Renovate with grouped PRs, release-age quarantine, and lockfile-only updates #44
james/carol#44
Automate dependency updates with guardrails that protect against the most common supply-chain pattern: a compromised release of a package we already trust. The scanners in #14 catch known CVEs after they're disclosed; this ticket catches the update mechanism itself becoming the attack vector.
Scope
- … package-lock.json to pick up transitive bumps but does not modify package.json version ranges. Major-version bumps that require a range change get their own opt-in PR with human approval.
- … package.json range change require human approval.
- … docs/ci.md (or CLAUDE.md if a separate CI doc doesn't exist yet) so it's discoverable.

Acceptance criteria

- renovate.json checked in; Renovate runs on a schedule and opens grouped PRs.
- … package.json range fails the gate or is blocked — only lockfile-only changes are auto-merge-eligible.

Part of epic #2.
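A renovate.json that expresses the three guardrails in this ticket (grouped PRs, a release-age quarantine, and lockfile-only auto-merge), added here as an illustration rather than the repository's own file. The schedule, the 7-day quarantine window and the group names are assumptions; the CI gate that rejects package.json range changes is a separate check and is not part of this config.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "timezone": "UTC",
  "schedule": ["before 6am on monday"],
  "minimumReleaseAge": "7 days",
  "rangeStrategy": "update-lockfile",
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 6am on monday"],
    "automerge": true
  },
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "in-range non-major updates",
      "automerge": false
    },
    {
      "matchUpdateTypes": ["major"],
      "groupName": "major updates (range change)",
      "dependencyDashboardApproval": true,
      "automerge": false
    }
  ]
}
```

minimumReleaseAge is the quarantine: Renovate will not propose a version until the registry reports it as at least that old, which gives a compromised release time to be reported and yanked before it reaches a PR. rangeStrategy "update-lockfile" keeps in-range bumps confined to package-lock.json; an update that falls outside the declared range would still rewrite package.json, which is exactly the case the human-approval rule and the CI gate are there to catch. Only the lockFileMaintenance update type carries automerge: true, so the only PRs that can merge without a reviewer are the ones that touch the lockfile alone.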