Actionable comments posted: 1
🧹 Nitpick comments (1)
renovate.json (1)
4-5: Tighten the schedule to a fixed hour to reduce PR churn.
The current schedule "* 0-4 * * 1" spans a 5-hour window (Monday 00:00–04:59 in America/Los_Angeles), potentially creating multiple dependency update PRs within that window. Instead, use a narrower window—for example, "* 2 * * 1" to trigger updates exactly once weekly at 2:00 AM Monday. This reduces noise while maintaining predictable automation.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@renovate.json` around lines 4 - 5, The schedule currently set as the "schedule" key with value "* 0-4 * * 1" spans a 5-hour window and can create multiple PRs; replace that value with a fixed weekly cron like "0 2 * * 1" to run exactly once at 2:00 AM on Mondays (America/Los_Angeles timezone) to reduce churn.
| { | ||
| "matchDepTypes": ["devDependencies"], | ||
| "automerge": true | ||
| } |
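Review bot: the rule ending at `"automerge": true` carries no `matchUpdateTypes`, so it applies to every update type of every devDependency, major versions included, and merges them with no human reading the diff. devDependencies still run at install and build time, so restrict the rule, for example with `"matchUpdateTypes": ["minor", "patch", "pin", "digest"]`, and consider Renovate's `minimumReleaseAge` option so that a freshly published version is not merged the day it appears.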
🧩 Analysis chain
🌐 Web query:
In Renovate configuration, when multiple packageRules match the same dependency, how are conflicting fields like "automerge" resolved? Does a later broad rule (e.g., matchDepTypes=devDependencies) override an earlier matchUpdateTypes=major rule?
💡 Result:
In Renovate configuration, when multiple packageRules match the same dependency, all matching rules are applied in array order to produce a single resulting config for that dependency/update. For each config option, if it is "mergeable" (typically arrays/objects), values from matching rules are merged (e.g., addLabels appends labels). If non-mergeable (e.g., booleans like automerge), the value from the last matching rule overrides previous ones. "automerge" is a boolean and thus non-mergeable (string types are always non-mergeable, and booleans behave similarly as scalars), so the last matching rule sets its value. A later broad rule (e.g., matchDepTypes=devDependencies) will override an earlier specific rule (e.g., matchUpdateTypes=major) for conflicting fields like automerge, because rules are applied sequentially and later ones override non-mergeable options.
Citations:
- 1: What happens when multiple packageRules match? How the individual config elements from these matches are merged? renovatebot/renovate#18437
- 2: https://docs.renovatebot.com/configuration-options/
- 3: https://docs.mend.io/wsk/renovate-package-rules-guide
- 4: https://renovatebot.com/docs/configuration-options/
devDependencies automerge rule will override major-update protection due to rule precedence.
This rule (lines 18-21) matches all devDependency updates and sets automerge: true. In Renovate's packageRules, when multiple rules match the same dependency, non-mergeable fields like automerge use the value from the last matching rule. Since this rule comes after the earlier "major" rule that sets automerge: false, it will override that setting for major devDependency updates. Given that your devDependencies include high-impact packages (react, react-dom, openai, convex, typescript), auto-merging their major updates is risky.
Add "matchUpdateTypes": ["minor", "patch", "pin", "digest"] to this rule to explicitly exclude major updates, or move this rule before the major rule and adjust accordingly.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@renovate.json` around lines 18 - 21, The current Renovate package rule that
sets "automerge": true for dependencies matching "matchDepTypes":
["devDependencies"] will override the earlier "major" rule because Renovate uses
the last matching rule for non-mergeable fields; update this devDependencies
rule (the one with "matchDepTypes": ["devDependencies"] and "automerge": true)
to explicitly exclude major updates by adding "matchUpdateTypes": ["minor",
"patch", "pin", "digest"], or alternatively move this devDependencies rule
before the rule named/targeting "major" so the major rule’s "automerge": false
remains effective.
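The precedence problem raised in the review above can be checked mechanically before a config is merged. The following is an added example, not code from the pull request or from Renovate: it models only `matchDepTypes` and `matchUpdateTypes` with last-matching-rule-wins for `automerge`, and the three configs are constructed to mirror the rule order the review describes.

```javascript
// Simplified model of Renovate packageRules resolution (added example, not Renovate's code).
// Assumptions: only matchDepTypes and matchUpdateTypes are modelled; matchers inside one
// rule are ANDed; for the scalar "automerge" the last matching rule wins.
const UPDATE_TYPES = ["major", "minor", "patch", "pin", "digest"]; // types named in the review
const DEP_TYPES = ["dependencies", "devDependencies"];

function ruleMatches(rule, dep) {
  const depOk = !rule.matchDepTypes || rule.matchDepTypes.includes(dep.depType);
  const updOk = !rule.matchUpdateTypes || rule.matchUpdateTypes.includes(dep.updateType);
  return depOk && updOk;
}

function effectiveAutomerge(config, dep) {
  let automerge = config.automerge ?? false; // top-level value, off unless set
  for (const rule of config.packageRules ?? []) {
    if (ruleMatches(rule, dep) && typeof rule.automerge === "boolean") {
      automerge = rule.automerge; // a later rule overrides an earlier one
    }
  }
  return automerge;
}

// Returns every "depType:updateType" pair that ends up automerged although forbidden.
function findUnsafeAutomerge(config, forbidden = ["major"]) {
  const findings = [];
  for (const depType of DEP_TYPES) {
    for (const updateType of UPDATE_TYPES) {
      const dep = { depType, updateType };
      if (forbidden.includes(updateType) && effectiveAutomerge(config, dep)) {
        findings.push(`${depType}:${updateType}`);
      }
    }
  }
  return findings;
}

// Constructed configs: the order under review, then the two fixes the review proposes.
const majorRule = { matchUpdateTypes: ["major"], automerge: false };
const devRule = { matchDepTypes: ["devDependencies"], automerge: true };
const asReviewed = { packageRules: [majorRule, devRule] };
const restricted = { packageRules: [
  majorRule,
  { ...devRule, matchUpdateTypes: ["minor", "patch", "pin", "digest"] },
]};
const reordered = { packageRules: [devRule, majorRule] };

console.log(findUnsafeAutomerge(asReviewed), findUnsafeAutomerge(restricted));
```

Run as a CI step against the parsed `renovate.json`, a non-empty result is a reason to fail the build.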
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.