Dependency Dashboard

[bfra-me]

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Abandoned Dependencies

Note

Packages are marked as abandoned when they exceed the abandonmentThreshold since their last release. Unlike deprecated packages with official notices, abandonment is detected by release inactivity.

These dependencies have not received updates for an extended period and may be unmaintained:

View abandoned dependencies (7)

Datasource	Package	Last Updated
npm	@svitejs/changesets-changelog-github-compact	2024-10-13
npm	husky	2024-11-18
npm	mdast-util-to-string	2023-07-07
npm	remark	2023-09-18
npm	remark-parse	2023-09-18
npm	remark-stringify	2023-09-18
npm	unified	2024-06-19

Pending Approval

The following branches are pending approval. To create them, click on a checkbox below.

• chore(dev): update dependency typescript to v6

Awaiting Schedule

The following updates are awaiting their schedule. To get an update now, click on a checkbox below.

• chore(deps): maintain lockfiles

Pending Status Checks

The following updates await pending status checks. To force their creation now, click on a checkbox below.

• fix(deps): update dependency minimatch to v10.2.5

---

Warning

Renovate failed to look up the following dependencies: Failed to look up github-tags package aquasecurity/trivy-action: no-result.

Files affected: .github/workflows/container-scan.yaml

---

Vulnerabilities

Renovate has not found any CVEs on osv.dev.

Detected Dependencies

github-actions (23)

.github/workflows/auto-release.yaml (5)

• actions/create-github-app-token v3.0.0@f8d387b68d61c58ab83c6c016672934102569859
• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• pnpm/action-setup v5.0.0@fc06bc1257f339d1d5d8b3a19a8cae5388b55320
• actions/setup-node v6.3.0@53b83947a5a98c8d113130e565377fae1a50d02f
• changesets/action v1.7.0@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf

.github/workflows/codeql-analysis.yaml (4)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• github/codeql-action v4.35.1@c10b8064de6f491fea524254123dbe5e09572f13
• github/codeql-action v4.35.1@c10b8064de6f491fea524254123dbe5e09572f13
• github/codeql-action v4.35.1@c10b8064de6f491fea524254123dbe5e09572f13

.github/workflows/container-scan.yaml (4)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• dorny/paths-filter v4.0.1@fbd0ab8f3e69293af611ebaee6363fc25e6d187d
• aquasecurity/trivy-action 0.35.0@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
• github/codeql-action v4.35.1@c10b8064de6f491fea524254123dbe5e09572f13

.github/workflows/copilot-setup-steps.yaml (3)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• pnpm/action-setup v5.0.0@fc06bc1257f339d1d5d8b3a19a8cae5388b55320
• actions/setup-node v6.3.0@53b83947a5a98c8d113130e565377fae1a50d02f

.github/workflows/dependency-review.yaml (2)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• actions/dependency-review-action v4.9.0@2031cfc080254a8a887f58cffee85186f0e49e48

.github/workflows/fro-bot-autoheal-org.yaml

.github/workflows/fro-bot.yaml (4)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• pnpm/action-setup v5.0.0@fc06bc1257f339d1d5d8b3a19a8cae5388b55320
• actions/setup-node v6.3.0@53b83947a5a98c8d113130e565377fae1a50d02f
• fro-bot/agent v0.35.0@d70f2df9cfec24513cbb0b0b7c9b9a6a9aa7e87d

.github/workflows/license-compliance.yaml (2)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• fossas/fossa-action v1.8.0@c414b9ad82eaad041e47a7cf62a4f02411f427a0

.github/workflows/main.yaml (8)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• pnpm/action-setup v5.0.0@fc06bc1257f339d1d5d8b3a19a8cae5388b55320
• actions/setup-node v6.3.0@53b83947a5a98c8d113130e565377fae1a50d02f
• actions/create-github-app-token v3.0.0@f8d387b68d61c58ab83c6c016672934102569859
• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• pnpm/action-setup v5.0.0@fc06bc1257f339d1d5d8b3a19a8cae5388b55320
• actions/setup-node v6.3.0@53b83947a5a98c8d113130e565377fae1a50d02f
• changesets/action v1.7.0@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf

.github/workflows/pr-triage.yaml (4)

• actions/create-github-app-token v3.0.0@f8d387b68d61c58ab83c6c016672934102569859
• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• actions/labeler v6.0.1@634933edcd8ababfe52f92936142cc22ac488b1b
• kentaro-m/auto-assign-action v2.0.2@0a2c53d3721e4c5cfcce6afd4014aecc337979f6

.github/workflows/renovate-changeset.yaml (3)

• actions/create-github-app-token v3.0.0@f8d387b68d61c58ab83c6c016672934102569859
• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd

.github/workflows/renovate.yaml (4)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• actions/create-github-app-token v3.0.0@f8d387b68d61c58ab83c6c016672934102569859
• dorny/paths-filter v4.0.1@fbd0ab8f3e69293af611ebaee6363fc25e6d187d
• bfra-me/renovate-action 9.25.1@83f77150d69ed5222b6b53952305e5b0a32c853d

.github/workflows/scorecard.yaml (4)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• ossf/scorecard-action v2.4.3@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
• actions/upload-artifact v7.0.0@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
• github/codeql-action v4.35.1@c10b8064de6f491fea524254123dbe5e09572f13

.github/workflows/secret-scan.yaml (1)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd

.github/workflows/trigger-org-renovate.yaml (1)

• actions/create-github-app-token v3.0.0@f8d387b68d61c58ab83c6c016672934102569859

.github/workflows/update-metadata.yaml (5)

• actions/create-github-app-token v3.0.0@f8d387b68d61c58ab83c6c016672934102569859
• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• pnpm/action-setup v5.0.0@fc06bc1257f339d1d5d8b3a19a8cae5388b55320
• actions/setup-node v6.3.0@53b83947a5a98c8d113130e565377fae1a50d02f
• peter-evans/create-pull-request v8.1.0@c0f553fe549906ede9cf27b5156039d195d2ece0

.github/workflows/update-repo-settings.yaml (4)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• dorny/paths-filter v4.0.1@fbd0ab8f3e69293af611ebaee6363fc25e6d187d
• actions/create-github-app-token v3.0.0@f8d387b68d61c58ab83c6c016672934102569859
• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd

workflow-templates/codeql-analysis.yaml (3)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• github/codeql-action v4.35.1@c10b8064de6f491fea524254123dbe5e09572f13
• github/codeql-action v4.35.1@c10b8064de6f491fea524254123dbe5e09572f13

workflow-templates/dependency-review.yaml (2)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• actions/dependency-review-action v4.9.0@2031cfc080254a8a887f58cffee85186f0e49e48

workflow-templates/renovate-changesets.yaml (1)

• bfra-me/.github v4.14.4@5be29d8f0114fe4c5e46ade85c1abd7295ef1d65

workflow-templates/renovate.yaml (1)

• bfra-me/.github v4.14.4@5be29d8f0114fe4c5e46ade85c1abd7295ef1d65

workflow-templates/scorecard.yaml (4)

• actions/checkout v6.0.2@de0fac2e4500dabe0009e67214ff5f5447ce83dd
• ossf/scorecard-action v2.4.3@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
• actions/upload-artifact v7.0.0@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
• github/codeql-action v4.35.1@c10b8064de6f491fea524254123dbe5e09572f13

workflow-templates/update-repo-settings.yaml (1)

• bfra-me/.github v4.14.4@5be29d8f0114fe4c5e46ade85c1abd7295ef1d65

nodenv (1)

.node-version (1)

• node 24.14.1

npm (5)

.github/actions/renovate-changesets/package.json (10)

• @actions/core ^3.0.0
• @actions/exec ^3.0.0
• @actions/github ^9.0.0
• @changesets/parse ^0.4.0
• @changesets/write ^0.4.0
• @octokit/rest ^22.0.0
• js-yaml ^4.1.0
• minimatch 10.2.4 → [Updates: 10.2.5]
• @types/js-yaml 4.0.9
• tsup 8.5.1

.github/actions/update-metadata/package.json (5)

• @actions/core ^3.0.0
• @octokit/rest ^22.0.0
• js-yaml ^4.1.0
• @types/js-yaml 4.0.9
• tsup 8.5.1

.github/actions/update-repository-settings/package.json (6)

• @actions/core ^3.0.0
• @actions/github ^9.0.0
• @octokit/rest ^22.0.0
• js-yaml ^4.1.0
• @types/js-yaml 4.0.9
• tsup 8.5.1

package.json (30)

• @bfra.me/eslint-config 0.50.1
• @bfra.me/prettier-config 0.16.7
• @bfra.me/tsconfig 0.12.2
• @changesets/cli 2.30.0
• @changesets/config 3.1.3
• @changesets/should-skip-package 0.1.2
• @changesets/types 6.1.0
• @manypkg/cli 0.25.1
• @manypkg/get-packages 3.1.0
• @svitejs/changesets-changelog-github-compact 1.2.0
• @types/node 24.12.0
• @vitest/coverage-v8 4.1.2
• eslint 10.1.0
• eslint-config-prettier 10.1.8
• eslint-plugin-prettier 5.5.5
• glob 13.0.6
• husky 9.1.7
• jiti 2.6.1
• lint-staged 16.4.0
• mdast-util-to-string 4.0.0
• prettier 3.8.1
• remark 15.0.1
• remark-parse 11.0.0
• remark-stringify 11.0.0
• tsx 4.21.0
• typescript 5.9.3 → [Updates: 6.0.2]
• unified 11.0.5
• vitest 4.1.2
• pnpm 10.33.0
• flatted 3.4.2

pnpm-workspace.yaml

regex (1)

.github/renovate.json5 (2)

• bfra-me/renovate-config 5.2.0
• bfra-me/renovate-config 5.2.0

renovate-config-presets (1)

.github/renovate.json5 (2)

• bfra-me/renovate-config 5.2.0
• bfra-me/renovate-config 5.2.0

---

• Check here to trigger a Renovate run on this repository

[marcusrbrown]

With the release of bfra-me/renovate-config@v1.9.3, this issue is titled Renovate Dashboard (#16).

[fro-bot]

Investigation Complete: [Updates: undefined] Root Cause Identified

Summary

The undefined version detection for bfra-me/.github dependencies is caused by ineffective Renovate configuration. The fix has been prepared locally.

Root Cause Analysis

1. Package Name Mismatch

   • The existing matchPackageNames patterns use full paths: bfra-me/.github/.github/actions/renovate-changesets
   • Renovate's github-actions manager normalizes package names to owner/repo format only
   • The full path patterns never matched any dependencies

2. Unsupported Version Extraction

   • The extractVersion patterns expect tags like renovate-changesets@0.2.15
   • But the actual workflow references use SHA pinning: @2c3d82d... # renovate-changesets@0.2.15
   • Renovate cannot extract version from SHA references or parse the @ separator in comments

Evidence from Renovate Source Code

From lib/modules/manager/github-actions/extract.ts:

const packageName = \`\${owner}/\${repo}\`;
const depName = \`\${registryUrl}\${packageName}\`;

The path component (.github/actions/renovate-changesets) is stored separately and not used for package matching.

Fix Prepared

{
  description: 'Disable updates for self-referential actions within the bfra-me/.github repository...',
  matchPackageNames: ['bfra-me/.github'],
  enabled: false,
}

This replaces the two ineffective package rules with a single rule that:

1. Uses correct package name: bfra-me/.github (how Renovate detects it)
2. Disables updates: Self-referential actions should be managed through the release process, not Renovate

Status

• ✅ Fix prepared in local working directory (.github/renovate.json5)
• ⏳ Awaiting manual commit by someone with push access
• ✅ Detailed analysis posted on PR #1710

Recommendations

1. Commit the fix to prevent future incorrect PRs
2. Consider updating workflow templates to use semantic version tags (@v3, @v4) instead of SHA pinning for external consumers
3. For internal workflows, continueusing SHA pinning with version comments for security