2 | 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", |
3 | 3 | "description": "Base configuration rules with quiet automerging", |
4 | 4 | "extends": [ |
5 | | - // https://docs.renovatebot.com/presets-config/#configrecommended |
6 | | - "config:recommended", |
| 5 | + // https://docs.renovatebot.com/presets-config/#configbest-practices |
| 6 | + "config:best-practices", |
7 | 7 | // This is helpful for seeing the state of dependencies |
8 | 8 | ":dependencyDashboard", |
9 | 9 | // Don't limit the number of PRs we can open |
10 | 10 | ":disableRateLimiting", |
11 | | - // Lock file maintenance is really critical to keeping a repository healthy |
12 | | - ":maintainLockFilesWeekly", |
13 | 11 | // We don't use semantic commits |
14 | 12 | ":semanticCommitsDisabled", |
15 | 13 | // We pin dependencies to keep dependencies deterministic |
16 | 14 | ":pinDependencies", |
17 | 15 | ":pinDevDependencies", |
18 | | - // This isn't part of the recommended config, so adding it as we use vite |
| 16 | + // This isn't part of the core recommendation, so adding it as we use Vite |
19 | 17 | "group:vite", |
20 | | - // Force waiting 3 days for NPM packages before updating |
21 | | - // This helps protect us against any compromised packages and |
22 | | - // from pacakges being deleted from NPM |
| 18 | + // These are included via config:best-practices, but kept explicit because |
| 19 | + // they are critical safeguards we never want to accidentally drop. |
| 20 | + // - Weekly lockfile maintenance keeps dependency metadata healthy. |
| 21 | + // - Minimum release age reduces risk from compromised/fresh npm releases. |
| 22 | + ":maintainLockFilesWeekly", |
23 | 23 | "security:minimumReleaseAgeNpm" |
24 | 24 | ], |
25 | 25 | // Don't separate out PRs for individual major jumps |