42.0.0 (2025-11-06)
Breaking changes for 42
Using minimumReleaseAge will now require a release timestamp #38843
When specifying minimumReleaseAge, Renovate will look for a release timestamp to determine the age of the release, and whether it matched the minimumReleaseAge configuration.
Before Renovate 42, if a release timestamp was not present, Renovate would treat the dependency update as if the release timestamp was present and the dependency had passed that lifetime.
This means that users with artifact proxies, or in cases that the release timestamp wasn't consistently present could lead to dependencies "slipping through", and being updated before Renovate's policy enforced it to.
As of Renovate 42, the configuration minimumReleaseAgeBehaviour (added in 41.150.0) requires the release timestamp to be present.
If the release timestamp isn't present, Renovate will mark it as "awaiting schedule", and will output a debug log message to explain why.
You can revert to the existing behaviour by setting minimumReleaseAgeBehaviour=timestamp-optional.
Note that not all datasources support this functionality, nor do custom registries (such as Artifactory, etc).
For more details on how to verify support for your repository, check out the Minimum Release Age documentation
minimumReleaseAge: 3 days will now be set by default for npm in config:best-practices #37967
For users of config:best-practices, the Minimum Release Age functionality will now apply by default for the npm ecosystem.
This will introduce a delay of 3 days between package publishing and Renovate suggesting an update for the release, so:
- there is time for malware researchers and scanners to (possibly) detect any malicious behaviour in new releases, before your CI infrastructure or developers receive a malicious version upgrade
- you are not at risk of the package being unpublished in the 3 day window that the npm registry allows
This will be enforced by default for packages using the npm datasource via the security:minimumReleaseAgeNpm preset.
Note
This may require additional configuration if using a custom registry, or you have packages that you wish to not have minimum release age checks.
For more details on this functionality, check out the Minimum Release Age documentation.
Renovate now defaults to using Node.JS 24 #38939
With Node 24 now in Long Term Support (LTS) release status, we have moved to target Node.JS 24 (^24.11.0) as our default engine for Node, and retain support for Node 22.
The pre-built Docker containers have been updated to use Node 24.
If you self-host without using our Docker image, you should be able to continue running Renovate with Node 22, for instance if you build your own image, or run the renovate npm package.
Redis clusters now authenticate to all nodes in the cluster with the provided credentials
When running Renovate against a Redis cluster with authentication, it was possible that a NOAUTH Authentication required error may appear:
DEBUG: Redis cache init
DEBUG: Redis cache connected
...
WARN: Error while setting Redis cache value (repository=jcl-test/example)
"err": {"message": "NOAUTH Authentication required."}
Renovate will now use the same authentication for all nodes in a cluster.
Support Yarn Catalogs #38215
We now support the official Yarn Catalog functionality.
As part of this, we have removed support for the yarn-plugin-catalogs community plugin.
If you are using the yarn-plugin-catalogs community plugin, you will need to migrate your catalogs to the official Yarn Catalog functionality before Renovate 42 will update your dependencies.
Remove versioning modules needing to implement rangeStrategy=pin #36261
This is an internal refactor to make it easier for creating and maintaining versioning modules.
This should not be a non-breaking change, as the versioning modules will have defaults available.
However, we're releasing it as part of this major release, and highlighting it, in case it does lead to breaking changes.
PGP encryption is now performed using Bouncy Castle #39032
GPG encryption is no longer performed using kbpgp Keybase's PGP for JavaScript), and has been replaced with a Bouncy Castle version.
Some users have found license compliance issues with the kbpgp package, so this will now resolve them.
Legacy RSA encryption has been removed #39111
Deprecated since 37.315.0 (2024-04-21), the legacy RSA encryption is now no longer available.
Change to the default User Agent #37535
The user-agent header for Renovate's outgoing HTTP calls has changed the default to Renovate/${version}.
Default tool version updates #39100
For users of the upstream Renovate container images, the following tools have been updated to new major versions:
| Tool | Version |
|---|---|
| Erlang | 28 |
| Gradle | 9 |
| Java | 25 |
| Node | 24 |
| Python | 3.14.0 |
Commentary for 42
Focus on minimumReleaseAge
You'll notice that there are a number of big features here - and in recent minor releases - that focus on Minimum Release Age.
With recent supply chain attacks, the Renovate team have been hard at work improving the support we've had in Renovate (since 2019!) for this functionality, and making it as predictable as possible, so we can then enable it by default for users of config:best-practices.
We're starting with the enabling of the npm datasource, but will look to extend this functionality in future major releases, based on community feedback, and ecosystem support.
Deprecations
As part of this release, we want to make you aware of deprecated features which will be removed as of Renovate 43:
- the
renovate-schema.jsonwill only support repository configuration, and a separaterenovate-admin-schema.jsonwill be needed for global/self-hosted configuration
42.0.0 (2025-11-06)
⚠ BREAKING CHANGES
- deps: Update ghcr.io/renovatebot/base-image Docker tag to v12 (main) (#39100)
- deps: Needs NodeJS v24.11.0 instead of v24.10.0. NodeJS v22 is still supported.
- npm: communit plugin yarn-catalogs-plugin is not supported anymore
- drop legacy rsa encryption (#39111)
- remove rangeStrategy=pin from versioning modules (#36261)
- minimumReleaseAge: require a release timestamp by default (#38843)
- best-practices: provide default
minimumReleaseAgefor npm (#37967) - redis: add default auth to redis clusters (#37337)
- remove the "Bot" from user-agent header (#37535)
Features
- best-practices: provide default
minimumReleaseAgefor npm (#37967) (e371de1), closes #37952 - deps: Update ghcr.io/renovatebot/base-image Docker tag to v12 (main) (#39100) (f9f810f)
- minimumReleaseAge: require a release timestamp by default (#38843) (1cf9b1c), closes #37952
- npm: support yarn catalogs (#38215) (d7a741b)
- replace
kbpgpwithbcpgp(#39032) (6de0097)
Bug Fixes
- drop legacy rsa encryption (#39111) (f1eefcf)
- redis: add default auth to redis clusters (#37337) (df9844d)
- remove the "Bot" from user-agent header (#37535) (4e4a0f9)