hold dependency updates back for 7 days (video-dev#4394)
* hold dependency updates back for 7 days

to reduce the risk of a hacked package version being merged in, because hopefully someone would notice in 7 days and have the hacked version removed.

Also enable `vulnerabilityAlerts`, meaning if GitHub marks a version as vulnerable and has a fix, that is automatically created immediately.

* disable lock file maintenance

because it would update a transitive dependency early
tjenkinson authored Oct 25, 2021
1 parent 6353fda commit 95b2650
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions renovate.json
@@ -3,6 +3,9 @@
"labels": ["dependencies", "skip-change-log"],
"commitMessagePrefix": "[skip netlify]",
"prHourlyLimit": 0,
"prCreation": "not-pending",
"stabilityDays": 7,
"vulnerabilityAlerts": true,
"packageRules": [
{
"matchPackagePatterns": ["*"],
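Review bot: the `"stabilityDays": 7` line added here only works as intended because `"prCreation": "not-pending"` sits directly above it; with `not-pending`, Renovate waits until the stability period has elapsed before opening a PR at all, rather than opening a PR that sits in a pending status for 7 days. That coupling is not obvious from the config and is worth a line in the commit message or a `"description"` entry in the file, so nobody later "simplifies" `prCreation` and silently turns the hold into a merely cosmetic delay. Two further caveats for the same hunk: the 7-day hold reduces the window only for a malicious release that is reported and unpublished within those 7 days, so it is a delay, not a guarantee, and `"vulnerabilityAlerts": true` depends on the repository's GitHub vulnerability alerts being enabled and readable by the Renovate bot; if they are not, the key does nothing without any error in the config, so that should be checked on the repository side when this lands.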
@@ -16,6 +19,5 @@
"matchDepTypes": ["peerDependencies"],
"rangeStrategy": "widen"
}
],
"lockFileMaintenance": { "enabled": true }
]
}
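Review bot: dropping `"lockFileMaintenance": { "enabled": true }` has a side effect the commit message does not spell out: transitive dependencies will now only be refreshed when a direct dependency's range changes and the lock file is rewritten as part of that update, so stale transitive packages can sit indefinitely. That is a deliberate trade-off against the "early transitive update" risk named in the message, but it should be recorded somewhere, either in the commit message or as a `"description"` field in `renovate.json`, so the next person looking at why lock-file maintenance is off does not simply re-enable it. Minor: the hunk leaves `"packageRules"` closed with a bare `]` followed by `}`, which is valid JSON, so nothing to change there.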
