renovate
Automated dependency updates. Flexible so you don't need to be.
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| license | copyleft-license:AGPL-3.0-only | AI (license): Renovate's declared license; stable across all versions. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): lru-cache is a well-known, widely-trusted package; addition is benign for this established project. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Renovate is a large, actively developed project; incremental file additions are routine across its 8960+ versions. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Renovate publishes extremely frequently via CI; dormancy signal is a false positive for this package. | ai | |
| dependencies | unvetted-dep:conventional-commits-detector | AI (dependencies): Standard utility dep for renovate; no risk signal. | ai | |
| dependencies | unvetted-dep:changelog-filename-regex | AI (dependencies): Legitimate, stable dependency of renovate; no security concerns. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a well-known TypeScript runtime helper; declared in package.json as a runtime dep, stable false positive. | ai | |
| dependencies | unvetted-dep:@renovatebot/good-enough-parser | AI (dependencies): First-party @renovatebot scoped package; expected dependency. | ai | |
| dependencies | unvetted-dep:@renovatebot/detect-tools | AI (dependencies): First-party @renovatebot scoped package; expected dependency. | ai | |
| dependencies | unvetted-dep:emojibase-regex | AI (dependencies): Emoji regex library; legitimate renovate dependency. | ai | |
| dependencies | unvetted-dep:@renovatebot/pgp | AI (dependencies): First-party renovatebot package for PGP operations. | ai | |
| dependencies | unvetted-dep:parse-link-header | AI (dependencies): HTTP Link header parser; legitimate renovate dependency. | ai | |
| dependencies | unvetted-dep:ae-cvss-calculator | AI (dependencies): CVSS scoring library used for vulnerability assessment. | ai | |
| dependencies | unvetted-dep:@aws-sdk/client-rds | AI (dependencies): Official AWS SDK package; legitimate renovate dependency. | ai | |
| dependencies | unvetted-dep:moo | AI (dependencies): Legitimate lexer library; stable renovate dependency. | ai | |
| dependencies | unvetted-dep:graph-data-structure | AI (dependencies): Graph library for dependency resolution. | ai | |
| dependencies | unvetted-dep:@pnpm/parse-overrides | AI (dependencies): Official pnpm package for overrides parsing. | ai | |
| dependencies | unvetted-dep:json-dup-key-validator | AI (dependencies): JSON validation utility; legitimate renovate dependency. | ai | |
| dependencies | unvetted-dep:@renovatebot/osv-offline | AI (dependencies): First-party renovatebot package for offline OSV vulnerability data. | ai | |
| dependencies | unvetted-dep:@renovatebot/ruby-semver | AI (dependencies): First-party renovatebot package for Ruby semver handling. | ai | |
| dependencies | unvetted-dep:@baszalmstra/rattler | AI (dependencies): Conda/rattler package for conda ecosystem support. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Well-known templating library; used by renovate for PR templates. | ai | |
| dependencies | unvetted-dep:markdown-it | AI (dependencies): Established markdown parser; legitimate renovate dependency. | ai | |
| dependencies | unvetted-dep:jsonc-weaver | AI (dependencies): Legitimate JSON manipulation library for renovate config handling. | ai | |
| dependencies | unvetted-dep:@breejs/later | AI (dependencies): Scheduling library used for renovate schedule features. | ai | |
| dependencies | unvetted-dep:find-packages | AI (dependencies): pnpm ecosystem package for workspace discovery. | ai | |
| dependencies | unvetted-dep:semver-stable | AI (dependencies): Semver utility; legitimate renovate dependency. | ai | |
| dependencies | unvetted-dep:@cdktf/hcl2json | AI (dependencies): HashiCorp CDK for Terraform package; used for HCL parsing. | ai | |
| dependencies | unvetted-dep:@qnighy/marshal | AI (dependencies): Ruby marshal parser; used for Gemfile.lock parsing. | ai | |
Versions (showing 41 of 41)
| Version | Deps | Published |
|---|---|---|
| 43.200.1 | 117 / 75 | |
| 43.149.0 | 117 / 76 | |
| 43.148.0 | 117 / 76 | |
| 43.147.0 | 117 / 76 | |
| 43.146.0 | 117 / 76 | |
| 43.145.0 | 117 / 76 | |
| 43.143.2 | 117 / 76 | |
| 43.142.1 | 117 / 76 | |
| 43.138.2 | 117 / 76 | |
| 43.136.2 | 117 / 76 | |
| 43.134.1 | 117 / 76 | |
| 43.134.0 | 117 / 76 | |
| 43.127.3 | 117 / 76 | |
| 43.127.2 | 117 / 76 | |
| 43.127.0 | 117 / 76 | |
| 43.126.0 | 117 / 76 | |
| 43.123.7 | 117 / 76 | |
| 43.123.3 | 117 / 76 | |
| 43.123.2 | 117 / 76 | |
| 43.123.0 | 117 / 76 | |
| 43.122.0 | 117 / 76 | |
| 43.121.0 | 117 / 76 | |
| 43.120.2 | 117 / 76 | |
| 43.119.0 | 117 / 76 | |
| 43.116.0 | 116 / 76 | |
| 43.115.0 | 116 / 76 | |
| 43.112.0 | 116 / 76 | |
| 43.110.5 | 116 / 77 | |
| 43.109.5 | 116 / 77 | |
| 43.108.2 | 116 / 76 | |
| 43.108.0 | 116 / 84 | |
| 43.105.0 | 116 / 84 | |
| 43.104.11 | 116 / 84 | |
| 43.104.10 | 116 / 83 | |
| 43.104.8 | 116 / 83 | |
| 43.104.7 | 116 / 83 | |
| 43.104.6 | 116 / 83 | |
| 43.104.5 | 116 / 83 | |
| 43.104.4 | 116 / 83 | |
| 43.104.1 | 116 / 83 | |
| 43.103.0 | 117 / 84 | |
v43.200.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.149.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.148.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.147.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.146.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.145.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.143.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.142.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.138.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.136.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.134.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.134.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.127.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.127.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.127.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.126.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.123.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.123.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.123.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.123.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.122.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.121.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.120.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.119.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.116.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.115.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.112.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.110.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.109.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.108.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.108.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.105.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.104.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.104.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.104.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.104.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.104.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.104.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.104.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.104.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v43.103.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.