a81b2c)

Documentation

• bot-comparison: drop the "monthly" qualifier for the GitHub Pulse (#​40265) (7063c1a)
• config-validation: clarify reconfigure branch works only on base repo (#​40452) (89db243)

Miscellaneous Chores

• deps: update dependency @​containerbase/istanbul-reports-html to v1.1.25 (main) (#​40640) (2ffd3fc)
• types: document ProcessStatus (#​40637) (e799a4c)

Code Refactoring

• manager/gradle: rewrite reorderFiles() for performance (#​40318) (7440131)

Build System

• deps: update dependency @​opentelemetry/semantic-conventions to v1.39.0 (main) (#​40645) (0f863b0)

Continuous Integration

• use GitHub Actions annotations to log released version (#​40639) (166e870)

v42.92.1

Compare Source

Bug Fixes

• onboardingAutoCloseAge: mark repositories as "closed-onboarding" after close (#​40633) (0326bd6), closes #​40631

Miscellaneous Chores

• deps: update github/codeql-action action to v4.31.11 (main) (#​40634) (53eece5)

Tests

• add coverage (part1) (#​40636) (9fe353a)

v42.92.0

Compare Source

Features

• datasource/crate: use pubtime when available (#​40621) (69d80fd)
• versioning: Add rust-release-channel versioning scheme (#​39859) (b637846)

Bug Fixes

• datasource/cpan: Handle modules with missing version (#​40430) (b40c8f3)
• manager/mise: expand file patterns to match mise's config search (#​40094) (ace27f8)

Code Refactoring

• github-actions: Simplify line parsing (#​40096) (5e56e2a)

Continuous Integration

• never cancel in-progress release jobs (#​40630) (c7586ae)

v42.91.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.30.0 (main) (#​40622) (6b82b4d)
• flux: map Helm sourceRef names via registryAliases (#​40158) (2b6dbf4)

Bug Fixes

• onboardingAutoCloseAge: close PRs when onboarding cache is up-to-date (#​40629) (95efe12), closes #​40627

Tests

• onboarding: clarify that if cache is valid, no onboarding PR updates (#​40628) (8a9b119), closes #​40627

Continuous Integration

• Adjust coverage thresholds (#​40626) (aeb8bfc)

v42.90.2

Compare Source

Bug Fixes

• pnpm: de-duplicate version numbers in minimumReleaseAgeExclude (#​40613) (30eece1), closes #​40611

Documentation

• onboarding: mention what happens when closing the onboarding PR (#​40624) (3110c83)

v42.90.1

Compare Source

Bug Fixes

• onboardingAutoCloseAge: correctly handle partial days elapsed (#​40606) (9d5e9de), closes #​40604

Miscellaneous Chores

• tools: Add check script (#​40185) (015ce80)

v42.90.0

Compare Source

Features

• renovate-config-validator: detect global environment options (#​40534) (239b94f)

Miscellaneous Chores

• types: add missing ambient module setup (#​40546) (f20f74f)

v42.89.4

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.28.2 (main) (#​40618) (157018e)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v3.14.54 (main) (#​40617) (ae93155)

v42.89.3

Compare Source

Bug Fixes

• pnpm: use exact versions in minimumReleaseAgeExclude (#​40612) (8752c28), closes #​40610

Miscellaneous Chores

• deps: update actions/checkout action to v6.0.2 (main) (#​40614) (c812b72)
• deps: update dependency @​types/node to v22.19.7 (main) (#​40615) (4e64251)
• deps: update dependency memfs to v4.52.0 (main) (#​40603) (27d2b30)
• onboardingAutoCloseAge: log calculations (#​40600) (bab5935)

Tests

• onboardingAutoClose: add additional tests for isOnboarded (#​40602) (dcf8656)

v42.89.2

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.28.1 (main) (#​40599) (4c51d04)

v42.89.1

Compare Source

Miscellaneous Chores

• deps: update dependency pdm to v2.26.6 (main) (#​40596) (8568fd4)

Build System

• deps: update opentelemetry-js-contrib monorepo (main) (#​40597) (4420618)

v42.89.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.28.0 (main) (#​40588) (a562fb2)
• pnpm: update minimumReleaseAgeExclude for security updates (#​40020) (5922ab6)

Miscellaneous Chores

• deps: update docker/dockerfile docker tag to v1.21.0 (main) (#​40594) (a04941f)

v42.88.2

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.27.2 (main) (#​40585) (9db9a7d)

v42.88.1

Compare Source

Build System

• deps: update opentelemetry-js monorepo (main) (#​40583) (11de820)

v42.88.0

Compare Source

Features

• renovate-config-validator: add --no-global flag (#​40547) (9a4ae7a)

Documentation

• homebrew: fix typo (#​40569) (9a1a5e9)

Miscellaneous Chores

• deps: update dependency type-fest to v5.4.1 (main) (#​40570) (b4a8faf)
• deps: update python:3.14 docker digest to 17bc9f1 (main) (#​40582) (742854c)

v42.87.0

Compare Source

Features

• manager/mise: add support for caddy (#​40276) (d366df5)

v42.86.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.27.1 (main) (#​40566) ([8fef07b](https://redirect.github.com/renovatebot/renovate

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.