
build: Decrease renovate noise#529

Open
aig-hannes wants to merge 1 commit intomainfrom
feature/reduce-renovate-noise

Conversation

@aig-hannes (Collaborator)

Currently, renovate aggressively creates MRs in our repos, potentially pulling malicious dependencies from open source components before they may be spotted by the community (supply chain attacks). Furthermore, they are causing a lot of noise in our inboxes. This change introduces the following changes:

  • updates must be at least 2 weeks old
  • unless they fix a known vulnerability
  • pull requests are only opened once the change has passed the internal checks

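One way to express the three rules above in Renovate, given here as an added example and not as the configuration from this PR (the page does not show the diff). The option names (`minimumReleaseAge`, `internalChecksFilter`, `prCreation`, `vulnerabilityAlerts`, `osvVulnerabilityAlerts`) are Renovate's; the claim about Renovate's default for vulnerability alerts, the `labels` value and the choice of `status-success` over `not-pending` are the editor's assumptions and should be checked against the Renovate docs for the version in use:

```json5
// renovate.json5 -- added example of the policy described in the PR text.
// Not the repository's own config; written by the editor for illustration.
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Rule 1: ignore any release younger than 14 days, so a freshly published
  // malicious version has time to be noticed and yanked before Renovate
  // proposes it. Only datasources that expose a release timestamp (npm,
  // PyPI, Maven, ...) can be filtered this way; releases without one are
  // not delayed, which is the caveat to keep in mind for less common
  // registries.
  minimumReleaseAge: "14 days",

  // Never propose a release that fails the age check, even if no candidate
  // passes it ("flexible" would fall back to the newest release in that
  // case). "strict" is assumed to be Renovate's default; stated explicitly.
  internalChecksFilter: "strict",

  // Rule 3: open the PR only once the update branch's status checks have
  // passed. "not-pending" would open it as soon as checks finish, even on
  // failure; "status-success" is the stricter reading of the PR text.
  prCreation: "status-success",

  // Rule 2: security fixes bypass the waiting period. To the editor's
  // understanding Renovate already sets minimumReleaseAge to null for
  // vulnerability alerts; repeating it here makes the exemption explicit
  // and reviewable in the repo.
  vulnerabilityAlerts: {
    minimumReleaseAge: null,
    prCreation: "immediate",
    labels: ["security"], // assumed label name, adjust to the repo's scheme
  },

  // Use OSV advisories as a second vulnerability source, so the exemption
  // does not depend solely on the platform's (e.g. Dependabot) alert feed.
  osvVulnerabilityAlerts: true,
}
```

The trade-off discussed in the thread below is visible in the block: the 14-day delay only covers the "bad version was published" scenario, while the `vulnerabilityAlerts` override covers the "bad version is the one you already have" scenario, but only for vulnerabilities that have reached an advisory feed Renovate consults.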
@sonarqubecloud

sonarqubecloud bot commented Apr 8, 2026

@olivermeyer (Collaborator)

Nice, I didn't know this was an option.

We discussed exactly this following the recent Trivy supply chain attack, and agreed to continue upgrading dependencies as quickly as possible, i.e. not use the minimumReleaseAge config. Our reasoning was that, while in the Trivy case the safe option was to not upgrade, it's just as likely that the safe option in the next incident will be to upgrade immediately. We did not however discuss the option of waiting 14 days for upgrades unless they fix a known vulnerability.

This seems to give the best of both worlds, but I'd be curious to get @helmut-hoffer-von-ankershoffen's thoughts on this as he was advocating for immediate upgrades.

@codecov

codecov bot commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 9 files with indirect coverage changes

2 participants