Only Security Updates preset still raises updates for other packages

[adamlyka]

What would you like help with?

I think I found a bug

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

https://github.com/adamlyka/renovate-minimal-reproduction

I only want Renovate to create PR's for security updates, and my config is exactly as found in the docs: https://docs.renovatebot.com/presets-security/#securityonly-security-updates
I also tried the config from this thread, which has a slight difference on the matcher: #15490 (reply in thread)

Though both still create pr's for other dependencies:

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[HonkingGoose]

@adamlyka Is this your current Renovate config then?

{
  "extends": [
    "config:recommended"
  ],
  "packageRules": [
    {
      "enabled": false,
      "matchPackageNames": [
        "*"
      ]
    }
  ],
  "vulnerabilityAlerts": {
    "enabled": true
  },
  "osvVulnerabilityAlerts": true
}

[adamlyka]

Yes

[adamlyka]

Was wondering if you were able to find anything to change or if it is in fact an issue?
Is there anything I can do to help reproduce it?

[adamlyka]

I added my repro, are there some automations for the tag to go away for it to be reviewed, or that is done manually?

[HonkingGoose]

A human reviews the minimal reproduction and removes the label. 😉

[github-actions[bot]]

Hi there,

Get your discussion fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible.

Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this. Discussions without reproductions are less likely to be converted to Issues.

Please follow these steps:

1. Read our guide on creating a minimal reproduction.
2. Go to our minimal reproduction template repository.
3. Select the Use this template button to create a new repository based on the template.
4. Work on the minimal reproduction in your own repository.
5. Fill out the information in your repository's README.md.
6. Add the link to your reproduction to the first post of your Discussion. If you are not the original author, you can post a new comment with the link.

Good luck,

The Renovate team

[adamlyka]

Here is the repro:

• https://github.com/adamlyka/renovate-minimal-reproduction

Edit by @HonkingGoose: I forked this repository into our minimal reproduction organization:

• renovate-reproductions/29509 repository

[Churro]

Not reproducible on my end when using matchPackagePatterns: ["*"]

Full config:

{
  "extends": [
    "config:recommended"
  ],
  "packageRules": [
    {
      "enabled": false,
      "matchPackagePatterns": [
        "*"
      ]
    }
  ],
  "vulnerabilityAlerts": {
    "enabled": true
  },
  "osvVulnerabilityAlerts": true
}

Logs show disabled deps:

{
   "depType": "dependencies",
   "depName": "express",
   "currentValue": "^4.18.2",
   "datasource": "npm",
   "prettyDepType": "dependency",
   "updates": [],
   "packageName": "express",
   "skipReason": "disabled"
 },
 {
   "depType": "dependencies",
   "depName": "sqlite3",
   "currentValue": "^5.1.7",
   "datasource": "npm",
   "prettyDepType": "dependency",
   "updates": [],
   "packageName": "sqlite3",
   "skipReason": "disabled"
 },
....

[adamlyka]

Seems to be working for me now also! Not sure if anything has changed recently as I had tried that previously as mentioned in the post (even double checked my commit history). Though also worth updating the docs to use the above method instead as the one in the docs definitely doesn't work: https://docs.renovatebot.com/presets-security/#securityonly-security-updates

[Churro]

Addressed in this PR -> #29801