Merge remote-tracking branch 'remotes/renovate/main' into feature_674…

…2_mvn_lookup_parents

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM containerbase/node:14.16.1@sha256:1ae9b66d0c6c36cb9993c0dd939dfb5b09553bc26798b51f3c723e0aaa7c653c
+FROM containerbase/node:14.17.0@sha256:39419f23c62d0fec2f18255d2c822d499a0d2a9cd9f6fcce4e1f05d6edce111a
 
 
 # renovate: datasource=npm

.devcontainer/devcontainer.json

@@ -1,5 +1,5 @@
 {
-  "name": "Node.js 14",
+  "name": "Renovate",
   "dockerFile": "Dockerfile",
   "settings": {
     "terminal.integrated.shell.linux": "/bin/bash"

.eslintrc.js

@@ -60,6 +60,9 @@ module.exports = {
       },
     ],
 
+    // disallow direct `nock` module usage as it causes memory issues.
+    'no-restricted-imports': [2, { paths: ['nock'] }],
+
     // Makes no sense to allow type inference for expression parameters, but require typing the response
     '@typescript-eslint/explicit-function-return-type': [
       'error',
@@ -123,6 +126,8 @@ module.exports = {
         '@typescript-eslint/unbound-method': 0,
 
         'jest/valid-title': [0, { ignoreTypeOfDescribeName: true }],
+        'max-classes-per-file': 0,
+        'class-methods-use-this': 0,
       },
     },
     {

.github/label-actions.yml

@@ -28,7 +28,6 @@
 
 
     The Renovate team will take a look at the reproduction repository.
-    Once we confirm the provided repository reproduces the problem, the label will be changed to `reproduction:confirmed`.
 
 'logs:problem':
   comment: >

.github/pull_request_template.md

@@ -20,8 +20,8 @@
 I have verified these changes via:
 
 - [ ] Code inspection only, or
-- [ ] Newly added unit tests, or
-- [ ] No new tests but ran on a real repository, or
+- [ ] Newly added/modified unit tests, or
+- [ ] No unit tests but ran on a real repository, or
 - [ ] Both unit tests + ran on a real repository
 
 <!-- Do you have any suggestions about this PR template? Edit it here: https://github.com/renovatebot/renovate/edit/main/.github/pull_request_template.md -->

.github/workflows/build-pr.yml

@@ -8,7 +8,7 @@ env:
   YARN_PACKAGE_CACHE_KEY: v1
   YARN_CACHE_FOLDER: .cache/yarn
   NODE_VERSION: 14
-  PYTHON_VERSION: 3.8
+  PYTHON_VERSION: 3.9
   SKIP_JAVA_TESTS: true
 
 jobs:
@@ -47,7 +47,7 @@ jobs:
 
       - name: Cache Yarn packages
         id: yarn_cache_packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.6
         with:
           path: ${{ env.YARN_CACHE_FOLDER }}
           key: ${{ env.YARN_PACKAGE_CACHE_KEY }}-${{ runner.os }}-yarn_cache-${{ hashFiles('**/yarn.lock') }}
@@ -63,10 +63,10 @@ jobs:
         run: yarn install --frozen-lockfile
 
       - name: Unit tests
-        run: yarn jest --logHeapUsage --maxWorkers=2 --ci
+        run: yarn jest --maxWorkers=2 --ci
 
       - name: Codecov
-        uses: codecov/codecov-action@v1.5.0
+        uses: codecov/codecov-action@v1.5.2
         if: always()
 
       # build after tests to exclude files
@@ -102,7 +102,7 @@ jobs:
 
       - name: Cache Yarn packages
         id: yarn_cache_packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.6
         with:
           path: ${{ env.YARN_CACHE_FOLDER }}
           key: ${{ env.YARN_PACKAGE_CACHE_KEY }}-${{ runner.os }}-yarn_cache-${{ hashFiles('**/yarn.lock') }}

.github/workflows/build.yml

@@ -32,7 +32,7 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
         node-version: [14]
-        python-version: [3.8]
+        python-version: [3.9]
         java-version: [11]
 
     env:
@@ -83,7 +83,7 @@ jobs:
 
       - name: Cache Yarn packages
         id: yarn_cache_packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.6
         with:
           path: ${{ env.YARN_CACHE_FOLDER }}
           key: ${{ env.YARN_PACKAGE_CACHE_KEY }}-${{ runner.os }}-yarn_cache-${{ hashFiles('**/yarn.lock') }}
@@ -99,10 +99,10 @@ jobs:
         run: yarn install --frozen-lockfile
 
       - name: Unit tests
-        run: yarn jest --logHeapUsage --maxWorkers=2 --ci --coverage ${{ env.coverage }}
+        run: yarn jest --maxWorkers=2 --ci --coverage ${{ env.coverage }}
 
       - name: Codecov
-        uses: codecov/codecov-action@v1.5.0
+        uses: codecov/codecov-action@v1.5.2
         if: always() && env.coverage == 'true'
 
       # build after tests to exclude build files from tests
@@ -139,7 +139,7 @@ jobs:
 
       - name: Cache Yarn packages
         id: yarn_cache_packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.6
         with:
           path: ${{ env.YARN_CACHE_FOLDER }}
           key: ${{ env.YARN_PACKAGE_CACHE_KEY }}-${{ runner.os }}-yarn_cache-${{ hashFiles('**/yarn.lock') }}
@@ -204,7 +204,7 @@ jobs:
           fetch-depth: 0
 
       - name: Cache Yarn packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.6
         with:
           path: ${{ env.YARN_CACHE_FOLDER }}
           key: ${{ env.YARN_PACKAGE_CACHE_KEY }}-${{ runner.os }}-yarn_cache-${{ hashFiles('**/yarn.lock') }}

.github/workflows/codeql-analysis.yml

@@ -19,15 +19,15 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v1.0.1
 
         # Override language selection by uncommenting this and choosing your languages
         # with:
         #   languages: go, javascript, csharp, python, cpp, java
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v1.0.1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -41,4 +41,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v1.0.1

.github/workflows/release-npm.yml

@@ -57,7 +57,7 @@ jobs:
 
       - name: Cache Yarn packages
         id: yarn_cache_packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.6
         with:
           path: ${{ env.YARN_CACHE_FOLDER }}
           key: ${{ env.YARN_PACKAGE_CACHE_KEY }}-${{ runner.os }}-yarn_cache-${{ hashFiles('**/yarn.lock') }}

docs/development/issue-labeling.md

@@ -3,6 +3,17 @@
 We try to keep issues well-classified through use of labels.
 Any repository collaborator can apply labels according to the below guidelines.
 
+The general idea is that we have:
+
+- manager (`manager:`)
+- versioning (`versioning:`)
+- datasource (`datasource:`)
+- platform (`platform:`)
+- core functionality (`core:`)
+
+The majority of issues should have at least one of those labels.
+These labels should also map approximately to our Conventional Commit scopes.
+
 ## Basic knowledge about Renovate
 
 You should know about platforms, package managers, datasources and versioning to label issues effectively.
@@ -92,6 +103,20 @@ Use [this search](https://github.com/renovatebot/renovate/issues?q=is%3Aissue+is
 Use these to mark the platform that is affected by this issue.
 Keep in mind that an issue can be both affecting a platform and a self hosted instance.
 
+### Core
+
+<details>
+    <summary>Core labels</summary>
+
+    core:automerge
+    core:dashboard
+    core:onboarding
+    core:schedule
+
+</details>
+
+The purpose of these labels is to allow browsing of open issues by the most commonly-used functionality, such as automerging or Dependency Dashboard.
+
 ### Manager
 
 "manager" is short for "package manager".
@@ -141,7 +166,6 @@ Apply these labels when somebody opens a `feature` type issue requesting a new d
     logs:problem
     reproduction:needed
     reproduction:provided
-    reproduction:confirmed
     duplicate
 
 </details>
@@ -159,7 +183,6 @@ Add a label `logs:problem` to indicate that there's a problem with the logs, and
 
 Add a label `reproduction:needed` if nobody's reproduced it in a public repo yet and such a reproduction is necessary before further work can be done.
 Add the label `reproduction:provided` once there is a public reproduction.
-A developer will add the `reproduction:confirmed` once they have checked and confirmed the reproduction.
 
 Add a label `duplicate` to issues/PRs that are a duplicate of an earlier issue/PR.
 

docs/development/local-development.md

@@ -14,7 +14,7 @@ You need the following dependencies for local development:
 - Node.js `>=14.15.4`
 - Yarn `^1.22.5`
 - C++ compiler
-- Python `^3.8`
+- Python `^3.9`
 - Java between `8` and `12`
 
 We support Node.js versions according to the [Node.js release schedule](https://github.com/nodejs/Release#release-schedule).

docs/development/new-package-manager-template.md

@@ -2,7 +2,7 @@
 
 **Did you read our documentation on adding a package manager?**
 
-- [ ] I've read the [adding a package manager](../../docs/development/adding-a-package-manager.md) documentation.
+- [ ] I've read the [adding a package manager](/renovatebot/renovate/blob/HEAD/docs/development/adding-a-package-manager.md) documentation.
 
 ## Basics
 

docs/usage/configuration-options.md

@@ -1990,12 +1990,22 @@ In the above example, each regex manager will match a single dependency each.
 If `depName` cannot be captured with a named capture group in `matchString` then it can be defined manually using this field.
 It will be compiled using Handlebars and the regex `groups` result.
 
+### extractVersionTemplate
+
+If `extractVersion` cannot be captured with a named capture group in `matchString` then it can be defined manually using this field.
+It will be compiled using Handlebars and the regex `groups` result.
+
 ### lookupNameTemplate
 
 `lookupName` is used for looking up dependency versions.
 It will be compiled using Handlebars and the regex `groups` result.
 It will default to the value of `depName` if left unconfigured/undefined.
 
+### currentValueTemplate
+
+If the `currentValue` for a dependency is not captured with a named group then it can be defined in config using this field.
+It will be compiled using Handlebars and the regex `groups` result.
+
 ### datasourceTemplate
 
 If the `datasource` for a dependency is not captured with a named group then it can be defined in config using this field.
@@ -2180,6 +2190,12 @@ If this setting is true then you would get one PR for webpack@v2 and one for web
 
 If this is set to a non-zero value, _and_ an update contains a release timestamp header, then Renovate will check if the "stability days" have passed.
 
+Note: Renovate will wait for the set amount of `stabilityDays` to pass for each **separate** version.
+Renovate does not wait until the package has seen no releases for x `stabilityDays`.
+`stabilityDays` is not intended to help with slowing down fast releasing project updates.
+If you want to slow down PRs for a specific package, setup a custom schedule for that package.
+Read [our selective-scheduling help](https://docs.renovatebot.com/noise-reduction/#selective-scheduling) to learn how to set the schedule.
+
 If the amount of days since the release is less than the set `stabilityDays` a "pending" status check is added to the branch.
 If enough days have passed then the "pending" status is removed, and a "passing" status check is added.
 
@@ -2196,6 +2212,22 @@ There are a couple of uses for `stabilityDays`:
 If you combine `stabilityDays=3` and `prCreation="not-pending"` then Renovate will hold back from creating branches until 3 or more days have elapsed since the version was released.
 It's recommended that you enable `dependencyDashboard=true` so you don't lose visibility of these pending PRs.
 
+#### Prevent holding broken npm packages
+
+npm packages less than 72 hours (3 days) old can be unpublished, which could result in a service impact if you have already updated to it.
+Set `stabilityDays` to 3 for npm packages to prevent relying on a package that can be removed from the registry:
+
+```json
+{
+  "packageRules": [
+    {
+      "matchDatasources": ["npm"],
+      "stabilityDays": 3
+    }
+  ]
+}
+```
+
 #### Await X days before Automerging
 
 If you have both `automerge` as well as `stabilityDays` enabled, it means that PRs will be created immediately but automerging will be delayed until X days have passed.
@@ -2250,7 +2282,7 @@ To opt in to letting Renovate update internal package versions normally, set thi
 ## updateNotScheduled
 
 When schedules are in use, it generally means "no updates".
-However there are cases where updates might be desirable - e.g. if you have configured prCreation=not-pending, or you have rebaseStale=true and the base branch is updated so you want Renovate PRs to be rebased.
+However there are cases where updates might be desirable - e.g. if you have configured prCreation=not-pending, or you have rebaseWhen=behind-base-branch and the base branch is updated so you want Renovate PRs to be rebased.
 
 This defaults to `true`, meaning that Renovate will perform certain "desirable" updates to _existing_ PRs even when outside of schedule.
 If you wish to disable all updates outside of scheduled hours then configure this field to `false`.

docs/usage/docker.md

@@ -206,6 +206,53 @@ module.exports = {
 };
 ```
 
+#### Google Container Registry
+
+Assume you are running GitLab CI in the Google Cloud, and you are storing your Docker images in the Google Container Registry (GCR).
+
+Access to the GCR uses Bearer token based authentication.
+This token can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed.
+
+The token expires after 60 minutes so you cannot store it in a variable for subsequent builds (like you can with `RENOVATE_TOKEN`).
+
+When running Renovate in this context the Google access token must be retrieved and injected into the `hostRules` configuration just before Renovate is started.
+
+_This documentation gives **a few hints** on **a possible way** to achieve this end result._
+
+The basic approach is that you create a custom image and then run Renovate as one of the stages of your project.
+To make this run independent of any user you should use a [`Project Access Token`](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) (with Scopes: `api`, `read_api` and `write_repository`) for the project and use this as the `RENOVATE_TOKEN` variable for Gitlab CI.
+See also the [renovate-runner repository on GitLab](https://gitlab.com/renovate-bot/renovate-runner) where `.gitlab-ci.yml` configuration examples can be found.
+
+To get access to the token a custom Renovate Docker image is needed that includes the Google Cloud SDK.
+The Dockerfile to create such an image can look like this:
+
+```Dockerfile
+FROM renovate/renovate:25.40.1
+# Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install
+# under "Installation" for "Debian/Ubuntu"
+RUN ...
+```
+
+For Renovate to access the Google Container Registry (GCR) it needs the current Google Access Token.
+The configuration fragment to do that looks something like this:
+
+```js
+hostRules: [
+  {
+    matchHost: 'eu.gcr.io',
+    token: 'MyReallySecretTokenThatExpiresAfter60Minutes',
+  },
+];
+```
+
+One way to provide the short-lived Google Access Token to Renovate is by generating these settings into a `config.js` file from within the `.gitlab-ci.yml` right before starting Renovate:
+
+```yaml
+script:
+  - 'echo "module.exports = { hostRules: [ { matchHost: ''eu.gcr.io'', token: ''"$(gcloud auth print-access-token)"'' } ] };" > config.js'
+  - renovate $RENOVATE_EXTRA_FLAGS
+```
+
 #### ChartMuseum
 
 Maybe you're running your own ChartMuseum server to host your private Helm Charts.

docs/usage/gitlab-bot-security.md

@@ -74,7 +74,7 @@ Bot services are better if they are provisioned with a "bot identity" so that us
 ## Recommended migration
 
 Until the hosted app can be reactivated, we recommend users migrate to use self-hosted pipelines to run Renovate.
-Please see the [renovate-bot/renovate-runner README on GitLab](https://gitlab.com/renovate-bot/renovate-runner/-/blob/master/README.md) for instructions on how to set this up as easily as possible.
+Please see the [renovate-bot/renovate-runner README on GitLab](https://gitlab.com/renovate-bot/renovate-runner/-/blob/HEAD/README.md) for instructions on how to set this up as easily as possible.
 
 The Renovate team is working to find a feasible design for the app so that we can reactive it securely in future.
 We welcome any ideas you may have.