Mend Remediate Package Managers Release Notes

Overview

This page describes package manager updates for Mend Renovate and Mend Remediate.

These tools' release schedules and version numbers differ from those of other Mend products.

Click here to access all release notes for Mend’s products

Version 23.11.1

The Mend Renovate OSS was updated from 37.33.1 to 37.52.0.

New feature highlights:

• Added support for Kotlin import directives in Gradle

• Added ziphash fetching for Terraform lock refreshes  

• Added support for https options and platform in host rules from env

• Made custom datasources mergeable

• Added support for Java Semeru and Semeru JRE in ASDF

• Added support for GitHub CLI in ASDF

• Optimized npm dedupe option   

• Added support for ASDF plugin manager, SBT and Vault

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.10.2

The Mend Renovate OSS was updated from 36.100.0 to 37.33.1.

New feature highlights:

• Added support for extracting buildkite plugins from Bitbucket Cloud

• Added support for private crates for Cargo  

• Always uses 'source' for Terraform modules

• Used maintenance fork of npm-run-all

• Mapped PHP linters in default linters group

• Ignored scripts for pnpm dedupe

• Added automatic ghcr.io auth when using GitHub.com

• Added support for services key in Woodpecker

• Added Maven support for Artifact Registry via Google ADC

• Sorted Nuget API response

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.9.2

The Mend Renovate OSS was updated from 36.97.1 to 36.100.0.

New feature highlights:

• Added Bazel rule recognition that begins with an underscore

• Added security group and OpenSSF badge preset

• Added mavenPropertyVersions regexManager

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.9.1

The Mend Renovate OSS was updated from 36.68.0 to 36.97.1.

New feature highlights:

• Added support for AWS machine images data source

• Added support for Gitea package releases

• Allowed versions without quotes in Ansible Galaxy yaml files

• Added support for Woodpecker configuration format

• Added support for Steampipe package manager

• Increased maximum DockerHub package list  

• Added releaseTimestamp support for DockerHub tags

• Added support for Gitea changelogs

• Improved Docker data source to support annotations and schemas

• Added support for digests from DockerHub

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.8.2

The Mend Renovate OSS was updated from 36.23.0 to 36.68.0.

New feature highlights:

• Added new presets for scaffdog monorepo, Pulumi group, testcontainers-node monorepo, unocss monorepo 

• Improved support for GitHub Actions including auto detecting registry URLs and GitHub Actions runners

• Enhanced Docker datasource to enable cache fallback and allow overriding max pages

• Added schema validation and parsing for various formats like JSON, TOML, Zod

• Extended Result class with methods like wrapNullable, unwrapOrNull, onValue, onError

• Improved support for custom managers including customType field and custom.<customMgrName> syntax

• Added gitea-tags datasource and allowed overriding package cache TTL

• Added support for Nuget VersionPrefix bumping, Composer patch suffixes, and Gradle verification metadata updates

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.7.1

The Mend Renovate OSS was updated from 35.126.0 to 36.23.0.

New feature highlights:

• postUpgradeTasks.fileFilters is now optional and defaults to all files

• languages are now called categories instead. Use matchCategories in packageRules

• Node v19 is no longer supported

• datasource: semver-coerced is now the default versioning

• presets: Preset config:base is now called config:recommended (will be migrated automatically)

• remove BUILDPACK env support

• package-rules: matchPackageNames now matches both depName (existing) and packageName (new) and warns if only depName matches

• release-notes: Release notes won't be fetched early for commitBody insertion unless explicitly configured with fetchReleaseNotes=branch

• dockerImagePrefix is now replaced by dockerSidecarImage

• matchPaths and matchFiles are now combined into matchFileNames, supporting exact match and glob-only. The "any string match" functionality of matchPaths is now removed

• presets: v25 compatibility for language-based branch prefixes is removed

• npm: Rollback PRs will no longer be enabled by default for npm (they are now disabled by default for all managers)

• post-upgrade-tasks: dot files will now be included by default for all minimatch results

• platform/gitlab: GitLab gitAuthor will change from the account's "email" to "commit_email" if they are different.

• automerge: Platform automerge will now be chosen by default whenever automerge is enabled.

• Post upgrade templating is now allowed by default, as long as the post upgrade task command is itself already allowed.

• Official Renovate Docker images now use the "slim" approach with binarySource=install by default. e.g. renovate/renovate:latest is the slim image, not full

• The "full" image is now available via the tag full, e.g. renovate/renovate:36-full, and defaults to binarySource=global (no dynamic installs)

• Third party tools in the full image have been updated to latest/LTS major version

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.6.2

The Mend Renovate OSS was updated from 35.104.0 to 35.126.0.

New feature highlights:

• Added timed presets to give Renovate more time to create branches 

• Added XState monorepo preset

• Added endoflife.date datasource

• Added support for Java Temurin and Temurin JRE to ASDF manager

• Added support for git_override in Bazel module manager  

• Added support for archive_override and local_path_override in Bazel module manager

• Added support for constraints and Erlang v26 to Mix manager

• Added support for parsing lockfileVersion=3 to NPM manager

• Added incremental sync for version lists to Rubygems manager

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.5.2

The Mend Renovate OSS was updated from 35.56.0 to 35.104.0.

New feature highlights:

• Added Poetry support to the ASDF manager

• Added Bazel datasource 

• Added AzureAD/microsoft-identity-web to monorepos preset

• Added branch caching for onboarding

• Added support for pnpm lock files

• Added Flux manager support for OCI Helm repositories

• Added properties map support for Gradle kts

• Added ECSpresso to ASDF manager 

• Added support for registry aliases in Terraform manager

• Added YAMLfmt to ASDF manager

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.4.2

The Mend Renovate OSS was updated from 35.23.3 to 35.56.0.

New feature highlights:

• Support for registry proxy for Docker digest updates

• Consolidation of replacement rules   

• Support for Docker image object in Bitbucket Pipelines

• Support for rules_oci/oci_pull for Bazel

• Support for years, months, weeks in pretty-time utility

• Use of cache to check if repo is onboarded

• Addition of JSON parsing functions

• Detection of kustomization.yaml for Helmfile

• Support for depth argument in Terraform modules

• Deprecation of npm-based presets

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.3.2

The Mend Renovate OSS was updated from 35.17.0 to 35.23.3.

New feature highlights:

• Better defaults for Codespaces configuration

• config: multi-org secrets decrypt

• presets:

  • added containerbase workarounds

  • added more containerbase replacements

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.3.1

The Mend Renovate OSS was updated from 34.100.1 to 35.17.0.

New feature highlights:

• Node v18.12+ is the required runtime for Renovate.

• config:

  • Forked repos will now be processed automatically if autodiscover=false. includeForks is removed and replaced by new option forkProcessing.

  • containerbase/ account used for sidecar containers instead of renovate/

  • Renovate now defaults to applying hourly and concurrent PR limits. To revert to unlimited, configure them back to 0.

  • Renovate will now default to updating locked dependency versions. To revert to previous behavior, configure rangeStrategy=replace.

  • PyPI releases will no longer be filtered by default based on constraints.python compatibility. To retain existing functionality, set constraintsFiltering=strict.

• Internal checks such as renovate/stability-days will no longer count as passing/green, meaning that actions such as automerge won't occur if the only checks are Renovate internal ones. Set internalChecksAsSuccess=true to restore existing behavior.

• versioning: default versioning is now semver-coerced, instead of semver.

• datasource/github-releases: Regex Manager configurations relying on the github-release data-source with digests will have different digest semantics. The digest will now always correspond to the underlying Git SHA of the release/version. The old behavior can be preserved by switching to the github-release-attachments datasource.

• go: Renovate will now use go's default GOPROXY settings. To avoid using the public proxy, configure GOPROXY=direct.

• datasource/npm: Package cache will include entries for up to 24 hours after the last lookup. Set cacheHardTtlMinutes=0 to revert to existing behavior.

• manager/composer: support git-tags hostRules for github.com when updating artifacts

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.1.2

The Mend Renovate OSS was updated from 34.100.0 to 34.100.1.

NOTE: A full list of features can be found on Octoclairvoyant.

Version 23.1.1

The Mend Renovate OSS was updated from 32.229.0 to 34.100.0.

New feature highlights:

• Node 16 is the required runtime for Renovate.

• config: internalChecksFilter default value is now "strict"

• config: ignoreScripts default value is now true. If allowScripts=true in global config, ignoreScripts must be set to false in repo config if you want all repos to run scripts.

• config: autodiscover filters can no longer include commas

• config: boolean variables must be true or false when configured in environment variables, and errors will be thrown for invalid values. Previously invalided values were ignored and treated as false.

• datasource/go: git-tags datasource will be used as the fallback instead of github-tags if a go package's host type is unknown.

• jsonnet-bundler: depName now uses the "absolute import" format (e.g. bar → github.com/foo/bar/baz-wow)

• azure-pipelines: azure-pipelines manager is now disabled by default.

• github: No longer necessary to configure forkMode. The forking mode is now experimental.

• Users of containerbase images (such as official Renovate images) will now have dynamic package manager installs enabled by default.

• Dependencies are no longer automatically pinned if rangeStrategy=auto, pinning must be opted into using rangeStrategy=pin

NOTE: A full list of features can be found on Octoclairvoyant.

Version 22.9.1

The Mend Renovate OSS was updated from 32.105.0 to 32.229.0.

New feature highlights:

• Renovate now logs when the PR was created and updated in the description of PR.

• github: added support of unprefixed App Installation Token.

• github: Added a log with warning when GitHub token is not configured

• Added support for Hermit and Hermit package manager

• Added support for librarian-puppet.

• gradle: added support for further apply-from patterns.

• manager/elixir: added support for install binary source.

• Add support for Kotlin Script.

NOTE: A full list of features can be found on Octoclairvoyant.

Version 22.6.2

Mend Renovate

The Mend Renovate OSS was updated from 32.89.1 to 32.105.0.

New feature highlights:

• bazelisk: added support for bazelisk bazelversion files.

• go: added support for GOINSECURE.

• gradle: added interpolation for local name variable in registry URL.

• config: added a print of hostRules when printConfig=true.

• clojure: added support dependencies in bb.edn.

• gradle: added support for versions with underscores.

• versioning/redhat: added support for Red Hat release versioning.

NOTE: A full list of features can be found on Octoclairvoyant.

Version 22.6.1

Mend Renovate

The Mend Renovate OSS was updated from 32.10.2 to 32.89.1.

New feature highlights:

• yarn: added support to yarn metadata dependency version, it was ignored.

• github: created cache data structure that can be used for any paginated data that have number and updated_at field.

• nuget: dotnet restore applied to all the project files that are dependent on the project file being operated on. This regenerates lock files needed for multi-project builds to succeed.

• presets: added mono repository Azure Active Directory IdentityModel Extensions for .NET to config presets.

• migrations: added support of regular expression as property name for custom migrations.

• clojure: Enhanced support for deps.edn files

NOTE: A full list of features can be found on Octoclairvoyant.

Package Managers

The following package manager default versions have been updated:

• dotnet@3.1.420

• composer@2.3.7

• lerna@5.1.4

• got@11.8.5

• yarn@1.22.19

• python@3.10.5

• php@8.1.17

• pnpm@7.2.1

• npm@8.12.2

• pipenv@2022.6.7

• express@4.18.1

Version 22.5.2

Package Managers

The following package manager default versions have been updated:

• gradle@7.4.2

• php@8.1.6

• pnpm@7.1.6

• npm@8.11.0

• node@16.15.1

• helm@3.9.0

• git@2.36.1

• ruby@3.1.2

• php@7.4.29

• golang@1.18.3

• elixir@1.13.4

• pipenv@2022.5.2

• python@3.10.4

• rust@1.61.0

• dotnet@3.1.419

• composer@2.3.6

Version 22.3.2

Mend Renovate

The Mend Renovate OSS was updated from 31.28.2 to 32.10.2.

New feature highlights:

• gradle: Option deepExtract is now removed and will be ignored

• Support for cron syntax for schedules

• pip_requirements: added support for packages from a git repository

• node: added support for Node.js codenames

• ubuntu: added support for Ubuntu codenames

• config: read config from branches in baseBranches

• npm: support for custom registryUrls

NOTE: A full list of features can be found on Octoclairvoyant.

Package Managers

The following package manager default versions have been updated:

• poetry@1.1.13

• gradle@6.9.2

• composer@2.3.1

• elixir@1.13.3

• git@2.35.1

• golang@1.18.0

• dotnet@3.1.417

• cocoapods@1.11.3

• yarn@1.22.18

• php@7.4.28

• hashin@0.17.0

• helm@3.8.1

• npm@8.5.5

• pnpm@6.32.3

• ruby@3.1.1

• rust@1.59.0

• pipenv@2022

• node@16.14.2

Version 22.2.2

Mend Renovate

The Mend Renovate OSS was updated from 29.18.0 to 31.28.2.

New feature highlights:

• Support for Confidential issues in GitLab.

• Terraform modules using bitbucket source URLs can be parsed as the bitbucket-tags datasource. This will enable the StabilityDays functionality.

• Support for updates for buildkite plugins hosted on Github.

• Support for plugin entries in the Gradle catalog using the short string-form syntax.

• Ssupport for the composer platform package for constraint extraction.

• Added sentry-dotnet monorepo.

• Added ZXing.Net monorepo.

• Support getDigest for GitLab repositories.

• Added 'and', 'or' and 'containsString' to handlebar helpers

• Added autodiscovery support for Github App

NOTE: A full list of features can be found on Octoclairvoyant.

Package Managers

The following package manager default versions have been updated:

• node@16.13.1

• npm@8.3.0

• dotnet@3.1.416

Version 21.11.1

Mend Renovate

The Mend Renovate OSS was updated from 27.31.10 to 29.18.0.

New feature highlights:

• Platform automerge is no longer enabled by default.

• Go: modules lookups will now no longer fallback to Renovate native lookups if GOPROXY is configured and without "direct" explicitly configured.

• Manager/regex: allow arbitrary regex groups for templates.

• Config: hostRules are no longer automatically derived from env variables such as NPM_X_TOKEN.

NOTE: A full list of features can be found on Octoclairvoyant.

Package Managers

The following package manager default versions have been updated:

• yarn@1.22.17

• php@7.4.26

• composer@2.1.12

• golang@1.17.3

• pipenv@2021.11.15

• rust@1.56.1

• pnp@6.22.2

• dotnet@3.1.415

• helm@3.7.1

Version 21.9.1.1

Mend Renovate

The Mend Renovate OSS was updated from 27.14.2 to 27.31.10.

New feature highlights:

• Added option to write discovered repositories to a json.

• Composer: added support for authentication for http-basic and bearer types.

• Go modules: added support for in gitlab subgroups.

• Docker: added support for authenticating at ECR with session tokens.

• GitHub Actions: added support for composite actions.

• Helm: added support for inline image definitions.

NOTE: A full list of features can be found on Octoclairvoyant.

Package Managers

The following package manager default versions have been updated:

• node@14.18.1

• yarn@1.22.15

• gradle@6.9.1

• elixir@1.12.3

• php@7.4.24

• composer@2.1.9

• golang@1.17.2

• python@3.9.7

• poetry@1.1.11

• rust@1.55.0

• cocoapods@1.11.2

• pnpm@6.16.1

• dotnet@3.1.414

• helm@3.7.0

Version 21.8.2

Mend Renovate

The Mend Renovate OSS was updated from 25.76.2 to 27.14.2.

Important or breaking changes:

• git-submodules: Git Submodules cloning now needs to be explicitly enabled

• yarn: It is no longer supported to configure a "yarnrc" override in Renovate config

• gradle: Gradle extraction now defaults to JS-based parsing (previously "gradle-lite")

• pre-commit manager is no longer enabled by default and must be opted into manually

• Dependency Dashboard is now enabled by default in the config:base preset

• Git: Blobless git cloning is now used, instead of shallow clone

Significant features:

• go: GOPROXY support

• rubygems: support GitHub Packages

• docker: use HEAD requests as optimization

• git: gitAuthor is repo-configurable

• gradle: Add support for Gradle's TOML version Catalogs

• helmv3: support helm chart dependencies in OCI images

 Package Managers

Third-party package managers are unchanged.

Version 21.8.1

Mend Renovate

The Mend Renovate OSS was updated from 25.48.0 to 25.76.2. These changes mostly do not affect Remediate users, which use Remediate-only mode and have not enabled Renovate.

New feature highlights:

• Added dependency dashboard label configuration

• Added support for Terraform community providers during lock file generation.

• The regex versioning now supports an optional build match group, which is handled as 4th version part.

• Added an implementation of getDigest() for the github-releases datasource.

• Supporting tag dependencies extraction for the GitLab and vanilla git

NOTE: A full list of features can be found on Octoclairvoyant

Package Managers

The following package manager default versions have been updated:

• cocoapods@1.10.2

• composer@2.1.6

• dotnet@3.1.412

• elixir@1.12.2

• git@2.33.0

• golang@1.17.0

• helm@3.6.3

• java@11.0.12

• node@14.17.5

• openjdk@16.0.2

• php@7.4.22

• pnpm@6.12.1

• poetry@1.1.8

• python@3.9.6

• ruby@3.0.2

• rust@1.54.0

• yarn@1.22.11

Version 21.6.2

Mend Renovate

The Mend Renovate OSS was updated from 24.119.14 to 25.48.0. These changes mostly do not affect Remediate users, which use Remediate-only mode and have not enabled Renovate.

Important changes:

• Remediate will no longer read ~/.npmrc from disk. npm credentials can be configured in multiple other ways described in Private Packages, including environment variables or a configuration file.

• Major updates for Docker dependencies will now be enabled by default.

• Grouping of Node.js packages into a single PR is no longer hardcoded. If you are not already using the config:base preset then you can add group:Nodejs to your extends instead.

• Patch updates are not considered updateType=minor by default, so any rules you have for minor need to have patch added to them in order to take effect. It is no necessary to configure separateMinorPatch in order to apply patch rules.

• trustLevel is no longer supported and instead broken into allowCustomCrateRegistries, allowScripts, and exposeAllEnv.

NOTE: A full list of changes can be found on Octoclairvoyant

Package Managers

The following package manager default versions have been updated:

• git@2.32.2

• node@14.17.1

• elixir@1.12.1

• php@7.4.20

• composer@2.1.3

• golang@1.16.5

• python@3.9.5

• pipenv@2021.5.29

• rust@1.53.0

• pnpm@6.8.0

• dotnet@3.1.410

• lerna@4.0.0

• helm@3.6.1