Reconsider Renovate auto-merge of devDependencies and GitHub Actions updates #159

Description

@maximn

renovate.json auto-merges patch/minor updates for devDependencies and the github-actions manager without human review (minimumReleaseAge: 3 days is set).

For a widely-used action this is an aggressive supply-chain posture: an auto-merged compromised dev dependency or action tag could land on main and flow into the published v1 bundle unreviewed.

Options to weigh

  • Require review for github-actions updates (and/or pin actions to commit SHAs).
  • Keep automerge for low-risk types but add provenance / lockfile-integrity checks.
  • Document the accepted risk explicitly if keeping current behavior.

Decision needed on risk tolerance.

Flagged during the AI-native docs revamp; tracked in .agents/known-issues.md (item B).
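As an added example (not code from the issue or the project), the check below audits a Renovate config for the automerge combinations the issue describes and scans workflow YAML for `uses:` references that are not pinned to a full commit SHA, which is the pinning the first option asks for. The permissive and hardened `renovate.json` contents, the workflow snippet and the 40-hex SHA in it are all constructed for the example; the Renovate keys used (`packageRules`, `matchManagers`, `matchDepTypes`, `matchUpdateTypes`, `automerge`, `minimumReleaseAge`, `pinDigests`, the `helpers:pinGitHubActionDigests` preset) are real Renovate options. The "minor is not low risk for automerge" rule is the example's own policy, not something the issue decides.

```python
"""Audit Renovate automerge rules and GitHub Actions pinning (added example)."""
import json
import re

# Constructed stand-in for a renovate.json that automerges devDependencies
# and github-actions updates with only a release-age delay (not the project's file).
PERMISSIVE_RENOVATE = json.loads("""
{
  "extends": ["config:recommended"],
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {"matchDepTypes": ["devDependencies"],
     "matchUpdateTypes": ["minor", "patch"], "automerge": true},
    {"matchManagers": ["github-actions"],
     "matchUpdateTypes": ["minor", "patch"], "automerge": true}
  ]
}
""")

# Constructed hardened variant: action updates need review and are pinned to
# digests; devDependency automerge is narrowed to patch updates and keeps the delay.
HARDENED_RENOVATE = json.loads("""
{
  "extends": ["config:recommended", "helpers:pinGitHubActionDigests"],
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {"matchDepTypes": ["devDependencies"],
     "matchUpdateTypes": ["patch"], "automerge": true},
    {"matchManagers": ["github-actions"], "automerge": false, "pinDigests": true}
  ]
}
""")

# Constructed workflow excerpt; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def automerge_findings(config: dict) -> list[str]:
    """Return findings for packageRules that merge updates without human review."""
    findings = []
    global_age = config.get("minimumReleaseAge")
    for rule in config.get("packageRules", []):
        if not rule.get("automerge"):
            continue  # review is still required; nothing to flag
        update_types = set(rule.get("matchUpdateTypes", []))
        if "devDependencies" in rule.get("matchDepTypes", []):
            if rule.get("minimumReleaseAge", global_age) is None:
                findings.append("devDependencies automerge with no minimumReleaseAge delay")
            # An empty matchUpdateTypes means the rule applies to every update type.
            if not update_types or "minor" in update_types or "major" in update_types:
                findings.append("devDependencies automerge covers more than patch updates")
        if "github-actions" in rule.get("matchManagers", []):
            findings.append("github-actions updates automerge without review")
    return findings


def unpinned_actions(workflow_yaml: str) -> list[str]:
    """Return `uses:` references whose version is not a full commit SHA.

    Local actions (./path) and docker:// images are skipped because SHA pinning
    of a Git ref does not apply to them.
    """
    unpinned = []
    for line in workflow_yaml.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE_RENOVATE), ("hardened", HARDENED_RENOVATE)):
        print(f"{name}: {automerge_findings(cfg) or 'no findings'}")
    print("unpinned actions:", unpinned_actions(SAMPLE_WORKFLOW))
```

Run against a real repository by loading `renovate.json` with `json.load` and feeding each file under `.github/workflows/` to `unpinned_actions`; a non-empty result from either function is the condition the issue asks the maintainers to decide on.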

Metadata

Assignees

No one assigned

    Labels

    enhancement (New feature or request)


    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
