Can I make Renovate prioritize Vulnerabilities "no matter what"?

[stdedos]

What would you like help with?

I would like help with my configuration

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

Gitlab, latest

Please tell us more about your question or problem

prPriority seems to be a packageRules thing.

The documentation says that vulnerabilities skip the queue, but it also says that it's a Github feature.

... but it seems that osvVulnerabilityAlerts "sort-of works" (i.e., I got [SECURITY] candidates)

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    ":automergeDisabled",
    ":automergeRequireAllStatusChecks",
    ":combinePatchMinorReleases",
    ":ignoreModulesAndTests",
    ":ignoreUnstable",
    ":maintainLockFilesDisabled",
    ":prConcurrentLimit20",
    ":separateMajorReleases",
    "config:best-practices",
  ],
  "packageRules": [
    {
      "description": "Renovate configuration for backend",
      "matchFileNames": ["backend/**"],
      "matchManagers": ["bundler"],
      "addLabels": ["backend"],
      "commitMessagePrefix": "<>: Renovate - ",
      // Backend never pins versions.
      "rangeStrategy": "replace",
    },
    {
      "description": "Mark major version upgrades",
      "matchUpdateTypes": ["major"],
      "commitMessageSuffix": " [Major]",
    },
    // This should be a roundabout way of saying "but please open vulnerability MRs"; see
    // https://github.com/renovatebot/renovate/discussions/15490#discussioncomment-2702421.
    {
      "description": "Stables require explicit approval",
      "matchBaseBranches": [
        ...
      ],
      "dependencyDashboardApproval": true,
    }
  ],
  "includePaths": [
    "backend/**",
  ],
  "enabledManagers": [
    "bundler",
  ],
  "addLabels": ["renovate"],
  "assigneesFromCodeOwners": true,
  "assigneesSampleSize": 1,
  "reviewersFromCodeOwners": true,
  "reviewersSampleSize": 2,
  "branchPrefix": "renovate/",
  "ignoreTests": false,
  "minimumReleaseAge": "7d",
  // We do not have `GITHUB_COM_TOKEN` set, so we cannot use `fetchChangeLogs`.
  "fetchChangeLogs": "off",
  // Enable and track Vulnerabilities.
  "osvVulnerabilityAlerts": true,
  "dependencyDashboardOSVVulnerabilitySummary": "all",
  "vulnerabilityAlerts": {
    "rangeStrategy": "bump",
  },
  "baseBranches": [
    "master",
    ...
  ]
}

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[rarkins]

@Churro do you know if the osv vulnerability alerts feature bypasses limits/prioritizes security updates like what happens for Dependabot alerts?

[RahulGautamSingh]

isVulnerabilityAlert is used internally ie. not an option/flag you can use.

What you are trying to achieve is not possible. If there is a vulnerability PR for a package then we prioritize it first and hold back the other releases, once the vul PR is merged you will get the other update PRs.

[dencu]

Okay, that makes sense. Thanks for the explanation.

[felipecrs]

I'm confused about this thread. Can this be achieved or not? I was also expecting something like:

{
  "rules": {
    "matchType": "security",
    "prPriority": 999
  }
}

[RahulGautamSingh]

matchType is not a valid field. You should try some pkg rules and if they don't work open a new discussion with the full info.

[felipecrs]

Sorry mate, I wrote it as a pseudo-code wish. I know it's not supported. Maybe someday I'll open a new discussion for it then. Thank you.