Mend Remediate Package Managers Release Notes
Overview
This page describes package manager updates for Mend Renovate and Mend Remediate.
These tools' release schedules and version numbers differ from those of other Mend products.
Click here to access all release notes for Mend’s products
Version 23.11.1
The Mend Renovate OSS was updated from 37.33.1 to 37.52.0.
New feature highlights:
Added support for Kotlin import directives in Gradle
Added ziphash fetching for Terraform lock refreshes
Added support for https options and platform in host rules from env
Made custom datasources mergeable
Added support for Java Semeru and Semeru JRE in ASDF
Added support for GitHub CLI in ASDF
Optimized npm dedupe option
Added support for ASDF plugin manager, SBT and Vault
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.10.2
The Mend Renovate OSS was updated from 36.100.0 to 37.33.1.
New feature highlights:
Added support for extracting buildkite plugins from Bitbucket Cloud
Added support for private crates for Cargo
Always uses 'source' for Terraform modules
Used maintenance fork of npm-run-all
Mapped PHP linters in default linters group
Ignored scripts for pnpm dedupe
Added automatic ghcr.io auth when using GitHub.com
Added support for services key in Woodpecker
Added Maven support for Artifact Registry via Google ADC
Sorted Nuget API response
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.9.2
The Mend Renovate OSS was updated from 36.97.1 to 36.100.0.
New feature highlights:
Added Bazel rule recognition that begins with an underscore
Added security group and OpenSSF badge preset
Added mavenPropertyVersions regexManager
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.9.1
The Mend Renovate OSS was updated from 36.68.0 to 36.97.1.
New feature highlights:
Added support for AWS machine images data source
Added support for Gitea package releases
Allowed versions without quotes in Ansible Galaxy yaml files
Added support for Woodpecker configuration format
Added support for Steampipe package manager
Increased maximum DockerHub package list
Added releaseTimestamp support for DockerHub tags
Added support for Gitea changelogs
Improved Docker data source to support annotations and schemas
Added support for digests from DockerHub
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.8.2
The Mend Renovate OSS was updated from 36.23.0 to 36.68.0.
New feature highlights:
Added new presets for scaffdog monorepo, Pulumi group, testcontainers-node monorepo, unocss monorepo
Improved support for GitHub Actions including auto detecting registry URLs and GitHub Actions runners
Enhanced Docker datasource to enable cache fallback and allow overriding max pages
Added schema validation and parsing for various formats like JSON, TOML, Zod
Extended Result class with methods like wrapNullable, unwrapOrNull, onValue, onError
Improved support for custom managers including customType field and custom.<customMgrName> syntax
Added gitea-tags datasource and allowed overriding package cache TTL
Added support for Nuget VersionPrefix bumping, Composer patch suffixes, and Gradle verification metadata updates
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.7.1
The Mend Renovate OSS was updated from 35.126.0 to 36.23.0.
New feature highlights:
postUpgradeTasks.fileFilters is now optional and defaults to all files
languages
are now calledcategories
instead. UsematchCategories
inpackageRules
Node v19 is no longer supported
datasource:
semver-coerced
is now the default versioningpresets: Preset
config:base
is now calledconfig:recommended
(will be migrated automatically)remove
BUILDPACK
env supportpackage-rules:
matchPackageNames
now matches bothdepName
(existing) andpackageName
(new) and warns if onlydepName
matchesrelease-notes: Release notes won't be fetched early for
commitBody
insertion unless explicitly configured withfetchReleaseNotes=branch
dockerImagePrefix
is now replaced bydockerSidecarImage
matchPaths
andmatchFiles
are now combined intomatchFileNames
, supporting exact match and glob-only. The "any string match" functionality ofmatchPaths
is now removedpresets: v25 compatibility for language-based branch prefixes is removed
npm: Rollback PRs will no longer be enabled by default for npm (they are now disabled by default for all managers)
post-upgrade-tasks: dot files will now be included by default for all minimatch results
platform/gitlab: GitLab
gitAuthor
will change from the account's "email" to "commit_email" if they are different.automerge: Platform automerge will now be chosen by default whenever automerge is enabled.
Post upgrade templating is now allowed by default, as long as the post upgrade task command is itself already allowed.
Official Renovate Docker images now use the "slim" approach with
binarySource=install
by default. e.g.renovate/renovate:latest
is the slim image, not fullThe "full" image is now available via the tag
full
, e.g.renovate/renovate:36-full
, and defaults tobinarySource=global
(no dynamic installs)Third party tools in the full image have been updated to latest/LTS major version
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.6.2
The Mend Renovate OSS was updated from 35.104.0 to 35.126.0.
New feature highlights:
Added timed presets to give Renovate more time to create branches
Added XState monorepo preset
Added endoflife.date datasource
Added support for Java Temurin and Temurin JRE to ASDF manager
Added support for git_override in Bazel module manager
Added support for archive_override and local_path_override in Bazel module manager
Added support for constraints and Erlang v26 to Mix manager
Added support for parsing lockfileVersion=3 to NPM manager
Added incremental sync for version lists to Rubygems manager
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.5.2
The Mend Renovate OSS was updated from 35.56.0 to 35.104.0.
New feature highlights:
Added Poetry support to the ASDF manager
Added Bazel datasource
Added AzureAD/microsoft-identity-web to monorepos preset
Added branch caching for onboarding
Added support for pnpm lock files
Added Flux manager support for OCI Helm repositories
Added properties map support for Gradle kts
Added ECSpresso to ASDF manager
Added support for registry aliases in Terraform manager
Added YAMLfmt to ASDF manager
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.4.2
The Mend Renovate OSS was updated from 35.23.3 to 35.56.0.
New feature highlights:
Support for registry proxy for Docker digest updates
Consolidation of replacement rules
Support for Docker image object in Bitbucket Pipelines
Support for rules_oci/oci_pull for Bazel
Support for years, months, weeks in pretty-time utility
Use of cache to check if repo is onboarded
Addition of JSON parsing functions
Detection of kustomization.yaml for Helmfile
Support for depth argument in Terraform modules
Deprecation of npm-based presets
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.3.2
The Mend Renovate OSS was updated from 35.17.0 to 35.23.3.
New feature highlights:
Better defaults for Codespaces configuration
config: multi-org secrets decrypt
presets:
added containerbase workarounds
added more containerbase replacements
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.3.1
The Mend Renovate OSS was updated from 34.100.1 to 35.17.0.
New feature highlights:
Node v18.12+ is the required runtime for Renovate.
config:
Forked repos will now be processed automatically if autodiscover=false. includeForks is removed and replaced by new option forkProcessing.
containerbase/ account used for sidecar containers instead of renovate/
Renovate now defaults to applying hourly and concurrent PR limits. To revert to unlimited, configure them back to
0
.Renovate will now default to updating locked dependency versions. To revert to previous behavior, configure rangeStrategy=replace.
PyPI releases will no longer be filtered by default based on
constraints.python
compatibility. To retain existing functionality, setconstraintsFiltering=strict
.
Internal checks such as
renovate/stability-days
will no longer count as passing/green, meaning that actions such asautomerge
won't occur if the only checks are Renovate internal ones. SetinternalChecksAsSuccess=true
to restore existing behavior.versioning: default versioning is now
semver-coerced
, instead ofsemver
.datasource/github-releases: Regex Manager configurations relying on the github-release data-source with digests will have different digest semantics. The digest will now always correspond to the underlying Git SHA of the release/version. The old behavior can be preserved by switching to the github-release-attachments datasource.
go: Renovate will now use go's default
GOPROXY
settings. To avoid using the public proxy, configureGOPROXY=direct
.datasource/npm: Package cache will include entries for up to 24 hours after the last lookup. Set cacheHardTtlMinutes=0 to revert to existing behavior.
manager/composer: support git-tags hostRules for github.com when updating artifacts
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.1.2
The Mend Renovate OSS was updated from 34.100.0 to 34.100.1.
NOTE: A full list of features can be found on Octoclairvoyant.
Version 23.1.1
The Mend Renovate OSS was updated from 32.229.0 to 34.100.0.
New feature highlights:
Node 16 is the required runtime for Renovate.
config:
internalChecksFilter
default value is now"strict"
config:
ignoreScripts
default value is nowtrue
. IfallowScripts=true
in global config,ignoreScripts
must be set tofalse
in repo config if you want all repos to run scripts.config:
autodiscover
filters can no longer include commasconfig: boolean variables must be
true
orfalse
when configured in environment variables, and errors will be thrown for invalid values. Previously invalided values were ignored and treated asfalse
.datasource/go:
git-tags
datasource will be used as the fallback instead ofgithub-tags
if a go package's host type is unknown.jsonnet-bundler:
depName
now uses the "absolute import" format (e.g.bar
→github.com/foo/bar/baz-wow
)azure-pipelines: azure-pipelines manager is now disabled by default.
github: No longer necessary to configure
forkMode
. The forking mode is now experimental.Users of
containerbase
images (such as official Renovate images) will now have dynamic package manager installs enabled by default.Dependencies are no longer automatically pinned if
rangeStrategy=auto
, pinning must be opted into usingrangeStrategy=pin
NOTE: A full list of features can be found on Octoclairvoyant.
Version 22.9.1
The Mend Renovate OSS was updated from 32.105.0 to 32.229.0.
New feature highlights:
Renovate now logs when the PR was created and updated in the description of PR.
github: added support of unprefixed App Installation Token.
github: Added a log with warning when GitHub token is not configured
Added support for Hermit and Hermit package manager
Added support for librarian-puppet.
gradle: added support for further apply-from patterns.
manager/elixir: added support for install binary source.
Add support for Kotlin Script.
NOTE: A full list of features can be found on Octoclairvoyant.
Version 22.6.2
Mend Renovate
The Mend Renovate OSS was updated from 32.89.1 to 32.105.0.
New feature highlights:
bazelisk: added support for bazelisk bazelversion files.
go: added support for GOINSECURE.
gradle: added interpolation for local name variable in registry URL.
config: added a print of hostRules when
printConfig=true
.clojure: added support dependencies in
bb.edn
.gradle: added support for versions with underscores.
versioning/redhat: added support for Red Hat release versioning.
NOTE: A full list of features can be found on Octoclairvoyant.
Version 22.6.1
Mend Renovate
The Mend Renovate OSS was updated from 32.10.2 to 32.89.1.
New feature highlights:
yarn: added support to yarn metadata dependency version, it was ignored.
github: created cache data structure that can be used for any paginated data that have
number
andupdated_at
field.nuget:
dotnet restore
applied to all the project files that are dependent on the project file being operated on. This regenerates lock files needed for multi-project builds to succeed.presets: added mono repository Azure Active Directory IdentityModel Extensions for .NET to config presets.
migrations: added support of regular expression as property name for custom migrations.
clojure: Enhanced support for
deps.edn
files
NOTE: A full list of features can be found on Octoclairvoyant.
Package Managers
The following package manager default versions have been updated:
dotnet@3.1.420
composer@2.3.7
lerna@5.1.4
got@11.8.5
yarn@1.22.19
python@3.10.5
php@8.1.17
pnpm@7.2.1
npm@8.12.2
pipenv@2022.6.7
express@4.18.1
Version 22.5.2
Package Managers
The following package manager default versions have been updated:
gradle@7.4.2
php@8.1.6
pnpm@7.1.6
npm@8.11.0
node@16.15.1
helm@3.9.0
git@2.36.1
ruby@3.1.2
php@7.4.29
golang@1.18.3
elixir@1.13.4
pipenv@2022.5.2
python@3.10.4
rust@1.61.0
dotnet@3.1.419
composer@2.3.6
Version 22.3.2
Mend Renovate
The Mend Renovate OSS was updated from 31.28.2 to 32.10.2.
New feature highlights:
gradle: Option
deepExtract
is now removed and will be ignoredSupport for cron syntax for schedules
pip_requirements: added support for packages from a git repository
node: added support for Node.js codenames
ubuntu: added support for Ubuntu codenames
config: read config from branches in baseBranches
npm: support for custom registryUrls
NOTE: A full list of features can be found on Octoclairvoyant.
Package Managers
The following package manager default versions have been updated:
poetry@1.1.13
gradle@6.9.2
composer@2.3.1
elixir@1.13.3
git@2.35.1
golang@1.18.0
dotnet@3.1.417
cocoapods@1.11.3
yarn@1.22.18
php@7.4.28
hashin@0.17.0
helm@3.8.1
npm@8.5.5
pnpm@6.32.3
ruby@3.1.1
rust@1.59.0
pipenv@2022
node@16.14.2
Version 22.2.2
Mend Renovate
The Mend Renovate OSS was updated from 29.18.0 to 31.28.2.
New feature highlights:
Support for Confidential issues in GitLab.
Terraform modules using bitbucket source URLs can be parsed as the
bitbucket-tags
datasource. This will enable theStabilityDays
functionality.Support for updates for buildkite plugins hosted on Github.
Support for plugin entries in the Gradle catalog using the short string-form syntax.
Ssupport for the composer platform package for constraint extraction.
Added sentry-dotnet monorepo.
Added ZXing.Net monorepo.
Support
getDigest
for GitLab repositories.Added 'and', 'or' and 'containsString' to handlebar helpers
Added autodiscovery support for Github App
NOTE: A full list of features can be found on Octoclairvoyant.
Package Managers
The following package manager default versions have been updated:
node@16.13.1
npm@8.3.0
dotnet@3.1.416
Version 21.11.1
Mend Renovate
The Mend Renovate OSS was updated from 27.31.10 to 29.18.0.
New feature highlights:
Platform automerge is no longer enabled by default.
Go: modules lookups will now no longer fallback to Renovate native lookups if GOPROXY is configured and without "direct" explicitly configured.
Manager/regex: allow arbitrary regex groups for templates.
Config:
hostRules
are no longer automatically derived from env variables such asNPM_X_TOKEN
.
NOTE: A full list of features can be found on Octoclairvoyant.
Package Managers
The following package manager default versions have been updated:
yarn@1.22.17
php@7.4.26
composer@2.1.12
golang@1.17.3
pipenv@2021.11.15
rust@1.56.1
pnp@6.22.2
dotnet@3.1.415
helm@3.7.1
Version 21.9.1.1
Mend Renovate
The Mend Renovate OSS was updated from 27.14.2 to 27.31.10.
New feature highlights:
Added option to write discovered repositories to a json.
Composer: added support for authentication for http-basic and bearer types.
Go modules: added support for in gitlab subgroups.
Docker: added support for authenticating at ECR with session tokens.
GitHub Actions: added support for composite actions.
Helm: added support for inline image definitions.
NOTE: A full list of features can be found on Octoclairvoyant.
Package Managers
The following package manager default versions have been updated:
node@14.18.1
yarn@1.22.15
gradle@6.9.1
elixir@1.12.3
php@7.4.24
composer@2.1.9
golang@1.17.2
python@3.9.7
poetry@1.1.11
rust@1.55.0
cocoapods@1.11.2
pnpm@6.16.1
dotnet@3.1.414
helm@3.7.0
Version 21.8.2
Mend Renovate
The Mend Renovate OSS was updated from 25.76.2 to 27.14.2.
Important or breaking changes:
git-submodules: Git Submodules cloning now needs to be explicitly enabled
yarn: It is no longer supported to configure a "yarnrc" override in Renovate config
gradle: Gradle extraction now defaults to JS-based parsing (previously "gradle-lite")
pre-commit manager is no longer enabled by default and must be opted into manually
Dependency Dashboard is now enabled by default in the config:base preset
Git: Blobless git cloning is now used, instead of shallow clone
Significant features:
go: GOPROXY support
rubygems: support GitHub Packages
docker: use HEAD requests as optimization
git: gitAuthor is repo-configurable
gradle: Add support for Gradle's TOML version Catalogs
helmv3: support helm chart dependencies in OCI images
Package Managers
Third-party package managers are unchanged.
Version 21.8.1
Mend Renovate
The Mend Renovate OSS was updated from 25.48.0 to 25.76.2. These changes mostly do not affect Remediate users, which use Remediate-only mode and have not enabled Renovate.
New feature highlights:
Added dependency dashboard label configuration
Added support for Terraform community providers during lock file generation.
The regex versioning now supports an optional
build
match group, which is handled as 4th version part.Added an implementation of
getDigest()
for thegithub-releases
datasource.Supporting tag dependencies extraction for the GitLab and vanilla git
NOTE: A full list of features can be found on Octoclairvoyant
Package Managers
The following package manager default versions have been updated:
cocoapods@1.10.2
composer@2.1.6
dotnet@3.1.412
elixir@1.12.2
git@2.33.0
golang@1.17.0
helm@3.6.3
java@11.0.12
node@14.17.5
openjdk@16.0.2
php@7.4.22
pnpm@6.12.1
poetry@1.1.8
python@3.9.6
ruby@3.0.2
rust@1.54.0
yarn@1.22.11
Version 21.6.2
Mend Renovate
The Mend Renovate OSS was updated from 24.119.14 to 25.48.0. These changes mostly do not affect Remediate users, which use Remediate-only mode and have not enabled Renovate.
Important changes:
Remediate will no longer read
~/.npmrc
from disk. npm credentials can be configured in multiple other ways described in Private Packages, including environment variables or a configuration file.Major updates for Docker dependencies will now be enabled by default.
Grouping of Node.js packages into a single PR is no longer hardcoded. If you are not already using the
config:base
preset then you can addgroup:Nodejs
to yourextends
instead.Patch updates are not considered updateType=minor by default, so any rules you have for
minor
need to havepatch
added to them in order to take effect. It is no necessary to configureseparateMinorPatch
in order to applypatch
rules.trustLevel
is no longer supported and instead broken intoallowCustomCrateRegistries
,allowScripts
, andexposeAllEnv
.
NOTE: A full list of changes can be found on Octoclairvoyant
Package Managers
The following package manager default versions have been updated:
git@2.32.2
node@14.17.1
elixir@1.12.1
php@7.4.20
composer@2.1.3
golang@1.16.5
python@3.9.5
pipenv@2021.5.29
rust@1.53.0
pnpm@6.8.0
dotnet@3.1.410
lerna@4.0.0
helm@3.6.1