chore(deps): update dependency renovate to v42

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
renovate (source)	41.173 -> 42.1

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

renovatebot/renovate (renovate)

v42.1.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.1.4 (main) (#​39174) (1216402)

Build System

• deps: update dependency @​renovatebot/osv-offline to v1.7.10 (main) (#​39173) (a8f1501)

v42.1.2

Compare Source

Bug Fixes

• nuget: correct escaping syntax (#​39120) (50471cb)
• skip npm installation if no constraint specified (#​38974) (98eef7e)

v42.1.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.1.3 (main) (#​39172) (0ffd324)

v42.1.0

Compare Source

Features

• pip-compile: Support more uv pip compile options (#​39167) (0b02c42)

Code Refactoring

• deb: Split DebDatasource in smaller pieces and prepare for mutli-compression feature (#​38254) (5d36cf1)
• presets: add type for presets with global-only configuration (#​39166) (8348930)

Build System

• deps: update dependency @​sindresorhus/is to v7.1.1 (main) (#​39169) (2ed5bc5)

Continuous Integration

• add an "ago" note to the notification (#​39161) (a75dc8c)

v42.0.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v12.1.2 (main) (#​39164) (534a686)

Documentation

• reference glob tool (#​39154) (6f6a94a)

v42.0.2

Compare Source

Bug Fixes

• git-submodules: avoid network call during extract (#​39147) (7688550)

Miscellaneous Chores

• deps: update dependency rimraf to v6.1.0 (main) (#​39150) (c94c65f)

v42.0.1

Compare Source

Documentation

• major-release: document "why", "when", "how" (#​38963) (cd757d8)
• minimumReleaseAge: document how to opt-out a dependency (#​39119) (81697ad)

Miscellaneous Chores

• deps: update dependency @​smithy/util-stream to v4.5.5 (main) (#​39143) (1563b41)
• deps: update dependency @​vitest/eslint-plugin to v1.4.0 (main) (#​39138) (bddc1c3)
• update pull request template (#​39136) (39a1b86)

Build System

• deps: update dependency google-auth-library to v10.5.0 (main) (#​39146) (748a623)

v42.0.0

Compare Source

Breaking changes for 42

Using minimumReleaseAge will now require a release timestamp #​38843

When specifying minimumReleaseAge, Renovate will look for a release timestamp to determine the age of the release, and whether it matched the minimumReleaseAge configuration.

Before Renovate 42, if a release timestamp was not present, Renovate would treat the dependency update as if the release timestamp was present and the dependency had passed that lifetime.

This means that users with artifact proxies, or in cases that the release timestamp wasn't consistently present could lead to dependencies "slipping through", and being updated before Renovate's policy enforced it to.

As of Renovate 42, the configuration minimumReleaseAgeBehaviour (added in 41.150.0) requires the release timestamp to be present.

If the release timestamp isn't present, Renovate will mark it as "awaiting schedule", and will output a debug log message to explain why.

You can revert to the existing behaviour by setting minimumReleaseAgeBehaviour=timestamp-optional.

Note that not all datasources support this functionality, nor do custom registries (such as Artifactory, etc).
For more details on how to verify support for your repository, check out the Minimum Release Age documentation

minimumReleaseAge: 3 days will now be set by default for npm in config:best-practices #​37967

For users of config:best-practices, the Minimum Release Age functionality will now apply by default for the npm ecosystem.

This will introduce a delay of 3 days between package publishing and Renovate suggesting an update for the release, so:

• there is time for malware researchers and scanners to (possibly) detect any malicious behaviour in new releases, before your CI infrastructure or developers receive a malicious version upgrade
• you are not at risk of the package being unpublished in the 3 day window that the npm registry allows

This will be enforced by default for packages using the npm datasource via the security:minimumReleaseAgeNpm preset.

[!NOTE]
This may require additional configuration if using a custom registry, or you have packages that you wish to not have minimum release age checks.

For more details on this functionality, check out the Minimum Release Age documentation.

Renovate now defaults to using Node.JS 24 #​38939

With Node 24 now in Long Term Support (LTS) release status, we have moved to target Node.JS 24 (^24.11.0) as our default engine for Node, and retain support for Node 22.

The pre-built Docker containers have been updated to use Node 24.

If you self-host without using our Docker image, you should be able to continue running Renovate with Node 22, for instance if you build your own image, or run the renovate npm package.

Redis clusters now authenticate to all nodes in the cluster with the provided credentials

When running Renovate against a Redis cluster with authentication, it was possible that a NOAUTH Authentication required error may appear:

DEBUG: Redis cache init
DEBUG: Redis cache connected
...
 WARN: Error while setting Redis cache value (repository=jcl-test/example)
       "err": {"message": "NOAUTH Authentication required."}

Renovate will now use the same authentication for all nodes in a cluster.

Support Yarn Catalogs #​38215

We now support the official Yarn Catalog functionality.

As part of this, we have removed support for the yarn-plugin-catalogs community plugin.

If you are using the yarn-plugin-catalogs community plugin, you will need to migrate your catalogs to the official Yarn Catalog functionality before Renovate 42 will update your dependencies.

Remove versioning modules needing to implement rangeStrategy=pin #​36261

This is an internal refactor to make it easier for creating and maintaining versioning modules.

This should not be a non-breaking change, as the versioning modules will have defaults available.

However, we're releasing it as part of this major release, and highlighting it, in case it does lead to breaking changes.

PGP encryption is now performed using Bouncy Castle #​39032

GPG encryption is no longer performed using kbpgp Keybase's PGP for JavaScript), and has been replaced with a Bouncy Castle version.

Some users have found license compliance issues with the kbpgp package, so this will now resolve them.

Legacy RSA encryption has been removed #​39111

Deprecated since 37.315.0 (2024-04-21), the legacy RSA encryption is now no longer available.

Change to the default User Agent #​37535

The user-agent header for Renovate's outgoing HTTP calls has changed the default to Renovate/${version}.

Default tool version updates #​39100

For users of the upstream Renovate container images, the following tools have been updated to new major versions:

Tool	Version
Erlang	28
Gradle	9
Java	25
Node	24
Python	3.14.0

Commentary for 42

Focus on minimumReleaseAge

You'll notice that there are a number of big features here - and in recent minor releases - that focus on Minimum Release Age.

With recent supply chain attacks, the Renovate team have been hard at work improving the support we've had in Renovate (since 2019!) for this functionality, and making it as predictable as possible, so we can then enable it by default for users of config:best-practices.

You can read more about this focus in a blog post we've written on the Mend blog.

We're starting with the enabling of the npm datasource, but will look to extend this functionality in future major releases, based on community feedback, and ecosystem support.

Deprecations

As part of this release, we want to make you aware of deprecated features which will be removed as of Renovate 43:

• the renovate-schema.json will only support repository configuration, and a separate renovate-admin-schema.json will be needed for global/self-hosted configuration

42.0.0 (2025-11-06)

⚠ BREAKING CHANGES

• deps: Update ghcr.io/renovatebot/base-image Docker tag to v12 (main) (#​39100)
• deps: Needs NodeJS v24.11.0 instead of v24.10.0. NodeJS v22 is still supported.
• npm: communit plugin yarn-catalogs-plugin is not supported anymore
• drop legacy rsa encryption (#​39111)
• remove rangeStrategy=pin from versioning modules (#​36261)
• minimumReleaseAge: require a release timestamp by default (#​38843)
• best-practices: provide default minimumReleaseAge for npm (#​37967)
• redis: add default auth to redis clusters (#​37337)
• remove the "Bot" from user-agent header (#​37535)

Features

• best-practices: provide default minimumReleaseAge for npm (#​37967) (e371de1), closes #​37952
• deps: Update ghcr.io/renovatebot/base-image Docker tag to v12 (main) (#​39100) (f9f810f)
• minimumReleaseAge: require a release timestamp by default (#​38843) (1cf9b1c), closes #​37952
• npm: support yarn catalogs (#​38215) (d7a741b)
• replace kbpgp with bcpgp (#​39032) (6de0097)

Bug Fixes

• drop legacy rsa encryption (#​39111) (f1eefcf)
• redis: add default auth to redis clusters (#​37337) (df9844d)
• remove the "Bot" from user-agent header (#​37535) (4e4a0f9)

Code Refactoring

• remove rangeStrategy=pin from versioning modules (#​36261) (0d5d7a8)

Build System

• deps: update dependency node to v24 (main) (#​38939) (2e3da4d)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.