43.0.0 (2026-01-29)
Breaking changes for 43
Allowlisting required for "unsafe commands" #40684
Note
This should only affect you if you work with repositories that have a Gradle Wrapper.
Prior to Renovate 43, when performing updates in a repository that used Gradle, Renovate would execute the Gradle Wrapper (./gradlew or gradlew.bat).
This is a well-documented "insider attack" risk that could lead to remote code execution in the context of the Renovate process, as execution of the Gradle buildscript:
- is controlled by anyone with write access to the repository being processed
- can look for specific tasks to execute specific code
- can execute code from source-tracked scripts
- can execute code from third-party libraries
This can occur during updates to the Gradle wrapper, or when using Gradle's Dependency Verification Metadata while updating Gradle dependencies.
As of Renovate 43, this long-standing risk is disabled by default to make Renovate more "secure by default".
Self-hosted administrators can re-enable this using the global self-hosted configuration allowedUnsafeExecutions.
postUpgradeTasks will no longer run with shell mode by default #40230
As noted in #40403 and GHSA-pfq2-hh62-7m96, existing access to a repository could lead to remote code execution due to incorrectly quoted shell commands.
The fix for GHSA-pfq2-hh62-7m96 applied to commands invoked by Renovate, but did not cover postUpgradeTasks, which are allowlisted by a self-hosted administrator.
To provide a safer default, commands that run through postUpgradeTasks will no longer run inside a shell.
Self-hosted administrators can re-enable this using the global self-hosted configuration allowShellExecutorForPostUpgradeCommands=true.
binarySource=docker is officially deprecated #40735
As noted in #40747, we have now officially deprecated the binarySource=docker option.
There is no timeline decided on the removal of the functionality.
For more details and/or to provide feedback on your use case and why binarySource=install does not work for you, please see #40747.
Renovate now ships as ESM (ECMAScript Modules) #9890 / #40756
This should not affect users, only cases where Renovate is imported as a library. Given our previous support of Node 22, ESM can still be imported from CommonJS (CJS) files.
Out of caution and for visibility, this is part of the major release.
config:best-practices will now perform weekly lockfile maintenance #40735
As part of the Renovate maintainers' opinionated "best practices" configuration, Renovate will now perform a weekly lockfile maintenance task, keeping your lockfiles updated.
This is due to an increase in package managers using lock files, but users not necessarily being aware of the need to enable this explicitly.
If this is not applicable to you, you can use ignorePresets, for example:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:best-practices"
  ],
  "ignorePresets": [
    ":maintainLockFilesWeekly"
  ]
}
```

JSON Schema split for repo or global configuration #38619
Renovate now has separate JSON Schemas for repository configuration, for repository configuration including inherited config (for writing org-inherited-config.json), and for global self-hosted configuration:
- https://docs.renovatebot.com/renovate-schema.json (repository configuration)
- https://docs.renovatebot.com/renovate-global-schema.json (global self-hosted configuration)
- https://docs.renovatebot.com/renovate-inherited-schema.json (repository configuration, including inherited config options)
This provides better validation for your editor/agent, as you now only see documentation for the relevant configuration type you're writing.
You can read more in the Renovate JSON Schema documentation.
This does not affect renovate-config-validator.
Replacements cannot be grouped with other updates #40758
To prevent replacements being grouped in with other updates, which can sometimes lead to them failing to correctly replace a package, they will no longer be grouped.
This may lead to some PRs being modified/created when you upgrade to this version of Renovate.
Lock file maintenance cannot be grouped with other updates #40781
To prevent lock file maintenance being grouped in with other updates, which can sometimes lead to the lock file maintenance not being performed, it will no longer be grouped.
This may lead to some PRs being modified/created when you upgrade to this version of Renovate.
Use wasm-java build of Bouncy Castle #40678
To improve performance for encryption/decryption of secrets, as well as supporting AEAD, we have moved the default Bouncy Castle build to use wasm-java.
Renovate now requires a minimum of Node 24 #40675
The existing requirement of Node 24.11.0 has not changed.
This only drops support for Node 22.x.
Package name for Node.js in Mise has changed to node #40466
To be more consistent with other package managers, the Node.js package has been renamed to node.
This ensures that updates to Node.js (when using Mise) are grouped with other package updates.
The useCloudMetadataServices configuration is now environment variable only #40638
As a first step towards solving #38604, we have migrated this configuration option to being environment variable configuration only.
Note that technically Renovate will still detect it if it's set in a config.js, but with changes in #38604 it will not affect the execution.
Default tool version updates #39100
For users of the upstream Renovate container images, the following tools have been updated to new major versions:
| Tool | Version |
|---|---|
| Bundler | 4.0.4 |
| Dotnet | 10.0.102 |
| Helm | v4.1.0 |
| PHP | 8.5.2 |
| Pipenv | 2026.0.3 |
| Ruby | 4.0.1 |
Commentary for 43
There aren't any big changes as part of this release to call out - this is a fairly "routine" major version, where we're doing a little cleanup, making some improvements to be "secure by default", and updating our default tool versions.
Deprecations
As part of this release, we want to make you aware of deprecated features which will be removed as of Renovate 44:
⚠ BREAKING CHANGES
- deps: Update ghcr.io/renovatebot/base-image Docker tag to v13 (main) (#40730)
- prevent grouping of lockfile maintenance updates (#40781)
- Switch to ESM modules (#40756)
- prevent grouping of replacement updates (#40758)
- config: deprecate `binarySource=docker` (#40754)
- presets: add `maintainLockFilesWeekly` to `best-practices` preset (#40735)
- config: make `useCloudMetadataServices` environment-only (#40638)
- self-hosted: don't allow any unsafe commands by default (#40684)
- self-hosted: don't use `shell: true` for `postUpgradeTasks` (#40230)
- json-schema: forbid global-only options in repo configuration (#38619)
- presets: add `hostType=github` to `:githubComToken` (#38975)
- use `wasm-java` build of Bouncy Castle (#40678)
- mise: rename packageName from `nodejs` to `node` (#40466)
- require node v24 (#40675)
Features
- config: deprecate `binarySource=docker` (#40754) (3644ac8), closes #40747
- deps: Update ghcr.io/renovatebot/base-image Docker tag to v13 (main) (#40730) (5a2107d)
- presets: add `hostType=github` to `:githubComToken` (#38975) (0d912db), closes #38961
- presets: add `maintainLockFilesWeekly` to `best-practices` preset (#40735) (28dccba)
- require node v24 (#40675) (dcdd1c3)
- Switch to ESM modules (#40756) (2b0e80b)
- use `wasm-java` build of Bouncy Castle (#40678) (4e19e7c)
Bug Fixes
- config: make `useCloudMetadataServices` environment-only (#40638) (a630187), closes #38604
- mise: rename packageName from `nodejs` to `node` (#40466) (8dc1133)
- prevent grouping of lockfile maintenance updates (#40781) (3ed1817)
- prevent grouping of replacement updates (#40758) (c7222c6)
- self-hosted: don't allow any unsafe commands by default (#40684) (b6ef3e1)
- self-hosted: don't use `shell: true` for `postUpgradeTasks` (#40230) (cb49754)
Documentation
- add announcement bar for v43 (93423cf)