Respect disabled hostRules (enabled: false) globally in datasources and lockfile updates #44346
loganprice
started this conversation in
Suggest an Idea
Replies: 1 comment
-
|
Both originally proposed solutions have been implemented find the branches below: Solution 1: https://github.com/loganprice/renovate/tree/disable_public_repos |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Tell us more.
In airgapped or strictly controlled internal network environments, Renovate has no access to public internet registries (such as
api.nuget.org,registry.npmjs.org, orpypi.org).Currently, users can configure
hostRuleswithenabled: falseto block traffic to these public registries. While this blocks outbound requests at the HTTP layer, it still leads to lookup warnings, noisy error logs, and package manager restore failures because:nuget.config,.npmrc, or keyring environment variables) that hardcode or reference these disabled hosts, causing the lockfile generation tools (dotnet restore, npm install, pipenv lock, etc.) to attempt to connect to them.Proposed Solutions
Solution 1: Respect enabled: false in hostRules across datasources and managers
Users can already configure hostRules with enabled: false to block traffic to specific hosts. This solution extends that behavior to act as a proper registry filter:
Configuration Example
{ "hostRules": [ { "matchHost": "api.nuget.org", "enabled": false } ] }Solution 2: Introduce disableDefaultRegistries configuration option
Instead of managing a blocklist of public hosts, introduce a new boolean configuration option
disableDefaultRegistries(defaultfalse).disableDefaultRegistriesis set totrue, Renovate's datasources will not fall back to default public registries if no registries are explicitly configured in the repository.package.json,NuGet.config) or specified in Renovate configuration (such as in packageRulesregistryUrls), Renovate will return an empty list of registries, preventing any network requests from leaking to public internet registries.Configuration Example
{ "disableDefaultRegistries": true, "packageRules": [ { "matchDatasources": ["npm"], "registryUrls": ["https://my-internal-npm-mirror.company.com/registry"] }, { "matchDatasources": ["nuget"], "registryUrls": ["https://my-internal-nuget-mirror.company.com/registry"] } ] }Beta Was this translation helpful? Give feedback.
All reactions