chore(renovate): group Maven updates by groupId (incl. security) #6710
Merged
vlsi merged 1 commit on Jun 3, 2026
8661dae to 195a6ba
Renovate previously needed a separate packageRule for each groupId, and security updates were never grouped: Renovate forces their groupName to null, so log4j-core and log4j-1.2-api opened as separate PRs (apache#6691 and apache#6690) even though both bump to the same 2.25.4.

Add a catch-all rule that groups every Maven update by its groupId, and a vulnerabilityAlerts block that applies the same grouping to security updates.

Drop the per-groupId rules the catch-all now covers, keeping only the rules that do more than restate a single groupId: groups that span several groupIds (errorprone, classic commons, xalan/xerces, vlsi, helger, gradle, kotlin), version pins (slf4j, xml-apis), disabled entries (guava, internal src:protocol), and the GitHub Actions group.

Verified with renovate-config-validator and a `renovate --platform=local` dry run: log4j keeps all four artifacts in one branch, and bouncycastle, activemq, tika, commons, and lets-plot each stay grouped by groupId through the catch-all.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
195a6ba to c43db72
Why
Renovate opens a separate PR per groupId, and security updates are never grouped — Renovate resets their `groupName` to `null`. The recent Log4j advisory produced two separate security PRs, #6691 (log4j-core) and #6690 (log4j-1.2-api), even though both bump to the same `2.25.4`.

What
- `packageRule` (first, `matchDatasources: ["maven"]`) that sets `groupName` to the dependency's groupId through the `replace` template, so every Maven update groups by groupId by default.
- `vulnerabilityAlerts` block with the same template, so security updates group by groupId too.
- `org.apache.commons`, jackson-core, caffeine, miglayout, lets-plot, jodd, jmh, hamcrest, jetty, ftpserver, grgit, httpcomponents 4 and 5, weisj, auto-service, io.burt, net.minidev).
- `com.google.errorprone`, classic `commons`, `xalan/xerces`, `com.github.vlsi`, `com.helger`, `com.gradle`, `org.jetbrains.kotlin`), version pins (`slf4j`, `xml-apis`), disabled entries (guava, internal `src:protocol`), and the GitHub Actions group.

How to verify
- `renovate-config-validator renovate.json` passes.
- `renovate --platform=local --dry-run=full` on this branch keeps all four Log4j artifacts in `renovate/org.apache.logging.log4j`, and `org.bouncycastle`, `org.apache.activemq`, `org.apache.tika`, `org.apache.commons`, and `org.jetbrains.lets-plot` each stay grouped by groupId through the catch-all.

Note
Grouping is by exact groupId, so a project split across several groupIds (for example Jackson's `core` and `dataformat`) forms one group per groupId. Where several groupIds should move together, keep an explicit rule after the catch-all, as `com.google.errorprone` already does. The same applies to a project that later adds a sub-groupId (for example `org.eclipse.jetty.http2`): add a rule if it should stay grouped with the parent.

🤖 Generated with Claude Code
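A small Python model of the grouping behaviour the description above explains, added here as an illustration and not taken from this pull request or from Renovate itself. It assumes Maven dependency names have the form `groupId:artifactId` and that a later matching rule overrides an earlier one; the rule structure, function names and sample dependencies are constructed for the example.

```python
import re
from collections import defaultdict

# Each rule is (matcher, group-name function). These names belong to this
# sketch only; they are not Renovate configuration keys.

def catch_all(dep_name):
    """Mirror the catch-all: strip ':artifactId' so the group is the groupId."""
    return re.sub(r":.*$", "", dep_name)

def explicit_rule(name, group_ids):
    """A rule that pins several exact groupIds to one shared group name."""
    ids = frozenset(group_ids)
    return (lambda dep: catch_all(dep) in ids, lambda dep: name)

CATCH_ALL = (lambda dep: True, catch_all)

def group_for(dep_name, rules):
    """Apply rules in order; a later matching rule overrides an earlier one."""
    group = None
    for matches, name_of in rules:
        if matches(dep_name):
            group = name_of(dep_name)
    return group

def plan(dep_names, rules):
    """Return {group name: sorted dependency names}, one entry per update PR."""
    groups = defaultdict(list)
    for dep in dep_names:
        groups[group_for(dep, rules)].append(dep)
    return {g: sorted(d) for g, d in groups.items()}

# Constructed sample updates; a security fix and a routine bump group alike.
UPDATES = [
    "org.apache.logging.log4j:log4j-core",
    "org.apache.logging.log4j:log4j-1.2-api",
    "org.eclipse.jetty:jetty-server",
    "org.eclipse.jetty.http2:http2-server",
]
# Explicit rule placed after the catch-all, as the Note recommends.
JETTY = explicit_rule("jetty", ["org.eclipse.jetty", "org.eclipse.jetty.http2"])

if __name__ == "__main__":
    for label, rules in (("catch-all only", [CATCH_ALL]),
                         ("with explicit rule", [CATCH_ALL, JETTY])):
        print(label)
        for group, deps in plan(UPDATES, rules).items():
            print(f"  {group}: {', '.join(deps)}")
```

With only the catch-all, the sub-groupId lands in its own group; adding the explicit rule after it merges both Jetty groupIds while the Log4j artifacts stay together either way.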