Perform *only* security updates?

[zjullion]

My team is trying to evaluate renovate as our tool of choice for handling security vulnerabilities in NodeJS applications. We are using the GitHub app. Is it possible to configure renovate to perform only security updates? We've tried the following renovate.json (posting only relevant sections):

{
  "extends": ["config:base"],
  "packageRules": [
    {
      "enabled": false,
      "groupName": "everything",
      "matchManagers": ["npm"],
      "matchPackagePatterns": ["*"],
      "separateMajorMinor": false
    }
  ],
  "vulnerabilityAlerts": {
    "packageRules": [
      {
        "groupName": "everything",
        "matchManagers": ["npm"],
        "matchPackagePatterns": ["*"]
      }
    ]
  }
}

but this just disables everything. Is there a way to get a package / group of packages to be enabled for security updates only?

[zjullion]

Figured it out - you need "enabled": true under vulnerabilityAlerts, such as:

{
  "extends": ["config:base"],
  "packageRules": [
    {
      "enabled": false,
      "groupName": "everything",
      "matchManagers": ["npm"],
      "matchPackagePatterns": ["*"],
      "separateMajorMinor": false
    }
  ],
  "vulnerabilityAlerts": {
    "enabled": true
  }
}

[viceice]

please don't use nested package rule, you can probably remove it at all from vulnerability alerts object

[zjullion]

Edited!

[liepins101]

Also my team is trying to evaluate renovate as our tool of choice for handling security vulnerabilities in Java applications. The only difference is that we are using Renovate Runner project for our self-hosted GitLab.

As far as I understand approach mentioned above can not be used by us because vulnerabilityAlerts configuration is supported only by GitHub platform. Is there any alternative?

We also considered to enable Dependency Dashboard and set dependencyDashboardApproval to true so in theory vulnerability remediation PRs would still get created immediately without requiring approval and assignee would be informed only in case of vulnerability remediation PRs. But once again this seems not to be a case for self-hosted GitLab

[weirdolucifer]

Thanks @rarkins for the clarification, I'll discuss this with my team and raise a customer ticket. @viceice Is there any way to use Mend's CVE rather than osvVulnerabilityAlerts in renovate BOT to perform only security updates?

[rarkins]

@weirdolucifer it is not possible to use Renovate with Mend's DB like you are asking. However as a customer, you should be using Mend's "Repository Integrations" which do combine Renovate plus Mend's DB into a product called "Mend Remediate".

[rarkins]

This original post has been answered and resolved, so I would like to lock it and move on before it get too much more off-topic.

[weirdolucifer]

To perform only security updates for self-hosted GitLab, renovate.json looks like this:

{
  "extends": [ "config:base"],
  "packageRules": [
    {
      "enabled": false,
      "groupName": "everything",
      "matchPackagePatterns": ["*"],
      "separateMajorMinor": false
    }
  ],
  "vulnerabilityAlerts": {
    "enabled": true
  },
  "osvVulnerabilityAlerts": true
}

[viceice]

you only need this:

{
  "extends": [ "config:base"],
  "packageRules": [
    {
      "enabled": false,
      "matchPackagePatterns": ["*"]
    }
  ],
  "vulnerabilityAlerts": {
    "enabled": true
  },
  "osvVulnerabilityAlerts": true
}