
chore(deps): add renovate.json for automated dependency updates#561

Merged
Junman140 merged 4 commits into
Pi-Defi-world:devfrom
Code-Paragon:chore/471-add-renovate-config
Jun 29, 2026

Conversation

@Code-Paragon

@Code-Paragon Code-Paragon commented Jun 27, 2026

Contributor

Summary

  • Resolves the lack of automated dependency updates while mitigating supply chain risks.
  • Uses renovate.json targeting the dev branch.
  • Introduces a 7-day minimumReleaseAge for critical packages (Prisma, Stellar, Fintech SDKs) to protect against malicious patch injections.
  • Groups non-critical devDependencies to reduce PR fatigue.
  • Forces immediate, unscheduled PRs for recognized security vulnerabilities (CVEs).

Closes #471

Scope

  • Backend API behavior
  • Build/CI only
  • Docs only
  • Other

Validation

  • pnpm run build
  • pnpm test
  • pnpm lint
    (Note: Build, test, and lint validations were skipped for this PR as they are currently failing on the dev branch due to pre-existing unrelated errors. The Renovate config was validated locally using pnpm dlx renovate-config-validator.)

Links


Summary by CodeRabbit

  • Chores
    • Added dependency update automation with scheduled runs, grouped updates, and automated version pinning.
    • Improved handling of security updates with dedicated alerting and labels for urgent vulnerabilities.
    • Set rules to slow down selected package updates so only stable releases are applied.
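An illustrative renovate.json assembled here to show how the five points in the summary map onto Renovate options. It is an added example, not the file merged in this PR; the package names under the 7-day rule (`prisma`, `@prisma/client`, `@stellar/stellar-sdk`) are assumed stand-ins for the critical packages the summary names, and the `description` fields stand in for comments, which JSON does not allow.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "baseBranches": ["dev"],
  "semanticCommits": "enabled",
  "labels": ["dependencies"],
  "timezone": "Etc/UTC",
  "schedule": ["before 5am on monday"],
  "rangeStrategy": "pin",
  "packageRules": [
    {
      "description": "Critical runtime SDKs (names assumed for illustration): hold new versions for 7 days so a freshly published, possibly malicious or soon-withdrawn patch is not pulled in on release day. With internalChecksFilter strict, too-young versions are skipped rather than proposed.",
      "matchPackageNames": ["prisma", "@prisma/client", "@stellar/stellar-sdk"],
      "minimumReleaseAge": "7 days",
      "internalChecksFilter": "strict"
    },
    {
      "description": "Non-critical tooling: batch into a single PR to reduce review fatigue.",
      "matchDepTypes": ["devDependencies"],
      "groupName": "dev tooling"
    }
  ],
  "vulnerabilityAlerts": {
    "description": "PRs for known CVEs ignore the Monday window and are labelled for triage.",
    "enabled": true,
    "labels": ["security"],
    "schedule": ["at any time"]
  },
  "osvVulnerabilityAlerts": true
}
```

A file like this can be checked locally with `pnpm dlx renovate-config-validator`, which is the validation step the PR description reports.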

@coderabbitai

coderabbitai Bot commented Jun 27, 2026



📥 Commits

Reviewing files that changed from the base of the PR and between 930c169 and f3ad2b6.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • renovate.json
📝 Walkthrough

Walkthrough

Adds a renovate.json configuration for automated dependency updates on dev, with semantic commits, scheduled updates, grouped tooling rules, package-specific release timing, and vulnerability alert handling.

Changes

Dependency automation configuration

Layer / File(s): Renovate configuration (renovate.json)
Summary: Adds Renovate presets, branch targeting, semantic commit settings, update schedules, package rules for selected dependencies, and security alert labeling.


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: adding Renovate configuration for automated dependency updates.
Description check ✅ Passed The description covers Summary, Scope, Validation, and Links, and explains the skipped checks and issue reference.
Linked Issues check ✅ Passed The changes add automated dependency-update config as requested in #471 and address the security-update gap described there.
Out of Scope Changes check ✅ Passed The PR appears limited to renovate.json configuration and does not introduce unrelated code changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@drips-wave

drips-wave Bot commented Jun 27, 2026


@Code-Paragon Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
renovate.json (1)

13-13: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Add timezone for schedule clarity.

Without an explicit timezone, "before 5am on monday" is interpreted as UTC. Add "timezone": "Etc/UTC" (or your team's zone like "Africa/Lagos", "America/New_York") to make schedule intent explicit and avoid confusion.

   "labels": ["dependencies"],
+  "timezone": "Etc/UTC",
   "schedule": ["before 5am on monday"],
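Review bot: Placing `"timezone": "Etc/UTC"` beside `"schedule": ["before 5am on monday"]` is the right fix, but note that `timezone` is a global option, not part of a schedule block: its value must be an IANA zone name, and any `schedule` added later under `packageRules` will inherit it. If the team reads Monday-morning PRs in a local zone, set that zone here rather than UTC so the 5am cutoff matches working hours.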


📥 Commits

Reviewing files that changed from the base of the PR and between d6fa28a and 930c169.

📒 Files selected for processing (1)
  • renovate.json

@Code-Paragon

Contributor Author

CI Failure Analysis (Unrelated to this PR)

The lint-and-test job failed with 1,728 problems, but these are unrelated to the addition of renovate.json. The failures stem from two codebase-wide configuration issues currently present in the environment or base branch:

  1. ESLint Misconfiguration: Every file is throwing Definition for rule 'reportUnusedDisableDirectives' was not found. This indicates a mismatch between the ESLint version and how this rule is declared in the config file (it likely needs to be a top-level property rather than inside the rules object, or dependencies are out of sync).
  2. Prettier Line-Ending Mismatch: The vast majority of the errors are formatting complaints regarding line breaks (prettier/prettier). This usually points to an active LF vs CRLF line-ending conflict on the runner, or an out-of-sync base branch that needs a global pnpm run lint --fix.

Since this PR only introduces the renovate.json file, these systemic lint issues will need to be addressed in a separate infrastructure/tooling fix on main.

@Junman140 Junman140 merged commit b942f6f into Pi-Defi-world:dev Jun 29, 2026
2 of 3 checks passed

Development

Successfully merging this pull request may close these issues.

No renovate.json or Dependabot config for automated dependency updates
