From 16c64b15753cbeb50a5976722da14dd47928e00e Mon Sep 17 00:00:00 2001
From: MK
Date: Tue, 2 Jun 2026 14:47:29 +0800
Subject: [PATCH] chore(renovate): re-enable dependency updates with a targeted ignore-list Replace the blanket npm/cargo disable (#1536) with per-package ignore rules so Renovate keeps updating everything except the upstream toolchain that is managed elsewhere (sync-remote, the proactive catalog workflow, and the bump-vite-task workflow). This lets security vulnerability alerts get fixed again instead of persisting. Ignored npm packages: rolldown, oxc-*, @oxc-node/*, @oxc-project/*, @vitejs/devtools, oxfmt, oxlint, oxlint-tsgolint, tsdown, vite, vitest, vitest-dev. Ignored cargo: oxc crates plus the vite-task git deps (now including vite_powershell). Lockfile refresh still fails because vite/ and rolldown/ are gitignored, so Renovate raises these PRs with an artifact-update warning and the lockfile is regenerated manually before merge.
---
 .github/renovate.json | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/.github/renovate.json b/.github/renovate.json
index 653d46a629..9823490af3 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -11,13 +11,41 @@
 ],
 "packageRules": [
 {
- "description": "Disable all npm updates (lockfile updates fail because vite/patches/* is gitignored)",
+ "description": "Ignore upstream toolchain npm packages (vendored via sync-remote or bumped by the proactive catalog workflow); everything else stays enabled so security alerts get fixed. Lockfile refresh fails because vite/ and rolldown/ are gitignored, so Renovate raises these PRs with an artifact-update warning and the lockfile is regenerated manually.",
 "matchManagers": ["npm"],
+ "matchPackageNames": [
+ "rolldown",
+ "/^oxc-.*/",
+ "@oxc-node/*",
+ "@oxc-project/*",
+ "@vitejs/devtools",
+ "oxfmt",
+ "oxlint",
+ "oxlint-tsgolint",
+ "tsdown",
+ "vite",
+ "vitest",
+ "vitest-dev"
+ ],
 "enabled": false
 },
 {
- "description": "Disable all cargo updates (lockfile updates fail because rolldown/ is gitignored)",
+ "description": "Ignore oxc crate updates (bumped by the proactive catalog workflow); other cargo crates stay enabled.",
 "matchManagers": ["cargo"],
+ "matchPackageNames": ["/^oxc([_-].*)?$/"],
+ "enabled": false
+ },
+ {
+ "description": "Ignore vite-task git dependency digest updates (bumped via the bump-vite-task workflow).",
+ "matchDepNames": [
+ "fspy",
+ "vite_glob",
+ "vite_path",
+ "vite_powershell",
+ "vite_str",
+ "vite_task",
+ "vite_workspace"
+ ],
 "enabled": false
 }
 ]
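Review bot: The last rule, keyed on `matchDepNames` (`fspy` through `vite_workspace`), has no `matchManagers`, so unlike the two rules above it switches off updates for any dependency carrying one of those names in every manager. It also disables every update type, not only the git digest bumps its description mentions. Adding `"matchManagers": ["cargo"],` to that rule would keep the ignore-list as narrow as the commit message intends, and `"matchUpdateTypes": ["digest"]` would narrow it further if only digest bumps are meant to be skipped. The part of the config above `packageRules` is outside this hunk, so a top-level setting there may already limit the rule; if not, the unscoped match is worth tightening so an unrelated dependency cannot silently drop out of security updates.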