
fix(renovate): add npm to enabledManagers #71

Merged
williaby merged 3 commits into main from fix/renovate-enabledmanagers-coverage
Jun 4, 2026

Conversation

@williaby
Contributor

@williaby williaby commented Jun 4, 2026

Summary

Adds npm to Renovate's enabledManagers so the npm frontend is covered.

The effective enabledManagers was ["pep621", "github-actions"], which excluded the npm frontend at frontend/package.json + frontend/package-lock.json. As a result Renovate ignored the frontend entirely, leaving its open npm vulnerabilities unmanaged (GitHub reports 16 Dependabot alerts on the default branch: 2 critical, 9 high, 4 moderate, 1 low).

The npm manager matches package.json at any depth, so enabling it covers the frontend without a per-directory override.

Changes

  • renovate.json: add npm to enabledManagers (pep621 and github-actions retained).

Validation

  • pre-commit run --files renovate.json passes, including renovate-config-validator.

Generated with Claude Code

The repo has an npm frontend (frontend/package.json,
frontend/package-lock.json) that the effective enabledManagers
(pep621, github-actions) did not cover, leaving npm dependency
vulnerabilities unmanaged by Renovate. The npm manager matches
package.json at any depth, so enabling it covers the frontend
without a per-directory override.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 4, 2026 04:45
@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 42 minutes and 11 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f04b026d-e57a-4143-859a-0141e066860f

📥 Commits

Reviewing files that changed from the base of the PR and between 0d09232 and fa06474.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • renovate.json

@github-actions

github-actions Bot commented Jun 4, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None


Copilot AI left a comment


Pull request overview

This PR updates the repository’s Renovate configuration to ensure the JavaScript frontend dependencies are included in Renovate’s update and vulnerability remediation workflow.

Changes:

  • Added the npm manager to enabledManagers in renovate.json (retaining pep621 and github-actions).

@williaby
Contributor Author

williaby commented Jun 4, 2026

PR Review

The one-line change is correct and safe: enabledManagers is an allowlist that overrides config:recommended, so npm was genuinely excluded; enabling it covers frontend/package.json. npm updates default to automerge: false (no automerge rule matches the npm manager). Findings below are refinements, not blockers.

Review status: Copilot reviewed (0 findings). CodeRabbit's check is green but no review actually ran (rate/credit limit). SonarCloud analysis still in progress at review time.

Important

  • renovate.json packageRules: npm vulnerability updates miss the priority handling Python gets. Both security rules are datasource-scoped and exclude npm: "Security updates - high priority" (matchDatasources: ["pypi", "github-actions"]) and "Critical security updates - immediate" (matchDatasources: ["pypi"], prPriority: 10). This PR exists to remediate 16 npm alerts (2 critical, 9 high), yet those npm vuln PRs won't receive prPriority: 10 or the enriched security labels. The top-level vulnerabilityAlerts block still raises them immediately with the security label, so they aren't ignored, just not prioritized to match Python. Fix: add "npm" to the matchDatasources arrays of both security rules.

Suggested

  • No npm grouping rule. Python and Actions deps are grouped; npm has no matchManagers: ["npm"] group, so each frontend package opens its own PR. With prConcurrentLimit: 5 and 16 pending alerts, expect a throttled burst of individual PRs. Consider a "Group npm dependencies" rule.
  • CHANGELOG.md not updated for a fix:-typed PR. renovate.json is CI tooling config (arguably CHANGELOG-exempt), but the rule technically applies; add a line or confirm the exemption.

Informational

  • Global rangeStrategy: "bump" now also governs frontend/package.json; verify the range-bump behavior is intended (lockfile pins resolution regardless).

🤖 Generated with Claude Code

Builds on enabling the npm manager: without these rules, frontend npm
updates fall through to default handling while Python and Actions get
prioritized, labeled, and grouped treatment.

- add the npm datasource to both security packageRules ("high priority"
  and "critical immediate" prPriority:10) so frontend CVEs are raised
  with the same priority and labels as Python
- add a "npm dependencies" grouping rule so frontend updates batch into
  one PR instead of one PR per package (respects prConcurrentLimit)
- document the npm-coverage change under CHANGELOG [Unreleased]

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
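The gap the review above describes (a manager listed in enabledManagers whose datasource no security packageRule matches) can be checked mechanically before merging a Renovate config change. The following is an added example, not the repository's own config or tooling: the JSON is a constructed approximation of this PR's renovate.json, rules are treated as "security rules" when their description says so, and the manager-to-datasource map is an assumption that holds for the three managers involved.

```python
import json

# Assumed default datasource each enabled manager queries (holds for these three).
MANAGER_DATASOURCE = {"pep621": "pypi", "github-actions": "github-actions", "npm": "npm"}

# Constructed approximation of renovate.json as first pushed in this PR:
# npm is now enabled, but both security rules are still scoped to the
# Python and Actions datasources.
BEFORE = json.loads("""{
  "extends": ["config:recommended"],
  "enabledManagers": ["pep621", "github-actions", "npm"],
  "prConcurrentLimit": 5,
  "vulnerabilityAlerts": {"labels": ["security"]},
  "packageRules": [
    {"description": "Security updates - high priority",
     "matchDatasources": ["pypi", "github-actions"],
     "labels": ["security", "high-priority"]},
    {"description": "Critical security updates - immediate",
     "matchDatasources": ["pypi"], "prPriority": 10}
  ]
}""")


def security_rules(config):
    """Rules treated as security rules (constructed convention: 'security' in description)."""
    return [r for r in config.get("packageRules", [])
            if "security" in r.get("description", "").lower()]


def uncovered_managers(config):
    """Enabled managers whose datasource no security rule lists in matchDatasources."""
    gaps = []
    for manager in config.get("enabledManagers", []):
        datasource = MANAGER_DATASOURCE[manager]
        if not any(datasource in r.get("matchDatasources", []) for r in security_rules(config)):
            gaps.append(manager)
    return gaps


def add_datasource_to_security_rules(config, datasource):
    """Return a copy with `datasource` added to every security rule (the review's fix)."""
    fixed = json.loads(json.dumps(config))  # deep copy so the input is not mutated
    for rule in security_rules(fixed):
        if datasource not in rule.setdefault("matchDatasources", []):
            rule["matchDatasources"].append(datasource)
    return fixed


if __name__ == "__main__":
    print("uncovered before:", uncovered_managers(BEFORE))  # ['npm']
    print("uncovered after: ", uncovered_managers(add_datasource_to_security_rules(BEFORE, "npm")))  # []
```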
@williaby
Contributor Author

williaby commented Jun 4, 2026

PR Fix Summary

Applied 3 findings from the review in fa06474cf4ec3397cd42cdaac8a3bcbc42e4d4eb (signed):

Config (renovate.json)

  • (Important) Added the npm datasource to both security packageRules ("Security updates - high priority" and "Critical security updates - immediate" prPriority: 10) so frontend npm CVEs are raised with the same priority and labels as Python. Previously the npm vulnerabilities this PR targets would have fallen through to default handling.
  • (Suggested) Added a "npm dependencies" grouping rule so frontend updates batch into one PR rather than one-per-package (respects prConcurrentLimit: 5).

Docs (CHANGELOG.md)

  • (Suggested) Added an [Unreleased] → Changed entry documenting the npm coverage change.

Remaining (no code change, by design)

  • rangeStrategy: "bump" now also governs frontend/package.json; verify the range-bump behavior is intended (lockfile pins resolution regardless).
  • CodeRabbit's check is green but its review was rate-limited; re-trigger with @coderabbitai review for actual coverage.

Verification: renovate-config-validator and all pre-commit hooks pass locally; valid JSON; branch up-to-date with main.

🤖 Generated with Claude Code

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

@williaby: All three findings have been cleanly addressed — the npm datasource additions to both security rules close the priority gap that motivated this PR, the grouping rule will keep the PR queue manageable under prConcurrentLimit: 5, and the CHANGELOG entry is now present. The rangeStrategy: "bump" note is properly carried forward as an informational item with no action needed. Kicking off a full review now to cover the updated state of the branch.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@sonarqubecloud

sonarqubecloud Bot commented Jun 4, 2026

@williaby williaby merged commit eeb111f into main Jun 4, 2026
35 checks passed
@williaby williaby deleted the fix/renovate-enabledmanagers-coverage branch June 4, 2026 22:10