Regression in 43.113.0: security:only-security-updates preset autocloses all vulnerability PRs and stops creating new ones

[mmserega]

Originally posted as issue #42655, closed by maintainer request to re-open as a Discussion.

How are you running Renovate?

Self-hosted (renovate/renovate:43 docker image on GitLab SaaS runner).

Renovate version

43.113.0 (regression first observed). Working on 43.111.x and 43.112.x; still broken on 43.120.x–43.122.x.

Describe the bug

After Renovate self-updated from 43.111.x to 43.113.0, our bot config which only uses the internal preset security:only-security-updates stopped producing security MRs. On the first run under 43.113.0, every previously open security MR across every onboarded repo was autoclosed (33 MRs in one run), and no replacement MRs have been created on subsequent runs (43.113.0, 43.120.x–43.122.x).

Minimal repro config:

{
  "extends": ["security:only-security-updates"]
}

Root cause

PR #42595 ("fix(workers/repository): don't include skipReason'd dependencies in flattened updates") added this filter in lib/workers/repository/updates/flatten.ts:

const filteredUpdates = updates
  .filter((update) => update.enabled !== false)
  .filter((update) => isUndefined(update.skipReason))   // ← new

Interaction with the security:only-security-updates preset:

1. The preset sets packageRules: [{ matchPackageNames: ['*'], enabled: false }] → Renovate marks every dep with skipReason: 'disabled'.
2. For vulnerable deps, the vulnerabilityAlerts: { enabled: true } override flips enabled back to true — but it does not clear skipReason.
3. Pre-43.113.0 the enabled !== false filter was sufficient and the dep passed through to branch preparation → MR created/updated.
4. Post-43.113.0 the new skipReason filter drops the dep even though enabled was restored → flattenUpdates returns 0 security updates → existing security branches are considered orphaned and autoclosed, and no new ones are created.

Expected behavior

vulnerabilityAlerts override for vulnerable deps should either clear skipReason, or the flatten filter should ignore skipReason: 'disabled' when the dep was re-enabled by the override / has isVulnerabilityAlert: true. The security:only-security-updates preset must continue to work as documented.

Relevant log fragment

INFO: Renovate started
       "renovateVersion": "43.113.0"
...
INFO: Autoclosing PR
       "branchName": "renovate/security/maven-org.apache.commons-commons-lang3-vulnerability"
       "prTitle": "Update dependency org.apache.commons:commons-lang3 to v3.18.0 [SECURITY]"
INFO: Autoclosing PR
       "branchName": "renovate/security/npm-axios-vulnerability"
       "prTitle": "Update dependency axios to v1.15.0 [SECURITY]"
...

33 Autoclosing PR entries in a single run across all onboarded repos; subsequent runs produce zero new MRs.

Workaround

Pin to renovate/renovate:43.111.3 until a fix lands.

[github-actions[bot]]

Hi there,

Please locate the debug message packageFiles with updates in your logs and paste the contents here. Depending on your question, we may need the full list of packages or only one.

If you self-host Renovate: make sure you run Renovate with LOG_LEVEL=debug to get the debug log messages! Next, open the debug-level logs and search for packageFiles with updates. This text marks the start of a structured log message that shows every package file, dependency, and update that Renovate found.

Find the relevant dependency/dependencies in the log message, and copy/paste those parts into this discussion. If you do not know which bits we need, you can copy/paste the full log message.

Read the Renovate docs, Troubleshooting to learn more about getting the docs, and getting the correct type of logs.

Thanks, the Renovate team

[jamietanna]

This would be useful to help debug this - especially as you don't seem to be following the Discussion template :)

[vroy2]

@mmserega Where do you made the following changes 👍
const filteredUpdates = updates
.filter((update) => update.enabled !== false)
.filter((update) => isUndefined(update.skipReason)) // ← new

i am also running a self hoster dockerized version of renovate but all MRs are getting created but I wanted only vulenrability related MRs to be created.

[mmserega]

@vroy2 just to clarify: the code block in the original post is a quote of the upstream change in #42595 that introduced the regression, I didn't modify that file myself.

About your setup: to get only vulnerability-related MRs, use extends: ["security:only-security-updates"] in your Renovate config. That's exactly what we use on our side.

[jamietanna]

I've raised #42666 as a bug for this

[mmserega]

Thanks @jamietanna for raising #42666 so quickly, and fair point on the template, apologies for skipping it.

The root cause was already pretty clear from the diff of #42595 and the behaviour we saw (mass autoclose across all repos with the minimal config {"extends": ["security:only-security-updates"]}), so I led with that instead of raw debug logs. Happy to still paste packageFiles with updates from a fresh LOG_LEVEL=debug run if it's useful for validating the fix, just let me know.

[jamietanna]

Yes, as requested, please provide the information asked for, as it'll help triage

[jamietanna]

Resolved by #42679