From 922f65b444b998dbce7846ca5d18a39fce07166c Mon Sep 17 00:00:00 2001
From: Bryan Beverly
Date: Tue, 16 Jun 2026 10:57:06 -0700
Subject: [PATCH] Exempt pin/pinDigest/digest from minimumReleaseAge

The 3-day release-age cooldown is meant for new upstream version releases (the Axios/golang-jwt supply-chain threat model). Applying it to pin, pinDigest, and digest updates is both unnecessary and broken: - pin / pinDigest introduce no new code (locking an already-allowed version / capturing a tag's current digest -- a hardening action). - digest re-pins have no reliable release timestamp for Renovate to age, so renovate/stability-days gets stuck pending indefinitely (e.g. ldap-verify #9, forager #818 -- both blocked on stale checks despite all deps being weeks/months old). Real version upgrades (major/minor/patch) keep the 3-day delay, and security updates continue to bypass it via vulnerabilityAlerts.
Co-authored-by: Cursor
---
renovate-config.json | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/renovate-config.json b/renovate-config.json
index 8a3d2d0..b2cde20 100644
--- a/renovate-config.json
+++ b/renovate-config.json
@@ -36,6 +36,11 @@
 "matchManagers": ["github-actions"],
 "matchDepNames": ["/^trufflesecurity\\//"],
 "pinDigests": false
+ },
+ {
+ "description": "Don't apply the release-age cooldown to pins and digest re-pins. These introduce no new upstream release to age (a pin locks an already-allowed version; a digest re-pin/pinDigest is a hardening action), and minimumReleaseAge has no reliable timestamp to evaluate for digests, which leaves renovate/stability-days stuck pending. Real version upgrades (major/minor/patch) keep the 3-day delay; security updates already bypass it via vulnerabilityAlerts.",
+ "matchUpdateTypes": ["pin", "pinDigest", "digest"],
+ "minimumReleaseAge": null
 }
 ],
 "env": {
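Review bot: Listing `"digest"` in the new rule's `matchUpdateTypes` removes the cooldown from the one case it still protects against: a `digest` update fires when the content behind an already-pinned mutable tag has moved, so unlike `pin` and `pinDigest` it does pull new upstream code under an unchanged version label (the retag scenario the cooldown exists for). The rule's description should therefore restrict the "introduces no new upstream release" claim to `pin`/`pinDigest` rather than lumping `digest` in as a hardening action. The stuck-pending observation is real, since minimumReleaseAge cannot age a digest, but the fix can swap the age gate for a human gate rather than no gate: split the rule so `pin`/`pinDigest` drop the age check outright and `digest` drops it but requires `dependencyDashboardApproval`. The enclosing `packageRules` array opens before this hunk.
```json
{
  "description": "Pins and pinDigests lock an already-allowed version and introduce no new upstream release to age, so the release-age cooldown does not apply.",
  "matchUpdateTypes": ["pin", "pinDigest"],
  "minimumReleaseAge": null
},
{
  "description": "A digest update means the content behind a pinned mutable tag has moved. minimumReleaseAge cannot age a digest, so gate these on dashboard approval instead of leaving them ungated.",
  "matchUpdateTypes": ["digest"],
  "minimumReleaseAge": null,
  "dependencyDashboardApproval": true
}
```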