Renovate 42 Is Coming


Note

This is a draft of the Release Notes for v42.

There may be some placeholders, i.e. ??, while we continue to write these.

Breaking changes for 42

Using minimumReleaseAge will now require a release timestamp

When minimumReleaseAge is specified, Renovate looks for a release timestamp to determine the age of the release, and whether it satisfies the minimumReleaseAge configuration.

Before Renovate 42, if a release timestamp was not present, Renovate would treat the dependency update as if the release timestamp was present and the dependency had already passed the minimum release age.

This meant that for users with artifact proxies, or in cases where the release timestamp wasn't consistently present, dependencies could "slip through" and be updated before Renovate's policy allowed it.

As of Renovate 42, the configuration minimumReleaseAgeBehaviour (added in 41.150.0) defaults to requiring the release timestamp to be present.

If the release timestamp isn't present, Renovate will mark the update as "awaiting schedule", and will output a debug log message to explain why.

You can revert to the previous behaviour by setting minimumReleaseAgeBehaviour=timestamp-optional.

Note that not all datasources support this functionality, nor do custom registries (such as Artifactory).
For more details on how to verify support for your repository, check out the Minimum Release Age documentation.
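The difference between the two behaviours, as an added example rather than Renovate's own code: a simplified JavaScript model of the age check applied to a version whose timestamp is missing. The release data is constructed, parseAge and checkRelease are hypothetical helpers, and the value name timestamp-required for the new default is an assumption (this page only names timestamp-optional).

```javascript
// Simplified model of the decision described above; not Renovate's implementation.
const UNIT_MS = { minute: 60e3, hour: 3600e3, day: 86400e3, week: 7 * 86400e3 };

// Parse a duration such as "3 days" into milliseconds (simplified parser).
function parseAge(text) {
  const m = /^\s*(\d+)\s*(minute|hour|day|week)s?\s*$/i.exec(text);
  if (!m) throw new Error(`unsupported duration: ${text}`);
  return Number(m[1]) * UNIT_MS[m[2].toLowerCase()];
}

// Decide whether a release may be proposed yet.
// 'timestamp-required' is an assumed name for the Renovate 42 default.
function checkRelease(release, minimumReleaseAge, behaviour, now) {
  const ts = release.releaseTimestamp ? Date.parse(release.releaseTimestamp) : NaN;
  if (Number.isNaN(ts)) {
    // The registry or proxy returned no usable timestamp for this version.
    return behaviour === 'timestamp-optional'
      ? { status: 'allowed', reason: 'no timestamp, treated as old enough' }
      : { status: 'pending', reason: 'no timestamp, age cannot be verified' };
  }
  const age = now - ts;
  return age >= parseAge(minimumReleaseAge)
    ? { status: 'allowed', reason: 'minimum release age passed' }
    : { status: 'pending', reason: 'release is too new' };
}

// Constructed sample data: three versions of a hypothetical package.
const NOW = Date.parse('2025-11-10T00:00:00Z');
const RELEASES = [
  { version: '1.4.0', releaseTimestamp: '2025-11-01T00:00:00Z' }, // 9 days old
  { version: '1.5.0', releaseTimestamp: '2025-11-09T00:00:00Z' }, // 1 day old
  { version: '1.6.0' }, // timestamp missing, e.g. stripped by a proxy
];

// Evaluate every sample release against a 3 day minimum under one behaviour.
function evaluate(behaviour) {
  return RELEASES.map((r) => ({
    version: r.version,
    ...checkRelease(r, '3 days', behaviour, NOW),
  }));
}

for (const behaviour of ['timestamp-optional', 'timestamp-required']) {
  console.log(behaviour);
  for (const r of evaluate(behaviour)) {
    console.log(`  ${r.version}: ${r.status} (${r.reason})`);
  }
}
```

Only the version without a timestamp changes outcome between the two behaviours, which is the "slipping through" case this breaking change closes.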

minimumReleaseAge: 3 days will now be set by default for npm in config:best-practices

For users of config:best-practices, the Minimum Release Age functionality will now apply by default for the npm ecosystem.

This will ensure that there is a short window for ??.

You'll notice that dependencies in the npm ecosystem will now be governed by ??

This will be enforced by default for packages using the ??, via the security:minimumReleaseAgeNpm ??.

...

For more details on this functionality, check out the Minimum Release Age documentation.

Release timestamps for digest ?? Docker Hub

Related to the minimumReleaseAge work, ?? - this was incorrectly ?? that a ?? would ??.

Renovate now defaults to using Node.js 24

With Node 24 now in Long Term Support (LTS) release status, we have moved to target Node.js 24 (^24.10.0) as our default engine for Node, and retain support for Node 22.

The pre-built Docker containers have been updated to use Node 24.

If you self-host without using our Docker image (for instance, if you build your own image or run the renovate npm package), then you must update the version of Node.js.

Redis clusters now authenticate to all nodes in the cluster with the provided credentials

When running Renovate against a Redis cluster with authentication, it was possible for a NOAUTH Authentication required error to appear:

DEBUG: Redis cache init
DEBUG: Redis cache connected
...
WARN: Error while setting Redis cache value (repository=jcl-test/example)
"err": {"message": "NOAUTH Authentication required."}

Renovate will now use the same authentication for all nodes in a cluster.

Change to the default User Agent

The default user-agent header for Renovate's outgoing HTTP calls has changed to Renovate/${version}.

Support Yarn Catalogs

Commentary for 42

Focus on minimumReleaseAge

You'll notice that there are a number of big features here - and in recent minor releases - that focus on Minimum Release Age.

Recent supply chain security attacks - most prominently in the npm ecosystem - have led to ??.

With this in mind, we've made the decision (as Renovate maintainers) to take a step to apply ??

There have been a number of ?? behind the scenes that have gone into making sure that for folks using this configuration, it's as predictable as possible.

Additionally, this starts with making the ??.

Over time, this may increase as more package ecosystems ??.

Due to ??, it's Minimum Release Age documentation ??

...

{Autogenerated notes here}
