Aroy/Paws
Aroy/Paws
1
0
Fork 0
Code Issues 1 Pull requests 10 Projects Releases Packages 2 Wiki Activity Actions

Update ghcr.io/renovatebot/renovate Docker tag to v43 #71

Open
Renovate wants to merge 1 commit from renovate/ghcr.io-renovatebot-renovate-43.x into main
pull from: renovate/ghcr.io-renovatebot-renovate-43.x
merge into: Aroy:main
Conversation 0 Commits 1 Files changed 1 +1 -1
Renovate commented 2026-01-30 00:13:20 +01:00
Collaborator
Copy link

This PR contains the following updates:

Package Update Change
ghcr.io/renovatebot/renovate (source) major 42.95.143.2.1

Release Notes

renovatebot/renovate (ghcr.io/renovatebot/renovate)

v43.2.1

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.10 (main) (#​40863) (179abe4)
Miscellaneous Chores

v43.2.0

Compare Source

Features

v43.1.0

Compare Source

Features

v43.0.10

Compare Source

Bug Fixes
Documentation
  • update references to renovate/renovate to v43.0.9 (main) (#​40836) (38ab16b)
  • update references to renovatebot/github-action to v46.0.1 (main) (#​40843) (8dfe853)
Miscellaneous Chores

v43.0.9

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.9 (main) (#​40833) (8797acc)

v43.0.8

Compare Source

Build System

v43.0.7

Compare Source

Code Refactoring
Build System

v43.0.6

Compare Source

Miscellaneous Chores
Build System

v43.0.5

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.8 (main) (#​40803) (a73b6e1)

v43.0.4

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.7 (main) (#​40801) (2b958f3)

v43.0.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.6 (main) (#​40795) (7394478)
Miscellaneous Chores

v43.0.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.5 (main) (#​40793) (00a1006)
Documentation

v43.0.1

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.1.4 (main) (#​40788) (1e4f4d3)
Documentation

v43.0.0

Compare Source

Breaking changes for 43

Allowlisting required for "unsafe commands" #​40684

[!NOTE]
This should only affect you if you work with repositories that have a Gradle Wrapper.

Prior to Renovate 43, when performing updates in a repository that used Gradle, Renovate would execute the Gradle Wrapper (./gradlew or gradlew.bat).

This is a well-documented "insider attack" risk that could lead to remote code execution in the context of the Renovate process, as execution of the Gradle buildscript:

  • is controlled by the anyone with write access to the repository being processed
  • can look for specific tasks to execute specific code
  • can execute code from source-tracked scripts
  • can execute code from third-party libraries

This can occur during updates to the Gradle wrapper or using Gradle's Dependency Verification Metadata when updating Gradle dependencies.

As of Renovate 43, this long-standing risk is disabled by default to make Renovate more "secure by default".

Self-hosted administrators can re-enable this using the global self-hosted configuration allowedUnsafeExecutions.

postUpgradeTasks will no longer run with shell mode by default #​40230

As noted in #​40403 and GHSA-pfq2-hh62-7m96, existing access to a repository could lead to remote code execution due to incorrectly quoted shell commands.

The fix for GHSA-pfq2-hh62-7m96 applied to commands invoked by Renovate, but did not cover postUpgradeTasks, which are allowlisted by a self-hosted administrator.

To provide a safer default, commands that run through postUpgradeTasks will no longer run inside a shell.

Self-hosted administrators can re-enable this using the global self-hosted configuration allowShellExecutorForPostUpgradeCommands=true.

binarySource=docker is officially deprecated #​40735

As noted in #​40747, we have now officially deprecated the binarySource=docker option.

There is no timeline decided on the removal of the functionality.

For more details and/or to provide feedback on your use case and why binarySource=install does not work for you, please see #​40747.

Renovate now ships as ESM (ECMAScript Modules) #​9890 / #​40756

This should not affect users, only cases where Renovate is imported as a library. Given our previous support of Node 22, ESM can still be imported from Common JS (CJS) files.

Out of caution and for visibility, this is part of the major release.

config:best-practices will now perform weekly lockfile maintenance #​40735

As part of the Renovate maintainers' opinionated "best practices" configuration, Renovate will now perform a weekly lockfile maintenance task, keeping your lockfiles updated.

This is due to an increase in package managers using lock files, but users not necessarily being aware of the need to enable this explicitly.

If this is not applicable to you, you can use ignorePresets, i.e.

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:best-practices"
  ],
  "ignorePresets": [
    ":maintainLockFilesWeekly"
  ]
}
JSON Schema split for repo or global configuration #​38619

Renovate now has separate JSON Schemas for repository configuration, repository configuration (and inherit config) for writing org-inherited-config.json, and global self-hosted configuration:

This provides better validation for your editor/agent, as you now only see documentation for the relevant configuration type you're writing.

You can read more in the Renovate JSON Schema documentation.

This does not affect renovate-config-validator.

Replacements cannot be grouped with other updates #​40758

To prevent replacements being grouped in with other updates, which can sometimes lead to them failing to correctly replace a package, they will no longer be grouped.

This may lead to some PRs being modified/created when you upgrade to this version of Renovate.

Lock file maintenance cannot be grouped with other updates #​40781

To prevent lock file maintenance being grouped in with other updates, which can sometimes lead to them failing to perform the lock file maintenance.

This may lead to some PRs being modified/created when you upgrade to this version of Renovate.

Use wasm-java build of Bouncy Castle #​40678

To improve performance for encryption/decryption of secrets, as well as supporting AEAD, we have moved the default Bouncy Castle build to use wasm-java.

Renovate now requires a minimum of Node 24 #​40675

The existing requirements of Node 24.11.0 has not changed.

This only drops support for Node 22.x.

Package name for Node.JS in Mise has changed to node #​40466

To be more consistent with other package managers, the Node.JS package has been renamed to node.

This ensures that updates to NodeJS (when using Mise) are grouped with other package updates.

The useCloudMetadataServices configuration is now environment variable only #​40638

As a first step towards solving #​38604, we have migrated this configuration option to being environment variable configuration only.

Note that technically Renovate will still detect it if it's set in a config.js, but with changes in #​38604 it will not affect the execution.

Default tool version updates #​39100

For users of the upstream Renovate container images, the following tools have been updated to new major versions:

Tool Version
Bundler 4.0.4
Dotnet 10.0.102
Helm v4.1.0
PHP 8.5.2
Pipenv 2026.0.3
Ruby 4.0.1

Commentary for 43

There aren't any big changes as part of this release to call out - this is a fairly "routine" major version, where we're doing a little cleanup, making some improvements to be "secure by default", and updating our default tool versions.

Deprecations

As part of this release, we want to make you aware of deprecated features which will be removed as of Renovate 44:

⚠ BREAKING CHANGES
  • deps: Update ghcr.io/renovatebot/base-image Docker tag to v13 (main) (#​40730)
  • prevent grouping of lockfile maintenance updates (#​40781)
  • Switch to ESM modules (#​40756)
  • prevent grouping of replacement updates (#​40758)
  • config: deprecate binarySource=docker (#​40754)
  • presets: add maintainLockFilesWeekly to best-practices preset (#​40735)
  • config: make useCloudMetadataServices environment-only (#​40638)
  • self-hosted: don't allow any unsafe commands by default (#​40684)
  • self-hosted: don't use shell: true for postUpgradeTasks (#​40230)
  • json-schema: forbid global-only options in repo configuration (#​38619)
  • presets: add hostType=github to :githubComToken (#​38975)
  • use wasm-java build of Bouncy Castle (#​40678)
  • mise: rename packageName from nodejs to node (#​40466)
  • require node v24 (#​40675)
Features
Bug Fixes
Documentation
  • add announcement bar for v43 (93423cf)
Miscellaneous Chores

v42.95.2

Compare Source

Bug Fixes
  • onboardingAutoCloseAge: don't allow higher inherited value than global (#​40810) (ffb95ed)
Build System
  • trim channel for docker builds (cd27b1d)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/renovatebot/renovate](https://renovatebot.com) ([source](https://github.com/renovatebot/renovate)) | major | `42.95.1` → `43.2.1` | --- ### Release Notes <details> <summary>renovatebot/renovate (ghcr.io/renovatebot/renovate)</summary> ### [`v43.2.1`](https://github.com/renovatebot/renovate/releases/tag/43.2.1) [Compare Source](https://github.com/renovatebot/renovate/compare/43.2.0...43.2.1) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v13.1.10 (main) ([#&#8203;40863](https://github.com/renovatebot/renovate/issues/40863)) ([179abe4](https://github.com/renovatebot/renovate/commit/179abe488afe8030b213130578e62791af35efcd)) ##### Miscellaneous Chores - **deps:** update dependency pnpm to v10.28.2 (main) ([#&#8203;40860](https://github.com/renovatebot/renovate/issues/40860)) ([9293099](https://github.com/renovatebot/renovate/commit/9293099604dd534481b49be577782066dfa3b01c)) - **deps:** update github/codeql-action action to v4.32.1 (main) ([#&#8203;40862](https://github.com/renovatebot/renovate/issues/40862)) ([c4a2919](https://github.com/renovatebot/renovate/commit/c4a291953d235f2bdb053fe25ac9f401ca5dcdc9)) - **deps:** update linters to v1.42.0 (main) ([#&#8203;40861](https://github.com/renovatebot/renovate/issues/40861)) ([d9e7a28](https://github.com/renovatebot/renovate/commit/d9e7a28d3dc8e477cab011b4a28159a6c0053e0c)) ### [`v43.2.0`](https://github.com/renovatebot/renovate/releases/tag/43.2.0) [Compare Source](https://github.com/renovatebot/renovate/compare/43.1.0...43.2.0) ##### Features - Add `github-digest` datasource ([#&#8203;40226](https://github.com/renovatebot/renovate/issues/40226)) ([c246f81](https://github.com/renovatebot/renovate/commit/c246f814d545b845c7dba6b6a9b24f812c704ffc)) ### [`v43.1.0`](https://github.com/renovatebot/renovate/releases/tag/43.1.0) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.10...43.1.0) ##### Features - **bitbucket-server:** add support for platformAutomerge ([#&#8203;39885](https://github.com/renovatebot/renovate/issues/39885)) ([2254178](https://github.com/renovatebot/renovate/commit/2254178a7bd9a3425cd12d6b45c4b6457a79a1df)) - **pip-compile:** Support the `--group` uv pip compile option ([#&#8203;40665](https://github.com/renovatebot/renovate/issues/40665)) ([2062788](https://github.com/renovatebot/renovate/commit/2062788d8293d42908a7ce03075d221aba7c710a)) ### [`v43.0.10`](https://github.com/renovatebot/renovate/releases/tag/43.0.10) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.9...43.0.10) ##### Bug Fixes - **onboardingAutoCloseAge:** don't allow higher inherited value than global ([#&#8203;40810](https://github.com/renovatebot/renovate/issues/40810)) ([#&#8203;40817](https://github.com/renovatebot/renovate/issues/40817)) ([dc9f868](https://github.com/renovatebot/renovate/commit/dc9f86873dfeb115cfe808ed71a83b0ccf2e6337)) ##### Documentation - update references to renovate/renovate to v43.0.9 (main) ([#&#8203;40836](https://github.com/renovatebot/renovate/issues/40836)) ([38ab16b](https://github.com/renovatebot/renovate/commit/38ab16b39da6ba1bd6af003b9813787719834aab)) - update references to renovatebot/github-action to v46.0.1 (main) ([#&#8203;40843](https://github.com/renovatebot/renovate/issues/40843)) ([8dfe853](https://github.com/renovatebot/renovate/commit/8dfe8533ad805534b30331302a95d5eb6322d363)) ##### Miscellaneous Chores - **deps:** lock file maintenance (main) ([#&#8203;40837](https://github.com/renovatebot/renovate/issues/40837)) ([3ad3cf2](https://github.com/renovatebot/renovate/commit/3ad3cf272a49d80e7e265a139a398657aff27790)) - **deps:** update containerbase/internal-tools action to v4.0.6 (main) ([#&#8203;40838](https://github.com/renovatebot/renovate/issues/40838)) ([d53a5ac](https://github.com/renovatebot/renovate/commit/d53a5ac824cf3cbeb53b9cdf290cab2f58f63c1a)) - **deps:** update containerbase/internal-tools action to v4.0.7 (main) ([#&#8203;40841](https://github.com/renovatebot/renovate/issues/40841)) ([2be2969](https://github.com/renovatebot/renovate/commit/2be2969010aca8412d987596627105ebe50ed92f)) - **deps:** update dependency [@&#8203;containerbase/eslint-plugin](https://github.com/containerbase/eslint-plugin) to v1.1.30 (main) ([#&#8203;40839](https://github.com/renovatebot/renovate/issues/40839)) ([f95f33b](https://github.com/renovatebot/renovate/commit/f95f33bc08902a090625ab7739ec88ded0d71d93)) - **deps:** update dependency [@&#8203;containerbase/istanbul-reports-html](https://github.com/containerbase/istanbul-reports-html) to v1.1.28 (main) ([#&#8203;40842](https://github.com/renovatebot/renovate/issues/40842)) ([f607cbe](https://github.com/renovatebot/renovate/commit/f607cbe54da55dc3a2c106f554766bca9e69ab76)) - **logging:** include PR number when detecting existing branch PR ([#&#8203;40832](https://github.com/renovatebot/renovate/issues/40832)) ([7373eae](https://github.com/renovatebot/renovate/commit/7373eae4661dfa1890f59740414dd52783a1e3fa)), closes [#&#8203;123](https://github.com/renovatebot/renovate/issues/123) ### [`v43.0.9`](https://github.com/renovatebot/renovate/releases/tag/43.0.9) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.8...43.0.9) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v13.1.9 (main) ([#&#8203;40833](https://github.com/renovatebot/renovate/issues/40833)) ([8797acc](https://github.com/renovatebot/renovate/commit/8797acc7d3693511a90c584b42b000fd3ecf7112)) ### [`v43.0.8`](https://github.com/renovatebot/renovate/releases/tag/43.0.8) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.7...43.0.8) ##### Build System - **deps:** update dependency re2 to v1.23.1 (main) ([#&#8203;40831](https://github.com/renovatebot/renovate/issues/40831)) ([39dbc07](https://github.com/renovatebot/renovate/commit/39dbc070bf43ab28254500f5c5030f683c4b7252)) ### [`v43.0.7`](https://github.com/renovatebot/renovate/releases/tag/43.0.7) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.6...43.0.7) ##### Code Refactoring - typo ([#&#8203;40825](https://github.com/renovatebot/renovate/issues/40825)) ([9327821](https://github.com/renovatebot/renovate/commit/932782147270441e005cee0028c6d0ccadc4dffe)) ##### Build System - **deps:** update aws-sdk-js-v3 monorepo to v3.980.0 (main) ([#&#8203;40828](https://github.com/renovatebot/renovate/issues/40828)) ([da2c4b9](https://github.com/renovatebot/renovate/commit/da2c4b9f36c06855fe6e3978ee7373bcda96ea32)) ### [`v43.0.6`](https://github.com/renovatebot/renovate/releases/tag/43.0.6) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.5...43.0.6) ##### Miscellaneous Chores - **deps:** update actions/cache action to v5 (main) ([#&#8203;40820](https://github.com/renovatebot/renovate/issues/40820)) ([eb7d33c](https://github.com/renovatebot/renovate/commit/eb7d33ce6fec532be4e61e31d3869bb657f09343)) - **deps:** update containerbase/internal-tools action to v4.0.4 (main) ([#&#8203;40819](https://github.com/renovatebot/renovate/issues/40819)) ([fb0a354](https://github.com/renovatebot/renovate/commit/fb0a35494b57bc63226198ef74f6a8a77e7c5575)) - **deps:** update dependency [@&#8203;types/node](https://github.com/types/node) to v24 (main) ([#&#8203;40821](https://github.com/renovatebot/renovate/issues/40821)) ([5997152](https://github.com/renovatebot/renovate/commit/5997152f9d5d3c7b00ac7a191c58c27f61275687)) - **deps:** update dependency eslint-formatter-gha to v2 (main) ([#&#8203;40822](https://github.com/renovatebot/renovate/issues/40822)) ([6064667](https://github.com/renovatebot/renovate/commit/60646676dd85caad3bc3eeb19bc734dbe92d9e15)) - **deps:** update dependency globals to v17 (main) ([#&#8203;40823](https://github.com/renovatebot/renovate/issues/40823)) ([ac23ffc](https://github.com/renovatebot/renovate/commit/ac23ffcb964268f094e2dca28bda1de2bec4d05d)) - **deps:** update dependency renovatebot/github-action to v46 (main) ([#&#8203;40814](https://github.com/renovatebot/renovate/issues/40814)) ([48de4a1](https://github.com/renovatebot/renovate/commit/48de4a122ae5f994ff876e2467a251744295abc6)) - **deps:** update renovate/renovate docker tag to v43 (main) ([#&#8203;40807](https://github.com/renovatebot/renovate/issues/40807)) ([b44d3d5](https://github.com/renovatebot/renovate/commit/b44d3d5c6daeb130ae682fcb05dc7ad0de497df6)) ##### Build System - trim channel for docker builds ([#&#8203;40818](https://github.com/renovatebot/renovate/issues/40818)) ([e004f84](https://github.com/renovatebot/renovate/commit/e004f84c58740610220e242299bbbbf044e89241)) ### [`v43.0.5`](https://github.com/renovatebot/renovate/releases/tag/43.0.5) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.4...43.0.5) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v13.1.8 (main) ([#&#8203;40803](https://github.com/renovatebot/renovate/issues/40803)) ([a73b6e1](https://github.com/renovatebot/renovate/commit/a73b6e194f4a27aac6bdb105c3d00f4bbc4c9918)) ### [`v43.0.4`](https://github.com/renovatebot/renovate/releases/tag/43.0.4) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.3...43.0.4) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v13.1.7 (main) ([#&#8203;40801](https://github.com/renovatebot/renovate/issues/40801)) ([2b958f3](https://github.com/renovatebot/renovate/commit/2b958f3ea626a3fdba61adf36e254c50e331ee74)) ### [`v43.0.3`](https://github.com/renovatebot/renovate/releases/tag/43.0.3) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.2...43.0.3) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v13.1.6 (main) ([#&#8203;40795](https://github.com/renovatebot/renovate/issues/40795)) ([7394478](https://github.com/renovatebot/renovate/commit/73944783c256b1a1d838683499f7fefd6f7c5a4d)) ##### Miscellaneous Chores - **onboarding:** capitalise the `prHourlyLimit` ([#&#8203;39443](https://github.com/renovatebot/renovate/issues/39443)) ([991fdbf](https://github.com/renovatebot/renovate/commit/991fdbfd6bc27b7f2fa20d572cf7e99aa2368d84)) ### [`v43.0.2`](https://github.com/renovatebot/renovate/releases/tag/43.0.2) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.1...43.0.2) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v13.1.5 (main) ([#&#8203;40793](https://github.com/renovatebot/renovate/issues/40793)) ([00a1006](https://github.com/renovatebot/renovate/commit/00a100629934d8deebd5680f6b7189d76ccf022a)) ##### Documentation - **mise:** Fix invalid configuration example ([#&#8203;40792](https://github.com/renovatebot/renovate/issues/40792)) ([24ae070](https://github.com/renovatebot/renovate/commit/24ae07037ce7835f9a49b07b546f8ae98e37a990)) ### [`v43.0.1`](https://github.com/renovatebot/renovate/releases/tag/43.0.1) [Compare Source](https://github.com/renovatebot/renovate/compare/43.0.0...43.0.1) ##### Bug Fixes - **deps:** update ghcr.io/renovatebot/base-image docker tag to v13.1.4 (main) ([#&#8203;40788](https://github.com/renovatebot/renovate/issues/40788)) ([1e4f4d3](https://github.com/renovatebot/renovate/commit/1e4f4d35af25e43b5690d727d2b5d3481a7a4d44)) ##### Documentation - **opentelemetry:** revamp documentation ([#&#8203;40765](https://github.com/renovatebot/renovate/issues/40765)) ([18c7915](https://github.com/renovatebot/renovate/commit/18c7915000dda60d8a93bf8083197750b8a4f9db)), closes [#&#8203;40126](https://github.com/renovatebot/renovate/issues/40126) ### [`v43.0.0`](https://github.com/renovatebot/renovate/releases/tag/43.0.0) [Compare Source](https://github.com/renovatebot/renovate/compare/42.95.2...43.0.0) #### Breaking changes for 43 ##### Allowlisting required for "unsafe commands" [#&#8203;40684](https://github.com/renovatebot/renovate/issues/40684) > \[!NOTE] > This should only affect you if you work with repositories that have a Gradle Wrapper. Prior to Renovate 43, when performing updates in a repository that used Gradle, Renovate would execute the Gradle Wrapper (`./gradlew` or `gradlew.bat`). This is [a well-documented "insider attack" risk](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-insider-attack) that could lead to remote code execution in the context of the Renovate process, as execution of the Gradle buildscript: - is controlled by the anyone with write access to the repository being processed - can look for specific tasks to execute specific code - can execute code from source-tracked scripts - can execute code from third-party libraries This can occur during updates to [the Gradle wrapper](https://docs.renovatebot.com/modules/manager/gradle-wrapper/) or using [Gradle's Dependency Verification Metadata](https://docs.renovatebot.com/modules/manager/gradle/#dependency-verification) when updating Gradle dependencies. As of Renovate 43, this long-standing risk is disabled by default to make Renovate more "secure by default". Self-hosted administrators can re-enable this using the global self-hosted configuration [`allowedUnsafeExecutions`](https://docs.renovatebot.com/self-hosted-configuration/#allowedunsafeexecutions). ##### `postUpgradeTasks` will no longer run with `shell` mode by default [#&#8203;40230](https://github.com/renovatebot/renovate/issues/40230) As noted in [#&#8203;40403](https://github.com/renovatebot/renovate/issues/40403) and GHSA-pfq2-hh62-7m96, existing access to a repository could lead to remote code execution due to incorrectly quoted shell commands. The fix for GHSA-pfq2-hh62-7m96 applied to commands invoked by Renovate, but did not cover `postUpgradeTasks`, which are allowlisted by a self-hosted administrator. To provide a safer default, commands that run through `postUpgradeTasks` will no longer run inside a shell. Self-hosted administrators can re-enable this using the global self-hosted configuration [`allowShellExecutorForPostUpgradeCommands=true`](https://docs.renovatebot.com/self-hosted-configuration/#allowshellexecutorforpostupgradecommands). ##### `binarySource=docker` is officially deprecated [#&#8203;40735](https://github.com/renovatebot/renovate/issues/40735) As noted in [#&#8203;40747](https://github.com/renovatebot/renovate/issues/40747), we have now officially deprecated the `binarySource=docker` option. There is no timeline decided on the removal of the functionality. For more details and/or to provide feedback on your use case and why `binarySource=install` does not work for you, please see [#&#8203;40747](https://github.com/renovatebot/renovate/issues/40747). ##### Renovate now ships as ESM (ECMAScript Modules) [#&#8203;9890](https://github.com/renovatebot/renovate/issues/9890) / [#&#8203;40756](https://github.com/renovatebot/renovate/issues/40756) This should not affect users, only cases where Renovate is imported as a library. Given our previous support of Node 22, ESM can still be imported from Common JS (CJS) files. Out of caution and for visibility, this is part of the major release. ##### `config:best-practices` will now perform weekly lockfile maintenance [#&#8203;40735](https://github.com/renovatebot/renovate/issues/40735) As part of the Renovate maintainers' opinionated "best practices" configuration, Renovate will now perform a weekly lockfile maintenance task, keeping your lockfiles updated. This is due to an increase in package managers using lock files, but users not necessarily being aware of the need to enable this explicitly. If this is not applicable to you, you can use [`ignorePresets`](https://docs.renovatebot.com/configuration-options/#ignorepresets), i.e. ```json { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:best-practices" ], "ignorePresets": [ ":maintainLockFilesWeekly" ] } ``` ##### JSON Schema split for repo or global configuration [#&#8203;38619](https://github.com/renovatebot/renovate/issues/38619) Renovate now has separate JSON Schemas for repository configuration, repository configuration (and inherit config) for writing `org-inherited-config.json`, and global self-hosted configuration: - <https://docs.renovatebot.com/renovate-schema.json> ([repository configuration](https://docs.renovatebot.com/configuration-options/)) - <https://docs.renovatebot.com/renovate-global-schema.json> ([global self-hosted configuration](https://docs.renovatebot.com/self-hosted-configuration/)) - <https://docs.renovatebot.com/renovate-inherited-schema.json> (repository configuration, including [inherited config options](https://docs.renovatebot.com/config-overview/#inherited-config)) This provides better validation for your editor/agent, as you now only see documentation for the relevant configuration type you're writing. You can read more [in the Renovate JSON Schema documentation](https://docs.renovatebot.com/json-schema/). This does not affect `renovate-config-validator`. ##### Replacements cannot be grouped with other updates [#&#8203;40758](https://github.com/renovatebot/renovate/issues/40758) To prevent replacements being grouped in with other updates, which can sometimes lead to them failing to correctly replace a package, they will no longer be grouped. This may lead to some PRs being modified/created when you upgrade to this version of Renovate. ##### Lock file maintenance cannot be grouped with other updates [#&#8203;40781](https://github.com/renovatebot/renovate/issues/40781) To prevent [lock file maintenance](https://docs.renovatebot.com/configuration-options/#lockfilemaintenance) being grouped in with other updates, which can sometimes lead to them failing to perform the lock file maintenance. This may lead to some PRs being modified/created when you upgrade to this version of Renovate. ##### Use `wasm-java` build of Bouncy Castle [#&#8203;40678](https://github.com/renovatebot/renovate/issues/40678) To improve performance for encryption/decryption of secrets, as well as [supporting AEAD](https://github.com/renovatebot/renovate/discussions/28934), we have moved the default Bouncy Castle build to use `wasm-java`. ##### Renovate now requires a minimum of Node 24 [#&#8203;40675](https://github.com/renovatebot/renovate/issues/40675) The existing requirements of Node 24.11.0 has not changed. This only drops support for Node 22.x. ##### Package name for Node.JS in Mise has changed to `node` [#&#8203;40466](https://github.com/renovatebot/renovate/issues/40466) To be more consistent with other package managers, the Node.JS package has been renamed to `node`. This ensures that updates to NodeJS (when using [Mise](https://docs.renovatebot.com/modules/manager/mise/)) are grouped with other package updates. ##### The [`useCloudMetadataServices`](https://docs.renovatebot.com/self-hosted-configuration/#usecloudmetadataservices) configuration is now environment variable only [#&#8203;40638](https://github.com/renovatebot/renovate/issues/40638) As a first step towards solving [#&#8203;38604](https://github.com/renovatebot/renovate/issues/38604), we have migrated this configuration option to being environment variable configuration only. Note that *technically* Renovate will still detect it if it's set in a `config.js`, but with changes in [#&#8203;38604](https://github.com/renovatebot/renovate/issues/38604) it will not affect the execution. ##### Default tool version updates [#&#8203;39100](https://github.com/renovatebot/renovate/issues/39100) For users of the upstream Renovate container images, the following tools have been updated to new major versions: | Tool | Version | | ------- | -------- | | Bundler | 4.0.4 | | Dotnet | 10.0.102 | | Helm | v4.1.0 | | PHP | 8.5.2 | | Pipenv | 2026.0.3 | | Ruby | 4.0.1 | #### Commentary for 43 There aren't any big changes as part of this release to call out - this is a fairly "routine" major version, where we're doing a little cleanup, making some improvements to be "secure by default", and updating our default tool versions. #### Deprecations As part of this release, we want to make you aware of deprecated features which will be removed as of Renovate 44: - [Removal of `x-access-token:` prefix for GitHub](https://github.com/renovatebot/renovate/issues/38952) ##### ⚠ BREAKING CHANGES - **deps:** Update ghcr.io/renovatebot/base-image Docker tag to v13 (main) ([#&#8203;40730](https://github.com/renovatebot/renovate/issues/40730)) - prevent grouping of lockfile maintenance updates ([#&#8203;40781](https://github.com/renovatebot/renovate/issues/40781)) - Switch to ESM modules ([#&#8203;40756](https://github.com/renovatebot/renovate/issues/40756)) - prevent grouping of replacement updates ([#&#8203;40758](https://github.com/renovatebot/renovate/issues/40758)) - **config:** deprecate `binarySource=docker` ([#&#8203;40754](https://github.com/renovatebot/renovate/issues/40754)) - **presets:** add `maintainLockFilesWeekly` to `best-practices` preset ([#&#8203;40735](https://github.com/renovatebot/renovate/issues/40735)) - **config:** make `useCloudMetadataServices` environment-only ([#&#8203;40638](https://github.com/renovatebot/renovate/issues/40638)) - **self-hosted:** don't allow any unsafe commands by default ([#&#8203;40684](https://github.com/renovatebot/renovate/issues/40684)) - **self-hosted:** don't use `shell: true` for `postUpgradeTasks` ([#&#8203;40230](https://github.com/renovatebot/renovate/issues/40230)) - **json-schema:** forbid global-only options in repo configuration ([#&#8203;38619](https://github.com/renovatebot/renovate/issues/38619)) - **presets:** add `hostType=github` to `:githubComToken` ([#&#8203;38975](https://github.com/renovatebot/renovate/issues/38975)) - use `wasm-java` build of Bouncy Castle ([#&#8203;40678](https://github.com/renovatebot/renovate/issues/40678)) - **mise:** rename packageName from `nodejs` to `node` ([#&#8203;40466](https://github.com/renovatebot/renovate/issues/40466)) - require node v24 ([#&#8203;40675](https://github.com/renovatebot/renovate/issues/40675)) ##### Features - **config:** deprecate `binarySource=docker` ([#&#8203;40754](https://github.com/renovatebot/renovate/issues/40754)) ([3644ac8](https://github.com/renovatebot/renovate/commit/3644ac89d0e255cf008a61693696fc93d1040d75)), closes [#&#8203;40747](https://github.com/renovatebot/renovate/issues/40747) - **deps:** Update ghcr.io/renovatebot/base-image Docker tag to v13 (main) ([#&#8203;40730](https://github.com/renovatebot/renovate/issues/40730)) ([5a2107d](https://github.com/renovatebot/renovate/commit/5a2107d5c77081879551b97970b21b7ccaf29ef4)) - **presets:** add `hostType=github` to `:githubComToken` ([#&#8203;38975](https://github.com/renovatebot/renovate/issues/38975)) ([0d912db](https://github.com/renovatebot/renovate/commit/0d912db883142ae365a97d95fce02f660aebbe05)), closes [#&#8203;38961](https://github.com/renovatebot/renovate/issues/38961) - **presets:** add `maintainLockFilesWeekly` to `best-practices` preset ([#&#8203;40735](https://github.com/renovatebot/renovate/issues/40735)) ([28dccba](https://github.com/renovatebot/renovate/commit/28dccbaf9f4f3aecd562ba09dcfe9470a0c0e6d5)) - require node v24 ([#&#8203;40675](https://github.com/renovatebot/renovate/issues/40675)) ([dcdd1c3](https://github.com/renovatebot/renovate/commit/dcdd1c3bce2ed451db7b6d2806c3064d2d5bfcbd)) - Switch to ESM modules ([#&#8203;40756](https://github.com/renovatebot/renovate/issues/40756)) ([2b0e80b](https://github.com/renovatebot/renovate/commit/2b0e80b884543cf2bdfb96ca49b1b51adec068ad)) - use `wasm-java` build of Bouncy Castle ([#&#8203;40678](https://github.com/renovatebot/renovate/issues/40678)) ([4e19e7c](https://github.com/renovatebot/renovate/commit/4e19e7c122f04baf017ef48cc06317eaa3812c5d)) ##### Bug Fixes - **config:** make `useCloudMetadataServices` environment-only ([#&#8203;40638](https://github.com/renovatebot/renovate/issues/40638)) ([a630187](https://github.com/renovatebot/renovate/commit/a6301877c6abb58370a087367905a7c3afa82564)), closes [#&#8203;38604](https://github.com/renovatebot/renovate/issues/38604) - **mise:** rename packageName from `nodejs` to `node` ([#&#8203;40466](https://github.com/renovatebot/renovate/issues/40466)) ([8dc1133](https://github.com/renovatebot/renovate/commit/8dc1133ebeab592d5fda7f5c9fef5222ca8543f5)) - prevent grouping of lockfile maintenance updates ([#&#8203;40781](https://github.com/renovatebot/renovate/issues/40781)) ([3ed1817](https://github.com/renovatebot/renovate/commit/3ed1817e2b454f2d0a93b478004404a06a5ec1a2)) - prevent grouping of replacement updates ([#&#8203;40758](https://github.com/renovatebot/renovate/issues/40758)) ([c7222c6](https://github.com/renovatebot/renovate/commit/c7222c643d4963f27db2d370557a666ea44d17b7)) - **self-hosted:** don't allow any unsafe commands by default ([#&#8203;40684](https://github.com/renovatebot/renovate/issues/40684)) ([b6ef3e1](https://github.com/renovatebot/renovate/commit/b6ef3e129034592659335064a0c986de2ce8e1a6)) - **self-hosted:** don't use `shell: true` for `postUpgradeTasks` ([#&#8203;40230](https://github.com/renovatebot/renovate/issues/40230)) ([cb49754](https://github.com/renovatebot/renovate/commit/cb4975439112166f1ddef8ba4f972516b90fa14e)) ##### Documentation - add announcement bar for v43 ([93423cf](https://github.com/renovatebot/renovate/commit/93423cfafe8914883cc1a9b0040b1e9d9da18dcc)) ##### Miscellaneous Chores - **json-schema:** forbid global-only options in repo configuration ([#&#8203;38619](https://github.com/renovatebot/renovate/issues/38619)) ([192ae36](https://github.com/renovatebot/renovate/commit/192ae368fae5b27812dd6289696b928bf9049af9)), closes [#&#8203;38728](https://github.com/renovatebot/renovate/issues/38728) - use `updateType` in log message ([d1e3f13](https://github.com/renovatebot/renovate/commit/d1e3f13874a4505a2926eb76f25b74529509c0b8)) ### [`v42.95.2`](https://github.com/renovatebot/renovate/releases/tag/42.95.2) [Compare Source](https://github.com/renovatebot/renovate/compare/42.95.1...42.95.2) ##### Bug Fixes - **onboardingAutoCloseAge:** don't allow higher inherited value than global ([#&#8203;40810](https://github.com/renovatebot/renovate/issues/40810)) ([ffb95ed](https://github.com/renovatebot/renovate/commit/ffb95ed848ded2ee8124d3e44956403df5a22fde)) ##### Build System - trim channel for docker builds ([cd27b1d](https://github.com/renovatebot/renovate/commit/cd27b1ddbfae5cac7085096cdc70f8ba22ea12e8)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Update ghcr.io/renovatebot/renovate Docker tag to v43
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 20s
Details
8c1fdd439b
Renovate force-pushed renovate/ghcr.io-renovatebot-renovate-43.x from 8c1fdd439b
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 20s
Details
to 86b81b9ef8
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 24s
Details
2026-01-30 00:47:11 +01:00 Compare
Renovate force-pushed renovate/ghcr.io-renovatebot-renovate-43.x from 86b81b9ef8
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 24s
Details
to 28580556f0
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 20s
Details
2026-01-30 23:21:54 +01:00 Compare
Renovate force-pushed renovate/ghcr.io-renovatebot-renovate-43.x from 28580556f0
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 20s
Details
to 0d0efad164
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 20s
Details
2026-02-01 01:54:25 +01:00 Compare
Renovate force-pushed renovate/ghcr.io-renovatebot-renovate-43.x from 0d0efad164
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 20s
Details
to 0e4bf59743
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 15s
Details
2026-02-01 12:08:24 +01:00 Compare
Renovate force-pushed renovate/ghcr.io-renovatebot-renovate-43.x from 0e4bf59743
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 15s
Details
to e341b1fadf
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 20s
Details
2026-02-01 18:58:46 +01:00 Compare
Renovate force-pushed renovate/ghcr.io-renovatebot-renovate-43.x from e341b1fadf
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 20s
Details
to aad54be668
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 19s
Details
2026-02-02 10:23:14 +01:00 Compare
Renovate force-pushed renovate/ghcr.io-renovatebot-renovate-43.x from aad54be668
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 19s
Details
to 94d7aee89b
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 17s
Details
2026-02-02 11:33:11 +01:00 Compare
Renovate force-pushed renovate/ghcr.io-renovatebot-renovate-43.x from 94d7aee89b
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 17s
Details
to 4457111391
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 18s
Details
2026-02-02 12:41:02 +01:00 Compare
Renovate force-pushed renovate/ghcr.io-renovatebot-renovate-43.x from 4457111391
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 18s
Details
to 2c08beacb2
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 24s
Details
2026-02-02 17:46:48 +01:00 Compare
Some checks failed
Validate Docker Compose Files / validate-compose (pull_request) Failing after 24s
Details
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/ghcr.io-renovatebot-renovate-43.x:renovate/ghcr.io-renovatebot-renovate-43.x
git switch renovate/ghcr.io-renovatebot-renovate-43.x

Merge

Merge the changes and update on Forgejo.
git switch main
git merge --no-ff renovate/ghcr.io-renovatebot-renovate-43.x
git switch renovate/ghcr.io-renovatebot-renovate-43.x
git rebase main
git switch main
git merge --ff-only renovate/ghcr.io-renovatebot-renovate-43.x
git switch renovate/ghcr.io-renovatebot-renovate-43.x
git rebase main
git switch main
git merge --no-ff renovate/ghcr.io-renovatebot-renovate-43.x
git switch main
git merge --squash renovate/ghcr.io-renovatebot-renovate-43.x
git switch main
git merge --ff-only renovate/ghcr.io-renovatebot-renovate-43.x
git switch main
git merge renovate/ghcr.io-renovatebot-renovate-43.x
git push origin main
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Aroy/Paws!71
No description provided.