renovatebot · rarkins · Apr 6, 2021 · Apr 4, 2021 · Apr 4, 2021 · Apr 4, 2021
diff --git a/docs/development/local-development.md b/docs/development/local-development.md
@@ -75,7 +75,6 @@ The Renovate project uses the [Yarn](https://github.com/yarnpkg/yarn) package ma
 
 To ensure everything is working properly on your end, you must:
 
-1. Make sure you don't have a local `.npmrc` file that overrides npm's default registry
 1. Install all dependencies with `yarn install`
 1. Make a build with `yarn build`, which should pass with no errors
 1. Verify all tests pass and have 100% test coverage, by running `yarn test`

diff --git a/docs/usage/configuration-options.md b/docs/usage/configuration-options.md
@@ -69,7 +69,7 @@ With the above config:
 ## additionalBranchPrefix
 
 This value defaults to an empty string, and is typically not necessary.
-Some managers populate this field for historical reasons, for example we use `docker-` for Docker branches, so they may look like `renovate/docker-ubuntu-16.x`.
+Some managers previously populated this field, but they no longer do so by default.
 You normally don't need to configure this, but one example where it can be useful is combining with `parentDir` in monorepos to split PRs based on where the package definition is located, e.g.
 
 ```json
@@ -1517,7 +1517,6 @@ For example to apply a special label for Major updates:
 ## patch
 
 Add to this object if you wish to define rules that apply only to patch updates.
-Only applies if `separateMinorPatch` is set to true.
 
 ## php
 

diff --git a/docs/usage/configuration-templates.md b/docs/usage/configuration-templates.md
@@ -21,8 +21,7 @@ Most users will be happy with the default `branchPrefix` of `renovate/`, but you
 Say you don't want the forward slashes, in that case you would use `renovate-` as your `branchPrefix`.
 The onboarding PR will always use `renovate/configure`.
 
-`additionalBranchPrefix` is optional and by default is empty for all JavaScript dependencies.
-We use `docker-` for all Docker updates, branches will look like this: `renovate/docker-ubuntu-16.x`.
+`additionalBranchPrefix` is optional and by default is empty.
 
 `branchTopic` depends on the package manager and upgrade type, so you will see a lot of variety.
 This is probably a setting you want to change yourself.

diff --git a/docs/usage/faq.md b/docs/usage/faq.md
@@ -208,10 +208,7 @@ To learn more read the section below.
 
 You can see in the example above that Renovate won't normally open a PR for the `snorgleborf` patch release.
 
-There are 2 ways to tell Renovate to open a separate PR for the patch release:
-
-- Set `separateMinorPatch` to `true`
-- Set `automerge` to the value: `"patch"`
+You can tell Renovate to open a separate PR for the patch release by setting `separateMinorPatch` to `true`.
 
 In both cases, Renovate will open 3 PRs:
 

diff --git a/docs/usage/private-modules.md b/docs/usage/private-modules.md
@@ -33,8 +33,6 @@ The recommended approaches in order of preference are:
 
 **Self-hosted hostRules**: Configure a hostRules entry in the bot's `config.js` with the `hostType`, `hostName` and `token` specified
 
-**Self-hosted .npmrc**: copy an `.npmrc` file to the home dir of the bot.
-
 **Renovate App with private modules from npmjs.org**: Add an encrypted `npmToken` to your Renovate config
 
 **Renovate App with a private registry**: Add an unencrypted `npmrc` plus an encrypted `npmToken` in config
@@ -64,23 +62,11 @@ module.exports = {
 };
 ```
 
-**NOTE:** Do not use `NPM_TOKEN` as an environment variable, it's incompatible with `hostRules` and will be deprecated soon.
-
-### Commit .npmrc file into repository
-
-One approach that many projects use for private repositories is to simply check in an authenticated `.npmrc` into the repository that is then shared between all developers.
-Therefore anyone running `npm install` or `yarn install` from the project root will be automatically authenticated with npm without having to distribute npm logins to every developer and make sure they've run `npm login` first before installing.
-
-The good news is that this works for Renovate too.
-If Renovate detects a `.npmrc` or `.yarnrc` file then it will use it for its install.
-
-Does not work if using binarySource=docker.
-_This method will be deprecated soon_
+**NOTE:** Do not use `NPM_TOKEN` as an environment variable.
 
 ### Add npmrc string to Renovate config
 
-The above solution maybe have a downside that all users of the repository (e.g. developers) will also use any `.npmrc` that is checked into the repository, instead of their own one in `~/.npmrc`.
-To avoid this, you can instead add your `.npmrc` authentication line to your Renovate config under the field `npmrc`. e.g. a `renovate.json` might look like this:
+You can add an `.npmrc` authentication line to your Renovate config under the field `npmrc`. e.g. a `renovate.json` might look like this:
 
 ```json
 {

diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md
@@ -9,6 +9,8 @@ The configuration options listed in this document are applicable to self-hosted
 
 Please also see [Self-Hosted Experimental Options](./self-hosted-experimental.md).
 
+## allowCustomCrateRegistries
+
 ## allowPostUpgradeCommandTemplating
 
 Set to true to allow templating of post-upgrade commands.
@@ -52,6 +54,8 @@ npm ci --ignore-scripts
 npx ng update @angular/core --from=9.0.0 --to=10.0.0 --migrateOnly --allowDirty --force
 ```
 
+## allowScripts
+
 ## allowedPostUpgradeCommands
 
 A list of regular expressions that determine which commands in `postUpgradeTasks` are allowed to be executed.
@@ -178,6 +182,14 @@ e.g.
 
 ## endpoint
 
+## exposeAllEnv
+
+By default, Renovate only passes a limited set of environment variables to package managers.
+Confidential data can be leaked if a malicious script enumerates all environment variables.
+Set `exposeAllEnv` to `true` only if you have reviewed (and trust) the repositories which Renovate bot runs against.
+
+Setting this to `true` will also allow for variable substitution in `.npmrc` files.
+
 ## force
 
 This object is used as a "force override" when you need to make sure certain configuration overrides whatever is configured in the repository.
@@ -225,18 +237,6 @@ If left as default (null), a random short ID will be selected.
 
 ## logFileLevel
 
-## logLevel
-
-We recommend that you run the Renovate bot at the debug level if you can.
-Use the environment variable `LOG_LEVEL=debug` to run Renovate at the debug level.
-
-When you use `LOG_LEVEL=debug`, debug logging starts from the beginning of the app.
-If you had configured debug logging in a file config, then the debug logging starts _after_ the file config is parsed.
-
-Additionally, if you configure `LOG_FORMAT=json` in env then logging will be done in JSON format instead of "pretty" format, which is usually better if you're doing any ingestion or parsing of the logs.
-
-Warning: Configuring `logLevel` config option or `--log-level` cli option is deprecated and will be removed in a major version.
-
 ## onboarding
 
 Set this to `false` only if all three statements are true:
@@ -379,13 +379,4 @@ This is currently applicable to `npm` and `lerna`/`npm` only, and only used in c
 
 ## token
 
-## trustLevel
-
-Setting trustLevel to `"high"` can make sense in many self-hosted cases where the bot operator trusts the content in each repository.
-
-Setting trustLevel=high means:
-
-- Child processes are run with full access to `env`
-- `.npmrc` files can have environment variable substitution performed
-
 ## username
diff --git a/docs/usage/self-hosted-experimental.md b/docs/usage/self-hosted-experimental.md
@@ -27,11 +27,6 @@ If set to any integer, Renovate will use this integer instead of the default npm
 If set to any value, Renovate will skip its default artifacts filter check in the Maven datasource.
 Skiping the check will speed things up, but may result in versions being returned which don't properly exist on the server.
 
-## RENOVATE_LEGACY_GIT_AUTHOR_EMAIL
-
-An additional `gitAuthor` email to ignore.
-This variable is deprecated: use `ignoredAuthors` instead.
-
 ## RENOVATE_PAGINATE_ALL
 
 If set to any value, Renovate will always paginate requests to GitHub fully, instead of stopping after 10 pages.

diff --git a/lib/config/__snapshots__/migration.spec.ts.snap b/lib/config/__snapshots__/migration.spec.ts.snap
@@ -78,6 +78,8 @@ Array [
 exports[`config/migration migrateConfig(config, parentConfig) migrates config 1`] = `
 Object {
   "additionalBranchPrefix": "{{parentDir}}-",
+  "allowCustomCrateRegistries": true,
+  "allowScripts": true,
   "autodiscover": true,
   "automerge": false,
   "automergeType": "branch",
@@ -94,6 +96,7 @@ Object {
   "dependencyDashboard": true,
   "dependencyDashboardTitle": "foo",
   "enabled": true,
+  "exposeAllEnv": true,
   "extends": Array [
     "config:js-app",
     "config:js-lib",
@@ -108,8 +111,8 @@ Object {
   "includeForks": true,
   "lockFileMaintenance": Object {
     "automerge": true,
+    "exposeAllEnv": false,
     "schedule": "before 5am",
-    "trustLevel": "low",
   },
   "major": Object {
     "automerge": false,
@@ -233,7 +236,6 @@ Object {
   "travis": Object {
     "enabled": true,
   },
-  "trustLevel": "high",
 }
 `;
 

diff --git a/lib/config/admin.ts b/lib/config/admin.ts
@@ -4,14 +4,16 @@ let adminConfig: RepoAdminConfig = {};
 
 // TODO: once admin config work is complete, add a test to make sure this list includes all options with admin=true
 export const repoAdminOptions = [
+  'allowCustomCrateRegistries',
   'allowPostUpgradeCommandTemplating',
+  'allowScripts',
   'allowedPostUpgradeCommands',
   'customEnvVariables',
   'dockerImagePrefix',
   'dockerUser',
   'dryRun',
+  'exposeAllEnv',
   'privateKey',
-  'trustLevel',
 ];
 
 export function setAdminConfig(config: RenovateConfig = {}): void {

diff --git a/lib/config/definitions.ts b/lib/config/definitions.ts
@@ -275,13 +275,6 @@ const options: RenovateOptions[] = [
     admin: true,
   },
   // Log options
-  {
-    name: 'logLevel',
-    description: 'Logging level. Deprecated, use `LOG_LEVEL` environment.',
-    stage: 'global',
-    type: 'string',
-    allowedValues: ['fatal', 'error', 'warn', 'info', 'debug', 'trace'],
-  },
   {
     name: 'logFile',
     description: 'Log file path.',
@@ -461,17 +454,33 @@ const options: RenovateOptions[] = [
     default: false,
   },
   {
-    name: 'trustLevel',
+    name: 'exposeAllEnv',
     description:
-      'Set this to "high" if the bot should trust the repository owners/contents.',
+      'Configure this to true to allow passing of all env variables to package managers.',
     admin: true,
-    type: 'string',
-    default: 'low',
+    type: 'boolean',
+    default: false,
+  },
+  {
+    name: 'allowScripts',
+    description:
+      'Configure this to true if repositories are allowed to run install scripts.',
+    admin: true,
+    type: 'boolean',
+    default: false,
+  },
+  {
+    name: 'allowCustomCrateRegistries',
+    description:
+      'Configure this to true if custom crate registries are allowed.',
+    admin: true,
+    type: 'boolean',
+    default: false,
   },
   {
     name: 'ignoreScripts',
     description:
-      'Configure this to true if trustLevel is high but you wish to skip running scripts when updating lock files.',
+      'Configure this to true if allowScripts=true but you wish to skip running scripts when updating lock files.',
     type: 'boolean',
     default: false,
   },
@@ -1049,8 +1058,7 @@ const options: RenovateOptions[] = [
   },
   {
     name: 'patch',
-    description:
-      'Configuration to apply when an update type is patch. Only applies if `separateMinorPatch` is set to true.',
+    description: 'Configuration to apply when an update type is patch.',
     stage: 'package',
     type: 'object',
     default: {},

diff --git a/lib/config/index.ts b/lib/config/index.ts
@@ -1,4 +1,4 @@
-import { addStream, levels, logger, setContext } from '../logger';
+import { addStream, logger, setContext } from '../logger';
 import { get, getLanguageList, getManagerList } from '../manager';
 import { ensureDir, getSubDirectory, readFile } from '../util/fs';
 import { ensureTrailingSlash } from '../util/url';
@@ -84,15 +84,6 @@ export async function parseConfigs(
     delete config.privateKeyPath;
   }
 
-  // Deprecated set log level: https://github.com/renovatebot/renovate/issues/8291
-  // istanbul ignore if
-  if (config.logLevel) {
-    logger.warn(
-      'Configuring logLevel in CLI or file is deprecated. Use LOG_LEVEL environment variable instead'
-    );
-    levels('stdout', config.logLevel);
-  }
-
   if (config.logContext) {
     // This only has an effect if logContext was defined via file or CLI, otherwise it would already have been detected in env
     setContext(config.logContext);

diff --git a/lib/config/migration.spec.ts b/lib/config/migration.spec.ts
@@ -46,6 +46,7 @@ describe('config/migration', () => {
         masterIssueTitle: 'foo',
         gomodTidy: true,
         upgradeInRange: true,
+        trustLevel: 'high',
         automergeType: 'branch-push',
         branchName:
           '{{{branchPrefix}}}{{{managerBranchPrefix}}}{{{branchTopic}}}{{{baseDir}}}',

diff --git a/lib/config/migration.ts b/lib/config/migration.ts
@@ -189,11 +189,14 @@ export function migrateConfig(
           migratedConfig.rebaseWhen = 'never';
         }
       } else if (key === 'exposeEnv') {
+        migratedConfig.exposeAllEnv = val;
         delete migratedConfig.exposeEnv;
-        if (val === true) {
-          migratedConfig.trustLevel = 'high';
-        } else if (val === false) {
-          migratedConfig.trustLevel = 'low';
+      } else if (key === 'trustLevel') {
+        delete migratedConfig.trustLevel;
+        if (val === 'high') {
+          migratedConfig.allowCustomCrateRegistries ??= true;
+          migratedConfig.allowScripts ??= true;
+          migratedConfig.exposeAllEnv ??= true;
         }
       } else if (
         key === 'branchName' &&

diff --git a/lib/config/presets/index.ts b/lib/config/presets/index.ts
@@ -93,6 +93,7 @@ export function parsePreset(input: string): ParsedPreset {
     str = str.slice(0, str.indexOf('('));
   }
   const presetsPackages = [
+    'compatibility',
     'config',
     'default',
     'docker',

diff --git a/lib/config/presets/internal/compatibility.ts b/lib/config/presets/internal/compatibility.ts
@@ -0,0 +1,24 @@
+import { Preset } from '../types';
+
+export const presets: Record<string, Preset> = {
+  additionalBranchPrefix: {
+    buildkite: {
+      additionalBranchPrefix: 'buildkite-',
+    },
+    cargo: {
+      additionalBranchPrefix: 'rust-',
+    },
+    docker: {
+      additionalBranchPrefix: 'docker-',
+    },
+    homebrew: {
+      additionalBranchPrefix: 'homebrew-',
+    },
+    packageRules: [
+      {
+        matchDatasources: ['helm'],
+        additionalBranchPrefix: 'helm-',
+      },
+    ],
+  },
+};
diff --git a/lib/config/presets/internal/group.ts b/lib/config/presets/internal/group.ts
@@ -499,6 +499,9 @@ const staticGroups = {
         minor: {
           groupName: 'JS unit test packages',
         },
+        patch: {
+          groupName: 'JS unit test packages',
+        },
       },
     ],
   },
@@ -519,6 +522,9 @@ const staticGroups = {
         minor: {
           groupName: 'unit test packages',
         },
+        patch: {
+          groupName: 'unit test packages',
+        },
       },
     ],
   },
@@ -539,6 +545,9 @@ const staticGroups = {
         minor: {
           groupName: 'JS test packages',
         },
+        patch: {
+          groupName: 'JS test packages',
+        },
       },
     ],
   },
@@ -559,6 +568,9 @@ const staticGroups = {
         minor: {
           groupName: 'test packages',
         },
+        patch: {
+          groupName: 'test packages',
+        },
       },
     ],
   },