f5d3697466
## Summary Three Renovate major bumps merged silently because `nx affected` doesn't see deps-only PRs as affecting any project — CI passed trivially, the breakage only surfaced when `nx run-many` was run locally: - **TypeScript 5→6** (#33) — `tsconfig.lib.json` fails with `TS5101: Option 'baseUrl' is deprecated`. Revert to 5.9.x. - **ESLint 9→10** (#36) — `@nx/eslint@22.7.1` not compatible: project graph fails with "Unable to find eslint". Revert eslint, `@eslint/js`, `jsonc-eslint-parser`, `eslint-plugin-playwright` to ESLint-9-compatible versions. - **webpack-cli 5→7** (#34) — webpack-cli 7 removed the `--node-env=production` flag Nx generates. Revert to 5.x. Bonus side-fix: the `ajv@<8.18.0` override added in #42 was over-broad and was forcing ESLint's bundled ajv to v8 (incompatible with ESLint 9's option contract). Narrow the override to `@angular-devkit/core>ajv@<8.18.0` so only the targeted nestjs-prisma chain is bumped. ## Prevention — gate majors behind the dependency dashboard Add a Renovate `packageRule` with `dependencyDashboardApproval: true` for `matchUpdateTypes: ["major"]`. Renovate stops auto-creating PRs for majors; they appear as checkboxes in the dashboard issue, and only get a PR after a human ticks the box (presumably after reading the changelog and confirming Nx-plugin / Angular / NestJS readiness). This is the surgical fix for the gap. The deeper fix (making `nx affected` correctly mark all projects as affected on package.json changes) is a separate investigation worth doing later — but the dashboard gate prevents the same trap regardless. ## Verification Locally on this branch: - `pnpm exec nx run-many -t lint test build --parallel=2` → ✓ 8 projects pass. - `pnpm audit --audit-level=moderate` → 0 vulnerabilities. ## Test plan - [ ] `check` job goes green on this PR (would have caught the regressions if `nx affected` were broader). - [ ] After merge, the next Renovate run does not create new PRs for any major (TS, eslint, webpack-cli, etc.). - [ ] Any pending major in the dashboard issue still appears, but only as a checkbox awaiting approval. ## Out of scope (follow-up) Investigate why `nx affected` misses package.json-only changes. Likely a missing entry in `nx.json` `namedInputs` (`default`) or `targetDefaults`. Worth its own focused PR; the dashboard gate is the conservative fix in the meantime. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #43
81 lines
2.7 KiB
JSON
81 lines
2.7 KiB
JSON
{
|
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
|
"extends": ["config:recommended"],
|
|
"gitAuthor": "APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>",
|
|
"dependencyDashboard": true,
|
|
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
|
|
"labels": ["dependencies"],
|
|
"prHourlyLimit": 4,
|
|
"prConcurrentLimit": 10,
|
|
"lockFileMaintenance": {
|
|
"enabled": true
|
|
},
|
|
"osvVulnerabilityAlerts": true,
|
|
"vulnerabilityAlerts": {
|
|
"enabled": true,
|
|
"labels": ["security", "dependencies"]
|
|
},
|
|
"packageRules": [
|
|
{
|
|
"matchUpdateTypes": ["major"],
|
|
"dependencyDashboardApproval": true,
|
|
"description": "Major bumps require explicit approval via the dependency dashboard (tick the entry to release the PR). Auto-creating major PRs has caused silent build regressions: TypeScript 5→6, ESLint 9→10, and webpack-cli 5→7 all passed CI through `nx affected` (which sees a deps-only change as not affecting any project) and only surfaced when run-many was attempted locally. Forcing a human in the loop on majors prevents the same trap. Patch and minor bumps still flow automatically."
|
|
},
|
|
{
|
|
"groupName": "Angular",
|
|
"matchPackageNames": [
|
|
"@angular/*",
|
|
"@angular-devkit/*",
|
|
"@angular-eslint/*",
|
|
"@schematics/angular",
|
|
"angular-eslint"
|
|
]
|
|
},
|
|
{
|
|
"groupName": "Nx",
|
|
"matchPackageNames": ["@nx/*", "nx"]
|
|
},
|
|
{
|
|
"groupName": "NestJS",
|
|
"matchPackageNames": ["@nestjs/*"]
|
|
},
|
|
{
|
|
"groupName": "Prisma",
|
|
"matchPackageNames": ["prisma", "@prisma/*", "nestjs-prisma"]
|
|
},
|
|
{
|
|
"matchPackageNames": ["prisma", "@prisma/*", "nestjs-prisma"],
|
|
"matchUpdateTypes": ["major"],
|
|
"enabled": false,
|
|
"description": "Prisma 7 requires a coordinated upgrade with nestjs-prisma compatibility (Prisma 7 was downgraded to 6 in PR #3 because nestjs-prisma 0.27.0 is incompatible with Prisma 7). Re-enable once a Prisma 7 ADR lands and the wrapper situation is settled — see ADR-0006 §'Prisma version pin: 6.x in v1'."
|
|
},
|
|
{
|
|
"groupName": "Vitest",
|
|
"matchPackageNames": ["vitest", "@vitest/*", "/^vitest-/"]
|
|
},
|
|
{
|
|
"groupName": "TypeScript tooling",
|
|
"matchPackageNames": [
|
|
"typescript",
|
|
"typescript-eslint",
|
|
"@typescript-eslint/*",
|
|
"ts-node",
|
|
"ts-jest",
|
|
"tslib"
|
|
]
|
|
},
|
|
{
|
|
"groupName": "ESLint",
|
|
"matchPackageNames": ["eslint", "eslint-*", "@eslint/*"]
|
|
},
|
|
{
|
|
"groupName": "SWC",
|
|
"matchPackageNames": ["@swc/*", "@swc-node/*"]
|
|
},
|
|
{
|
|
"groupName": "Tailwind CSS",
|
|
"matchPackageNames": ["tailwindcss", "@tailwindcss/*", "postcss"]
|
|
}
|
|
]
|
|
}
|