feat(cargo): default to update-lockfile

docs/usage/config-overview.md

@@ -108,6 +108,8 @@ Read the [Self-hosted experimental environment variables](./self-hosted-experime
 Finally, there are some special environment variables that are loaded _before_ configuration parsing because they are used during logging initialization:
 
 - `LOG_CONTEXT`: a unique identifier used in each log message to track context
+- `LOG_FILE`: used to enable file logging and specify the log file path
+- `LOG_FILE_LEVEL`: log file logging level, defaults to `debug`
 - `LOG_FORMAT`: defaults to a "pretty" human-readable output, but can be changed to "json"
 - `LOG_LEVEL`: most commonly used to change from the default `info` to `debug` logging
 
@@ -273,7 +275,7 @@ To get a onboarding PR from Renovate, change to Interactive mode either at the R
 
 #### Installing Renovate into selected repositories always leads to onboarding PRs
 
-Additionally, if an Organization is installed with "Selected repositories" then the app will change `onboardingNoDeps` to `true` so that an Onboarding PR is created even if no dependencies are detected.
+Additionally, if an Organization is installed with "Selected repositories" then the app will change `onboardingNoDeps` to `"enabled"` so that an Onboarding PR is created even if no dependencies are detected.
 
 ### Fork Processing
 

docs/usage/configuration-options.md

@@ -2527,6 +2527,8 @@ Instead you should do `> 13 months`.
 Use this field if you want to limit a `packageRule` to certain `depType` values.
 Invalid if used outside of a `packageRule`.
 
+For more details on supported syntax see Renovate's [string pattern matching documentation](./string-pattern-matching.md).
+
 ### excludeDepNames
 
 ### excludeDepPatterns
@@ -2629,6 +2631,8 @@ The categories can be found in the [manager documentation](modules/manager/index
 }
 ```
 
+For more details on supported syntax see Renovate's [string pattern matching documentation](./string-pattern-matching.md).
+
 ### matchRepositories
 
 Use this field to restrict rules to a particular repository. e.g.
@@ -2676,6 +2680,8 @@ This field also supports Regular Expressions if they begin and end with `/`. e.g
 }
 ```
 
+For more details on supported syntax see Renovate's [string pattern matching documentation](./string-pattern-matching.md).
+
 ### matchManagers
 
 Use this field to restrict rules to a particular package manager. e.g.
@@ -2694,6 +2700,8 @@ Use this field to restrict rules to a particular package manager. e.g.
 
 For the full list of available managers, see the [Supported Managers](modules/manager/index.md#supported-managers) documentation.
 
+For more details on supported syntax see Renovate's [string pattern matching documentation](./string-pattern-matching.md).
+
 ### matchMessage
 
 For log level remapping, use this field to match against the particular log messages.
@@ -2715,6 +2723,8 @@ Use this field to restrict rules to a particular datasource. e.g.
 }
 ```
 
+For more details on supported syntax see Renovate's [string pattern matching documentation](./string-pattern-matching.md).
+
 ### matchCurrentValue
 
 This option is matched against the `currentValue` field of a dependency.
@@ -2849,12 +2859,26 @@ The following example matches any file in directories starting with `app/`:
 
 It is recommended that you avoid using "negative" globs, like `**/!(package.json)`, because such patterns might still return true if they match against the lock file name (e.g. `package-lock.json`).
 
+For more details on supported syntax see Renovate's [string pattern matching documentation](./string-pattern-matching.md).
+
 ### matchDepNames
 
+This field behaves the same as `matchPackageNames` except it matches against `depName` instead of `packageName`.
+
 ### matchDepPatterns
 
+<!-- prettier-ignore -->
+!!! note
+    `matchDepNames` now supports pattern matching and should be used instead.
+    Use of `matchDepPatterns` is now deprecated and will be migrated in future.
+
 ### matchDepPrefixes
 
+<!-- prettier-ignore -->
+!!! note
+    `matchDepNames` now supports pattern matching and should be used instead.
+    Use of `matchDepPrefixes` is now deprecated and will be migrated in future.
+
 ### matchNewValue
 
 This option is matched against the `newValue` field of a dependency.
@@ -2891,54 +2915,68 @@ For more details on this syntax see Renovate's [string pattern matching document
 
 ### matchPackageNames
 
-Use this field if you want to have one or more exact name matches in your package rule.
-See also `excludePackageNames`.
+Use this field to match against the `packageName` field.
+This matching can be an exact match, Glob match, or Regular Expression match.
 
-```json
+For more details on supported syntax see Renovate's [string pattern matching documentation](./string-pattern-matching.md).
+Note that Glob matching (including exact name matching) is case-insensitive.
+
+```json title="exact name match"
 {
   "packageRules": [
     {
+      "matchDatasources": ["npm"],
       "matchPackageNames": ["angular"],
       "rangeStrategy": "pin"
     }
   ]
 }
 ```
 
-The above will configure `rangeStrategy` to `pin` only for the package `angular`.
-
-<!-- prettier-ignore -->
-!!! note
-    `matchPackageNames` will try matching `packageName` first and then fall back to matching `depName`.
-    If the fallback is used, Renovate will log a warning, because the fallback will be removed in a future release.
-    Use `matchDepNames` instead.
+The above will configure `rangeStrategy` to `pin` only for the npm package `angular`.
 
-### matchPackagePatterns
+```json title="prefix match using Glob"
+{
+  "packageRules": [
+    {
+      "matchDatasources": ["npm"],
+      "matchPackageNames": ["@angular/*", "!@angular/abc"],
+      "groupName": "Angular"
+    }
+  ]
+}
+```
 
-Use this field if you want to have one or more package names patterns in your package rule.
-See also `excludePackagePatterns`.
+The above will group together any npm package which starts with `@angular/` except `@angular/abc`.
 
-```json
+```json title="pattern match using RegEx"
 {
   "packageRules": [
     {
-      "matchPackagePatterns": ["^angular"],
-      "rangeStrategy": "replace"
+      "matchDatasources": ["npm"],
+      "matchPackageNames": ["/^angular/"],
+      "groupName": "Angular"
     }
   ]
 }
 ```
 
-The above will configure `rangeStrategy` to `replace` for any package starting with `angular`.
+The above will group together any npm package which starts with the string `angular`.
+
+### matchPackagePatterns
 
 <!-- prettier-ignore -->
 !!! note
-    `matchPackagePatterns` will try matching `packageName` first and then fall back to matching `depName`.
-    If the fallback is used, Renovate will log a warning, because the fallback will be removed in a future release.
-    Use `matchDepPatterns` instead.
+    `matchPackageNames` now supports pattern matching and should be used instead.
+    Use of `matchPackagePatterns` is now deprecated and will be migrated in future.
 
 ### matchPackagePrefixes
 
+<!-- prettier-ignore -->
+!!! note
+    `matchPackageNames` now supports pattern matching and should be used instead.
+    Use of `matchPackagePrefixes` is now deprecated and will be migrated in future.
+
 Use this field to match a package prefix without needing to write a regex expression.
 See also `excludePackagePrefixes`.
 
@@ -2955,12 +2993,6 @@ See also `excludePackagePrefixes`.
 
 Like the earlier `matchPackagePatterns` example, the above will configure `rangeStrategy` to `replace` for any package starting with `angular`.
 
-<!-- prettier-ignore -->
-!!! note
-    `matchPackagePrefixes` will try matching `packageName` first and then fall back to matching `depName`.
-    If the fallback is used, Renovate will log a warning, because the fallback will be removed in a future release.
-    Use `matchDepPatterns` instead.
-
 ### matchSourceUrlPrefixes
 
 Here's an example of where you use this to group together all packages from the `renovatebot` GitHub org:
@@ -2991,6 +3023,8 @@ Here's an example of where you use this to group together all packages from the
 }
 ```
 
+For more details on supported syntax see Renovate's [string pattern matching documentation](./string-pattern-matching.md).
+
 ### matchUpdateTypes
 
 Use `matchUpdateTypes` to match rules against types of updates.
@@ -3007,6 +3041,8 @@ For example to apply a special label to `major` updates:
 }
 ```
 
+For more details on supported syntax see Renovate's [string pattern matching documentation](./string-pattern-matching.md).
+
 <!-- prettier-ignore -->
 !!! warning
     Packages that follow SemVer are allowed to make breaking changes in _any_ `0.x` version, even `patch` and `minor`.
@@ -3875,15 +3911,6 @@ The above config will suppress the comment which is added to a PR whenever you c
 It is only recommended to configure this field if you wish to use the `schedules` feature and want to write them in your local timezone.
 Please see the above link for valid timezone names.
 
-## transitiveRemediation
-
-When enabled, Renovate tries to remediate vulnerabilities even if they exist only in transitive dependencies.
-
-Applicable only for GitHub platform (with vulnerability alerts enabled) and `npm` manager.
-When the `lockfileVersion` is higher than `1` in `package-lock.json`, remediations are only possible when changes are made to `package.json`.
-
-This is considered a feature flag with the aim to remove it and default to this behavior once it has been more widely tested.
-
 ## updateInternalDeps
 
 Renovate defaults to skipping any internal package dependencies within monorepos.

docs/usage/examples/self-hosting.md

@@ -248,7 +248,7 @@ module.exports = {
 };
 ```
 
-Here change the `logFile` and `repositories` to something appropriate.
+Here change the `repositories` to something appropriate.
 Also replace `gitlab-token` value with the one created during the previous step.
 
 If you're running against GitHub Enterprise Server, then change the `gitlab` values in the example to the equivalent GitHub ones.

docs/usage/self-hosted-configuration.md

@@ -795,8 +795,12 @@ Falls back to `renovate.json` if the name provided is not valid.
 
 ## onboardingNoDeps
 
-Set this to `true` if you want Renovate to create an onboarding PR even if no dependencies are found.
-Otherwise, Renovate skips onboarding a repository if it finds no dependencies in it.
+The default `auto` setting is converted to `disabled` if `autodiscoverRepositories` is `true`, or converted to `enabled` if false.
+
+In other words, the default behavior is:
+
+- If you run Renovate on discovered repositories then it will skip onboarding those without dependencies detected, but
+- If you run Renovate on _specific_ repositories then Renovate will onboard all such repositories even if no dependencies are found
 
 ## onboardingPrTitle
 

docs/usage/self-hosted-experimental.md

@@ -19,10 +19,6 @@ We will try to keep breakage to a minimum, but make no guarantees that an experi
 If set, Renovate will export OpenTelemetry data to the supplied endpoint.
 For more information see [the OpenTelemetry docs](opentelemetry.md).
 
-## `RENOVATE_CACHE_NPM_MINUTES`
-
-If set to any integer, Renovate will use this integer instead of the default npm cache time (15 minutes) for the npm datasource.
-
 ## `RENOVATE_EXPERIMENTAL_NO_MAVEN_POM_CHECK`
 
 If set to any value, Renovate will skip its default artifacts filter check in the Maven datasource.
@@ -80,19 +76,15 @@ You can set the config file Renovate should read with the `RENOVATE_CONFIG_FILE`
 
 The process that runs Renovate must have the correct permissions to delete the config file.
 
-## `RENOVATE_X_DOCKER_HUB_TAGS`
+## `RENOVATE_X_DOCKER_HUB_TAGS_DISABLE`
 
-If set to any value, Renovate will use the Docker Hub API (`https://hub.docker.com`) to fetch tags instead of the normal Docker API for images pulled from `https://index.docker.io`.
+If set to any value, Renovate will stop using the Docker Hub API (`https://hub.docker.com`) to fetch tags and instead use the normal Docker API for images pulled from `https://index.docker.io`.
 
 ## `RENOVATE_X_DOCKER_MAX_PAGES`
 
 If set to an integer, Renovate will use this as max page number for docker tags lookup on docker registries, instead of the default 20 pages.
 This is useful for registries which ignores the `n` parameter in the query string and only return 50 tags per page.
 
-## `RENOVATE_X_EAGER_GLOBAL_EXTENDS`
-
-Resolve and merge `globalExtends` presets before other global config, instead of after.
-
 ## `RENOVATE_X_EXEC_GPID_HANDLE`
 
 If set, Renovate will terminate the whole process group of a terminated child process spawned by Renovate.

docs/usage/string-pattern-matching.md

@@ -5,6 +5,33 @@ Renovate string matching syntax for some configuration options allows you, as us
 - [`minimatch`](https://github.com/isaacs/minimatch) glob patterns, including exact strings matches
 - regular expression (regex) patterns
 
+In cases where there are potentially multiple _inputs_, e.g. managers can have multiple categories, then the matcher will return `true` if _any_ of them match.
+
+## Special case: Match everything
+
+The value `*` is a special case which means "match everything".
+It is not valid to combine `*` with any other positive or negative match.
+
+```json title="Example of valid wildcard use"
+{
+  "allowedEnv": ["*"]
+}
+```
+
+```json title="Example of invalid wildcard use with additional match"
+{
+  "allowedEnv": ["*", "ABC"]
+}
+```
+
+```json title="Example of invalid wildcard use with negation"
+{
+  "allowedEnv": ["*", "!ABC"]
+}
+```
+
+In the latter case, the `*` can be ommitted and achieve the same thing.
+
 ## Regex matching
 
 A valid regex pattern:
@@ -76,6 +103,13 @@ For example, the pattern `["/^abc/", "!/^abcd/", "!/abce/"]`:
 - matches `"abc"` and `"abcf"`
 - does _not_ match `"foo"`, `"abcd"`, `"abce"`, or `"abcdef"`
 
+If you find yourself in a situation where you need to positive-match a string which starts with `!`, then you need to do so using a regular expression pattern.
+For example, `["/^!abc$/"]` will positively match against the string `"!abc"`.
+
+One limitation of negative matching is when there may be multiple inputs to match against.
+For example, a manager may have multiple categories, such as `java` and `docker`.
+If you have a rule such as `"matchCategories": ["!docker"]` then this will return `true` because the `java` category satisfies this rule.
+
 ## Usage in Renovate configuration options
 
 Renovate has evolved its approach to string pattern matching over time, but this means that existing configurations may have a mix of approaches and not be entirely consistent with each other.

lib/config/migrations/migrations-service.ts

@@ -71,6 +71,7 @@ export class MigrationsService {
     'maintainYarnLock',
     'statusCheckVerify',
     'supportPolicy',
+    'transitiveRemediation',
     'yarnCacheFolder',
     'yarnMaintenanceBranchName',
     'yarnMaintenanceCommitMessage',

lib/config/options/index.ts

@@ -148,8 +148,9 @@ const options: RenovateOptions[] = [
   {
     name: 'onboardingNoDeps',
     description: 'Onboard the repository even if no dependencies are found.',
-    type: 'boolean',
-    default: false,
+    type: 'string',
+    default: 'auto',
+    allowedValues: ['auto', 'enabled', 'disabled'],
     globalOnly: true,
     inheritConfigSupport: true,
   },
@@ -488,6 +489,8 @@ const options: RenovateOptions[] = [
     stage: 'global',
     type: 'string',
     globalOnly: true,
+    deprecationMsg:
+      'Instead of configuring log file path in the file config. Use the `LOG_FILE` environment variable instead.',
   },
   {
     name: 'logFileLevel',
@@ -496,6 +499,8 @@ const options: RenovateOptions[] = [
     type: 'string',
     default: 'debug',
     globalOnly: true,
+    deprecationMsg:
+      'Instead of configuring log file level in the file config. Use the `LOG_FILE_LEVEL` environment variable instead.',
   },
   {
     name: 'logContext',
@@ -2046,14 +2051,6 @@ const options: RenovateOptions[] = [
     parents: ['customDatasources'],
     default: [],
   },
-  {
-    name: 'transitiveRemediation',
-    description: 'Enable remediation of transitive dependencies.',
-    type: 'boolean',
-    default: false,
-    supportedManagers: ['npm'],
-    supportedPlatforms: ['github'],
-  },
   {
     name: 'vulnerabilityAlerts',
     description:
@@ -2066,7 +2063,7 @@ const options: RenovateOptions[] = [
       minimumReleaseAge: null,
       rangeStrategy: 'update-lockfile',
       commitMessageSuffix: '[SECURITY]',
-      branchTopic: `{{{datasource}}}-{{{depName}}}-vulnerability`,
+      branchTopic: `{{{datasource}}}-{{{depNameSanitized}}}-vulnerability`,
       prCreation: 'immediate',
     },
     mergeable: true,