Update renovate configs to enable updates for CVE on release branches #129
Merged
Signed-off-by: Lan Luo <lan.luo@broadcom.com>
    isVulnerabilityAlert: true,
    enabled: true,
  },
Package-specific disable rule overrides vulnerability re-enable (High Severity)
The package-specific disable rule for k8s.io/, sigs.k8s.io/, and other packages appears after the vulnerability re-enable rules (lines 41-45, 55-60). Since Renovate applies rules in order with later rules overriding earlier ones, this rule will disable vulnerability updates for these packages on release branches, contradicting the PR's intent to enable CVE updates on release branches. The rule should either be moved before the vulnerability re-enable rules or explicitly exclude vulnerability alerts.
Note (Low Risk): Configuration-only changes to Renovate automation with no impact on runtime code or security posture.
Overview
Enables security vulnerability updates for active release branches (release-2.5, release-2.4, release-2.3) and indirect Go dependencies that were previously disabled.
Adds two new packageRules in renovate.json5 with isVulnerabilityAlert: true to re-enable CVE updates for release branches and indirect Go modules. Updates the hack/update-renovate-baseBranches.sh script to replace all occurrences of matchBaseBranches (instead of just the first) when updating release branch versions, ensuring the new security rules stay synchronized with the active release branches.
Written by Cursor Bugbot for commit e06218a.
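The two points raised on this PR, rule ordering (the review comment above) and rewriting every matchBaseBranches line rather than only the first (the overview above), as one added example. This POSIX shell script is not the project's renovate.json5 or its hack/update-renovate-baseBranches.sh: it writes a constructed config in which the package-specific disable rule comes before the isVulnerabilityAlert re-enable rules, checks that ordering by line position, and then updates every matchBaseBranches line with a global sed substitution. The rule bodies are a guess at the shape of the page's rules, and the glob-style matchPackageNames values and matchDepTypes: ["indirect"] for gomod are assumptions about the Renovate version in use.

```shell
#!/bin/sh
# Added example, not the project's config or script. Renovate applies
# packageRules in order and a later matching rule overrides an earlier one,
# so a package-specific "enabled": false placed AFTER the vulnerability
# re-enable rules would silently turn CVE updates back off.
set -eu

# Constructed sample renovate.json5 (top-level baseBranches omitted; only the
# packageRules ordering matters here). JSON5 permits the // comments.
write_sample_config() {
  cat > "$1" <<'EOF'
{
  "packageRules": [
    // 1. Blanket disable on release branches: only security fixes land there.
    {
      "matchBaseBranches": ["release-2.5", "release-2.4", "release-2.3"],
      "enabled": false
    },
    // 2. Package-specific disable, placed BEFORE the vulnerability rules so it
    //    cannot override them. Glob match strings are an assumption about the
    //    Renovate version in use.
    {
      "matchPackageNames": ["k8s.io/**", "sigs.k8s.io/**"],
      "enabled": false
    },
    // 3. Re-enable CVE-driven updates on the release branches.
    {
      "matchBaseBranches": ["release-2.5", "release-2.4", "release-2.3"],
      "isVulnerabilityAlert": true,
      "enabled": true
    },
    // 4. Re-enable CVE-driven updates for indirect Go modules (depType
    //    "indirect" for gomod is an assumption).
    {
      "matchManagers": ["gomod"],
      "matchDepTypes": ["indirect"],
      "isVulnerabilityAlert": true,
      "enabled": true
    }
  ]
}
EOF
}

# Line number of the last "enabled": false and of the first
# "isVulnerabilityAlert": true; the disable rules must all come first.
last_disable_line() { grep -n -F '"enabled": false' "$1" | tail -n 1 | cut -d: -f1; }
first_vuln_rule_line() { grep -n -F '"isVulnerabilityAlert": true' "$1" | head -n 1 | cut -d: -f1; }
vuln_rules_win() {
  [ "$(last_disable_line "$1")" -lt "$(first_vuln_rule_line "$1")" ]
}

# Number of lines in $1 containing the fixed string $2 (0 on no match).
count_lines_with() {
  grep -c -F -- "$2" "$1" || true
}

# Rewrite EVERY "matchBaseBranches": [...] array with the JSON array text in $2.
# The trailing /g plus the absence of a line address makes sed substitute on
# all matching lines, which is the fix the PR overview describes.
update_base_branches() {
  sed "s|\"matchBaseBranches\": \[[^]]*]|\"matchBaseBranches\": $2|g" "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

WORK="$(mktemp -d)"
CFG="$WORK/renovate.json5"
write_sample_config "$CFG"
if vuln_rules_win "$CFG"; then
  echo "ok: disable rules precede the vulnerability re-enable rules"
else
  echo "warning: a disable rule follows a vulnerability rule and will override it"
fi
update_base_branches "$CFG" '["release-2.6", "release-2.5", "release-2.4"]'
echo "matchBaseBranches lines now listing release-2.6: $(count_lines_with "$CFG" 'release-2.6')"
```

Run it as-is; it prints the ordering check result and the number of rule lines that now carry the new branch list (2 in the constructed config). Keeping the branch list in sync across all matchBaseBranches rules is what makes the re-enable rule keep pace with the blanket disable rule when a release branch rolls over.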