From bc2ffd7e64e629cfccbe7752f7e551ba053c70ca Mon Sep 17 00:00:00 2001 From: "Michael E. Karpeles (Mek)" Date: Tue, 5 May 2026 18:12:36 -0600 Subject: [PATCH 1/3] chore(renovate): add stabilization delay, weekly schedule, and PR cap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - minimumReleaseAge: 7 days — wait for packages to stabilize before opening PRs; prevents chasing yanked releases and bleeding-edge versions that may break things - schedule: Monday morning only — batches all updates into one weekly window instead of PRs trickling in throughout the week - prConcurrentLimit: 10 — caps open Renovate PRs so the queue stays manageable - Security updates bypass both limits (minimumReleaseAge: 0, schedule: any time) so CVE patches still land immediately --- renovate.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/renovate.json b/renovate.json index d74b57c6e82..ad143239282 100644 --- a/renovate.json +++ b/renovate.json @@ -2,6 +2,9 @@ "extends": [ "config:recommended" ], + "minimumReleaseAge": "7 days", + "schedule": ["before 9am on Monday"], + "prConcurrentLimit": 10, "git-submodules": { "enabled": true }, @@ -11,6 +14,11 @@ ] }, "packageRules": [ + { + "matchCategories": ["security"], + "minimumReleaseAge": "0 days", + "schedule": ["at any time"] + }, { "matchPackageNames": [ "eslint", From 3f88373db36745d82b96d4d2ef6fe65bfae4e825 Mon Sep 17 00:00:00 2001 From: "Michael E. Karpeles (Mek)" Date: Tue, 5 May 2026 18:13:00 -0600 Subject: [PATCH 2/3] chore(renovate): group Python and JS patch/minor updates into two PRs --- renovate.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/renovate.json b/renovate.json index ad143239282..e2b443df9af 100644 --- a/renovate.json +++ b/renovate.json @@ -19,6 +19,18 @@ "minimumReleaseAge": "0 days", "schedule": ["at any time"] }, + { + "matchManagers": ["pip_requirements"], + "matchUpdateTypes": ["patch", "minor"], + "groupName": "Python dependencies (non-major)", + "groupSlug": "python-non-major" + }, + { + "matchManagers": ["npm"], + "matchUpdateTypes": ["patch", "minor"], + "groupName": "JS dependencies (non-major)", + "groupSlug": "js-non-major" + }, { "matchPackageNames": [ "eslint", From f8d8dd83bc3d5f84a0f0ababb9a31851fc315cad Mon Sep 17 00:00:00 2001 From: "Michael E. Karpeles (Mek)" Date: Mon, 11 May 2026 18:49:32 -0600 Subject: [PATCH 3/3] fix(renovate): security updates bypass prConcurrentLimit; explicit minimumReleaseAge on grouped rules - Add prConcurrentLimit: 0 to security packageRule so CVE patches are never blocked by the global 10-PR cap - Add explicit minimumReleaseAge: "7 days" to the Python and JS grouping rules for clarity (global default already applies, but explicit is safer) --- renovate.json | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/renovate.json b/renovate.json index e2b443df9af..d1727b2ab32 100644 --- a/renovate.json +++ b/renovate.json @@ -17,19 +17,22 @@ { "matchCategories": ["security"], "minimumReleaseAge": "0 days", - "schedule": ["at any time"] + "schedule": ["at any time"], + "prConcurrentLimit": 0 }, { "matchManagers": ["pip_requirements"], "matchUpdateTypes": ["patch", "minor"], "groupName": "Python dependencies (non-major)", - "groupSlug": "python-non-major" + "groupSlug": "python-non-major", + "minimumReleaseAge": "7 days" }, { "matchManagers": ["npm"], "matchUpdateTypes": ["patch", "minor"], "groupName": "JS dependencies (non-major)", - "groupSlug": "js-non-major" + "groupSlug": "js-non-major", + "minimumReleaseAge": "7 days" }, { "matchPackageNames": [