This repository has been archived by the owner on Dec 12, 2020. It is now read-only.

Update dependencies for vulnerability alerts only #138

Closed
Waldo000000 opened this issue Jan 9, 2019 · 8 comments
@Waldo000000

Waldo000000 commented Jan 9, 2019

Is there a way to configure renovate to raise PRs for vulnerability alerts only? I've tried this:

{
  "extends": [
    "config:base"
  ],
  "enabled": "false",
  "vulnerabilityAlerts": {
    "enabled": "true"
  }
}

But from the logs that results in Repository is disabled - skipping.

@Waldo000000
Author

Waldo000000 commented Jan 9, 2019

Managed to sort of achieve this via:

{
  "extends": [
    "config:base"
  ],
  "schedule": "before 3am on the first day of the year"
}

This ensures that renovate will only raise PRs for vulnerability alerts (which are the only ones -- except for pinning PRs -- to bust through the schedule) at least until Jan 1 2020.

Hoping for a more intuitive solution though :-)

EDIT: Actually this doesn't work as renovate ignores the day of year filter in the schedule.

@rarkins
Collaborator

rarkins commented Jan 10, 2019

Hi,

Can you try this?

{
  "packageRules": [
    {
      "packagePatterns": ["*"],
      "enabled": false
    }
  ],
  "vulnerabilityAlerts": {
    "enabled": true
  }
}

@rarkins
Collaborator

rarkins commented Jan 10, 2019

"enabled": false at the top of a config is really a "go away, do not renovate this repository" instruction, so that's why it immediately shortcuts and quits. My goal with the above is to disable all packages so that (a) we still extract/discover them all, but (b) the vulnerability alerts take over. BTW I don't think the vulnerabilityAlerts enabling is even necessary because it's enabled by default: https://github.com/renovatebot/renovate/blob/827e9de100b7b0b15227c184554fd7d662b85726/lib/config/definitions.js#L809

But you can leave it in to make your config more "readable".

@rarkins rarkins self-assigned this Jan 10, 2019
@rarkins rarkins added the review label Jan 10, 2019
@Waldo000000
Author

Thanks @rarkins. I've made that update and will see what happens.

@prestonvanloon

@rarkins, we've also made the same change here: https://github.com/prysmaticlabs/website/blob/master/renovate.json

If anyone is looking for an example ^

@rarkins rarkins closed this as completed Jan 15, 2019
@rarkins rarkins removed the review label Jan 15, 2019
@Waldo000000
Author

@rarkins I've tried that out (as we've recently had a GitHub alert pop up) and this was the result:

  1. Initially we had a schedule:monthly preset, and this suppressed the PR (it was there just in case, in future, we decide to enable PRs for some other packages)
  2. I removed the schedule:monthly preset, and this resulted in a PR being raised to address the vulnerability 🎉 However, it just looked like a regular renovate PR and was missing the commitMessageSuffix.

Are those two above behaviors expected?
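An added check (not part of Renovate, and not posted by anyone in this thread) that reads a renovate.json and flags the pitfalls discussed above: a string-valued or false top-level "enabled", a "packageRules" entry that is not an object, a missing disable-all rule, a non-boolean "vulnerabilityAlerts.enabled", and a schedule or schedule:* preset. The function name and the sample configs are constructed for illustration.

```python
import json

def check_vuln_only_config(cfg):
    """Return problem strings for a renovate.json meant to raise PRs for
    vulnerability alerts only; an empty list means nothing was flagged.
    Hypothetical helper written for this thread, not Renovate's own validator."""
    problems = []
    # Top-level "enabled": false means "skip this repository entirely", and a
    # string value such as "false" is not a boolean at all.
    if "enabled" in cfg:
        if not isinstance(cfg["enabled"], bool):
            problems.append("top-level enabled is %r, not a JSON boolean" % (cfg["enabled"],))
        if cfg["enabled"] in (False, "false"):
            problems.append("top-level enabled:false disables the whole repository")
    # packageRules must be an array of rule objects (braces around each rule).
    rules = cfg.get("packageRules", [])
    if not isinstance(rules, list) or not all(isinstance(r, dict) for r in rules):
        problems.append("packageRules must be an array of rule objects")
        rules = []
    # Intended pattern: one rule disables every package, so packages are still
    # discovered but only the vulnerability-alert path raises PRs.
    if not any(r.get("enabled") is False and "*" in r.get("packagePatterns", []) for r in rules):
        problems.append('no packageRules entry with packagePatterns ["*"] and enabled:false')
    # vulnerabilityAlerts is on by default; only an explicit false (or a string) is a problem.
    va = cfg.get("vulnerabilityAlerts", {})
    if isinstance(va, dict) and "enabled" in va and va["enabled"] is not True:
        problems.append("vulnerabilityAlerts.enabled is %r; alert PRs may never be raised" % (va["enabled"],))
    # A schedule key or a schedule:* preset was reported above to suppress the alert PR.
    presets = [p for p in cfg.get("extends", []) if str(p).startswith("schedule:")]
    if cfg.get("schedule") or presets:
        what = ", ".join(presets) or str(cfg.get("schedule"))
        problems.append("a schedule is set (%s); it was reported to suppress the alert PR" % what)
    return problems

# Constructed samples: the first attempt from this issue and the fixed form.
FIRST_ATTEMPT = json.loads('''{"extends": ["config:base"], "enabled": "false",
  "vulnerabilityAlerts": {"enabled": "true"}}''')
WORKING = json.loads('''{"extends": ["config:base"],
  "packageRules": [{"packagePatterns": ["*"], "enabled": false}],
  "vulnerabilityAlerts": {"enabled": true}}''')

if __name__ == "__main__":
    for name, cfg in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        print(name, check_vuln_only_config(cfg) or "OK")
```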

@rarkins
Collaborator

rarkins commented Jan 25, 2019

@Waldo000000 can you give me a basic package.json and renovate.json that would reproduce the issue? I assume it's a public package if GitHub are alerting you about it.

@rarkins rarkins reopened this Jan 25, 2019
@stale

stale bot commented Jan 28, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed soon if no further activity occurs.
