From e06218ae58c18f1089585bfff47c305dca427204 Mon Sep 17 00:00:00 2001 From: Lan Luo Date: Fri, 20 Mar 2026 16:08:18 +0800 Subject: [PATCH 1/2] Update renovate configs to enable updates for CVE on release branches Signed-off-by: Lan Luo --- .github/renovate.json5 | 15 +++++++++++++++ hack/update-renovate-baseBranches.sh | 4 ++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 1df1eacac20..afc7b0d2fce 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -37,6 +37,13 @@ enabled: false, }, + // Re-enable vulnerability/security updates for active release branches + { + matchBaseBranches: ["release-2.5", "release-2.4", "release-2.3"], + isVulnerabilityAlert: true, + enabled: true, + }, + // Disable indirect go dependencies updates, resource: https://github.com/renovatebot/renovate/discussions/35225#discussioncomment-13666269 { matchManagers: ["gomod"], @@ -44,6 +51,14 @@ enabled: false, }, + // Re-enable vulnerability/security updates for indirect go dependencies + { + matchManagers: ["gomod"], + matchDepTypes: ["indirect"], + isVulnerabilityAlert: true, + enabled: true, + }, + { matchManagers: ["gomod"], matchBaseBranches: ["main"], diff --git a/hack/update-renovate-baseBranches.sh b/hack/update-renovate-baseBranches.sh index 12f7aba8c2d..5401e980330 100755 --- a/hack/update-renovate-baseBranches.sh +++ b/hack/update-renovate-baseBranches.sh @@ -31,8 +31,8 @@ echo "Updating renovate configuration with versions: $VERSION1, $VERSION2, $VERS sed -i.bak "s/baseBranches: \[\"main\", \"[^\"]*\", \"[^\"]*\", \"[^\"]*\"\],/baseBranches: [\"main\", \"$VERSION1\", \"$VERSION2\", \"$VERSION3\"],/" "$RENOVATE_CONFIG" -# Update first matchBaseBranches occurrence that disables regular updates for active release branches -sed -i.bak2 "0,/matchBaseBranches: \[\"[^\"]*\", \"[^\"]*\", \"[^\"]*\"\],/{s/matchBaseBranches: \[\"[^\"]*\", \"[^\"]*\", \"[^\"]*\"\],/matchBaseBranches: [\"$VERSION1\", \"$VERSION2\", \"$VERSION3\"],/}" "$RENOVATE_CONFIG" +# Update all matchBaseBranches occurrences that list the active release branches +sed -i.bak2 "s/matchBaseBranches: \[\"release-[^\"]*\", \"release-[^\"]*\", \"release-[^\"]*\"\],/matchBaseBranches: [\"$VERSION1\", \"$VERSION2\", \"$VERSION3\"],/g" "$RENOVATE_CONFIG" rm -f "$RENOVATE_CONFIG.bak" "$RENOVATE_CONFIG.bak2" From 96ef27423b6dec668712f855517bc1402fb7f8a2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 20 Mar 2026 10:22:03 +0000 Subject: [PATCH 2/2] Update module github.com/hashicorp/go-immutable-radix to v2 Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 1 + go.sum | 1 + 2 files changed, 2 insertions(+) diff --git a/go.mod b/go.mod index 5cef4043ed1..b5cca9b8560 100644 --- a/go.mod +++ b/go.mod @@ -157,6 +157,7 @@ require ( github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-immutable-radix v1.3.1 // indirect + github.com/hashicorp/go-immutable-radix/v2 v2.0.0 // indirect github.com/hashicorp/go-metrics v0.5.4 // indirect github.com/hashicorp/go-msgpack/v2 v2.1.5 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect diff --git a/go.sum b/go.sum index 1d2095f4f3d..90ee8098ddf 100644 --- a/go.sum +++ b/go.sum @@ -420,6 +420,7 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-immutable-radix/v2 v2.0.0/go.mod h1:hgdqLXA4f6NIjRVisM1TJ9aOJVNRqKZj+xDGF6m7PBw= github.com/hashicorp/go-metrics v0.5.4 h1:8mmPiIJkTPPEbAiV97IxdAGNdRdaWwVap1BU6elejKY= github.com/hashicorp/go-metrics v0.5.4/go.mod h1:CG5yz4NZ/AI/aQt9Ucm/vdBnbh7fvmv4lxZ350i+QQI= github.com/hashicorp/go-msgpack/v2 v2.1.5 h1:Ue879bPnutj/hXfmUk6s/jtIK90XxgiUIcXRl656T44=