{ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"], "gitAuthor": "APF Portal Bot ", "dependencyDashboard": true, "dependencyDashboardTitle": "Renovate Dependency Dashboard", "dependencyDashboardHeader": "## Triage guide\n\nRenovate organises this dashboard in sections that map directly to a triage action. Use the sections below as a checklist:\n\n| Section | What it contains | What to do |\n| - | - | - |\n| **Open** | Patch + minor PRs already created. CI is running or done. | Review & merge once green. Batch-merge friendly. |\n| **Awaiting Schedule** | Items waiting for their schedule window (e.g. weekly `lockFileMaintenance`). | Nothing — they will appear automatically when their window opens. |\n| **Pending Approval** | **Major** bumps. Renovate will not create a PR until you tick the box. | One at a time: read the upstream changelog, verify our toolchain (Nx plugins / Angular / NestJS / ESLint plugins) supports it, then tick. Past offenders we caught the hard way: TS 5→6, ESLint 9→10, webpack-cli 5→7. |\n| **Detected dependencies** | The full list Renovate sees. Reference only. | None. |\n| **Errored / Edited / Other** | Out-of-band situations. | Investigate case by case. |\n\n**Pinned constraints**\n\n- **Prisma group** (`prisma`, `@prisma/*`, `nestjs-prisma`) — major bumps are explicitly disabled until the Prisma 7 upgrade ADR lands. See [ADR-0006 §\"Prisma version pin: 6.x in v1\"](../docs/decisions/0006-persistence-postgresql-prisma.md).\n- **Trivy / gitleaks binary versions** in `.gitea/workflows/*.yml` are not Renovate-tracked yet (no package-manager-tracked dep). Bump manually from their GitHub releases — see comments in the workflow.\n\n**Reference**: [docs/development.md §\"Reviewing Renovate PRs\"](../docs/development.md) — full procedure including the lighter CI on bot PRs (`perf` and `commits` skipped per ADR-0017 amendment).\n", "labels": ["dependencies"], "prHourlyLimit": 4, "prConcurrentLimit": 10, "lockFileMaintenance": { "enabled": true }, "osvVulnerabilityAlerts": true, "vulnerabilityAlerts": { "enabled": true, "labels": ["security", "dependencies"] }, "packageRules": [ { "matchUpdateTypes": ["major"], "dependencyDashboardApproval": true, "description": "Major bumps require explicit approval via the dependency dashboard (tick the entry to release the PR). Auto-creating major PRs has caused silent build regressions: TypeScript 5→6, ESLint 9→10, and webpack-cli 5→7 all passed CI through `nx affected` (which sees a deps-only change as not affecting any project) and only surfaced when run-many was attempted locally. Forcing a human in the loop on majors prevents the same trap. Patch and minor bumps still flow automatically." }, { "groupName": "Angular", "matchPackageNames": [ "@angular/*", "@angular-devkit/*", "@angular-eslint/*", "@schematics/angular", "angular-eslint" ] }, { "groupName": "Nx", "matchPackageNames": ["@nx/*", "nx"] }, { "groupName": "NestJS", "matchPackageNames": ["@nestjs/*"] }, { "groupName": "Prisma", "matchPackageNames": ["prisma", "@prisma/*", "nestjs-prisma"] }, { "matchPackageNames": ["prisma", "@prisma/*", "nestjs-prisma"], "matchUpdateTypes": ["major"], "enabled": false, "description": "Prisma 7 requires a coordinated upgrade with nestjs-prisma compatibility (Prisma 7 was downgraded to 6 in PR #3 because nestjs-prisma 0.27.0 is incompatible with Prisma 7). Re-enable once a Prisma 7 ADR lands and the wrapper situation is settled — see ADR-0006 §'Prisma version pin: 6.x in v1'." }, { "groupName": "Vitest", "matchPackageNames": ["vitest", "@vitest/*", "/^vitest-/"] }, { "groupName": "TypeScript tooling", "matchPackageNames": [ "typescript", "typescript-eslint", "@typescript-eslint/*", "ts-node", "ts-jest", "tslib" ] }, { "groupName": "ESLint", "matchPackageNames": ["eslint", "eslint-*", "@eslint/*"] }, { "groupName": "SWC", "matchPackageNames": ["@swc/*", "@swc-node/*"] }, { "groupName": "Tailwind CSS", "matchPackageNames": ["tailwindcss", "@tailwindcss/*", "postcss"] } ] }