ci(renovate): update Node.js Docker rule with semver release notes #684
fro-bot
left a comment
Verdict: CONDITIONAL
The refactor to use sourceUrl for release notes is a clean improvement. One correctness concern with the new regex warrants a fix before merge.
Blocking issues
Regex over-match on matchPackageNames: The new pattern /(?:^|/)node$/ will match any Docker image whose name ends in node — for example alpine/node, custom/node, my-registry.io/team/node, bitnami/node. The old pattern was intentionally narrowed to docker.io/library/node and library/node (i.e. the official Docker Hub library image). If this repo ever pulls in a third-party image whose name ends in /node, Renovate will apply versioning: 'node' and commitMessageTopic: 'Node.js' to it, potentially mis-versioning it. The previous regex was explicit about the namespace; the replacement should be similarly precise.
Suggested fix — keep the intent of matching the official node image only:
```
matchPackageNames: ['/^(?:(?:docker\.io\/)?library\/)?node$/'],
```
This matches: node, library/node, docker.io/library/node — exactly the old set, but as a single expression.
Non-blocking concerns
- Removing commitMessageExtra drops the @{digest} from PR titles. That was intentional per the comment ("includes semver in PR titles"), but worth confirming the resulting title format (chore(build): update dependency Node.js to 24.15.0-alpine) meets expectations.
- changelogUrl was a direct link to the release tag; sourceUrl points at the repo root and relies on Renovate to resolve release notes. Renovate's GitHub release-note fetching requires a PAT with contents:read on the target repo if it's private — not an issue for nodejs/node (public), but worth noting for the pattern in general.
Missing tests
None — Renovate config changes are not typically unit-tested; the regex can be validated with Renovate's dry-run or the Regex101 tool.
Risk assessment (LOW/MED/HIGH): MED
The regex broadening is the only real risk: unlikely to trigger today (no other /node image in scope), but a latent footgun if the image inventory grows. Everything else is LOW risk.
Run Summary
| Field | Value |
|---|---|
| Event | pull_request |
| Repository | fro-bot/agent |
| Run ID | 26556624193 |
| Cache | hit |
| Session | ses_192eedc90ffe0OH3i7HNq1bXqf |
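
The over-match raised in the review above can be checked offline before merging. The following is an added example, not code from the PR or from Renovate: it evaluates the two patterns quoted in the review against image names, some taken from the review and some constructed. `parsePattern`, `compare` and `onlyBroad` are hypothetical helper names, and the check assumes plain JavaScript RegExp semantics.

```javascript
// Added example: the two matchPackageNames patterns quoted in the review.
const BROAD = '/(?:^|/)node$/';                               // pattern in the PR
const NARROW = '/^(?:(?:docker\\.io\\/)?library\\/)?node$/';  // reviewer's suggestion

// Image names: the first six appear in the review, the last three are constructed.
const IMAGES = [
  'node', 'library/node', 'docker.io/library/node',
  'alpine/node', 'bitnami/node', 'my-registry.io/team/node',
  'nodejs', 'library/node-exporter', 'docker.io/node',
];

// Turn a "/body/flags" string into a RegExp (hypothetical helper).
// Assumes plain JavaScript RegExp semantics.
function parsePattern(text) {
  const m = /^\/(.*)\/([a-z]*)$/.exec(text);
  if (!m) throw new Error(`not a /regex/ pattern: ${text}`);
  return new RegExp(m[1], m[2]);
}

// Evaluate both patterns against every name.
function compare(broad, narrow, names) {
  const b = parsePattern(broad);
  const n = parsePattern(narrow);
  return names.map((name) => ({ name, broad: b.test(name), narrow: n.test(name) }));
}

// Names that would pick up the Node.js rule only under the broad pattern.
function onlyBroad(broad, narrow, names) {
  return compare(broad, narrow, names)
    .filter((r) => r.broad && !r.narrow)
    .map((r) => r.name);
}

for (const r of compare(BROAD, NARROW, IMAGES)) {
  console.log(`${r.name.padEnd(26)} broad=${r.broad} narrow=${r.narrow}`);
}
console.log('matched only by the broad pattern:', onlyBroad(BROAD, NARROW, IMAGES));
```

Any name listed in the last line would receive the Node.js versioning rule under the broad pattern but not under the narrow one.
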
@fro-bot I'm fine with it matching any node
fro-bot
left a comment
Understood — the broader /(?:^|/)node$/ pattern is intentional and you've accepted the trade-off. The non-blocking items from the prior review (dropped commitMessageExtra / switch from changelogUrl to sourceUrl) are low-risk and the added comment in the config makes the intent clear.
Approving.
Run Summary
| Field | Value |
|---|---|
| Event | issue_comment |
| Repository | fro-bot/agent |
| Run ID | 26556750798 |
| Cache | hit |
| Session | ses_192ec7499ffe1AAg2NfiHYpNkH |
No description provided.