fix(renovate): bump lower-bound ranges on CVEs + simplify custom regex#248
fix(renovate): bump lower-bound ranges on CVEs + simplify custom regex#248JacobPEvans wants to merge 1 commit intomainfrom
Conversation
Renovate's vulnerabilityAlerts flow defaulted rangeStrategy to update-lockfile, which only edits committed lockfiles, never manifest ranges. Repos using `>=X` constraints with no committed lockfile (e.g. mlx-benchmarks `pyproject.toml`, `space/requirements.txt`) silently skipped CVE-driven bumps because `>=14` was already considered satisfied by the patched 17.0.0. Result: critical vulns sat unaddressed until manual PRs (mlx-benchmarks#28). Changes: - Add `rangeStrategy: "update-lockfile"` at root (locks current default, prevents drift across Renovate versions). - Override `rangeStrategy: "bump"` + `vulnerabilityFixStrategy: "highest"` inside `vulnerabilityAlerts` so security PRs widen lower bounds to the latest fixed version (matches the manual mlx-benchmarks#28 behavior). - Enable the built-in `pep723` manager with `**/*.py` scope so PEP 723 inline-metadata scripts (e.g. mlx-benchmarks `harness/framework-eval/eval_*.py`) get tracked. Renovate skips files lacking the `# /// script` block, so the broad pattern is safe. - Consolidate the 5 uv/uvx custom-regex matchStrings into one (alternation in the trigger group). Verified to match all 5 historical case shapes: `uvx --from`, `uv run --with`, `uv tool install`, and multi-line `"--from"`/`"--with"` argument forms. - Replace imprecise version capture (`[\d][^\s"]*`) across all custom managers with a PEP 440 / semver pattern that rejects trailing garbage. - Tighten the npm-in-Nix scope regex to npm spec lowercase rules. Existing behavior preserved: the "never auto-merge majors" rule still applies, so security-major bumps (e.g. pyarrow 14→17) land for human review rather than auto-merge. (claude)
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request improves Renovate's dependency management capabilities by refining how security vulnerabilities are handled and enhancing the precision of custom regex-based dependency detection. These changes ensure that security updates are more effective at modifying manifest ranges rather than just lockfiles, and they standardize version parsing across various configuration files to improve reliability. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. The regex was long and quite wide, With patterns all scattered inside. Now consolidated and clean, The best code that I've ever seen, With versioning logic applied. Footnotes
|
There was a problem hiding this comment.
Pull request overview
Updates the org-wide Renovate preset to improve security remediation behavior (especially for repos without lockfiles), enable tracking of PEP 723 inline-metadata scripts, and simplify/harden custom-regex dependency detection.
Changes:
- Configure vulnerability alert PRs to bump lower bounds and select the highest fixed version.
- Enable the built-in
pep723manager with custom file targeting. - Consolidate uv/uvx matchers and tighten version-capture regexes across custom managers.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "timezone": "America/Chicago", | ||
| "rangeStrategy": "update-lockfile", | ||
| "pep723": { | ||
| "managerFilePatterns": ["/\\.py$/"] |
| ], | ||
| "minimumReleaseAge": "3 days", | ||
| "timezone": "America/Chicago", | ||
| "rangeStrategy": "update-lockfile", |
| "\"(?<depName>@[a-z0-9][a-z0-9-]*/[a-z0-9][a-z0-9._-]*)@(?<currentValue>\\d+(?:\\.\\d+)*(?:[._-]?(?:a|b|rc|alpha|beta|dev|post)\\d*)?(?:\\+[A-Za-z0-9.]+)?)\"", | ||
| "bunx\\s+--bun\\s+(?<depName>(?:@[^@/]+\\/)?[^@\\s]+)@(?<currentValue>\\d+(?:\\.\\d+)*(?:[._-]?(?:a|b|rc|alpha|beta|dev|post)\\d*)?(?:\\+[A-Za-z0-9.]+)?)" |
| "\"--from\"\\r?\\n\\s+\"(?<depName>[a-zA-Z0-9][a-zA-Z0-9._-]*)(?:\\[[^\\]]+\\])?==(?<currentValue>[\\d][^\\s\"]*)\"", | ||
| "\"--with\"\\r?\\n\\s+\"(?<depName>[a-zA-Z0-9][a-zA-Z0-9._-]*)(?:\\[[^\\]]+\\])?==(?<currentValue>[\\d][^\\s\"]*)\"", | ||
| "\\buv\\S*\\s+tool\\s+install\\s+\"(?<depName>[a-zA-Z0-9][a-zA-Z0-9._-]*)(?:\\[[^\\]]+\\])?==(?<currentValue>[\\d][^\\s\"]*)\"" | ||
| "(?:uvx\\s+--from\\s+|uv\\s+run[^\"]*--with\\s+|\\buv\\S*\\s+tool\\s+install\\s+|\"--(?:from|with)\"\\r?\\n\\s+)\"(?<depName>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\\[[^\\]]+\\])?==(?<currentValue>\\d+(?:\\.\\d+)*(?:[._-]?(?:a|b|rc|alpha|beta|dev|post)\\d*)?(?:\\+[A-Za-z0-9.]+)?)\"" |
| "fileMatch": ["\\.github/workflows/.*\\.ya?ml$"], | ||
| "matchStrings": [ | ||
| "#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)[\\r\\n]+[\\s\\S]*?\\bnpx\\b\\s+(?:--yes\\s+|-y\\s+)?\\S+@(?<currentValue>[^\\s\"']+)" | ||
| "#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)[\\r\\n]+[\\s\\S]*?\\bnpx\\b\\s+(?:--yes\\s+|-y\\s+)?\\S+@(?<currentValue>\\d+(?:\\.\\d+)*(?:[._-]?(?:a|b|rc|alpha|beta|dev|post)\\d*)?(?:\\+[A-Za-z0-9.]+)?)" |
Summary
>=Xlower bounds (rangeStrategy: bump+vulnerabilityFixStrategy: highestinsidevulnerabilityAlerts).pep723manager so PEP 723 inline-metadata scripts get tracked org-wide (e.g. mlx-benchmarksharness/framework-eval/eval_*.py).matchStringsinto 1 (alternation in the trigger group). All 5 historical case shapes still match — verified locally.[\d][^\s\"]*) across all custom managers with a PEP 440 / semver pattern.Net diff: +11 / -9 lines, single file (
renovate-presets.json).Why mlx-benchmarks#28 was manual
vulnerabilityAlertsdefaultsrangeStrategytoupdate-lockfile, which only edits committed lockfiles — never manifest ranges. mlx-benchmarks has no committed lockfile, andpyarrow>=14was already satisfied by the patched17.0.0, so Renovate considered the constraint up-to-date. Same forpillow>=10.4.0. A human had to widen the floor.With this PR, future critical CVEs in inheriting repos auto-PR with the floor moved to latest. Existing "never auto-merge majors" rule is preserved — security-major bumps still land for human review.
Test plan
new RegExp(...))uvx --from,uv run --with,uv tool install, multi-line\"--from\"/\"--with\")renovate-config-validator --no-globalaccepts new options (pep723,vulnerabilityFixStrategy,rangeStrategyoverrides)pyarrow/pillowfor re-bump (or that the existing PR ci(.github): add conventional commit validation (pre-commit hook) #28 already covers them)harness/framework-eval/eval_*.pydeps in mlx-benchmarks dependency dashboardOut of scope (follow-ups)
fileMatch→managerFilePatternsmigration (Renovate 41+ deprecation)pinGitHubActionDigestsvalidation warning in Renovate 43.x — Mend's hosted runner accepts it, but worth confirming whether to switch topinDigestsor remove