If you find any bug with Renovate that may be a security problem, then e-mail us at: renovate-disclosure@mend.io. This way we can evaluate the bug and hopefully fix it before it gets abused. Please give us enough time to investigate the bug before you report it anywhere else.
Please do not create GitHub issues for security-related doubts or problems.
If you want help with your Renovate configuration, go to the discussions tab in the Renovate repository and open a new "config help" discussion post.
Bugs: first search for related bugs in the issues and discussions. If you don't find anything, then:
- Create a minimal reproduction
- Open a new discussion and link to the minimal reproduction
For feature requests: first search for related requests in the issues and discussions. If you don't find anything, create a discussion.
If you would like to fix a bug or work on a feature, please fork the repository and create a Pull Request. To learn how to set up your local workstation correctly, read docs/development/local-development.md. Also skim the docs/development folder: it has a lot of helpful information on things like adding a new package manager, how Renovate branches work, design decisions and more.
Before you start any Pull Request, it's recommended that you open a discussion first if you have any doubts about requirements or implementation. That way you can be sure that the maintainer(s) agree on what to change and how, and you can hopefully get a quick merge afterwards. Also, let the maintainers know that you plan to work on a particular issue so that no one else starts any duplicate work.
Pull Requests can only be merged once all status checks are green, which means pnpm test passes, and coverage is 100%.
Please do not force push to your PR's branch after you have created your PR, as doing so forces us to review the whole PR again. This makes it harder for us to review your work because we don't know what has changed. PRs will always be squashed by us when we merge your work. Commit as many times as you need in your pull request branch.
If you're updating your PR branch from within the GitHub PR interface, use the default "Update branch" button. This is the "Update with merge commit" option in the dropdown.
Force pushing a PR, or using the "Update with rebase" button is OK when you:
- make large changes on a PR which require a full review anyway
- bring the branch up to date with the target branch, and incorporating the changes is more work than creating a new PR
Maintainers can suggest changes while reviewing your pull request. Please follow these steps to apply them:
- Batch the suggestions into a logical group by selecting the Add suggestion to batch button
- Select the Commit suggestions button
Read the GitHub docs, Applying suggested changes to learn more.
A maintainer/contributor can ask you to make changes, without giving you a suggestion that you can apply. In this case you should make the necessary changes.
Once you've done the work, resolve the conversation by selecting the Resolve conversation button in the PR overview. Avoid posting comments like "I've done the work", or "Done".
Read the GitHub docs, Resolving conversations to learn more.
Please do not ping your reviewer(s) by mentioning them in a new comment. Instead, use the re-request review functionality. Read more about this in the GitHub docs, Re-requesting a review.
The codebase can be difficult to navigate, especially for a first-time contributor. We don't want you spending an hour trying to work out something that would take us only a minute to explain.
For that reason, we have a Slack channel dedicated to helping anyone who's working on or considering Pull Requests for Renovate. Please email rhys@arkins.net and simply mention that you need an invitation to the channel and you'll be added ASAP.
Important: this Slack group is restricted to development questions only in order to keep the volume of messages lower - all technical support questions should still be posted to this repository's Discussions instead.
Pull Request authors must sign the Renovate CLA.
If you cannot or do not want to sign this CLA (e.g. your employment contract may not allow this), you should not submit a PR. Open an issue and someone else can do the work.