Files
apf_portal/renovate.json
T
Julien Gautier a0ee9fb3ca
CI / commits (pull_request) Successful in 2m6s
CI / check (pull_request) Successful in 2m33s
CI / a11y (pull_request) Successful in 1m32s
CI / perf (pull_request) Successful in 2m32s
CI / scan (pull_request) Failing after 5m58s
fix(deps): revert TS6/ESLint10/webpack-cli7 majors and gate future majors
Three Renovate-driven major bumps that landed via `nx affected`
passing trivially (deps-only change → no project flagged as
affected) have been silently breaking the build since they merged:

- **TypeScript 5→6** (#33) — TS6 deprecates `baseUrl`; every lib's
  `tsconfig.lib.json` now fails with `TS5101: Option 'baseUrl' is
  deprecated and will stop functioning in TypeScript 7.0`. Revert
  to TypeScript 5.9.x; we'll revisit when the broader Angular/Nx
  ecosystem aligns on TS6.
- **ESLint 9→10** (#36) — `@nx/eslint@22.7.1` was built against
  ESLint 9 and fails project-graph extraction with `Unable to find
  eslint`. Revert to ESLint 9.x; bring `@eslint/js`,
  `eslint-plugin-playwright`, and `jsonc-eslint-parser` back to
  their ESLint-9-compatible versions in the same revert.
- **webpack-cli 5→7** (#34) — webpack-cli 7 removed the
  `--node-env=production` flag that Nx's webpack target generates,
  breaking `portal-bff:build`. Revert to webpack-cli 5.x; revisit
  when Nx's webpack executor is updated.

The `ajv@<8.18.0` override added in #42 was over-broad: it forced
ESLint's transitively-bundled ajv to v8, which doesn't accept the
legacy options ESLint 9 passes. Narrow the override to
`@angular-devkit/core>ajv@<8.18.0` so only the targeted chain
(nestjs-prisma > @angular-devkit/core > ajv) is bumped, leaving
ESLint's ajv alone.

Verified locally: `pnpm exec nx run-many -t lint test build` is
green on all 8 projects; `pnpm audit --audit-level=moderate`
reports zero vulnerabilities.

To prevent future silent breakages, add a Renovate package rule
that gates **all major updates** behind the dependency dashboard
(`dependencyDashboardApproval: true`). Renovate stops creating PRs
for majors automatically — they appear as checkboxes in the
dashboard, and only get a PR when a human ticks the box. Patch
and minor bumps still flow on the daily cron.

`docs/development.md` "Reviewing Renovate PRs" is updated to
explain the gate and why it exists, citing the three offenders we
caught the hard way.
2026-05-06 22:01:44 +02:00

81 lines
2.7 KiB
JSON

{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"gitAuthor": "APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>",
"dependencyDashboard": true,
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
"labels": ["dependencies"],
"prHourlyLimit": 4,
"prConcurrentLimit": 10,
"lockFileMaintenance": {
"enabled": true
},
"osvVulnerabilityAlerts": true,
"vulnerabilityAlerts": {
"enabled": true,
"labels": ["security", "dependencies"]
},
"packageRules": [
{
"matchUpdateTypes": ["major"],
"dependencyDashboardApproval": true,
"description": "Major bumps require explicit approval via the dependency dashboard (tick the entry to release the PR). Auto-creating major PRs has caused silent build regressions: TypeScript 5→6, ESLint 9→10, and webpack-cli 5→7 all passed CI through `nx affected` (which sees a deps-only change as not affecting any project) and only surfaced when run-many was attempted locally. Forcing a human in the loop on majors prevents the same trap. Patch and minor bumps still flow automatically."
},
{
"groupName": "Angular",
"matchPackageNames": [
"@angular/*",
"@angular-devkit/*",
"@angular-eslint/*",
"@schematics/angular",
"angular-eslint"
]
},
{
"groupName": "Nx",
"matchPackageNames": ["@nx/*", "nx"]
},
{
"groupName": "NestJS",
"matchPackageNames": ["@nestjs/*"]
},
{
"groupName": "Prisma",
"matchPackageNames": ["prisma", "@prisma/*", "nestjs-prisma"]
},
{
"matchPackageNames": ["prisma", "@prisma/*", "nestjs-prisma"],
"matchUpdateTypes": ["major"],
"enabled": false,
"description": "Prisma 7 requires a coordinated upgrade with nestjs-prisma compatibility (Prisma 7 was downgraded to 6 in PR #3 because nestjs-prisma 0.27.0 is incompatible with Prisma 7). Re-enable once a Prisma 7 ADR lands and the wrapper situation is settled — see ADR-0006 §'Prisma version pin: 6.x in v1'."
},
{
"groupName": "Vitest",
"matchPackageNames": ["vitest", "@vitest/*", "/^vitest-/"]
},
{
"groupName": "TypeScript tooling",
"matchPackageNames": [
"typescript",
"typescript-eslint",
"@typescript-eslint/*",
"ts-node",
"ts-jest",
"tslib"
]
},
{
"groupName": "ESLint",
"matchPackageNames": ["eslint", "eslint-*", "@eslint/*"]
},
{
"groupName": "SWC",
"matchPackageNames": ["@swc/*", "@swc-node/*"]
},
{
"groupName": "Tailwind CSS",
"matchPackageNames": ["tailwindcss", "@tailwindcss/*", "postcss"]
}
]
}