
feat(renovate): distinguish library and app npm dependency strategies #16

Open

nexus49 wants to merge 2 commits into main from feat/improve-renovate-npm-strategy

Conversation

nexus49 (Member) commented Apr 1, 2026

Summary

  • Replace the single bump range strategy for npm production dependencies with two explicit rules using matchJsonata:
    • Libraries (publishConfig present): replace strategy — preserves semver ranges (^/~), preventing forced exact versions for downstream consumers
    • Applications (private: true): pin strategy — exact versions for reproducible production builds
  • Skip digest pinning for openmfp/gha and openmfp/.github GitHub Actions, since we trust our own shared workflow repos

Aligns with the platform-mesh shared Renovate configuration.

Summary by CodeRabbit

  • Chores
    • Refined automated dependency update rules to better preserve existing version range behavior for published packages while enabling deterministic updates for private dependencies.
    • Updated GitHub Actions dependency update settings to avoid digest pinning for relevant repositories, improving consistency of action version updates.

Replace the single `bump` range strategy for npm production dependencies
with two explicit rules using matchJsonata:

- Libraries (publishConfig present): use `replace` to preserve semver
  ranges, avoiding forced exact versions for downstream consumers.
- Applications (private: true): use `pin` for reproducible builds.

Also skip digest pinning for openmfp/gha and openmfp/.github actions,
since we trust our own shared workflow repos.

Aligns with the platform-mesh shared Renovate configuration.

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>
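To make the difference between the strategies named above concrete, here is an added Python model (not Renovate's own code and not part of this PR) that classifies a constructed package.json the way the two new rules do and shows what `pin`, `replace` and the old `bump` would write for a caret range. It assumes Renovate's documented strategy semantics and models ^x.y.z ranges only.

```python
"""Model of the npm rangeStrategy choice in this PR (added illustration, not
Renovate's code). Renovate's documented semantics, on ^x.y.z ranges only:
pin -> exact version; bump -> raise the range's lower bound (^1.2.3 -> ^1.3.0);
replace -> keep the range while the new version satisfies it, else ^<new>."""
import re
_CARET = re.compile(r"^\^(\d+)\.(\d+)\.(\d+)$")

def caret_satisfies(range_spec, version):
    """Caret rule: same major for >=1.0.0, same minor for 0.x, exact for 0.0.x."""
    match = _CARET.match(range_spec)
    if not match:
        raise ValueError(f"only ^x.y.z ranges are modelled: {range_spec}")
    low, new = tuple(map(int, match.groups())), tuple(map(int, version.split(".")))
    if new < low:
        return False
    if low[0] > 0:
        return new[0] == low[0]
    if low[1] > 0:
        return new[:2] == low[:2]
    return new == low

def apply_strategy(strategy, range_spec, new_version):
    """Return the dependency spec Renovate would write for one update."""
    if strategy == "pin":
        return new_version
    if strategy == "bump":
        return "^" + new_version
    if strategy == "replace":
        return range_spec if caret_satisfies(range_spec, new_version) else "^" + new_version
    raise ValueError(f"unknown rangeStrategy: {strategy}")

def classify(package_json):
    """Mirror the PR's two rules; None means neither matched (inherited config decides)."""
    if "publishConfig" in package_json:      # library: keep ranges for downstream consumers
        return "replace"
    if package_json.get("private") is True:  # application: exact versions, reproducible builds
        return "pin"
    return None

def plan_update(package_json, dep, new_version):
    """(strategy, new spec) for `dep`, or raise when no rule of this PR matches."""
    strategy = classify(package_json)
    if strategy is None:
        raise ValueError("neither library nor application rule matched")
    return strategy, apply_strategy(strategy, package_json["dependencies"][dep], new_version)

# Constructed sample manifests (not from the repository).
LIBRARY = {"name": "example-lib", "publishConfig": {"access": "public"},
           "dependencies": {"some-dep": "^1.2.3"}}
APP = {"name": "example-app", "private": True, "dependencies": {"some-dep": "^1.2.3"}}
```

The library case keeps `^1.2.3` for an in-range 1.3.0 (a consumer's own resolution still decides), while the same update under the old `bump` strategy would have forced `^1.3.0` on every downstream consumer.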
coderabbitai (Bot) commented Apr 1, 2026

No actionable comments were generated in the recent review. 🎉

Recent review info: configuration used: defaults; review profile: CHILL; plan: Pro.

Commits

Reviewing files that changed from the base of the PR and between a5dacb4 and eef096a.

Files selected for processing (1): renovate-config.json
Files skipped from review as they are similar to previous changes (1): renovate-config.json

Walkthrough

Updated Renovate configuration to apply different dependency version strategies based on project type: rangeStrategy: "replace" for published packages with publishConfig, rangeStrategy: "pin" for private packages without publishConfig, and disabled digest pinning for specific GitHub Actions repositories.

Changes

Renovate dependency update strategies (renovate-config.json):

  • npm dependency version strategies: replaced the production-oriented bump strategy with conditional packageRules applying rangeStrategy: "replace" for published packages with publishConfig and rangeStrategy: "pin" for private packages without publishConfig.
  • GitHub Actions digest pinning override: added a packageRule for the GitHub Actions manager targeting openmfp/gha and openmfp/.github with pinDigests: false to override inherited digest-pinning behavior.

Estimated code review effort: 2 (Simple), ~12 minutes

Possibly related PRs

  • openmfp/.github#15: Modifies Renovate digest-pinning behavior for Docker images, complementing this change's handling of digest pinning for GitHub Actions updates.

Suggested reviewers

  • aaronschweig
  • gkrajniak

Poem

🐰 A config so neat, with strategies clear,
Published or private? Each rule brings good cheer!
Digest pins disabled where needed they're not,
Renovate runs smoother—what a fine plot! ✨

Pre-merge checks: 5 passed

  • Description check: passed (check skipped because CodeRabbit's high-level summary is enabled).
  • Title check: passed. The title clearly and specifically describes the main change: distinguishing between library and application npm dependency strategies in the Renovate configuration, which is the core objective of the PR.
  • Docstring coverage: passed. No functions were found in the changed files to evaluate docstring coverage; the check was skipped.
  • Linked issues check: passed (check skipped because no linked issues were found for this pull request).
  • Out of scope changes check: passed (check skipped because no linked issues were found for this pull request).


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

Biome (2.5.0), renovate-config.json:

File contains syntax errors that prevent linting: Line 13: Expected a property but instead found '// Supply chain protection: delay merging packages until they are at least 7 days; Line 16: End of file expected; Line 16: End of file expected; Line 16: End of file expected; Line 16: End of file expected; Line 17: End of file expected; Line 17: End of file expected; Line 17: End of file expected; Line 17: End of file expected; Line 18: End of file expected; Line 18: End of file expected; Line 18: End of file expected; Line 22: End of file expected; Line 23: End of file expected; Line 23: End of file expected; Line 23: End of file expected; Line 111: End of file expected; Line 112: End of file expected; Line 112: End of file expected; Line 112: End of file expected; Line 113: End of file expected
