chore(deps): update dependency chainguard-dev/melange to v0.50.4#1701
Merged
Conversation
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
renovate
Bot
force-pushed
the
renovate/chainguard-dev-melange-0.x
branch
5 times, most recently
from
613dd95 to
1e5e95c
Compare
renovate
Bot
force-pushed
the
renovate/chainguard-dev-melange-0.x
branch
from
1e5e95c to
4c9200c
Compare
Aureliolo
added a commit
that referenced
this pull request
May 3, 2026
## Summary Adds a cross-PR file-overlap analysis step to the `/review-dep-pr` skill so that batch reviews surface merge conflicts upfront and the user can pick a sequencing strategy before triage. ### What changed - **New Phase 5 — Cross-PR File Overlap Analysis** (skipped for single-PR runs): - Pulls each PR's changed-file list via `gh pr view --json files`. - Builds a per-file conflict map and classifies overlaps as **none / lockfile-only / config / source**. - Treats `package-lock.json`, `pnpm-lock.yaml`, `uv.lock`, `go.sum`, `atlas.sum`, etc. as lockfile-only (rebase needed, not a hard blocker). - Groups PRs into merge **waves** (Wave 1 = parallel-safe, Wave 2+ = sequential after rebase). - **Phase 6 (Present Findings)** now leads with a "Batch Overlap Summary" header and adds a `Files touched / conflicts with` row to each per-PR card. - **Phase 7 (User Decision)** opens with a strategy question whenever ≥ 2 PRs share files: - Wave-based parallel - Strict sequential - Combine into one PR - Defer the conflicting subset - **Phase 8 (Execute Decisions)** honours the chosen strategy when sequencing merges (parallel waves, rebase between waves, etc.). - New rule: multi-PR runs always compute the conflict map; lockfile-only overlaps are acceptable but expect rebase between merges. ### Why Without this, the skill would propose merging in parallel any PRs whose CI is green, then run into surprise conflicts on the second/third merge — most often on workflow YAMLs and lockfiles. The new phase makes the conflict surface explicit before the user picks a strategy, and the strategy choice is then carried through to execution. ### Test plan Dogfooded against the 8 open Renovate PRs in this repo (#1698-#1705). Surfaced three conflict clusters (`docker.yml` between #1698/#1701/#1703, `cli.yml` between #1702/#1703, `web/package.json` between #1700/#1704) plus the expected lockfile-only overlaps. The Wave-based strategy successfully merged 5 PRs sequentially with `--squash --admin` and the lockfile PR (#1705) was rebased via Renovate. ### Review coverage `/pre-pr-review quick` — docs-only change to a `.claude/` skill file, no code/agents required. Pre-commit hooks passed (trailing whitespace, EOF, secrets, em-dashes).
Aureliolo
pushed a commit
that referenced
this pull request
May 3, 2026
<!-- HIGHLIGHTS_START --> ## Highlights > _AI-generated summary (model: `openai/gpt-4.1-mini` via GitHub Models). Commit-based changelog below._ ### What you'll notice - Frontend and UX polishing improves user interface responsiveness and visual consistency. - API hygiene and validation enhancements provide smoother and more reliable interactions. ### What's new - Introduced typed-boundary helpers enabling better type safety and parse_typed workflows. - Added codebase-audit skill prompt tuning for improved project auditing. ### Under the hood - Eliminated flaky tests caused by module-level state for more stable test outcomes. - Unified image tag management under CLI and Renovate for consistent dependency updates. - Added cross-PR file-overlap analysis to the review dependency pull request skill. - Updated multiple dependencies including Python, Web, CLI, and container libraries. - Improved CI tooling and lock file maintenance for better build reliability. <!-- HIGHLIGHTS_END --> :robot: I have created a release *beep* *boop* --- ## [0.7.8](v0.7.7...v0.7.8) (2026-05-03) ### Features * **api:** typed-boundary helper + codebase-audit skill prompt tuning ([#1712](#1712)) ([40ee65b](40ee65b)) * **boundary:** RFC [#1711](#1711) Phases 2 + 3 — typed boundaries via parse_typed ([#1720](#1720)) ([7b9f409](7b9f409)) ### Bug Fixes * **api:** audit cleanup B -- API hygiene & validation ([#1719](#1719)) ([3d790d9](3d790d9)) * audit cleanup C - persistence, concurrency & data integrity ([#1708](#1708)) ([#1717](#1717)) ([bcce097](bcce097)) * **test:** exterminate xdist-flaky tests with module-level state ([#1713](#1713)) ([#1721](#1721)) ([8d258dd](8d258dd)) * **web:** audit cleanup E -- frontend & UX polish ([#1710](#1710)) ([#1718](#1718)) ([3a3591a](3a3591a)) ### Refactoring * **cli:** single source of truth for DHI image tags + Renovate manager ([#1723](#1723)) ([57980a2](57980a2)) ### Documentation * audit cleanup D -- public-facing & docs sync ([#1709](#1709)) ([#1715](#1715)) ([ade03b7](ade03b7)) ### Tests * **engine:** make TestDrainTimeout deterministic + preserve subclass type in [@Ontology](https://github.com/ontology)_entity ([#1729](#1729)) ([b00fb05](b00fb05)) ### CI/CD * Update CI tool dependencies ([#1703](#1703)) ([355a9ff](355a9ff)) ### Maintenance * add cross-PR file-overlap analysis to review-dep-pr skill ([#1722](#1722)) ([3861d8a](3861d8a)) * **ci:** unify apko-version under workflow env so Renovate manages it everywhere ([#1724](#1724)) ([9c0a7fd](9c0a7fd)) * consolidate DHI image-pin custom regex managers ([#1726](#1726)) ([b8b0cba](b8b0cba)) * **deps:** update dependency chainguard-dev/melange to v0.50.4 ([#1701](#1701)) ([8cbf83a](8cbf83a)) * Lock file maintenance ([#1705](#1705)) ([414cfea](414cfea)) * Lock file maintenance ([#1727](#1727)) ([5cb1212](5cb1212)) * Update CLI dependencies ([#1702](#1702)) ([9fb57b9](9fb57b9)) * Update Container dependencies ([#1698](#1698)) ([6d24fd6](6d24fd6)) * Update dependency @eslint-react/eslint-plugin to v5 ([#1704](#1704)) ([1cb1294](1cb1294)) * Update Python dependencies ([#1699](#1699)) ([8e7af3a](8e7af3a)) * Update Python dependencies to v4.15.0 ([#1725](#1725)) ([69164c8](69164c8)) * Update Web dependencies ([#1700](#1700)) ([715300d](715300d)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: synthorg-repo-bot[bot] <279117679+synthorg-repo-bot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.50.3→v0.50.4Release Notes
chainguard-dev/melange (chainguard-dev/melange)
v0.50.4Compare Source
What's Changed
Full Changelog: chainguard-dev/melange@v0.50.3...v0.50.4
Configuration
📅 Schedule: (in timezone Etc/UTC)
* 0-6 * * 6)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.