From e06218ae58c18f1089585bfff47c305dca427204 Mon Sep 17 00:00:00 2001
From: Lan Luo
Date: Fri, 20 Mar 2026 16:08:18 +0800
Subject: [PATCH 1/2] Update renovate configs to enable updates for CVE on release branches
Signed-off-by: Lan Luo
---
 .github/renovate.json5 | 15 +++++++++++++++
 hack/update-renovate-baseBranches.sh | 4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 1df1eacac20..afc7b0d2fce 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -37,6 +37,13 @@
 enabled: false,
 },
+ // Re-enable vulnerability/security updates for active release branches
+ {
+ matchBaseBranches: ["release-2.5", "release-2.4", "release-2.3"],
+ isVulnerabilityAlert: true,
+ enabled: true,
+ },
+
 // Disable indirect go dependencies updates, resource: https://github.com/renovatebot/renovate/discussions/35225#discussioncomment-13666269
 {
 matchManagers: ["gomod"],
@@ -44,6 +51,14 @@
 enabled: false,
 },
+ // Re-enable vulnerability/security updates for indirect go dependencies
+ {
+ matchManagers: ["gomod"],
+ matchDepTypes: ["indirect"],
+ isVulnerabilityAlert: true,
+ enabled: true,
+ },
+
 {
 matchManagers: ["gomod"],
 matchBaseBranches: ["main"],
diff --git a/hack/update-renovate-baseBranches.sh b/hack/update-renovate-baseBranches.sh
index 12f7aba8c2d..5401e980330 100755
--- a/hack/update-renovate-baseBranches.sh
+++ b/hack/update-renovate-baseBranches.sh
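Review bot: In both added package rules (the release-branch rule in the first hunk and the indirect-gomod rule in the second), `isVulnerabilityAlert: true` is written next to the `match*` keys as if it were a selector, but as far as I know Renovate treats only `match*` keys as selectors and applies every other key as configuration. If that holds, the first rule sets `enabled: true` for every dependency on the three release branches and the second for every indirect Go module, which undoes the disable rules directly above them instead of carving out a CVE-only exception. The second patch in this series, a major bump of an indirect module raised by the bot about two hours later with no advisory named in its message, would be consistent with that reading. Please confirm with `renovate-config-validator` and a dry run, and if confirmed, express the exception through the `vulnerabilityAlerts` object rather than a package rule.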
@@ -31,8 +31,8 @@ echo "Updating renovate configuration with versions: $VERSION1, $VERSION2, $VERS
 sed -i.bak "s/baseBranches: \[\"main\", \"[^\"]*\", \"[^\"]*\", \"[^\"]*\"\],/baseBranches: [\"main\", \"$VERSION1\", \"$VERSION2\", \"$VERSION3\"],/" "$RENOVATE_CONFIG"
-# Update first matchBaseBranches occurrence that disables regular updates for active release branches
-sed -i.bak2 "0,/matchBaseBranches: \[\"[^\"]*\", \"[^\"]*\", \"[^\"]*\"\],/{s/matchBaseBranches: \[\"[^\"]*\", \"[^\"]*\", \"[^\"]*\"\],/matchBaseBranches: [\"$VERSION1\", \"$VERSION2\", \"$VERSION3\"],/}" "$RENOVATE_CONFIG"
+# Update all matchBaseBranches occurrences that list the active release branches
+sed -i.bak2 "s/matchBaseBranches: \[\"release-[^\"]*\", \"release-[^\"]*\", \"release-[^\"]*\"\],/matchBaseBranches: [\"$VERSION1\", \"$VERSION2\", \"$VERSION3\"],/g" "$RENOVATE_CONFIG"
 rm -f "$RENOVATE_CONFIG.bak" "$RENOVATE_CONFIG.bak2"
From 4403d1baf898ee34cbfc76dfe4d088dcb9dacad2 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 20 Mar 2026 10:22:18 +0000
Subject: [PATCH 2/2] Update module github.com/MakeNowJust/heredoc to v2
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 5cef4043ed1..c89aa34a903 100644
--- a/go.mod
+++ b/go.mod
@@ -91,7 +91,7 @@ require (
 cel.dev/expr v0.25.1 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 github.com/ClickHouse/ch-go v0.66.0 // indirect
- github.com/MakeNowJust/heredoc v1.0.0 // indirect
+ github.com/MakeNowJust/heredoc/v2 v2.0.0 // indirect
 github.com/Masterminds/semver/v3 v3.4.0 // indirect
 github.com/NYTimes/gziphandler v1.1.1 // indirect
 github.com/VividCortex/ewma v1.2.0 // indirect
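Review bot: The rewritten `sed -i.bak2` exits 0 when nothing matches, so a config whose release list no longer has exactly three `release-*` entries on one line with this exact spacing is left stale without any signal. Because the new CVE rule in renovate.json5 relies on this list, a silent miss means security updates stop reaching the newest release branch. Consider verifying after the substitution, for example `grep -q "matchBaseBranches: \[\"$VERSION1\", \"$VERSION2\", \"$VERSION3\"\]," "$RENOVATE_CONFIG" || { echo "matchBaseBranches not updated" >&2; exit 1; }`. `$VERSION1` to `$VERSION3` are also interpolated unescaped into the sed replacement; whether they are validated is decided outside this hunk, as the script starts and ends beyond it.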
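Review bot: The changed line rewrites the module path of an `// indirect` requirement from `github.com/MakeNowJust/heredoc` to `github.com/MakeNowJust/heredoc/v2`, but under Go's semantic import versioning these are two different modules, so whichever dependency imports the v1 path still needs the v1 requirement. The patch touches only go.mod (1 file changed), so go.sum gains no entry for the v2 module either; I would expect `go mod tidy` to revert this line and a plain `go build` to complain until it is run. Major-version bumps of indirect modules are probably better excluded in the Renovate config than merged as-is. The rest of the `require (` block lies outside the hunk.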