-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
default.json: use config:best-practices #6
Conversation
@@ -1,8 +1,7 @@ | |||
{ | |||
"$schema": "https://docs.renovatebot.com/renovate-schema.json", | |||
"extends": [ | |||
"config:base", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is best-practices
a super-set of config:base
? And if not, what would be removed with this change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
based on my understanding config:base
is the one inherited by every other configuration. We can leave it in, in case. It should not change the computed final config.
https://github.com/renovatebot/renovate/blob/1efa2f21da4f4b2c0c984726c1a35038d76732db/docs/usage/config-validation.md?plain=1#L32 based on this comment, we should add a test pass to strictly check if the config is valid, here |
b20b777
to
8e61f72
Compare
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat's wrong with native code?Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs. Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
328b8b2
to
375086d
Compare
``` 'best-practices': { configMigration: true, description: 'Preset with best practices from the Renovate maintainers. Recommended for advanced users, who want to follow our best practices.', extends: [ 'config:recommended', 'docker:pinDigests', 'helpers:pinGitHubActionDigests', ':pinDevDependencies', ], }, ... recommended: { description: 'Recommended configuration for most users. It does not matter what programming language you use.', extends: [ ':dependencyDashboard', ':semanticPrefixFixDepsChoreOthers', ':ignoreModulesAndTests', 'group:monorepos', 'group:recommended', 'replacements:all', 'workarounds:all', ], }, ```
375086d
to
08facff
Compare
Solves: #2