Feature: Increase Renovate minimumReleaseAge to 7 days
JoshuaKGoldberg opened this issue · 4 comments
Bug Report Checklist
- [x] I have pulled the latest `main` branch of the repository.
- [x] I have searched for related issues and found none that matched my issue.
Overview
For a while now, this template has set Renovate's `minimumReleaseAge` to `3 days`. That's the time threshold for an npm package to be unable to be unpublished. It also has the nice benefit of giving some time for the community to catch & patch a malicious version of a previously ok package.
But, 3 days isn't a super long amount of time. If something releases on a Friday then folks might not have fully caught+patched it by Monday. I've been thinking for a while of increasing it to a full week.
Request: every place in this repo that says `"3 days"` should instead say `"7 days"`. That includes `.github/renovate.json` and `createDotGitHubFiles.ts`.
Additional Info
See docs on: https://docs.renovatebot.com/configuration-options/#minimumreleaseage
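For reference, here is what the requested setting looks like in a Renovate config. This is an added illustration, not the template's actual `.github/renovate.json`; the `extends` preset and the `internalChecksFilter` line are assumptions beyond what the issue mentions (`internalChecksFilter` is a documented Renovate option that controls whether a release younger than `minimumReleaseAge` is skipped in favour of the newest release that already passes the age check).

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "minimumReleaseAge": "7 days",
  "internalChecksFilter": "strict"
}
```

With `minimumReleaseAge` set to `7 days`, a version published today is not offered in a Renovate PR until a full week has passed; the 7-day window comfortably exceeds npm's 72-hour unpublish limit and gives advisories time to land before automerge can pick the release up. Whatever value is chosen, keep `.github/renovate.json` and the template generator (`createDotGitHubFiles.ts`) in sync so newly created repositories get the same policy.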
I don't think setting minimumReleaseAge to 7 days will help with the case you are thinking of. If a library publishes version X on Friday, but then patches it on Monday, then using a 7-day minimum will mean: your project will update to the broken version on the next Friday and it will get the fixed version on the next Monday. So you are in any case lagging behind and you can get some broken version.
Better ways to handle this would be to disable automerge, or to disable automerge for major versions, so you could be more sure that there are no breaking changes. But neither is really what you are hoping for here. :/
Oop sorry @rubiesonthesky I dropped responding to your comment! Just re-seeing it now.
> will mean: Your project will update to broken version on next Friday

I don't think that'll happen in the cases I'm thinking of. "Broken" here means malicious publishing. As in, something so bad that a security advisory and vulnerability alert come out. Renovate won't update to the package in that case.
> But neither is really what you are hoping here. :/

Yeah, the situation isn't super ideal. Just to be safe, I'll go ahead and bump this to 7 days. Thanks for the comments though!