Note: This repository is marked as Experimental. The configuration is under active development and may change. Please provide feedback and expect improvements over time.
Dependency updates are a leading cause of security incidents, outages, and technical debt. Renovate automates this critical maintenance task, saving your team time and reducing risk.
What you get with this shared configuration:
- Security: Global pinning to SHAs/digests for supply chain security
- Efficiency: Grouped PRs by ecosystem (JS/TS, Python, Java, Actions, Docker, etc.)
- Safety: Automerge for safe updates (minor, patch, linters, etc.)
- Stability: Prerelease blocking (e.g.,
-alpha,-beta,-rc, etc.) - Management: Dependency dashboard for tracking
- No immortal PRs: Closed PRs are not recreated
- Smart timing: Minimum release age (7 days) to avoid just-published breaking changes
- Language-specific grouping: Optimized rules for each ecosystem
- GitHub Actions policy: actions/docker/github orgs unpinned, all others pinned
Adopting this configuration means your team is following bcgov and NRIDS best practices for dependency management, supply chain security, and automation.
-
Enable Mend Renovate for your repository:
- BCGov: Create a devops-requests issue to join the Mend Renovate GitHub App.
- Other orgs: Use the Mend Renovate GitHub App.
-
Once approved a PR will be sent with a configuration file like the one in this repo.
-
Merge the PR or create your own renovate.json file. Renovate will scan your repo and open PRs for outdated dependencies.
That's it! Renovate will automatically keep your dependencies up to date and secure.
- "Updating dependencies will break my build." Most updates are safe, grouped, and automerged. Renovate makes it easy to review and test changes before merging.
- "It's too much work." Renovate automates the heavy lifting. You only need to review grouped PRs - far less work than dealing with large, overdue upgrades.
- "We don't have time." Regular small updates are much less disruptive than rare, major upgrades. Proactive maintenance saves time and reduces risk.
Q: What if a dependency update breaks my build?
- Best practice: adapt your code/config to support updated dependencies. Ignore only as a temporary measure.
Q: How do I customize the config?
- Add custom rules after the
extendsline in yourrenovate.json. See the Renovate docs.
Q: How do I get help?
- See CONTRIBUTING.md or open an issue.
Use Versioned Releases (SemVer-Compatible Calendar Versioning):
{
"extends": ["github>bcgov/renovate-config#2026.4.0"]
}- Quarterly releases (month segment reflects the release month) - thoroughly tested, stable updates.
- SemVer-Compatible CalVer (
YYYY.M.Patchformat) ensures compatibility with automated tools like Renovate and Dependabot out of the box. - No leading zeros in month segments (e.g., use
.4instead of.04). - Always specify a third segment (e.g.,
.0for the initial release) so standard SemVer parsers can compare versions correctly and trigger automatic downstream updates.
Testing Only (Not Recommended for Production):
{
"extends": ["github>bcgov/renovate-config"]
}Warning: Latest changes from main branch - may include breaking updates. Warning: Use only for internal testing and development projects.
Migration & Auto-Updates:
Three-Segment Standard: All releases are published as YYYY.Month.Patch (e.g., 2025.10.1, 2026.4.0).
Seamless Propagation: By maintaining three-segment SemVer compatibility, Renovate will naturally detect newer releases and open automated PRs to update your repositories' pins.
Historically, this configuration was split across multiple files (e.g., rules-*.json5). Those legacy presets are no longer maintained on main; all rules are now consolidated into default.json to address key Renovate limitations and ensure version stability.
| File | Purpose |
|---|---|
renovate.json |
Entry point for downstream repositories referencing this configuration. |
default.json |
The single consolidated Renovate preset containing all shared configuration rules. |
rules-*.json5 |
[LEGACY] Old language-specific configurations. |
Warning
The rules-*.json5 files are legacy configurations and will be deleted once our transition to the new system is fully complete.
Renovate has two design limitations that necessitate a single, consolidated configuration file:
- Preset Tag/Branch Inheritance: Renovate does not propagate the parent version tag/branch (e.g.,
#2026.7.0) down to nested preset extensions. Ifdefault.jsonextends sub-files (likerules-java.json5), downstream repositories that version-lock to#2026.7.0will resolvedefault.jsoncorrectly at that tag, but Renovate will fetch the nested rules from the defaultmainbranch. This breaks SemVer isolation. Consolidating all rules directly intodefault.jsonguarantees version locking. - Hardcoded Lookup: When downstream configurations extend
github>bcgov/renovate-config#<version>(omitting a specific file path), Renovate's resolver hardcodes the lookup specifically todefault.json. We cannot rename the file todefault.jsoncordefault.json5without forcing all downstream repositories to explicitly update theirextendstargets.
Although standard JSON does not support comments, Renovate parses all .json configuration and preset files through a JSONC-compliant parser (jsonc-weaver) as its primary code path.
Lines starting with // are safely stripped during Renovate's ingestion process.
The default.json file is structured into the following sections using comment dividers:
Configures global Renovate scheduler windows (such as processing updates on weekdays between 2 AM and 8 AM Pacific Time to avoid peak hours), automerge capabilities, vulnerability alert priorities, and a global block list that prevents updates to unstable pre-release versions (alpha, beta, rc, dev, etc.).
Consolidates and groups non-major updates for infrastructure managers:
- Managers covered: Terraform, Dockerfile, Kubernetes, Helm, and Docker Compose.
- Actions: Groups updates into a single
infrastructure updatesPR to reduce noise. - GitHub Actions: Groups non-major action updates while keeping major updates separate.
- Database Safety: Explicitly blocks major database upgrades (PostgreSQL, MySQL, MariaDB, MongoDB, Redis) to prevent accidental data loss or container start failures without manual migration.
- Pinning: Globally pins all digests and SHAs for Maven and Gradle dependencies to guarantee supply chain security.
- Grouping: Combines Maven and Gradle non-major updates into a single
java dependenciesPR. Also groups Spring Framework updates.
- Pinning: Enforces SHA/digest pinning for package managers (
npm,yarn,pnpm,bun). - Grouping: Consolidates non-major updates into a single
node dependenciesPR. - Framework Bundles: Automatically groups related library updates to prevent compilation errors (e.g.,
@angular/*, NestJS ecosystem, Vite, React Redux, Playwright,@mui/*, and frontend linters/Prettier/ESLint).
- Pinning: Pin digests/SHAs for Python package managers (
pip_requirements,pip_setup,pipenv,poetry,uv,pep621,pip-compile). - Grouping: Consolidates non-major dependencies into a single
python dependenciesPR. - Library Bundles: Automatically groups related library updates for common Python stacks (e.g., FastAPI/Starlette/Uvicorn, Pytest/coverage/mock, SQLAlchemy/Alembic/SQLModel, Boto3/Botocore, Pydantic, AI/ML libraries like HuggingFace and LangChain, and Python linters like Ruff/Black/Flake8).
Be respectful and constructive. Open an issue for questions, problems, or suggestions. Submit PRs for improvements.
For urgent matters: Use GitHub issues to ensure visibility and response.
This policy covers how teams should handle automated dependency updates from Renovate and vulnerability alerts from CodeQL and Trivy via GitHub Security Alerts.
| Source | Type | What It Does |
|---|---|---|
| Renovate | Dependency update PRs | Detects outdated dependencies and opens PRs to update them |
| CodeQL | Static analysis alerts | Identifies security vulnerabilities in your source code (injections, XSS, etc.) |
| Trivy | Container/IaC/dep alerts | Scans Docker images, IaC files, and dependencies for known CVEs and misconfigurations |
| Severity | Renovate PR | CodeQL Alert | Trivy Alert | Response Target |
|---|---|---|---|---|
| Critical | CVE with active exploit or RCE | Injection, auth bypass, hardcoded secrets | OS/package CVE with known exploit | 24 hours |
| High | Major version with security fix | Unsafe deserialization, path traversal | High-severity OS/package CVE | 1 week |
| Medium | Minor version with security fix | Weak crypto, missing input validation | Medium-severity findings | 2 weeks |
| Low | Patch update, no known CVE | Code quality, informational | Low-severity findings | Next sprint |
Renovate is configured to automerge safe updates. These typically merge without manual intervention:
- Patch and minor semver-compatible updates
- Linters and devDependency updates
- Lock file maintenance
Action: Let automerge handle these. Monitor CI for failures.
The following require manual review before merging:
- Major version bumps — check changelog/release notes for breaking changes
- Infrastructure updates (Terraform, Docker, Kubernetes, Helm) — verify compatibility with your deployment
- Database image updates — major DB version updates are blocked by default; minor/patch still need review
- Security-flagged updates — Renovate may label PRs with known CVEs
- Read the PR description — Renovate includes release notes, changelog links, and upgrade guides
- Check CI status — ensure tests pass before merging
- Review breaking changes — for major bumps, read the migration guide
- Merge during low-risk windows — avoid merging large updates on Fridays or before deployments
- Verify after merge — confirm the application deploys and runs correctly
Use packageRules in your renovate.json to:
- Block a specific version if it introduces regressions:
{ "packageRules": [ { "matchPackageNames": ["some-package"], "matchCurrentVersion": ">=3.0.0", "enabled": false } ] } - Pin to a specific version temporarily while waiting for a fix upstream
Best practice: Blocking or pinning should be temporary. Always include a comment or linked issue explaining why.
- Open GitHub > Security > Code Scanning Alerts
- Triage each alert using the priority matrix above
- For valid findings:
- Fix the code and push a commit that closes the alert
- Reference the alert number in your commit message
- For false positives:
- Dismiss with a reason in the GitHub UI
- Document the dismissal rationale
- Open GitHub > Security > Vulnerability Alerts or check the Trivy workflow output
- Container image CVEs:
- Update the base image in your Dockerfile
- Renovate will handle automated updates for pinned base images
- Dependency CVEs:
- Update the dependency (Renovate may already have a PR open)
- If no fix is available, assess whether the vulnerability is exploitable in your context and add a suppression if appropriate
- IaC misconfigurations:
- Fix the Terraform/Kubernetes/Helm configuration
- Consult the Trivy documentation for remediation guidance
Renovate maintains a Dependency Dashboard issue in each repository. Use it to:
- See all pending updates at a glance
- Trigger updates on-demand (check the checkbox to force-create a PR)
- Track which updates are awaiting approval vs. automerge
These settings in the shared config affect security posture:
| Setting | Value | Purpose |
|---|---|---|
:enableVulnerabilityAlerts |
Enabled | Renovate creates PRs in response to GitHub vulnerability alerts |
minimumReleaseAge |
7 days | Avoids adopting newly published (potentially compromised) packages immediately |
prConcurrentLimit |
5 | Limits open PRs to reduce noise while maintaining coverage |
schedule |
Between 2am and 8am weekdays | Updates arrive during low-traffic hours |
rebaseWhen |
behind-base-branch |
Automatically rebases open PRs when default branch updates |
updateNotScheduled |
false |
Disables auto-updating/rebasing of PRs outside schedule window to prevent API throttling |
automerge |
true | Safe updates merge automatically |
| Prerelease blocking | Enabled | -alpha, -beta, -rc, etc. are never merged |
If you encounter:
- A critical CVE with no available fix — open an issue in your repository and tag your security team
- A Renovate configuration problem — open an issue in bcgov/renovate-config
- A supply chain compromise suspicion — immediately pin the affected dependency and contact your organization's security team