'allowedVersions' not working as expected

[ronaldploeger]

Hi,

in "renovate.json" we have configured the following "packageRules":

"packageRules": [
    ...,
    {
      "matchPackageNames": ["webpack"],
      "allowedVersions": "<=4.39.2"
    },
    {
      "matchPackageNames": ["webpack-cli"],
      "allowedVersions": "<=3.3.7"
    }
  ]

My expectation was that Renovate would not try to update webpack and webpack-cli above the "allowedVersions" but we get a "Pin dependencies" PR which at the same time wants to set the versions for those two dependencies to:

"webpack": "4.46.0",
"webpack-cli": "3.3.12"

The logs say:

Skipping webpack-cli@4.0.0-beta.2 because it is deprecated
...
Dependency webpack is part of group Pin Dependencies
...
Dependency webpack-cli is part of group Pin Dependencies
...
32 flattened updates found: ..., webpack, webpack-cli
...
npm.updateDependency(): devDependencies.webpack = 4.46.0
npm.updateDependency(): devDependencies.webpack-cli = 3.3.12

What are we doing wrong?

[rarkins]

Pinning will do this:

• If a lock file exists, it will pin the package.json to match what is the locked version
• If no lock file exists, it will use regular semver to work out what the highest stable version matching the current range

Which scenario is yours?

[ronaldploeger]

Hi @rarkins,

thank you very much for explaining. Case 1 was ours.

Best,
Ronald