From 3ec806e26c08f446605ab7705565d2c4c1e5c2e7 Mon Sep 17 00:00:00 2001
From: A Ibrahim
Date: Thu, 14 May 2026 10:43:54 +0200
Subject: [PATCH 1/2] chore: enable OSV vulnerability alerts
Turn on osvVulnerabilityAlerts so Renovate flags packages with known CVE/OSV entries, and let vulnerability alert PRs bypass the regular weekly schedule so security fixes can open any time.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 renovate.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/renovate.json b/renovate.json
index 2c1237d..88b0800 100644
--- a/renovate.json
+++ b/renovate.json
@@ -6,6 +6,10 @@
 "prConcurrentLimit": 5,
 "prHourlyLimit": 2,
 "labels": ["dependencies"],
+ "osvVulnerabilityAlerts": true,
+ "vulnerabilityAlerts": {
+ "schedule": ["at any time"]
+ },
 "packageRules": [
 {
 "description": "Bundle all minor and patch updates (npm, GitHub Actions, Docker) into a single weekly PR",
From 2e1f5ffe0b869966d51a0ce0dc3da8004906d6e3 Mon Sep 17 00:00:00 2001
From: A Ibrahim
Date: Thu, 14 May 2026 10:55:53 +0200
Subject: [PATCH 2/2] chore: restore bi-weekly cadence for major updates via cron
Add a cron schedule to the bundled major-updates rule that matches the first and third Monday of each month (days 1-7 and 15-21), giving exact 14-day spacing. Without this, minimumReleaseAge alone only acts as a staleness floor and the bundled PR can refresh weekly. With the cron, the major dependencies PR only refreshes bi-weekly, honoring the original "every 2 weeks" intent.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 renovate.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/renovate.json b/renovate.json
index 88b0800..7580543 100644
--- a/renovate.json
+++ b/renovate.json
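Review bot: The new `vulnerabilityAlerts` override only lifts the schedule, so the security PRs it opens still carry just the repository-wide `dependencies` label and are indistinguishable from the weekly bundle in triage; give them a dedicated label, e.g. `"vulnerabilityAlerts": { "schedule": ["at any time"], "labels": ["dependencies", "security"] }`. The explicit `"at any time"` is, as far as I recall, already Renovate's default for vulnerability-alert PRs, so it is harmless but worth noting as deliberate if kept. Renovate's OSV integration covers only a subset of datasources (npm among them), so the Docker images and GitHub Actions grouped in the rule below are unlikely to be covered by `osvVulnerabilityAlerts` — confirm platform (Dependabot) alerts remain enabled for those ecosystems. Also check on the Dependency Dashboard that vulnerability PRs are exempt from `prConcurrentLimit: 5` / `prHourlyLimit: 2` on the Renovate version in use; if they are not, a security fix can queue behind routine PRs.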
@@ -17,10 +17,11 @@
 "groupName": "non-major dependencies"
 },
 {
- "description": "Major dependency updates: bundled, only after 14 days of release age (~bi-weekly cadence)",
+ "description": "Major dependency updates: bundled, bi-weekly cadence (first and third Monday) with a 14-day staleness floor",
 "matchUpdateTypes": ["major"],
 "groupName": "major dependencies",
- "minimumReleaseAge": "14 days"
+ "minimumReleaseAge": "14 days",
+ "schedule": ["* 0-5 1-7,15-21 * 1"]
 },
 {
 "description": "TypeScript and @types/node major updates: held 60 days post-release (~every 2 months)",
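Review bot: The cron `* 0-5 1-7,15-21 * 1` relies on day-of-month and day-of-week being ANDed, but in POSIX/Vixie cron two restricted day fields are ORed, which would fire on every day 1-7 and 15-21 plus every Monday — the intended reading should be recorded where the next maintainer will see it. Since JSON has no comments, extend the rule's own `description`, the file's convention, e.g. `"description": "Major dependency updates: bundled, bi-weekly cadence (first and third Monday, 00:00-05:59 in Renovate's timezone; Renovate ANDs the cron day fields, unlike POSIX cron) with a 14-day staleness floor"`. The 0-5 hour window is UTC unless a `timezone` is set elsewhere in the file, which this hunk does not show. The commit message's "exact 14-day spacing" also only holds in four-Monday months; from the third Monday to the next month's first Monday is 21 days when a month has five Mondays. Finally, a security fix available only as a new major depends on the vulnerability-alert rules (which Renovate appends after user `packageRules`, to my understanding) overriding this `schedule` and `minimumReleaseAge`; verify on the dashboard that a `[SECURITY]` PR is not held by this rule.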