Renovate not create PRs for vulnerabilityAlerts

[MaxymVlasov]

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us what version of Renovate you run.

No response

If you're self-hosting Renovate, select which platform you are using.

None

Was this something which used to work for you, and then stopped?

I am trying to get this working for the first time

Describe the problem

Renovate App don't create vulnerabilityAlerts PRs. Dependabot detects them and is able to create its own PRs

All settings are done as specified in https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts

You can double-check Renovate App and repo settings in the minimal reproduce repo.

Minimal reproduce repo - https://github.com/MaxymVlasov/renovate-vuln-alerts

Relevant debug logs

Logs

DEBUG: File config
{
  "config": {}
}

DEBUG: CLI config
{
  "config": {}
}

DEBUG: Env config
{
  "config": {
    "allowPostUpgradeCommandTemplating": true,
    "allowedPostUpgradeCommands": [
      "^git add --all$",
      "^git reset$",
      "^npx beachball change( --no-fetch)? --no-commit --type (patch|none) --message '{{{commitMessage}}}'$",
      "^pwd$"
    ],
    "baseDir": "/tmp/worker/f3a4fa/ad578f",
    "dependencyDashboardFooter": "\n- [ ] <!-- manual job -->Check this box to trigger a request for Renovate to run again on this repository\n",
    "extends": [
      "github>whitesource/merge-confidence:beta"
    ],
    "forkProcessing": "enabled",
    "gitAuthor": "renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>",
    "gitIgnoredAuthors": [
      "29139614+renovate[bot]@users.noreply.github.com"
    ],
    "hostRules": [
      {
        "hostType": "docker",
        "matchHost": "docker.io",
        "password": "***********",
        "username": "mdpprod2renovate"
      }
    ],
    "logContext": "7189a8573e50436995e3f0ad7f5b5089",
    "logFile": "/tmp/worker/f3a4fa/ad578f/github/MaxymVlasov/renovate-vuln-alerts/7189a8573e50436995e3f0ad7f5b5089.log",
    "logFileLevel": "debug",
    "onboardingConfig": {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "extends": [
        "config:base"
      ]
    },
    "onboardingNoDeps": true,
    "platform": "github",
    "platformCommit": true,
    "prHeader": "[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)",
    "repositories": [
      "MaxymVlasov/renovate-vuln-alerts"
    ],
    "token": "***********",
    "username": "renovate[bot]",
    "repositoryCache": "enabled",
    "repositoryCacheType": "s3://mend-developer-platform-prod/renovate/",
    "binarySource": "docker",
    "redisUrl": "redis://mend-developer-platform-renovate-prod.aqffol.ng.0001.use1.cache.amazonaws.com:6379",
    "dockerChildPrefix": "renovate_a_",
    "dockerImagePrefix": "ghcr.io/containerbase",
    "privateKey": "***********",
    "privateKeyOld": "***********",
    "prFooter": "This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#{{platform}}/{{repository}})."
  }
}

DEBUG: Combined config
{
  "config": {
    "allowPostUpgradeCommandTemplating": true,
    "allowedPostUpgradeCommands": [
      "^git add --all$",
      "^git reset$",
      "^npx beachball change( --no-fetch)? --no-commit --type (patch|none) --message '{{{commitMessage}}}'$",
      "^pwd$"
    ],
    "baseDir": "/tmp/worker/f3a4fa/ad578f",
    "dependencyDashboardFooter": "\n- [ ] <!-- manual job -->Check this box to trigger a request for Renovate to run again on this repository\n",
    "extends": [
      "github>whitesource/merge-confidence:beta"
    ],
    "forkProcessing": "enabled",
    "gitAuthor": "renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>",
    "gitIgnoredAuthors": [
      "29139614+renovate[bot]@users.noreply.github.com"
    ],
    "hostRules": [
      {
        "hostType": "docker",
        "matchHost": "docker.io",
        "password": "***********",
        "username": "mdpprod2renovate"
      }
    ],
    "logContext": "7189a8573e50436995e3f0ad7f5b5089",
    "logFile": "/tmp/worker/f3a4fa/ad578f/github/MaxymVlasov/renovate-vuln-alerts/7189a8573e50436995e3f0ad7f5b5089.log",
    "logFileLevel": "debug",
    "onboardingConfig": {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "extends": [
        "config:base"
      ]
    },
    "onboardingNoDeps": true,
    "platform": "github",
    "platformCommit": true,
    "prHeader": "[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)",
    "repositories": [
      "MaxymVlasov/renovate-vuln-alerts"
    ],
    "token": "***********",
    "username": "renovate[bot]",
    "repositoryCache": "enabled",
    "repositoryCacheType": "s3://mend-developer-platform-prod/renovate/",
    "binarySource": "docker",
    "redisUrl": "redis://mend-developer-platform-renovate-prod.aqffol.ng.0001.use1.cache.amazonaws.com:6379",
    "dockerChildPrefix": "renovate_a_",
    "dockerImagePrefix": "ghcr.io/containerbase",
    "privateKey": "***********",
    "privateKeyOld": "***********",
    "prFooter": "This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#{{platform}}/{{repository}})."
  }
}

DEBUG: Enabling forkProcessing while in non-autodiscover mode
DEBUG: Found valid git version: 2.40.1
DEBUG: Using default github endpoint: https://api.github.com/
DEBUG: Platform config
{
  "platformConfig": {
    "hostType": "github",
    "endpoint": "https://api.github.com/",
    "isGHApp": true,
    "isGhe": false
  }
  "renovateUsername": "renovate[bot]"
}

DEBUG: Using configured gitAuthor (renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>)
DEBUG: Adding token authentication for api.github.com to hostRules
DEBUG: Using configured baseDir: /tmp/worker/f3a4fa/ad578f
DEBUG: Using cacheDir: /tmp/worker/f3a4fa/ad578f/cache
DEBUG: Using containerbaseDir: /tmp/worker/f3a4fa/ad578f/cache/containerbase
DEBUG: Redis cache init
DEBUG: Commits limit = null
DEBUG: Setting global hostRules
DEBUG: Adding password authentication for docker.io to hostRules
DEBUG: Adding token authentication for api.github.com to hostRules
DEBUG: validatePresets()
DEBUG: Reinitializing hostRules for repo
DEBUG: Clearing hostRules
DEBUG: Adding password authentication for docker.io to hostRules
DEBUG: Adding token authentication for api.github.com to hostRules
DEBUG: No dangling containers to remove
INFO: Repository started
{
  "renovateVersion": "35.115.2"
}

DEBUG: Using localDir: /tmp/worker/f3a4fa/ad578f/repos/github/MaxymVlasov/renovate-vuln-alerts
DEBUG: PackageFiles.clear() - Package files deleted
DEBUG: initRepo("MaxymVlasov/renovate-vuln-alerts")
DEBUG: MaxymVlasov/renovate-vuln-alerts default branch = main
DEBUG: Using app token for git init
DEBUG: RepoCacheS3.read() - success
DEBUG: Repository cache is restored from revision 13
DEBUG: Resetting npmrc
DEBUG: Resetting npmrc
DEBUG: checkOnboarding()
DEBUG: isOnboarded()
DEBUG: findPr(renovate/configure, Configure Renovate, !open)
DEBUG: getPrList success
{
  "pullsTotal": 1
  "requestsTotal": 1
  "apiQuotaAffected": true
}

DEBUG: Checking cached config file name
DEBUG: GET https://api.github.com/repos/MaxymVlasov/renovate-vuln-alerts/contents/renovate.json = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=96)
DEBUG: Existing config file no longer exists
DEBUG: findFile(renovate.json)
DEBUG: Initializing git repository into /tmp/worker/f3a4fa/ad578f/repos/github/MaxymVlasov/renovate-vuln-alerts
DEBUG: Performing blobless clone
DEBUG: git clone completed
{
  "durationMs": 310
}

DEBUG: latest repository commit
{
  "latestCommit": {
    "hash": "5716d081e83e68a94fd58156dcd5bec1cb8e1672",
    "date": "2023-06-13T21:56:22+03:00",
    "message": "Add basic config",
    "refs": "HEAD -> main, origin/main, origin/HEAD",
    "body": "",
    "author_name": "MaxymVlasov",
    "author_email": "MaxymVlasov@users.noreply.github.com"
  }
}

DEBUG: findFile(renovate.json5)
DEBUG: Config file exists, fileName: renovate.json5
DEBUG: Retrieving issueList
DEBUG: Retrieved 0 issues
DEBUG: Repo is onboarded
DEBUG: Delete Onboarding Cache
DEBUG: Found renovate.json5 config file
DEBUG: Repository config
{
  "fileName": "renovate.json5"
  "config": {
    "extends": [
      "config:base"
    ],
    "vulnerabilityAlerts": {
      "description": "Be sure that the Dependency graph and Dependabot alerts are enabled for the repo. Details: https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts",
      "enabled": true
    }
  }
}

DEBUG: migrateAndValidate()
DEBUG: No config migration necessary
DEBUG: massaged config
{
  "config": {
    "extends": [
      "github>whitesource/merge-confidence:beta",
      "config:base"
    ],
    "vulnerabilityAlerts": {
      "description": [
        "Be sure that the Dependency graph and Dependabot alerts are enabled for the repo. Details: https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts"
      ],
      "enabled": true
    }
  }
}

DEBUG: migrated config
{
  "config": {
    "extends": [
      "github>whitesource/merge-confidence:beta",
      "config:base"
    ],
    "vulnerabilityAlerts": {
      "description": [
        "Be sure that the Dependency graph and Dependabot alerts are enabled for the repo. Details: https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts"
      ],
      "enabled": true
    }
  }
}

DEBUG: Setting hostRules from config
DEBUG: Found repo ignorePaths
{
  "ignorePaths": [
    "**/node_modules/**",
    "**/bower_components/**",
    "**/vendor/**",
    "**/examples/**",
    "**/__tests__/**",
    "**/test/**",
    "**/tests/**",
    "**/__fixtures__/**"
  ]
}

DEBUG: GitHub vulnerability details
{
  "alerts": {
    "pip/pymdown-extensions": {
      ">= 1.5, < 10.0": "10.0"
    },
    "pip/requests": {
      ">= 2.3.0, < 2.31.0": "2.31.0"
    }
  }
}

DEBUG: alert package rules
{
  "alertPackageRules": [
    {
      "matchDatasources": [
        "pypi"
      ],
      "matchPackageNames": [
        "pymdown-extensions"
      ],
      "matchCurrentVersion": "== 9.9.2",
      "matchFiles": [
        "Pipfile.lock"
      ],
      "allowedVersions": "==10.0",
      "prBodyNotes": [
        "### GitHub Vulnerability Alerts",
        "#### [CVE-2023-32309](https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-jh85-wwv9-24hv)\n\n### Summary\n\nArbitrary file read when using include file syntax.\n\n### Details\n\nBy using the syntax `--8<--\"/etc/passwd\"` or `--8<--\"/proc/self/environ\"` the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: `--8<-- \"../../../../etc/passwd\"`.\n\nWithin the Snippets extension, there exists a `base_path` option but the implementation is vulnerable to Directory Traversal.\nThe vulnerable section exists in `get_snippet_path(self, path)` lines 155 to 174 in snippets.py.\n\n```\nbase = \"docs\"\npath = \"/etc/passwd\"\nfilename = os.path.join(base,path) # Filename is now /etc/passwd\n```\n\n### PoC\n\n```py\nimport markdown\n\npayload = \"--8<-- \\\"/etc/passwd\\\"\"\nhtml = markdown.markdown(payload, extensions=['pymdownx.snippets'])\n\nprint(html)\n```\n\n### Impact\n\nAny readable file on the host where the plugin is executing may have its content exposed. This can impact any use of Snippets that exposes the use of Snippets to external users. \n\nIt is never recommended to use Snippets to process user-facing, dynamic content. It is designed to process known content on the backend under the control of the host, but if someone were to accidentally enable it for user-facing content, undesired information could be exposed.\n\n### Suggestion\n\nSpecified snippets should be restricted to the configured, specified base paths as a safe default. Allowing relative or absolute paths that escape the specified base paths would need to be behind a feature switch that must be opt-in and would be at the developer's own risk.\n"
      ],
      "isVulnerabilityAlert": true,
      "force": {
        "groupName": null,
        "schedule": [],
        "dependencyDashboardApproval": false,
        "minimumReleaseAge": null,
        "rangeStrategy": "update-lockfile",
        "commitMessageSuffix": "[SECURITY]",
        "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
        "prCreation": "immediate",
        "description": [
          "Be sure that the Dependency graph and Dependabot alerts are enabled for the repo. Details: https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts"
        ],
        "enabled": true
      }
    },
    {
      "matchDatasources": [
        "pypi"
      ],
      "matchPackageNames": [
        "requests"
      ],
      "matchCurrentVersion": "== 2.28.2",
      "matchFiles": [
        "Pipfile.lock"
      ],
      "allowedVersions": "==2.31.0",
      "prBodyNotes": [
        "### GitHub Vulnerability Alerts",
        "#### [CVE-2023-32681](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)\n\n### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://**redacted**@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP → HTTPS: **leak**\n2. HTTPS → HTTP: **no leak**\n3. HTTPS → HTTPS: **leak**\n4. HTTP → HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@&#8203;gmail.com)"
      ],
      "isVulnerabilityAlert": true,
      "force": {
        "groupName": null,
        "schedule": "[Circular]",
        "dependencyDashboardApproval": false,
        "minimumReleaseAge": null,
        "rangeStrategy": "update-lockfile",
        "commitMessageSuffix": "[SECURITY]",
        "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
        "prCreation": "immediate",
        "description": "[Circular]",
        "enabled": true
      }
    }
  ]
}

DEBUG: findIssue(Dependency Dashboard)
DEBUG: No baseBranches
DEBUG: extract()
DEBUG: Cached extract result cannot be used due to base branch SHA change (old=a30bf31262e89bac976dbd7e514183859b252b14, new=5716d081e83e68a94fd58156dcd5bec1cb8e1672)
DEBUG: Setting current branch to main
DEBUG: latest commit
{
  "branchName": "main"
  "latestCommitDate": "2023-06-13T21:56:22+03:00"
}

DEBUG: Using file match: (^|/)tasks/[^/]+\.ya?ml$ for manager ansible
DEBUG: Using file match: (^|/)requirements\.ya?ml$ for manager ansible-galaxy
DEBUG: Using file match: (^|/)galaxy\.ya?ml$ for manager ansible-galaxy
DEBUG: Using file match: (^|/)\.tool-versions$ for manager asdf
DEBUG: Using file match: azure.*pipelines?.*\.ya?ml$ for manager azure-pipelines
DEBUG: Using file match: (^|/)batect(-bundle)?\.ya?ml$ for manager batect
DEBUG: Using file match: (^|/)batect$ for manager batect-wrapper
DEBUG: Using file match: (^|/)WORKSPACE(|\.bazel)$ for manager bazel
DEBUG: Using file match: \.bzl$ for manager bazel
DEBUG: Using file match: (^|/)MODULE\.bazel$ for manager bazel-module
DEBUG: Using file match: (^|/)\.bazelversion$ for manager bazelisk
DEBUG: Using file match: \.bicep$ for manager bicep
DEBUG: Using file match: (^|/)\.?bitbucket-pipelines\.ya?ml$ for manager bitbucket-pipelines
DEBUG: Using file match: buildkite\.ya?ml for manager buildkite
DEBUG: Using file match: \.buildkite/.+\.ya?ml$ for manager buildkite
DEBUG: Using file match: (^|/)Gemfile$ for manager bundler
DEBUG: Using file match: \.cake$ for manager cake
DEBUG: Using file match: (^|/)Cargo\.toml$ for manager cargo
DEBUG: Using file match: (^|/)\.circleci/config\.ya?ml$ for manager circleci
DEBUG: Using file match: (^|/)cloudbuild\.ya?ml for manager cloudbuild
DEBUG: Using file match: (^|/)Podfile$ for manager cocoapods
DEBUG: Using file match: (^|/)([\w-]*)composer\.json$ for manager composer
DEBUG: Using file match: (^|/)conanfile\.(txt|py)$ for manager conan
DEBUG: Using file match: (^|/)cpanfile$ for manager cpanfile
DEBUG: Using file match: (^|/)(?:deps|bb)\.edn$ for manager deps-edn
DEBUG: Using file match: (^|/)(?:docker-)?compose[^/]*\.ya?ml$ for manager docker-compose
DEBUG: Using file match: (^|/|\.)([Dd]ocker|[Cc]ontainer)file$ for manager dockerfile
DEBUG: Using file match: (^|/)([Dd]ocker|[Cc]ontainer)file[^/]*$ for manager dockerfile
DEBUG: Using file match: (^|/)\.drone\.yml$ for manager droneci
DEBUG: Using file match: (^|/)fleet\.ya?ml for manager fleet
DEBUG: Using file match: (^|/)flux-system/(?:.+/)?gotk-components\.ya?ml$ for manager flux
DEBUG: Using file match: (^|/)\.fvm/fvm_config\.json$ for manager fvm
DEBUG: Using file match: (^|/)\.gitmodules$ for manager git-submodules
DEBUG: Using file match: ^(workflow-templates|\.github/workflows)/[^/]+\.ya?ml$ for manager github-actions
DEBUG: Using file match: (^|/)action\.ya?ml$ for manager github-actions
DEBUG: Using file match: \.gitlab-ci\.ya?ml$ for manager gitlabci
DEBUG: Using file match: \.gitlab-ci\.ya?ml$ for manager gitlabci-include
DEBUG: Using file match: (^|/)go\.mod$ for manager gomod
DEBUG: Using file match: \.gradle(\.kts)?$ for manager gradle
DEBUG: Using file match: (^|/)gradle\.properties$ for manager gradle
DEBUG: Using file match: (^|/)gradle/.+\.toml$ for manager gradle
DEBUG: Using file match: (^|/)buildSrc/.+\.kt$ for manager gradle
DEBUG: Using file match: \.versions\.toml$ for manager gradle
DEBUG: Using file match: (^|/)versions.props$ for manager gradle
DEBUG: Using file match: (^|/)versions.lock$ for manager gradle
DEBUG: Using file match: (^|/)gradle/wrapper/gradle-wrapper\.properties$ for manager gradle-wrapper
DEBUG: Using file match: (^|/)requirements\.ya?ml$ for manager helm-requirements
DEBUG: Using file match: (^|/)values\.ya?ml$ for manager helm-values
DEBUG: Using file match: (^|/)helmfile\.ya?ml$ for manager helmfile
DEBUG: Using file match: (^|/)Chart\.ya?ml$ for manager helmv3
DEBUG: Using file match: (^|/)bin/hermit$ for manager hermit
DEBUG: Using file match: ^Formula/[^/]+[.]rb$ for manager homebrew
DEBUG: Using file match: \.html?$ for manager html
DEBUG: Using file match: (^|/)plugins\.(txt|ya?ml)$ for manager jenkins
DEBUG: Using file match: (^|/)jsonnetfile\.json$ for manager jsonnet-bundler
DEBUG: Using file match: ^.+\.main\.kts$ for manager kotlin-script
DEBUG: Using file match: (^|/)kustomization\.ya?ml$ for manager kustomize
DEBUG: Using file match: (^|/)project\.clj$ for manager leiningen
DEBUG: Using file match: (^|/|\.)pom\.xml$ for manager maven
DEBUG: Using file match: ^(((\.mvn)|(\.m2))/)?settings\.xml$ for manager maven
DEBUG: Using file match: (^|\/).mvn/wrapper/maven-wrapper.properties$ for manager maven-wrapper
DEBUG: Using file match: (^|/)package\.js$ for manager meteor
DEBUG: Using file match: (^|/)Mintfile$ for manager mint
DEBUG: Using file match: (^|/)mix\.exs$ for manager mix
DEBUG: Using file match: (^|/)flake\.nix$ for manager nix
DEBUG: Using file match: (^|/)\.node-version$ for manager nodenv
DEBUG: Using file match: (^|/)package\.json$ for manager npm
DEBUG: Using file match: \.(?:cs|fs|vb)proj$ for manager nuget
DEBUG: Using file match: \.(?:props|targets)$ for manager nuget
DEBUG: Using file match: (^|/)dotnet-tools\.json$ for manager nuget
DEBUG: Using file match: (^|/)global\.json$ for manager nuget
DEBUG: Using file match: (^|/)\.nvmrc$ for manager nvm
DEBUG: Using file match: (^|/)src/main/features/.+\.json$ for manager osgi
DEBUG: Using file match: (^|/)pyproject\.toml$ for manager pep621
DEBUG: Using file match: (^|/)([\w-]*)requirements\.(txt|pip)$ for manager pip_requirements
DEBUG: Using file match: (^|/)setup\.py$ for manager pip_setup
DEBUG: Using file match: (^|/)Pipfile$ for manager pipenv
DEBUG: Using file match: (^|/)pyproject\.toml$ for manager poetry
DEBUG: Using file match: (^|/)\.pre-commit-config\.ya?ml$ for manager pre-commit
DEBUG: Using file match: (^|/)pubspec\.ya?ml$ for manager pub
DEBUG: Using file match: (^|/)Puppetfile$ for manager puppet
DEBUG: Using file match: (^|/)\.python-version$ for manager pyenv
DEBUG: Using file match: (^|/)\.ruby-version$ for manager ruby-version
DEBUG: Using file match: \.sbt$ for manager sbt
DEBUG: Using file match: project/[^/]*\.scala$ for manager sbt
DEBUG: Using file match: project/build\.properties$ for manager sbt
DEBUG: Using file match: (^|/)setup\.cfg$ for manager setup-cfg
DEBUG: Using file match: (^|/)Package\.swift for manager swift
DEBUG: Using file match: \.tf$ for manager terraform
DEBUG: Using file match: (^|/)\.terraform-version$ for manager terraform-version
DEBUG: Using file match: (^|/)terragrunt\.hcl$ for manager terragrunt
DEBUG: Using file match: (^|/)\.terragrunt-version$ for manager terragrunt-version
DEBUG: Using file match: \.tflint\.hcl$ for manager tflint-plugin
DEBUG: Using file match: ^\.travis\.ya?ml$ for manager travis
DEBUG: Using file match: (^|/)\.vela\.ya?ml$ for manager velaci
DEBUG: Using file match: ^\.woodpecker(?:/[^/]+)?\.ya?ml$ for manager woodpecker
DEBUG: Matched 1 file(s) for manager pipenv: Pipfile
DEBUG: manager extract durations (ms)
{
  "managers": {
    "pipenv": 3
  }
}

DEBUG: Found pipenv package files
DEBUG: Found 1 package file(s)
INFO: Dependency extraction complete
{
  "baseBranch": "main"
  "stats": {
    "managers": {
      "pipenv": {
        "fileCount": 1,
        "depCount": 5
      }
    },
    "total": {
      "fileCount": 1,
      "depCount": 5
    }
  }
}

DEBUG: PackageFiles.add() - Package file saved for base branch
{
  "baseBranch": "main"
}

DEBUG: Package releases lookups complete
{
  "baseBranch": "main"
}

DEBUG: branchifyUpgrades
DEBUG: detectSemanticCommits()
DEBUG: getCommitMessages
DEBUG: semanticCommits: detected "unknown"
DEBUG: semanticCommits: disabled
DEBUG: 0 flattened updates found: 
DEBUG: Returning 0 branch(es)
DEBUG: config.repoIsOnboarded=true
DEBUG: packageFiles with updates
{
  "baseBranch": "main"
  "config": {
    "pipenv": [
      {
        "deps": [
          {
            "depType": "packages",
            "depName": "mkdocs",
            "managerData": {},
            "currentValue": "*",
            "skipReason": "unspecified-version",
            "updates": [],
            "packageName": "mkdocs"
          },
          {
            "depType": "packages",
            "depName": "mkdocs-material",
            "managerData": {},
            "currentValue": ">= 8.2.0",
            "datasource": "pypi",
            "updates": [],
            "packageName": "mkdocs-material",
            "warnings": [],
            "versioning": "pep440",
            "sourceUrl": "https://github.com/squidfunk/mkdocs-material",
            "registryUrl": "https://pypi.org/simple",
            "currentVersion": "9.1.15"
          },
          {
            "depType": "packages",
            "depName": "mkdocs-awesome-pages-plugin",
            "managerData": {},
            "currentValue": ">= 2.5.0",
            "datasource": "pypi",
            "updates": [],
            "packageName": "mkdocs-awesome-pages-plugin",
            "warnings": [],
            "versioning": "pep440",
            "sourceUrl": "https://github.com/lukasgeiter/mkdocs-awesome-pages-plugin",
            "registryUrl": "https://pypi.org/simple",
            "currentVersion": "2.9.1"
          },
          {
            "depType": "packages",
            "depName": "mkdocs-include-markdown-plugin",
            "managerData": {},
            "currentValue": "*",
            "skipReason": "unspecified-version",
            "updates": [],
            "packageName": "mkdocs-include-markdown-plugin"
          },
          {
            "depType": "packages",
            "depName": "mkdocs-exclude",
            "managerData": {},
            "currentValue": "*",
            "skipReason": "unspecified-version",
            "updates": [],
            "packageName": "mkdocs-exclude"
          }
        ],
        "registryUrls": [
          "https://pypi.org/simple"
        ],
        "lockFiles": [
          "Pipfile.lock"
        ],
        "packageFile": "Pipfile",
        "constraints": {
          "python": "== 3.11.*"
        }
      }
    ]
  }
}

DEBUG: detectSemanticCommits()
DEBUG: semanticCommits: returning "disabled" from cache
DEBUG: processRepo()
DEBUG: Processing 0 branches: 
DEBUG: Calculating hourly PRs remaining
DEBUG: currentHourStart=2023-06-13T18:00:00.000+00:00
DEBUG: PR hourly limit remaining: 2
DEBUG: Calculating prConcurrentLimit (10)
DEBUG: 0 PRs are currently open
DEBUG: PR concurrent limit remaining: 10
DEBUG: Calculated maximum PRs remaining this run: 2
DEBUG: PullRequests limit = 2
DEBUG: Calculating hourly PRs remaining
DEBUG: currentHourStart=2023-06-13T18:00:00.000+00:00
DEBUG: PR hourly limit remaining: 2
DEBUG: Calculating branchConcurrentLimit (10)
DEBUG: 0 already existing branches found: 
DEBUG: Branch concurrent limit remaining: 10
DEBUG: Calculated maximum branches remaining this run: 2
DEBUG: Branches limit = 2
DEBUG: Ensuring Dependency Dashboard
DEBUG: ensureIssue(Dependency Dashboard)
INFO: Issue created
DEBUG: Removing any stale branches
DEBUG: config.repoIsOnboarded=true
DEBUG: Branch lists
{
  "branchList": []
  "renovateBranches": [
    "renovate/configure"
  ]
}

DEBUG: remainingBranches=renovate/configure
DEBUG: findPr(renovate/configure, undefined, open)
DEBUG: Found PR #1
DEBUG: branch.isModified(): using git to calculate
DEBUG: branch.isModified() = false
DEBUG: setCachedModifiedResult(): Branch cache not present
INFO: Autoclosing PR
{
  "branchName": "renovate/configure"
  "prNo": 1
  "prTitle": "Configure Renovate"
}

DEBUG: updatePr(1, Configure Renovate - autoclosed, body)
DEBUG: PR updated...prNo: 1
DEBUG: Deleted remote branch: renovate/configure
DEBUG: No local branch to delete with name: renovate/configure
DEBUG: Retrieving issueList
DEBUG: Retrieving issueList
DEBUG: Retrieved 1 issues
DEBUG: Retrieved 1 issues
DEBUG: PackageFiles.clear() - Package files deleted
DEBUG: Branch summary
{
  "cacheModified": true
  "baseBranches": [
    {
      "branchName": "main",
      "sha": "5716d081e83e68a94fd58156dcd5bec1cb8e1672"
    }
  ]
  "branches": []
  "defaultBranch": "main"
  "inactiveBranches": []
}

DEBUG: Renovate repository PR statistics
{
  "stats": {
    "total": 1,
    "open": 0,
    "closed": 1,
    "merged": 0
  }
}

DEBUG: Repository result: done, status: onboarded, enabled: true, onboarded: true
DEBUG: Repository timing splits (milliseconds)
{
  "splits": {
    "init": 3468,
    "extract": 755,
    "lookup": 191,
    "onboarding": 1,
    "update": 4
  }
  "total": 6857
}

DEBUG: Package cache statistics
{
  "get": {
    "count": 2,
    "avgMs": 13,
    "medianMs": 3,
    "maxMs": 22
  }
  "set": {
    "count": 0
  }
}

DEBUG: http statistics
{
  "urls": {
    "https://api.github.com/graphql (POST,200)": 4,
    "https://api.github.com/repos/MaxymVlasov/renovate-vuln-alerts/contents/renovate.json (GET,404)": 1,
    "https://api.github.com/repos/MaxymVlasov/renovate-vuln-alerts/issues (POST,201)": 1,
    "https://api.github.com/repos/MaxymVlasov/renovate-vuln-alerts/pulls (GET,200)": 1,
    "https://api.github.com/repos/MaxymVlasov/renovate-vuln-alerts/pulls/1 (PATCH,200)": 1,
    "https://api.github.com/repos/whitesource/merge-confidence/contents/beta.json (GET,200)": 1
  }
  "hostStats": {
    "api.github.com": {
      "requestCount": 9,
      "requestAvgMs": 266,
      "queueAvgMs": 0
    }
  }
  "totalRequests": 9
}

DEBUG: Package lookup durations
{
  "pypi": {
    "count": 2,
    "averageMs": 46,
    "totalMs": 91,
    "maximumMs": 75
  }
}

DEBUG: dns cache
{
  "hosts": []
}

INFO: Repository finished
{
  "cloned": true
  "durationMs": 6857
}

DEBUG: Renovate exiting

Have you created a minimal reproduction repository?

I have linked to a minimal reproduction in the description above

[rarkins]

There are two vulnerability alerts, both are indirect/transitive dependencies (in the lock file, not Pipfile).

Looking at the two Dependabot PRs, they seem identical and seem to be a full lockfile refresh rather than anything targeted. You can achieve the same with Renovate by enabling the "lockFileMaintenance" feature.

[MaxymVlasov]

lockFileMaintenance not works for all Pipfiles

#14393 (comment)

[rarkins]

This sounds like an edge case where you have multiple versions of python within the same repository?

[MaxymVlasov]

Yes

[MaxymVlasov]

Should I close this discussion as resolved and open #14393 (reply in thread) as a separate issue? Because it looks like it was ignored.

Or can it be done as part of this discussion or part of #14393 ?

[rarkins]

Yes, your comment wasn't directly related to the original discussion. Start a new one and link to your reproduction repository. It might be solvable with config