chore: configure renovate

[renovate]

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

---

Detected Package Files

• demo/backend/compose.yaml (docker-compose)
• .github/workflows/ci-gha-workflows.yaml (github-actions)
• .github/workflows/ci-nodejs.yml (github-actions)
• .github/workflows/dependency-review.yml (github-actions)
• .github/workflows/publish-demo.yaml (github-actions)
• .github/workflows/release-drafter.yaml (github-actions)
• .github/workflows/release.yaml (github-actions)
• cli/package.json (npm)
• demo/frontend-cdn/package.json (npm)
• demo/frontend-sdk/package.json (npm)
• demo/frontend/package.json (npm)
• package.json (npm)
• .nvmrc (nvm)

Configuration Summary

Based on the default config's presets, Renovate will:

• Start dependency updates only once this onboarding PR is merged
• Hopefully safe environment variables to allow users to configure.
• Show all Merge Confidence badges for pull requests.
• Enable Renovate Dependency Dashboard creation.
• Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
• Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
• Group known monorepo packages together.
• Use curated list of recommended non-monorepo package groupings.
• Show only the Age and Confidence Merge Confidence badges for pull requests.
• Apply crowd-sourced package replacement rules.
• Apply crowd-sourced workarounds for known problems with packages.
• Run Renovate on following schedule: before 3am on Monday

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.

---

What to Expect

With your current configuration, Renovate will create 11 Pull Requests:

chore(deps): pin dependency react to 19.2.0

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/pin-dependencies
• Merge into: main
• Pin react to 19.2.0

chore(deps): update build-tools

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/build-tools
• Merge into: main
• Upgrade @biomejs/biome to 2.3.5
• Upgrade esbuild to 0.27.0
• Upgrade tsdown to 0.16.4
• Upgrade vite to 7.2.2

chore(deps): update dependency @​mdn/browser-compat-data to v7.1.21

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/mdn-browser-compat-data-7.x
• Merge into: main
• Upgrade @mdn/browser-compat-data to 7.1.21

chore(deps): update dependency chai to v6.2.1

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/test-tools
• Merge into: main
• Upgrade chai to 6.2.1

chore(deps): update dependency es-check to v9.4.5

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/es-check-9.x
• Merge into: main
• Upgrade es-check to 9.4.5

chore(deps): update dependency lefthook to v2.0.4

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/lefthook-2.x
• Merge into: main
• Upgrade lefthook to 2.0.4

chore(deps): update react monorepo

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/react-monorepo
• Merge into: main
• Upgrade @types/react to 19.2.4
• Upgrade @types/react-dom to 19.2.3

fix(deps): update dependency react-router-domv6plus to v7.9.6

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/production-deps
• Merge into: main
• Upgrade react-router-domv6plus to 7.9.6

fix(deps): update opentelemetry

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/opentelemetry
• Merge into: main
• Upgrade @opentelemetry/api-logs to 0.208.0
• Upgrade @opentelemetry/instrumentation to 0.208.0
• Upgrade @opentelemetry/instrumentation-fetch to 0.208.0
• Upgrade @opentelemetry/instrumentation-xml-http-request to 0.208.0
• Upgrade @opentelemetry/otlp-exporter-base to 0.208.0
• Upgrade @opentelemetry/otlp-transformer to 0.208.0
• Upgrade @opentelemetry/sdk-logs to 0.208.0
• Upgrade @opentelemetry/semantic-conventions to 1.38.0
• Upgrade @opentelemetry/web-common to 0.208.0

chore(deps): update dependency @​types/sinon to v20

• Schedule: ["before 3am on Monday"]
• Branch name: renovate/sinon-20.x
• Merge into: main
• Upgrade @types/sinon to 20.0.0

chore(deps): lock file maintenance

• Schedule: ["before 3am on the first day of the month"]
• Branch name: renovate/lock-file-maintenance
• Merge into: main
• Regenerate lock files to use latest dependency versions

🚸 Branch creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for prhourlylimit for details.

---

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.

See the Details below.

License Issues

demo/frontend/package.json

Package	Version	License	Issue Type
react-router-domv4v5	npm:react-router-dom@5.3.4	Null	Unknown License
react-router-domv6plus	npm:react-router-dom@7.9.5	Null	Unknown License

package-lock.json

Package	Version	License	Issue Type
react-router-domv6plus	7.9.5	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@types/react-router-domv4v5	npm:@types/react-router-dom@5.3.3	Unknown	Unknown
npm/react-router-domv4v5	npm:react-router-dom@5.3.4	Unknown	Unknown
npm/react-router-domv6plus	npm:react-router-dom@7.9.5	Unknown	Unknown
npm/react-router	7.9.5	🟢 4.6	Details Check Score Reason Code-Review ⚠️ 1 Found 3/27 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 46 existing vulnerabilities detected
npm/react-router	7.9.6	🟢 4.6	Details Check Score Reason Code-Review ⚠️ 1 Found 3/27 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 46 existing vulnerabilities detected
npm/react-router-domv6plus	7.9.5	Unknown	Unknown
npm/react-router-domv6plus	7.9.6	Unknown	Unknown
npm/@mdn/browser-compat-data	7.1.20	🟢 6.1	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 5 SAST tool is not run on all commits -- score normalized to 5
npm/lefthook	2.0.3	🟢 5.5	Details Check Score Reason Code-Review ⚠️ 1 Found 5/26 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST 🟢 10 SAST tool is run on all commits
npm/react	19.2.0	🟢 5.8	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 2 badge detected: InProgress Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 229 existing vulnerabilities detected
npm/react-dom	19.2.0	🟢 5.8	Details Check Score Reason Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 2 badge detected: InProgress Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 229 existing vulnerabilities detected

Scanned Files

• demo/frontend/package.json
• package-lock.json
• package.json

[github-actions]

Performance results

CDP Performance Tests

	Number of Requests	Size of Requests	Script Duration	Task Duration	Heap Used Size
Requests	+3 requests	+29.67 KB
Page Loaded			+16.28 ms	+9.70 ms	+0.91 MB
Generate 100 fetch requests			+14.93 ms	+68.55 ms	+1.70 MB
Generate 100 XHR requests			+40.77 ms	+112.71 ms	+2.28 MB
Click 100 buttons and generate 100 logs			+23.05 ms	+28.71 ms	+2.83 MB
Throw a 100 exceptions			+2.66 ms	+17.72 ms	+2.09 MB
End Session			+7.59 ms	+15.34 ms	+2.95 MB
Total	+3 requests	+29.67 KB	+105.27 ms	+252.74 ms	+12.76 MB

Lighthouse Startup Performance Tests

	Difference	Description
Total Blocking Time	0 ms	Difference in Total Blocking Time: Sum of all time periods between FCP and Time to Interactive, when task length exceeded 50ms, expressed in milliseconds. Learn more about the Total Blocking Time metric.
Main Thread Time	+58.14 ms	Difference in Main Thread Time: Consider reducing the time spent parsing, compiling and executing JS. You may find delivering smaller JS payloads helps with this. Learn how to minimize main-thread work
Script Evaluation Time	+43.60 ms	Difference in Script Evaluation Time: Consider reducing the time spent parsing, compiling, and executing JS. You may find delivering smaller JS payloads helps with this. Learn how to reduce Javascript execution time.

[github-actions]

build results

vite-7 Platform Tests

	Total Uncompressed Size	Total Gzip Size
vite-7 - esnext	+165.26 KB	+47.83 KB
vite-7 - es2015	+172.13 KB	+49.49 KB

vite-otel-latest Platform Tests

	Total Uncompressed Size	Total Gzip Size
vite-otel-latest - esnext	+164.33 KB	+49.52 KB
vite-otel-latest - es2015	+171.12 KB	+51.14 KB

webpack-5 Platform Tests

	Total Uncompressed Size	Total Gzip Size
webpack-5 - esnext	+122.81 KB	+43.23 KB
webpack-5 - es2015	+123.49 KB	+44.69 KB

[renovate]

Branch Conflicted

⚠️ This PR has a merge conflict which Renovate is unable to automatically resolve, so updates to this PR description are now paused. Please resolve the merge conflict manually.