38.0.0

@renovate-release renovate-release released this 25 Jul 13:49
· 4038 commits to main since this release
3bee6bf

38.0.0 (2024-07-25)

Breaking changes for 38

General:

  • Require Node.js 20 (#30291)
  • The Renovate Docker images no longer have -slim tags. You must stop using the -slim suffix. Renovate now defaults to the -slim tag type behavior.

Specific:

  • bitbucket-server: autodetect gitAuthor, if possible (#29525)
  • config: change from boolean to enum for onboardingNoDeps. Renovate now onboards repositories with no dependencies, with one exception: if you run Renovate in autodiscover mode then you must manually onboard Renovate for repos with no dependencies
  • config: sanitize special characters from branch names for vulnerability type PRs. This may cause Renovate to autoclose/replace existing PRs
  • config: change the order of globalExtends resolution: it is applied first, and the remaining global config takes precedence
  • datasource/docker: Docker Hub lookups prefer hub.docker.com over index.docker.io. To revert to the old behavior: set RENOVATE_X_DOCKER_HUB_TAGS_DISABLE=true in your env
  • git: check all commits on the branch to decide if the branch was modified (#28225)
  • gitea: use "bearer auth" instead of "token auth" to authenticate to the Gitea platform
  • github: if you run Renovate as a GitHub app then platformCommit is automatically enabled
  • gomod: the value of GOSUMDB was previously set to off, meaning the Go toolchain would not validate signatures for modules. This has now been corrected, which may result in errors updating Go modules. In particular, if you are using Renovate with private Go modules, you will need to set GOPRIVATE. For more details, see Go's official documentation for working with private Go modules.
  • http: remove dnsCache
  • logging: you must set file logging via env, not in config.js
  • manager/pep621: change depName for pep621 dependencies. This causes the branch name for pep621 updates to change, which in turn means Renovate may autoclose and re-open some pep621 PRs. Also, Renovate may start grouping dependencies into a single PR.
  • npm: for npm versions lower than 7, drop support for remediating vulnerabilities in transitive dependencies
  • npm: remove RENOVATE_CACHE_NPM_MINUTES (#28715)
  • packageRules: matchPackageNames (and related functions) no longer fall back to checking depName
  • packageRules: matchPackageNames exact matches are now case-insensitive

Commentary for 38

Our Docker images are slim by default

If you self-host using Renovate's Docker -slim images: drop the -slim suffix, and switch to the default tags.
Renovate's default tags like 38.0.0 are "slim" by default.
There's no change if you're using the -full images.

Renovate needs Node.js 20

Renovate now needs Node.js ^20.15.1 to run.
Our Docker images already use the correct version of Node.js.

But if you self-host without using our Docker image, then you must update the version of Node.js.
You must update manually if, for example, you build your own image or run the renovate npm package.

Why we picked Node 20

We dropped Node.js 18, and do not yet support Node.js 22 as it's non-LTS and not recommended for production.

Why we picked a non-vulnerable version of Node

We decided to require the current non-vulnerable version of Node.js (20.15.1 or newer).
If we ever need to bump the minimum version of Node.js v20, we will release a new major version of Renovate.

If you self-host: we recommend you always run a secure version of Node.js v20.
This is because security vulnerabilities in Node.js can affect Renovate too.

If you use Mend's Renovate GitHub app

We recommend that all users running Renovate as a GitHub App use platformCommit.
Renovate now enables platformCommit by default when it detects a GitHub App token.
For PATs, we still recommend regular commits.

Log file configuration requires env settings

File-based logging must be configured using environment variables (e.g. LOG_FILE).
Do not set file logging in config files or on the CLI (such as logFile).

This ensures that logging begins right when Renovate starts a run.
It also means Renovate logs how it parses the config.

Changes to package matching

Finally, we merged the matchPackage* and excludePackage* options into matchPackageNames.
We also enabled patterns for the matchPackageNames config option.

This means you can now use regex or glob patterns:

  • "matchPackageNames": "/^com.renovatebot/" (regex)
  • "matchPackageNames": "@renovate/*" (glob)

And of course, you can still use exact name matching.
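
As an added example (not Renovate's own code), the breaking changes and commentary above can be turned into a pre-upgrade check for a self-hosted setup. The input shape (`nodeVersion`, `imageTag`, `config`, `env`, `privateGoModules`) and the function names are assumptions of this example; the option and variable names it looks for are the ones named in these notes, plus the pre-38 `matchPackagePrefixes` option in the constructed sample.

```javascript
// Added example: pre-upgrade check for a self-hosted Renovate 38 setup.
// The input shape and function names are assumptions of this example.

// Renovate 38 needs Node.js ^20.15.1: major version 20, at least 20.15.1.
function nodeVersionOk(version) {
  const [major, minor, patch] = version.replace(/^v/, '').split('.').map(Number);
  return major === 20 && (minor > 15 || (minor === 15 && patch >= 1));
}

function checkRenovate38({ nodeVersion, imageTag = '', config = {}, env = {}, privateGoModules = false }) {
  const findings = [];
  if (!nodeVersionOk(nodeVersion)) findings.push(`node: ${nodeVersion} does not satisfy ^20.15.1`);
  if (imageTag.endsWith('-slim')) findings.push(`docker: drop the -slim suffix from ${imageTag}`);
  if ('logFile' in config) findings.push('logging: set file logging via env (LOG_FILE), not config');
  if ('dnsCache' in config) findings.push('http: dnsCache is removed');
  if (typeof config.onboardingNoDeps === 'boolean') {
    findings.push('config: onboardingNoDeps is now an enum, not a boolean');
  }
  if ('RENOVATE_CACHE_NPM_MINUTES' in env) findings.push('npm: RENOVATE_CACHE_NPM_MINUTES is removed');
  // GOSUMDB is no longer forced to off, so private modules need GOPRIVATE.
  if (privateGoModules && !env.GOPRIVATE) findings.push('gomod: set GOPRIVATE for private Go modules');
  // matchPackage* and excludePackage* options were merged into matchPackageNames.
  for (const rule of config.packageRules || []) {
    for (const key of Object.keys(rule)) {
      if (/^(match|exclude)Package/.test(key) && key !== 'matchPackageNames') {
        findings.push(`packageRules: ${key} is merged into matchPackageNames`);
      }
    }
  }
  return findings;
}

// Constructed sample input, not taken from a real deployment.
const sample = {
  nodeVersion: 'v18.20.4',
  imageTag: '38.0.0-slim',
  config: {
    logFile: '/tmp/renovate.log',
    onboardingNoDeps: true,
    packageRules: [{ matchPackagePrefixes: ['@renovate/'] }],
  },
  env: { RENOVATE_CACHE_NPM_MINUTES: '15' },
  privateGoModules: true,
};
console.log(checkRenovate38(sample).join('\n'));
```

An empty result means none of the checked breaking changes applies to the given input; it does not cover the behavioural changes (branch renames, case-insensitive matching) listed above.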

⚠ BREAKING CHANGES

  • bitbucket-server: autodetect gitAuthor if possible (#29525)
  • require node v20 (#30291)
  • http: dnsCache is now removed
  • github: platformCommit will be automatically enabled if running as a GitHub app
  • npm: remove RENOVATE_CACHE_NPM_MINUTES (#28715)
  • git: determine branch modification based on all branch commits (#28225)
  • packageRules: matchPackageNames exact matches are now case-insensitive
  • datasource/docker: Docker Hub lookups prefer hub.docker.com over index.docker.io. Set RENOVATE_X_DOCKER_HUB_TAGS_DISABLE=true in env to revert behavior.
  • package-rules: matchPackageNames and related functions no longer fall back to checking depName.
  • logging: File logging must now be set via env and not in config.js
  • config: onboardingNoDeps changes from boolean to enum. Repositories with no dependencies will be onboarded unless in autodiscover mode.
  • npm: Transitive remediation for npm <7 is no longer supported.
  • config: Branch names for remediation will be sanitized to exclude special characters, potentially resulting in some autoclosing/replacing of existing PRs.
  • Renovate docker images no longer have -slim tags. Drop the -slim suffix as this is now the default behavior.
  • gitea: Gitea platform authentication will now be done using Bearer auth instead of token auth.
  • manager/pep621: depName for pep621 dependencies changes, which will lead to branch name changes, which will lead to some autoclosing and reopening of PRs.
  • config: order of globalExtends resolution is changed so that it is applied first and remaining global config takes precedence.

Features

Bug Fixes

  • config: globalExtends merge order (#28145) (e3175a3), closes #28131
  • config: Use depNameSanitized in branch name for vulnerability alerts (#25166) (33b1cdb)
  • deps: update ghcr.io/containerbase/sidecar docker tag to v11 (#30357) (46f0357)
  • normalize Python depName in every manager (#27733) (2e78a71)
  • presets: replace matchPackagePrefix/Patterns with matchPackageNames (#29159) (2c13498)

Miscellaneous Chores

  • deps: update dependency @swc/core to v1.7.0 (#30367) (e93b071)
  • deps: update dependency @swc/core to v1.7.1 (#30371) (6bad833)
  • deps: update dependency @types/node to v20 (e629b2b)
  • deps: update ghcr.io/containerbase/devcontainer docker tag to v11 (#30368) (3bee6bf)
  • deps: update github/codeql-action action to v3.25.14 (#30372) (0b9d899)

Code Refactoring

Tests

Build System