Keep patch/minor/major intermediates MR with osvVulnerabilityAlerts enable #21763
Replies: 2 comments
- If I understand you correctly, you're suggesting that renovate assigns vulnerabilities to individual updates, for which you would then get individual PRs. In that case, renovate would have to check for every single available update version that renovate wants to create a PR for, whether it is affected by one or multiple vulnerabilities and if so, make it a vulnerability fix PR. This would be quite the opposite of how it is implemented right now, where, behind the scenes, renovate creates a package rule for each vulnerability finding. The version that fixes all found issues then acts as a lower bound constraint when selecting updates and, of course, that specific version needs to be present in the list of available updates.
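The selection rule described in the reply above, as an added illustration written for this discussion (it is not Renovate's own code and does not reproduce its internals): every vulnerability finding contributes a "fixed in" version, the highest of those becomes a lower bound on the updates that are offered, and the fix PR can only be created when that exact version is actually in the list of available updates. The package name, version list and advisory identifiers are constructed sample data; version comparison assumes plain numeric `major.minor.patch` strings.

```typescript
// Added example, not Renovate source: model of "one package rule per finding,
// fix version acts as a lower bound, fix version must be available".

interface Finding {
  id: string;      // advisory identifier; constructed placeholders below
  fixedIn: string; // first version that no longer carries the issue
}

interface UpdatePlan {
  lowerBound: string | null; // version that fixes every finding, if any
  fixUpdate: string | null;  // that version, if it is actually available
  suppressed: string[];      // updates newer than current but below the bound
  candidates: string[];      // updates still eligible for regular PRs
}

// Numeric "major.minor.patch" comparison. Assumption: no pre-release tags.
function compareVersions(a: string, b: string): number {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

function planUpdates(current: string, available: string[], findings: Finding[]): UpdatePlan {
  // Each finding is a rule "at least fixedIn"; the strictest rule wins.
  let lowerBound: string | null = null;
  for (const f of findings) {
    if (lowerBound === null || compareVersions(f.fixedIn, lowerBound) > 0) {
      lowerBound = f.fixedIn;
    }
  }

  // Only versions newer than the current one are updates at all.
  const newer = available
    .filter((v) => compareVersions(v, current) > 0)
    .sort(compareVersions);

  if (lowerBound === null) {
    return { lowerBound, fixUpdate: null, suppressed: [], candidates: newer };
  }

  const bound = lowerBound;
  const suppressed = newer.filter((v) => compareVersions(v, bound) < 0);
  const candidates = newer.filter((v) => compareVersions(v, bound) >= 0);
  // The fix version must itself be published; otherwise no fix PR is possible.
  const fixUpdate = newer.indexOf(bound) >= 0 ? bound : null;

  return { lowerBound, fixUpdate, suppressed, candidates };
}

// Constructed sample data for a hypothetical dependency currently at 1.2.0.
const SAMPLE_AVAILABLE = ['1.2.1', '1.3.0', '1.4.2', '2.0.0'];
const SAMPLE_FINDINGS: Finding[] = [
  { id: 'CONSTRUCTED-ADVISORY-1', fixedIn: '1.3.0' },
  { id: 'CONSTRUCTED-ADVISORY-2', fixedIn: '1.4.2' },
];

console.log(planUpdates('1.2.0', SAMPLE_AVAILABLE, SAMPLE_FINDINGS));
```

With the sample data the bound is 1.4.2, so 1.2.1 and 1.3.0 are never offered even though 1.3.0 would close one of the two findings; this is exactly the intermediate PRs the original post asks to keep. If 1.4.2 were not among the available versions, no fix update would be produced at all.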
- Today we have a rule where if a vulnerability fix is available for a dependency then we block any other PRs. You'd like to still receive them? Can you create a reproduction to demonstrate?
- Type of discussion: I'm proposing an idea

Tell us more:
If I activate osvVulnerabilityAlerts, patch/minor/major intermediate PRs for a dependency are not created; it creates only PRs that fix vulnerabilities of the dependency. Is there a way to keep all patch/minor/major intermediate PRs, even if there are vulnerabilities for these versions of the dependency?
Sometimes it can be complicated to upgrade to the version that fixes all vulnerabilities of a dependency, and some other patch/minor/major versions can fix some of the most important vulnerabilities without a lot of work.