feat: v25

docs/development/local-development.md

@@ -75,7 +75,6 @@ The Renovate project uses the [Yarn](https://github.com/yarnpkg/yarn) package ma
 
 To ensure everything is working properly on your end, you must:
 
-1. Make sure you don't have a local `.npmrc` file that overrides npm's default registry
 1. Install all dependencies with `yarn install`
 1. Make a build with `yarn build`, which should pass with no errors
 1. Verify all tests pass and have 100% test coverage, by running `yarn test`

docs/usage/configuration-options.md

@@ -69,7 +69,7 @@ With the above config:
 ## additionalBranchPrefix
 
 This value defaults to an empty string, and is typically not necessary.
-Some managers populate this field for historical reasons, for example we use `docker-` for Docker branches, so they may look like `renovate/docker-ubuntu-16.x`.
+Some managers previously populated this field, but they no longer do so by default.
 You normally don't need to configure this, but one example where it can be useful is combining with `parentDir` in monorepos to split PRs based on where the package definition is located, e.g.
 
 ```json
@@ -969,13 +969,6 @@ The above is the same as if you wrote this package rule:
 }
 ```
 
-## ignoreNpmrcFile
-
-By default, Renovate will look for and use any `.npmrc` file it finds in a repository.
-Additionally, it will be read in by `npm` or `yarn` at the time of lock file generation.
-Sometimes this causes problems, for example if the file contains placeholder values, so you can configure this to `true` and Renovate will ignore any `.npmrc` files it finds and temporarily remove the file before running `npm install` or `yarn install`.
-Renovate will try to configure this to `true` also if you have configured any `npmrc` string within your config file.
-
 ## ignorePaths
 
 Using this setting, you can selectively ignore package files that you don't want Renovate autodiscovering.
@@ -1517,7 +1510,6 @@ For example to apply a special label for Major updates:
 ## patch
 
 Add to this object if you wish to define rules that apply only to patch updates.
-Only applies if `separateMinorPatch` is set to true.
 
 ## php
 
@@ -1542,7 +1534,6 @@ If enabled Renovate will pin Docker images by means of their SHA256 digest and n
 Post-upgrade tasks are commands that are executed by Renovate after a dependency has been updated but before the commit is created.
 The intention is to run any additional command line tools that would modify existing files or generate new files when a dependency changes.
 
-This is only available on Renovate instances that have a `trustLevel` of 'high'.
 Each command must match at least one of the patterns defined in `allowedPostUpgradeTasks` in order to be executed.
 If the list of allowed tasks is empty then no tasks will be executed.
 

docs/usage/configuration-templates.md

@@ -21,8 +21,7 @@ Most users will be happy with the default `branchPrefix` of `renovate/`, but you
 Say you don't want the forward slashes, in that case you would use `renovate-` as your `branchPrefix`.
 The onboarding PR will always use `renovate/configure`.
 
-`additionalBranchPrefix` is optional and by default is empty for all JavaScript dependencies.
-We use `docker-` for all Docker updates, branches will look like this: `renovate/docker-ubuntu-16.x`.
+`additionalBranchPrefix` is optional and by default is empty.
 
 `branchTopic` depends on the package manager and upgrade type, so you will see a lot of variety.
 This is probably a setting you want to change yourself.

docs/usage/faq.md

@@ -208,10 +208,7 @@ To learn more read the section below.
 
 You can see in the example above that Renovate won't normally open a PR for the `snorgleborf` patch release.
 
-There are 2 ways to tell Renovate to open a separate PR for the patch release:
-
-- Set `separateMinorPatch` to `true`
-- Set `automerge` to the value: `"patch"`
+You can tell Renovate to open a separate PR for the patch release by setting `separateMinorPatch` to `true`.
 
 In both cases, Renovate will open 3 PRs:
 

docs/usage/private-modules.md

@@ -33,8 +33,6 @@ The recommended approaches in order of preference are:
 
 **Self-hosted hostRules**: Configure a hostRules entry in the bot's `config.js` with the `hostType`, `hostName` and `token` specified
 
-**Self-hosted .npmrc**: copy an `.npmrc` file to the home dir of the bot.
-
 **Renovate App with private modules from npmjs.org**: Add an encrypted `npmToken` to your Renovate config
 
 **Renovate App with a private registry**: Add an unencrypted `npmrc` plus an encrypted `npmToken` in config
@@ -64,23 +62,11 @@ module.exports = {
 };
 ```
 
-**NOTE:** Do not use `NPM_TOKEN` as an environment variable, it's incompatible with `hostRules` and will be deprecated soon.
-
-### Commit .npmrc file into repository
-
-One approach that many projects use for private repositories is to simply check in an authenticated `.npmrc` into the repository that is then shared between all developers.
-Therefore anyone running `npm install` or `yarn install` from the project root will be automatically authenticated with npm without having to distribute npm logins to every developer and make sure they've run `npm login` first before installing.
-
-The good news is that this works for Renovate too.
-If Renovate detects a `.npmrc` or `.yarnrc` file then it will use it for its install.
-
-Does not work if using binarySource=docker.
-_This method will be deprecated soon_
+**NOTE:** Do not use `NPM_TOKEN` as an environment variable.
 
 ### Add npmrc string to Renovate config
 
-The above solution maybe have a downside that all users of the repository (e.g. developers) will also use any `.npmrc` that is checked into the repository, instead of their own one in `~/.npmrc`.
-To avoid this, you can instead add your `.npmrc` authentication line to your Renovate config under the field `npmrc`. e.g. a `renovate.json` might look like this:
+You can add an `.npmrc` authentication line to your Renovate config under the field `npmrc`. e.g. a `renovate.json` might look like this:
 
 ```json
 {

docs/usage/self-hosted-configuration.md

@@ -9,6 +9,8 @@ The configuration options listed in this document are applicable to self-hosted
 
 Please also see [Self-Hosted Experimental Options](./self-hosted-experimental.md).
 
+## allowCustomCrateRegistries
+
 ## allowPostUpgradeCommandTemplating
 
 Set to true to allow templating of dependency level post-upgrade commands.
@@ -52,18 +54,18 @@ npm ci --ignore-scripts
 npx ng update @angular/core --from=10.0.0 --to=11.0.0 --migrate-only --allow-dirty --force
 ```
 
+## allowScripts
+
 ## allowedPostUpgradeCommands
 
 A list of regular expressions that determine which commands in `postUpgradeTasks` are allowed to be executed.
 If this list is empty then no tasks will be executed.
-Also you need to have `"trustLevel": "high"`, otherwise these tasks will be ignored.
 
 e.g.
 
 ```json
 {
-  "allowedPostUpgradeCommands": ["^tslint --fix$", "^tslint --[a-z]+$"],
-  "trustLevel": "high"
+  "allowedPostUpgradeCommands": ["^tslint --fix$", "^tslint --[a-z]+$"]
 }
 ```
 
@@ -156,17 +158,6 @@ You would use put this in your configuration file:
 
 If you pulled a new `node` image, the final image would be `ghcr.io/renovatebot/node` instead of `docker.io/renovate/node`.
 
-## dockerMapDotfiles
-
-This is used if you want to map "dotfiles" from your host computer home directory to containers that Renovate creates, e.g. for updating lock files.
-Currently applicable to `.npmrc` only.
-
-```json
-{
-  "dockerMapDotfiles": true
-}
-```
-
 ## dockerUser
 
 Override default user and group used by Docker-based binaries.
@@ -186,6 +177,14 @@ e.g.
 
 ## endpoint
 
+## exposeAllEnv
+
+By default, Renovate only passes a limited set of environment variables to package managers.
+Confidential data can be leaked if a malicious script enumerates all environment variables.
+Set `exposeAllEnv` to `true` only if you have reviewed (and trust) the repositories which Renovate bot runs against.
+
+Setting this to `true` will also allow for variable substitution in `.npmrc` files.
+
 ## force
 
 This object is used as a "force override" when you need to make sure certain configuration overrides whatever is configured in the repository.
@@ -233,18 +232,6 @@ If left as default (null), a random short ID will be selected.
 
 ## logFileLevel
 
-## logLevel
-
-We recommend that you run the Renovate bot at the debug level if you can.
-Use the environment variable `LOG_LEVEL=debug` to run Renovate at the debug level.
-
-When you use `LOG_LEVEL=debug`, debug logging starts from the beginning of the app.
-If you had configured debug logging in a file config, then the debug logging starts _after_ the file config is parsed.
-
-Additionally, if you configure `LOG_FORMAT=json` in env then logging will be done in JSON format instead of "pretty" format, which is usually better if you're doing any ingestion or parsing of the logs.
-
-Warning: Configuring `logLevel` config option or `--log-level` cli option is deprecated and will be removed in a major version.
-
 ## onboarding
 
 Set this to `false` only if all three statements are true:
@@ -387,13 +374,4 @@ This is currently applicable to `npm` and `lerna`/`npm` only, and only used in c
 
 ## token
 
-## trustLevel
-
-Setting trustLevel to `"high"` can make sense in many self-hosted cases where the bot operator trusts the content in each repository.
-
-Setting trustLevel=high means:
-
-- Child processes are run with full access to `env`
-- `.npmrc` files can have environment variable substitution performed
-
 ## username

docs/usage/self-hosted-experimental.md

@@ -27,11 +27,6 @@ If set to any integer, Renovate will use this integer instead of the default npm
 If set to any value, Renovate will skip its default artifacts filter check in the Maven datasource.
 Skiping the check will speed things up, but may result in versions being returned which don't properly exist on the server.
 
-## RENOVATE_LEGACY_GIT_AUTHOR_EMAIL
-
-An additional `gitAuthor` email to ignore.
-This variable is deprecated: use `ignoredAuthors` instead.
-
 ## RENOVATE_PAGINATE_ALL
 
 If set to any value, Renovate will always paginate requests to GitHub fully, instead of stopping after 10 pages.

lib/config/__snapshots__/migration.spec.ts.snap

@@ -78,6 +78,8 @@ Array [
 exports[`config/migration migrateConfig(config, parentConfig) migrates config 1`] = `
 Object {
   "additionalBranchPrefix": "{{parentDir}}-",
+  "allowCustomCrateRegistries": true,
+  "allowScripts": true,
   "autodiscover": true,
   "automerge": false,
   "automergeType": "branch",
@@ -94,6 +96,7 @@ Object {
   "dependencyDashboard": true,
   "dependencyDashboardTitle": "foo",
   "enabled": true,
+  "exposeAllEnv": true,
   "extends": Array [
     ":automergeBranch",
     "config:js-app",
@@ -109,8 +112,8 @@ Object {
   "includeForks": true,
   "lockFileMaintenance": Object {
     "automerge": true,
+    "exposeAllEnv": false,
     "schedule": "before 5am",
-    "trustLevel": "low",
   },
   "major": Object {
     "automerge": false,
@@ -121,6 +124,7 @@ Object {
   "minor": Object {
     "automerge": true,
   },
+  "npmrc": "",
   "nvmrc": Object {
     "packageRules": Array [
       Object {
@@ -243,7 +247,6 @@ Object {
   "travis": Object {
     "enabled": true,
   },
-  "trustLevel": "high",
 }
 `;
 

lib/config/admin.ts

@@ -4,15 +4,17 @@ let adminConfig: RepoAdminConfig = {};
 
 // TODO: once admin config work is complete, add a test to make sure this list includes all options with admin=true
 export const repoAdminOptions = [
+  'allowCustomCrateRegistries',
   'allowPostUpgradeCommandTemplating',
+  'allowScripts',
   'allowedPostUpgradeCommands',
   'customEnvVariables',
   'dockerChildPrefix',
   'dockerImagePrefix',
   'dockerUser',
   'dryRun',
+  'exposeAllEnv',
   'privateKey',
-  'trustLevel',
 ];
 
 export function setAdminConfig(config: RenovateConfig = {}): void {

lib/config/definitions.ts

@@ -254,14 +254,6 @@ const options: RenovateOptions[] = [
     type: 'object',
     default: false,
   },
-  {
-    name: 'dockerMapDotfiles',
-    description:
-      'Map relevant home directory dotfiles into containers when binarySource=docker.',
-    admin: true,
-    type: 'boolean',
-    default: false,
-  },
   {
     name: 'dockerChildPrefix',
     description:
@@ -294,13 +286,6 @@ const options: RenovateOptions[] = [
     admin: true,
   },
   // Log options
-  {
-    name: 'logLevel',
-    description: 'Logging level. Deprecated, use `LOG_LEVEL` environment.',
-    stage: 'global',
-    type: 'string',
-    allowedValues: ['fatal', 'error', 'warn', 'info', 'debug', 'trace'],
-  },
   {
     name: 'logFile',
     description: 'Log file path.',
@@ -480,17 +465,33 @@ const options: RenovateOptions[] = [
     default: false,
   },
   {
-    name: 'trustLevel',
+    name: 'exposeAllEnv',
     description:
-      'Set this to "high" if the bot should trust the repository owners/contents.',
+      'Configure this to true to allow passing of all env variables to package managers.',
     admin: true,
-    type: 'string',
-    default: 'low',
+    type: 'boolean',
+    default: false,
+  },
+  {
+    name: 'allowScripts',
+    description:
+      'Configure this to true if repositories are allowed to run install scripts.',
+    admin: true,
+    type: 'boolean',
+    default: false,
+  },
+  {
+    name: 'allowCustomCrateRegistries',
+    description:
+      'Configure this to true if custom crate registries are allowed.',
+    admin: true,
+    type: 'boolean',
+    default: false,
   },
   {
     name: 'ignoreScripts',
     description:
-      'Configure this to true if trustLevel is high but you wish to skip running scripts when updating lock files.',
+      'Configure this to true if allowScripts=true but you wish to skip running scripts when updating lock files.',
     type: 'boolean',
     default: false,
   },
@@ -562,12 +563,6 @@ const options: RenovateOptions[] = [
     default: null,
     admin: true,
   },
-  {
-    name: 'ignoreNpmrcFile',
-    description: 'Whether to ignore any .npmrc file found in repository.',
-    type: 'boolean',
-    default: false,
-  },
   {
     name: 'autodiscover',
     description: 'Autodiscover all repositories.',
@@ -1068,8 +1063,7 @@ const options: RenovateOptions[] = [
   },
   {
     name: 'patch',
-    description:
-      'Configuration to apply when an update type is patch. Only applies if `separateMinorPatch` is set to true.',
+    description: 'Configuration to apply when an update type is patch.',
     stage: 'package',
     type: 'object',
     default: {},