feat(cargo): default to update-lockfile #28714

Closed
wants to merge 34 commits into from


rarkins
Collaborator

@rarkins rarkins commented Apr 29, 2024

Changes

Change Cargo's default behavior from rangeStrategy=bump to rangeStrategy=update-lockfile

Context

Align with other managers

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

rarkins and others added 16 commits April 26, 2024 20:05
Previously, config from globalExtends was incorrectly merged _after_ other global config. This meant for example that packageRules in a config.js could not override packageRules from within globalExtends, because they were applied after. Now, globalExtends content will be merged first, and remaining global config merged second.

Fixes #28131

BREAKING CHANGE: order of globalExtends resolution is changed so that it is applied first and remaining global config takes precedence.
Previously, the “depName” for pep621 was constructed using groupName/packageName, which in turn meant that the same dependency was upgraded in different branches if it was present in multiple groups. Instead, depName is now set to packageName. This will lead to a change of branch name for pep621 updates.

Closes #28131

BREAKING CHANGE: depName for pep621 dependencies changes, which will lead to branch name changes, which will lead to some autoclosing and reopening of PRs.
Previous Gitea implementation used non-standard “token” auth instead of “Bearer”. Gitea supports Bearer as an alternate to token since v1.8.0, so it’s safe to make this change now.

BREAKING CHANGE: Gitea platform authentication will now be done using Bearer auth instead of token auth.
Stop publishing -slim Renovate tags - slim is now the default.

BREAKING CHANGE: Renovate docker images no longer have -slim tags. Drop the -slim prefix as this is now the default behavior.
… alerts (#25166)

Use sanitized depName in vulnerability/remediation branches instead of raw depName. This will result in some open remediation branches being autoclosed and replaced for ecosystems like go in particular which have special characters in depNames.

BREAKING CHANGE: Branch names for remediation will be sanitized to exclude special characters, potentially resulting in some autoclosing/replacing of existing PRs.
This option only worked for npm <7, which is now EOL.

BREAKING CHANGE: Transitive remediation for npm <7 is no longer supported.
Change onboardingNoDeps from boolean to enum, with new default "auto". Auto means that Renovate will continue skipping repos with no dependencies if autodiscover is in use, but onboarding them if they are explicitly specified in a non-autodiscover mode.

Closes #28101

BREAKING CHANGE: onboardingNoDeps changes from boolean to enum. Repositories with no dependencies will be onboarded unless in autodiscover mode.
Removes fallback to checking depName for all matchPackageX and excludePackageX rules.

BREAKING CHANGE: matchPackageNames and related functions no longer fall back to checking depName. Rewrite packageRules to use matchDepNames instead.
…for tag lookups (#28400)

Changes default Docker Hub lookups from index.docker.io to hub.docker.com, which is more efficient. If you are configuring a Docker Hub token for docker.io then you should now configure it for docker.com as well. 

Closes #24666

BREAKING CHANGE: Docker Hub lookups prefer hub.docker.com over index.docker.io. Set RENOVATE_X_DOCKER_HUB_TAGS_DISABLE=true in env to revert behavior.
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
rarkins and others added 13 commits April 29, 2024 07:28
@@ -108,6 +108,8 @@ Read the [Self-hosted experimental environment variables](./self-hosted-experime
Finally, there are some special environment variables that are loaded _before_ configuration parsing because they are used during logging initialization:

- `LOG_CONTEXT`: a unique identifier used in each log message to track context
- `LOG_FILE`: used to enable file logging and specify the log file path
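Review bot: the two lines this hunk adds (the header grows the region at line 108 from 6 to 8 lines) land in the list of logging environment variables that are loaded before configuration parsing, next to `LOG_CONTEXT` and `LOG_FILE`, which is unrelated to the Cargo `rangeStrategy` default this PR describes. Rebase onto the current target branch so the diff carries only the Cargo change, and keep any documentation update for the new default with the Cargo manager's own documentation rather than in this section.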
Collaborator

I guess there's something going wrong with your latest force-push. It looks like you're editing more files than intended?

viceice
viceice previously approved these changes May 2, 2024
@rarkins
Collaborator Author

rarkins commented May 2, 2024

I want to back port this to v37 as I think the "fix" I made to bump behavior is more unexpected/undesired than switching to update lock file

@viceice
Member

viceice commented May 2, 2024

> I want to back port this to v37 as I think the "fix" I made to bump behavior is more unexpected/undesired than switching to update lock file

sounds good to me

@rarkins rarkins dismissed viceice’s stale review May 3, 2024 12:53

The merge-base changed after approval.

@rarkins
Collaborator Author

rarkins commented May 4, 2024

Replaced by #28826

@rarkins rarkins closed this May 4, 2024
@rarkins rarkins deleted the feat/cargo-auto-update-lockfile branch May 5, 2024 15:51
8 participants