From b12dda7a382630ec69dad1b80fa06e23cf76a7ea Mon Sep 17 00:00:00 2001 
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com> Date: Wed, 29 Apr 2026 03:53:11 -0400 Subject: [PATCH] fix(renovate): bump lower-bound ranges on CVEs + simplify custom regex MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Renovate's vulnerabilityAlerts flow defaulted rangeStrategy to update-lockfile, which only edits committed lockfiles, never manifest ranges. Repos using `>=X` constraints with no committed lockfile (e.g. mlx-benchmarks `pyproject.toml`, `space/requirements.txt`) silently skipped CVE-driven bumps because `>=14` was already considered satisfied by the patched 17.0.0. Result: critical vulns sat unaddressed until manual PRs (mlx-benchmarks#28). Changes: - Add `rangeStrategy: "update-lockfile"` at root (locks current default, prevents drift across Renovate versions). - Override `rangeStrategy: "bump"` + `vulnerabilityFixStrategy: "highest"` inside `vulnerabilityAlerts` so security PRs widen lower bounds to the latest fixed version (matches the manual mlx-benchmarks#28 behavior). - Enable the built-in `pep723` manager with `**/*.py` scope so PEP 723 inline-metadata scripts (e.g. mlx-benchmarks `harness/framework-eval/eval_*.py`) get tracked. Renovate skips files lacking the `# /// script` block, so the broad pattern is safe. - Consolidate the 5 uv/uvx custom-regex matchStrings into one (alternation in the trigger group). Verified to match all 5 historical case shapes: `uvx --from`, `uv run --with`, `uv tool install`, and multi-line `"--from"`/`"--with"` argument forms. - Replace imprecise version capture (`[\d][^\s"]*`) across all custom managers with a PEP 440 / semver pattern that rejects trailing garbage. - Tighten the npm-in-Nix scope regex to npm spec lowercase rules. Existing behavior preserved: the "never auto-merge majors" rule still applies, so security-major bumps (e.g. pyarrow 14→17) land for human review rather than auto-merge. 
(claude)
---
 renovate-presets.json | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/renovate-presets.json b/renovate-presets.json
index 6a7b1a1..6d54431 100644
--- a/renovate-presets.json
+++ b/renovate-presets.json
@@ -16,11 +16,17 @@
 ],
 "minimumReleaseAge": "3 days",
 "timezone": "America/Chicago",
+ "rangeStrategy": "update-lockfile",
+ "pep723": {
+ "managerFilePatterns": ["/\\.py$/"]
+ },
 "vulnerabilityAlerts": {
 "enabled": true,
 "labels": ["type:security"],
 "automerge": true,
- "minimumReleaseAge": "0 days"
+ "minimumReleaseAge": "0 days",
+ "rangeStrategy": "bump",
+ "vulnerabilityFixStrategy": "highest"
 },
 "lockFileMaintenance": {
 "enabled": true,
@@ -42,8 +48,8 @@
 "customType": "regex",
 "fileMatch": ["\\.nix$"],
 "matchStrings": [
- "\"(?@[a-zA-Z0-9-]+/[a-zA-Z0-9][a-zA-Z0-9._-]*)@(?[\\d][^\\s\"]*)\"",
- "bunx\\s+--bun\\s+(?(?:@[^@/]+\\/)?[^@\\s]+)@(?[\\d][^\\s\"']*)"
+ "\"(?@[a-z0-9][a-z0-9-]*/[a-z0-9][a-z0-9._-]*)@(?\\d+(?:\\.\\d+)*(?:[._-]?(?:a|b|rc|alpha|beta|dev|post)\\d*)?(?:\\+[A-Za-z0-9.]+)?)\"",
+ "bunx\\s+--bun\\s+(?(?:@[^@/]+\\/)?[^@\\s]+)@(?\\d+(?:\\.\\d+)*(?:[._-]?(?:a|b|rc|alpha|beta|dev|post)\\d*)?(?:\\+[A-Za-z0-9.]+)?)"
 ],
 "datasourceTemplate": "npm"
 },
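Review bot: The `"vulnerabilityFixStrategy": "highest"` added under `vulnerabilityAlerts` sits beside the existing `"minimumReleaseAge": "0 days"` and `"automerge": true`, so a non-major security PR now raises the range floor to the newest release available and can merge it the moment it is published, rather than to the oldest version that already carries the fix. That widens exposure to a freshly published or hijacked release, which is exactly what a release age is meant to absorb; if `highest` is the intended policy, consider pairing it with a short non-zero age such as `"minimumReleaseAge": "1 day"` inside `vulnerabilityAlerts`, or leaving the strategy at its default `lowest` and letting regular updates carry the rest. Separately, the new `pep723` block uses `managerFilePatterns` while the custom managers later in this file still use the older `fileMatch` spelling; Renovate appears to accept both, but one spelling across the file is easier to maintain.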
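Review bot: The new version capture in the unquoted `bunx` pattern has no terminator, so instead of rejecting trailing garbage it silently truncates: for `bunx --bun pkg@1.2.3-beta.4` the optional pre-release group takes the first alternation branch that fits (`-b`), `\\d*` matches nothing, and the capture ends as `1.2.3-b`, whereas the removed `[\\d][^\\s\"']*` captured `1.2.3-beta.4`. The same happens with `-rc.1` and in the `npx` workflow pattern of the last hunk; the quoted `"@scope/pkg@...\"` form at least fails to match instead, so such pins drop out of tracking rather than being misread. The PEP 440 label set also does not describe npm pre-releases, whose dot-separated identifiers (`-beta.1`, `-next.3`) are what semver actually uses. For the npm-datasource patterns a semver-shaped capture such as `\\d+\\.\\d+\\.\\d+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?`, followed outside the group by a terminator like `(?:[\\s\"']|$)` on the unquoted forms, would reject rather than truncate; this touches three matchStrings across the two hunks.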
@@ -52,11 +58,7 @@
 "customType": "regex",
 "fileMatch": ["\\.nix$"],
 "matchStrings": [
- "uvx\\s+--from\\s+\"(?[a-zA-Z0-9][a-zA-Z0-9._-]*)(?:\\[[^\\]]+\\])?==(?[\\d][^\\s\"]*)\"",
- "uv\\s+run[^\"]*--with\\s+\"(?[a-zA-Z0-9][a-zA-Z0-9._-]*)(?:\\[[^\\]]+\\])?==(?[\\d][^\\s\"]*)\"",
- "\"--from\"\\r?\\n\\s+\"(?[a-zA-Z0-9][a-zA-Z0-9._-]*)(?:\\[[^\\]]+\\])?==(?[\\d][^\\s\"]*)\"",
- "\"--with\"\\r?\\n\\s+\"(?[a-zA-Z0-9][a-zA-Z0-9._-]*)(?:\\[[^\\]]+\\])?==(?[\\d][^\\s\"]*)\"",
- "\\buv\\S*\\s+tool\\s+install\\s+\"(?[a-zA-Z0-9][a-zA-Z0-9._-]*)(?:\\[[^\\]]+\\])?==(?[\\d][^\\s\"]*)\""
+ "(?:uvx\\s+--from\\s+|uv\\s+run[^\"]*--with\\s+|\\buv\\S*\\s+tool\\s+install\\s+|\"--(?:from|with)\"\\r?\\n\\s+)\"(?[A-Za-z0-9][A-Za-z0-9._-]*)(?:\\[[^\\]]+\\])?==(?\\d+(?:\\.\\d+)*(?:[._-]?(?:a|b|rc|alpha|beta|dev|post)\\d*)?(?:\\+[A-Za-z0-9.]+)?)\""
 ],
 "datasourceTemplate": "pypi"
 },
@@ -65,7 +67,7 @@
 "customType": "regex",
 "fileMatch": ["\\.github/workflows/.*\\.ya?ml$"],
 "matchStrings": [
- "#\\s*renovate:\\s*datasource=(?\\S+)\\s+depName=(?\\S+)[\\r\\n]+[\\s\\S]*?\\bnpx\\b\\s+(?:--yes\\s+|-y\\s+)?\\S+@(?[^\\s\"']+)"
+ "#\\s*renovate:\\s*datasource=(?\\S+)\\s+depName=(?\\S+)[\\r\\n]+[\\s\\S]*?\\bnpx\\b\\s+(?:--yes\\s+|-y\\s+)?\\S+@(?\\d+(?:\\.\\d+)*(?:[._-]?(?:a|b|rc|alpha|beta|dev|post)\\d*)?(?:\\+[A-Za-z0-9.]+)?)"
 ]
 }
 ],
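Review bot: Folding the five uv trigger forms into one alternation yields a single matchString of over 200 characters that a reader must parse in full to confirm each historical shape still matches, which the commit message says was checked by hand. Renovate evaluates each `matchStrings` entry on its own under the default `matchStringsStrategy` of `any`, so the consolidation changes nothing functionally and is purely a readability trade; keeping one entry per trigger with the shared `==version` tail, or adding a top-level `"description"` naming the five forms covered, would keep that verification checkable in review. One thing to confirm: the capture groups render here as bare `(?` followed directly by the class, which is not valid syntax, so check that `(?<depName>` and `(?<currentValue>` survived in the committed file and were only lost in this rendering.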