ci: hold Renovate PRs until packages pass sfw minimumReleaseAge

[fengmk2]

Problem

Renovate PRs fail at the Setup Vite+ step because CI runs sfw vp install (Socket Firewall Free), which enforces pnpm's minimumReleaseAge cooldown. Renovate opens update PRs the moment a version is published, so the lockfile fails the supply-chain policy check:

[ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION] 1 lockfile entries failed verification

Seen on the undici 8.4.1 -> 8.5.0 PR (#824).

Fix

• minimumReleaseAge: "3 days" for all npm packages, so updates age past the sfw cooldown before a PR opens.
• minimumReleaseAge: "0 days" for the vite-plus group, which is already in minimumReleaseAgeExclude in pnpm-workspace.yaml and can update immediately.

Values mirror voidzero's Boshen/renovate preset used with the same sfw setup.

Summary by CodeRabbit

• Chores
  • Updated dependency update configuration to adjust how quickly new package releases are considered available (reduced minimum release age for certain rules and broadened matching patterns).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9081847c-914c-4dd4-9f0a-078c02c0610b

📥 Commits

Reviewing files that changed from the base of the PR and between 5ec3a81 and 778f558.

📒 Files selected for processing (1)

• renovate.json

🚧 Files skipped from review as they are similar to previous changes (1)

• renovate.json

---

📝 Walkthrough

Walkthrough

The renovate.json configuration adds a new npm-based packageRule with minimumReleaseAge set to "3 days", and updates the existing vite-plus group rule to use minimumReleaseAge of "0 days" while changing its matchPackageNames from explicit package names to wildcard patterns (@voidzero-dev/*, @vitest/*).

Changes

Renovate Config Update

Layer / File(s)	Summary
packageRules: new npm rule and vite-plus updates renovate.json	New npm packageRule added with "minimumReleaseAge": "3 days"; vite-plus rule updated to "minimumReleaseAge": "0 days" and matchPackageNames changed to wildcard patterns (@voidzero-dev/*, @vitest/*).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A bunny hops through config land, 🐇
With zero days and wildcards grand,
The vite-plus group shall update fast,
While npm waits three days to last,
Fresh releases at their best! 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: configuring Renovate to delay package updates until they meet the minimumReleaseAge requirement to pass sfw checks.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/renovate-minimum-release-age

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/node-modules/urllib@825

commit: 778f558

[gemini-code-assist]

Code Review

This pull request updates the Renovate configuration in renovate.json by setting a minimum release age of 3 days for npm packages and 0 days for the vite-plus group. The reviewer suggested using glob patterns for package name matching to simplify the configuration and ensure future packages from the same scopes are automatically included.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.91%. Comparing base (5bc5529) to head (778f558).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #825   +/-   ##
=======================================
  Coverage   94.91%   94.91%           
=======================================
  Files          10       10           
  Lines         747      747           
  Branches      235      235           
=======================================
  Hits          709      709           
  Misses         35       35           
  Partials        3        3           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adjusts Renovate configuration to reduce CI failures caused by Socket Firewall Free (sfw vp install) enforcing pnpm’s minimumReleaseAge cooldown, by delaying most npm updates while allowing the Vite+ toolchain to update immediately.

Changes:

• Add a Renovate packageRules entry applying minimumReleaseAge: "3 days" to all npm datasource updates.
• Set minimumReleaseAge: "0 days" for the vite-plus grouped dependencies.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.