chore(renovate): add stabilization delay, weekly schedule, and PR cap

[mekarpeles]

Problem

Renovate currently opens PRs the moment a new version publishes, with no concurrency limit and no grouping. This causes:

• PRs for packages that get immediately yanked or have regressions
• A constant trickle of individual PRs (one per package) throughout the week
• Impossible to keep up with manually — we've seen 40+ Renovate PRs open in a single week

Changes

Top-level settings:

Setting	Value	Effect
minimumReleaseAge	"7 days"	Won't open a PR until a version has been live ≥7 days. Catches yanked packages and immediate regressions.
schedule	"before 9am on Monday"	All non-security updates batched to Monday morning. One review session per week.
prConcurrentLimit	10	Caps open Renovate PRs at 10. Prevents queue flooding.

New grouping rules (the big change):

Instead of one PR per package, Renovate will now open at most two PRs per week:

• "Python dependencies (non-major)" — all pip patch/minor updates in one PR
• "JS dependencies (non-major)" — all npm patch/minor updates in one PR

Major version bumps still get individual PRs (they need dedicated review).

Security updates bypass all limits — minimumReleaseAge: "0 days", schedule: "at any time", and prConcurrentLimit: 0 so CVE patches still land immediately, ungrouped, and are never blocked by the 10-PR cap.

What this does NOT change

• automerge remains false everywhere
• All existing named grouping rules (eslint, jest/sinon/stylelint, mypy/ruff/pytest, actions) are preserved unchanged
• Submodule and pip_requirements manager configs unchanged

Note: Two new grouping rules are added (Python non-major and JS non-major) — the above refers to pre-existing rules only.

Expected outcome

• Before: ~10–40 individual Renovate PRs opened throughout the week
• After: 2 PRs opened Monday morning (Python non-major + JS non-major), plus immediate security PRs as needed

[Copilot]

Pull request overview

This PR adjusts Renovate’s dependency-update workflow in renovate.json by adding global throttling/batching settings and a security-specific exception, and it also introduces new grouping rules for non-major Python and npm updates.

Changes:

• Add global Renovate controls: minimumReleaseAge, weekly schedule, and prConcurrentLimit.
• Add a security-targeted package rule intended to bypass the delay/schedule.
• Add new grouping rules for non-major pip_requirements and npm updates.

[RayBB]

Copilot makes some good points. Can you please respond or resolve them and then we can take a look?

[mekarpeles]

uv and npm config should have minimum release age of 7 days.

[mekarpeles]

Addressed all Copilot threads and your comment @RayBB:

Real bug fixed (Copilot thread on security rule): Added "prConcurrentLimit": 0 to the security packageRule. Without it, CVE patches could be queued behind the global 10-PR cap on a busy week — security updates now truly bypass all limits.

Explicit minimumReleaseAge on grouping rules (your comment): Added "minimumReleaseAge": "7 days" explicitly to both the Python and JS non-major grouping rules. The global default already applies, but this makes the intent visible at the rule level.

PR description clarified (Copilot threads on grouping rules): Updated the "What this does NOT change" section to be explicit that the two new grouping rules are new additions — the existing named groups (eslint, jest, mypy, actions) are unchanged.

All 3 Copilot threads resolved.

[RayBB]

@mekarpeles do you want to make it so we consolidate PRs instead of having one PR for each dependency?

you can configure renovate to consolidate PRs for minor bumps like this, if you find that desirable.

https://stackoverflow.com/questions/66471226/renovate-combine-all-updates-to-one-branch-pr

Comment is from: #12713

[mekarpeles]

@RayBB for now, maybe easier to land this and test PRs individually, though a followup PR for minor bumps may be beneficial.

responded to review feedback