Skip to content

🔧 Disable renovate immortal PRs for expo and react#101

Open
Friedinger wants to merge 1 commit into
mainfrom
chore/disable-renovate-immortal
Open

🔧 Disable renovate immortal PRs for expo and react#101
Friedinger wants to merge 1 commit into
mainfrom
chore/disable-renovate-immortal

Conversation

@Friedinger
Copy link
Copy Markdown
Member

@Friedinger Friedinger commented Jun 3, 2026

This pull request updates the Renovate configuration to improve control over dependency update behavior, specifically for the Expo and React ecosystems, as well as for dependencies sourced from Facebook's React repository.

Dependency update configuration changes:

  • Updated the Expo ecosystem group rule in .github/renovate.json to set "recreateWhen": "never", preventing Renovate from recreating pull requests for these dependencies.
  • Added a new rule to .github/renovate.json that prevents the recreation of pull requests for dependencies with source URLs from https://github.com/facebook/react.

@Friedinger Friedinger added the 🔧 Configuration Changes to configuration files or settings label Jun 3, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jun 3, 2026
edited
Loading

Review Change Stack

Walkthrough

Renovate configuration is updated to prevent automatic package recreation for expo ecosystem dependencies and React source packages by setting recreateWhen to "never" on matching packageRules.

Changes

Renovate Configuration

Layer / File(s) Summary
Package recreation rules
.github/renovate.json		 The "expo ecosystem" rule and a new React source rule are updated to set recreateWhen: "never", preventing Renovate from recreating these package branches automatically.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • RubberDuckCrew/EcoScan#3: Updates the same .github/renovate.json file and modifies the "expo ecosystem" packageRule configuration.

Suggested reviewers

  • Sophie235

Poem

🐰 A rabbit hops through config files so bright,
Renovate rules now set just right—
No more recreation, just smooth repose,
For React and Expo, the configuration flows!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: disabling Renovate's immortal PRs (recreateWhen: never) for Expo and React ecosystems.
Description check ✅ Passed The description is directly related to the changeset, explaining the Renovate configuration updates for Expo and React with specific details about the recreateWhen setting.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/disable-renovate-immortal

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot added the 🛠️ Maintenance General maintenance and updates label Jun 3, 2026
@Friedinger Friedinger requested a review from a team June 3, 2026 19:47
coderabbitai[bot]
coderabbitai Bot reviewed Jun 3, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (3)
.github/renovate.json (3)

12-15: 💤 Low value

Consider adding a groupName for clarity.

Adding a descriptive groupName (e.g., "react core packages") would improve consistency with the expo ecosystem rule and make Renovate's PR grouping behavior more transparent.

♻️ Suggested addition 
   {
     "matchSourceUrls": ["https://github.com/facebook/react"],
+    "groupName": "react core packages",
     "recreateWhen": "never"
   }
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/renovate.json around lines 12 - 15, Add a descriptive Renovate group
name to the rule that matches React source URLs: in the JSON object containing
"matchSourceUrls": ["https://github.com/facebook/react"] and "recreateWhen":
"never", add a "groupName" property (for example "react core packages") so PRs
from this rule are clearly grouped and consistent with the expo ecosystem rule.

10-10: Operational consideration: Impact on security updates.

Setting recreateWhen: "never" means that if dependency update PRs are closed (intentionally or accidentally), Renovate will not recreate them. While this reduces "immortal PR" noise, it may cause important security updates to be missed if PRs are dismissed without merging.

Consider establishing a process to periodically review dismissed PRs or use Renovate's dashboard to track skipped updates for these critical dependencies.

Also applies to: 14-14

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/renovate.json at line 10, The config currently sets "recreateWhen":
"never", which prevents Renovate from recreating closed dependency PRs and risks
missing security fixes; update the Renovate config so critical/security updates
can be recreated—either remove or relax the global "recreateWhen" setting and
add a packageRules entry that targets security/critical dependencies (or
specific packages) with "recreateWhen": "always" (or a less restrictive value)
to ensure those PRs are reprovisioned; keep the global setting only if you
implement a periodic review process or dashboard monitoring for dismissed PRs.

12-15: matchSourceUrls supports exact URL strings; .git suffix isn’t required

  • "https://github.com/facebook/react" is a valid literal for matchSourceUrls (it also supports glob/regex patterns).
  • Renovate matches against the package sourceUrl it learns/infers, so whether sources include .git isn’t enforced—use the format you actually see, or switch to a glob/regex if matching is inconsistent.
  • Adding groupName is optional (not needed for correctness).
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/renovate.json around lines 12 - 15, The Renovate config uses
matchSourceUrls with the literal "https://github.com/facebook/react"; ensure you
keep the exact URL string that Renovate will see (no .git suffix needed) in the
matchSourceUrls array and leave recreateWhen as "never" unchanged, or if you
need broader matching switch matchSourceUrls to a glob/regex pattern (e.g., a
GitHub repo pattern) instead of altering the literal; you can also omit
groupName since it’s optional.
🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/renovate.json:
- Around line 12-15: Add a descriptive Renovate group name to the rule that
matches React source URLs: in the JSON object containing "matchSourceUrls":
["https://github.com/facebook/react"] and "recreateWhen": "never", add a
"groupName" property (for example "react core packages") so PRs from this rule
are clearly grouped and consistent with the expo ecosystem rule.
- Line 10: The config currently sets "recreateWhen": "never", which prevents
Renovate from recreating closed dependency PRs and risks missing security fixes;
update the Renovate config so critical/security updates can be recreated—either
remove or relax the global "recreateWhen" setting and add a packageRules entry
that targets security/critical dependencies (or specific packages) with
"recreateWhen": "always" (or a less restrictive value) to ensure those PRs are
reprovisioned; keep the global setting only if you implement a periodic review
process or dashboard monitoring for dismissed PRs.
- Around line 12-15: The Renovate config uses matchSourceUrls with the literal
"https://github.com/facebook/react"; ensure you keep the exact URL string that
Renovate will see (no .git suffix needed) in the matchSourceUrls array and leave
recreateWhen as "never" unchanged, or if you need broader matching switch
matchSourceUrls to a glob/regex pattern (e.g., a GitHub repo pattern) instead of
altering the literal; you can also omit groupName since it’s optional.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8ec682c6-9452-4fae-b903-74e8ae466492

📥 Commits

Reviewing files that changed from the base of the PR and between 3f70a93 and 289a2a1.

📒 Files selected for processing (1)
  • .github/renovate.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

🔧 Configuration Changes to configuration files or settings 🛠️ Maintenance General maintenance and updates

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Friedinger