From ec2c40a56589ce973ae063ea2d678c09f2b15f18 Mon Sep 17 00:00:00 2001
From: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Date: Sat, 30 Aug 2025 08:58:24 +1000
Subject: [PATCH] Exclude yao-pkg from renovate with comment (#859)
---
.github/renovate.json | 18 ------------------
.github/renovate.json5 | 25 +++++++++++++++++++++++++
2 files changed, 25 insertions(+), 18 deletions(-)
delete mode 100644 .github/renovate.json
create mode 100644 .github/renovate.json5
diff --git a/.github/renovate.json b/.github/renovate.json
deleted file mode 100644
index 1cd5024f..00000000
--- a/.github/renovate.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": ["github>bitwarden/renovate-config"],
- "enabledManagers": ["github-actions", "npm"],
- "packageRules": [
- {
- "groupName": "gh minor",
- "matchManagers": ["github-actions"],
- "matchUpdateTypes": ["minor", "patch"]
- },
- {
- "groupName": "Google Libraries",
- "matchPackagePatterns": ["google-auth-library", "googleapis"],
- "matchManagers": ["npm"],
- "groupSlug": "google-libraries"
- }
- ]
-}
diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 00000000..bcf59346
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,25 @@
+{
+ $schema: "https://docs.renovatebot.com/renovate-schema.json",
+ extends: ["github>bitwarden/renovate-config"],
+ enabledManagers: ["github-actions", "npm"],
+ packageRules: [
+ {
+ groupName: "gh minor",
+ matchManagers: ["github-actions"],
+ matchUpdateTypes: ["minor", "patch"],
+ },
+ {
+ groupName: "Google Libraries",
+ matchPackagePatterns: ["google-auth-library", "googleapis"],
+ matchManagers: ["npm"],
+ groupSlug: "google-libraries",
+ },
+ ],
+ ignoreDeps: [
+ // yao-pkg is used to create a single executable application bundle for the CLI.
+ // It is a third party build of node which carries a high supply chain risk.
+ // This must be manually vetted by our appsec team before upgrading.
+ // It is excluded from renovate to avoid accidentally upgrading to a non-vetted version.
+ "@yao-pkg/pkg",
+ ],
+}
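Review bot: The `ignoreDeps` entry for `"@yao-pkg/pkg"` at the end of the new file stops Renovate from proposing upgrades, but it also removes the only automated signal that a newer release (possibly a security fix) exists, so the manual appsec vetting described in the comment has no trigger. If the inherited `github>bitwarden/renovate-config` preset enables the dependency dashboard (not visible here), a package rule such as `{ matchPackageNames: ["@yao-pkg/pkg"], dependencyDashboardApproval: true }` would keep pending versions visible while still requiring explicit approval before any PR is opened. Renovate is also not the only upgrade path: the exclusion only holds if `package.json` pins an exact version and installs go through the lockfile, which this diff does not show and is worth confirming. Whichever form is kept, the comment should say where the vetting is recorded, e.g. `// Vetted version and review record: <link to appsec review>`.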