
chore(renovate): re-enable dependency updates with a targeted ignore-list #1744

Merged: fengmk2 merged 1 commit into main from chore/renovate-targeted-ignore-list on Jun 2, 2026

@fengmk2 fengmk2 commented Jun 2, 2026

Why

Since #1536, .github/renovate.json disabled all npm and cargo updates, so nothing gets updated and security alerts persist. The disable was a workaround for lockfile refresh failing (the vendored vite/ and rolldown/ dirs that lockfiles depend on are gitignored).

What

Replace the blanket disable with a targeted ignore-list, keeping everything else enabled:

  • Ignored npm (managed upstream): rolldown, oxc-*, @oxc-node/*, @oxc-project/*, @vitejs/devtools, oxfmt, oxlint, oxlint-tsgolint, tsdown, vite, vitest, vitest-dev.
  • Ignored cargo: oxc crates and the vite-task git deps (fspy, vite_glob, vite_path, vite_powershell, vite_str, vite_task, vite_workspace).
  • Everything else updates again, so security alerts get remediation PRs.

Note

Lockfile refresh still can't succeed in Renovate (vendored dirs are gitignored), but that no longer blocks the PR: Renovate opens it with an "Artifact update problem" note, and the lockfile is regenerated manually (just init && pnpm install / cargo update) before merge.

…list

Replace the blanket npm/cargo disable (#1536) with per-package ignore
rules so Renovate keeps updating everything except the upstream
toolchain that is managed elsewhere (sync-remote, the proactive catalog
workflow, and the bump-vite-task workflow). This lets security
vulnerability alerts get fixed again instead of persisting.

Ignored npm packages: rolldown, oxc-*, @oxc-node/*, @oxc-project/*,
@vitejs/devtools, oxfmt, oxlint, oxlint-tsgolint, tsdown, vite, vitest,
vitest-dev. Ignored cargo: oxc crates plus the vite-task git deps (now
including vite_powershell).

Lockfile refresh still fails because vite/ and rolldown/ are gitignored,
so Renovate raises these PRs with an artifact-update warning and the
lockfile is regenerated manually before merge.
@fengmk2 fengmk2 self-assigned this Jun 2, 2026

netlify Bot commented Jun 2, 2026

Deploy Preview for viteplus-preview canceled.

🔨 Latest commit: 16c64b1
🔍 Latest deploy log: https://app.netlify.com/projects/viteplus-preview/deploys/6a1e7c9d17ce2900085101c7

@fengmk2 fengmk2 requested review from Boshen, camc314 and wan9chi and removed request for camc314 June 2, 2026 06:49
@fengmk2 fengmk2 merged commit baca158 into main Jun 2, 2026
40 checks passed
@fengmk2 fengmk2 deleted the chore/renovate-targeted-ignore-list branch June 2, 2026 08:09
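
An added example, not part of the pull request or the project's code: a Python check that flags Renovate rules which disable a whole manager without naming any package, the pattern the description above says left security alerts unfixed. Both configs are constructed for illustration and are not the repository's .github/renovate.json; `NARROWING_KEYS` and `MANAGERS` are this example's assumptions about what counts as a targeted rule and which managers to audit.

```python
import json

# Constructed "before": one rule switches off every npm and cargo update.
BLANKET = json.loads("""
{"packageRules": [
  {"matchManagers": ["npm", "cargo"], "enabled": false}
]}
""")

# Constructed "after": only named upstream-managed packages are disabled.
# Glob entries assume a Renovate version whose matchPackageNames accepts globs.
TARGETED = json.loads("""
{"packageRules": [
  {"matchManagers": ["npm"],
   "matchPackageNames": ["rolldown", "oxc-*", "@oxc-node/*", "vite", "vitest"],
   "enabled": false},
  {"matchManagers": ["cargo"],
   "matchPackageNames": ["fspy", "vite_glob", "vite_path", "vite_powershell"],
   "enabled": false}
]}
""")

# Assumption: a disabling rule is "targeted" if it has one of these matchers.
NARROWING_KEYS = {"matchPackageNames", "matchDepNames", "matchSourceUrls"}
MANAGERS = ("npm", "cargo")  # managers this audit cares about


def blanket_disables(config):
    """Return managers that are disabled without naming any package."""
    findings = []
    if config.get("enabled") is False:  # whole-repo switch-off
        findings.append("*")
    for manager in MANAGERS:  # manager-level block, e.g. "npm": {"enabled": false}
        if config.get(manager, {}).get("enabled") is False:
            findings.append(manager)
    for rule in config.get("packageRules", []):
        if rule.get("enabled") is not False:
            continue  # rule does not disable anything
        if NARROWING_KEYS.intersection(rule):
            continue  # scoped to specific packages: acceptable ignore-list
        findings.extend(rule.get("matchManagers", ["*"]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("blanket", BLANKET), ("targeted", TARGETED)):
        hits = blanket_disables(cfg)
        print(f"{name}: {'FAIL ' + ', '.join(hits) if hits else 'ok'}")
```

Run as a CI step against the real config file, a non-empty result means a change has reintroduced a manager-wide disable that would also suppress vulnerability remediation PRs.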