feat(renovate): update renovate to use shared renovate-config

[Sarah4VT]

Migrate to Shared commercetools Renovate Configuration

Summary

This PR migrates our Renovate configuration from a fully custom setup to the standardized commercetools shared configuration, specifically using the composite/component-library preset designed for UI component libraries.

What Changed

Before

• Fully custom configuration with 54 lines
• Manual management of all grouping rules
• Custom extensions and settings

After

• Extends github>commercetools/renovate-config:composite/component-library
• 37 lines focused only on repository-specific overrides (31% reduction)
• Inherits comprehensive dependency management from shared config

Benefits

1. Automatic Intelligent Grouping

The shared config provides automatic grouping for 15+ dependency ecosystems:

• React (react, react-dom, @types/react, @types/react-dom)
• TypeScript (typescript, @types/*)
• Testing (Jest, Testing Library)
• Build Tools (Babel, Webpack, PostCSS)
• Development (Storybook, ESLint, Prettier)
• Styling (Emotion)
• Internationalization (react-intl, @formatjs/*)
• And more...

2. Better PR Management

• Concurrent PR limit: Max 1 PR at a time (prevents overwhelming the team)
• Branch concurrent limit: Max 2 branches
• PR hourly limit: Max 1 PR per hour

3. Security Best Practices

• security:minimumReleaseAgeNpm: Waits for npm packages to be stable before updating (reduces risk of broken packages)

4. Improved Base Configuration

• Upgraded from config:base to config:best-practices (superset with better defaults)
• Peer dependencies use widen range strategy for better compatibility

5. Additional Labels

• PRs will now have two labels:
  • 🙏 Status: code review needed (new)
  • 🤖 Type: Dependencies (existing)
• Stop updating support with 🖐 Status: on hold / postponed label

6. Future-Proof

• Shared config updates automatically benefit all repositories
• Consistency with other commercetools repositories
• Reduced maintenance burden

Preserved Customizations

All repository-specific requirements have been maintained:

1. Rebase Strategy

"rebaseWhen": "never"

Overrides the shared config's "conflicted" default to preserve team preference.

2. SVGR Package Grouping

{
  "matchSourceUrls": ["https://github.com/gregberge/svgr{/,}**"],
  "groupName": "all svgr packages"
}

Groups all @svgr/* packages together (used for icon generation).

3. Stylelint Package Grouping

{
  "matchPackageNames": ["stylelint", "stylelint-config-standard", "/^stylelint-/"],
  "groupName": "all stylelint packages"
}

The shared libraries/linting preset only covers ESLint/Prettier, so we maintain Stylelint grouping.

4. Version Constraints (6 packages)

All compatibility constraints are preserved:

• html-loader: <2.0.0
• markdown-loader: <8.0.0
• @percy/puppeteer: <=2.0.0
• react-textarea-autosize: <8.4.1
• react-from-dom: <=0.6.2
• node-fetch: <3.0.0

5. Ignored Dependencies

"ignoreDeps": ["slate", "slate-html-serializer", "slate-react"]

Slate packages remain ignored due to known compatibility issues.

Configuration Removed (Now Provided by Shared Config)

The following were removed as they're now inherited from the shared configuration:

• ❌ "config:base" → Upgraded to "config:best-practices"
• ❌ ":preserveSemverRanges" → In default.json
• ❌ "schedule:weekly" → In default.json
• ❌ "separateMajorMinor": true → In default.json
• ❌ "lockFileMaintenance": { "enabled": true } → In default.json
• ❌ "labels": ["🤖 Type: Dependencies"] → In default.json (plus adds code review label)
• ❌ Minor/patch "all dependencies" grouping → In default.json

Expected Behavior Changes

What Will Change

1. Security waiting period: Non-security updates may be delayed slightly to ensure package stability (good for reliability)
2. PR rate limits: Max 1 PR at a time may slow down major update cycles, but reduces noise
3. Additional label: PRs will have the code review label in addition to dependencies label
4. Rebase on conflict: Overridden back to "never" to maintain current workflow

What Won't Change

• Weekly update schedule
• Semver range preservation (^, ~, etc.)
• Major/minor separation
• Lock file maintenance
• Version constraints for 6 packages
• Slate packages ignored
• SVGR grouping
• Stylelint grouping

Testing & Validation

After merging, please verify:

• Renovate successfully loads the shared config (check dashboard for errors)
• All 6 version constraints are respected in generated PRs
• SVGR packages are grouped together
• Stylelint packages are grouped together
• Slate packages remain ignored (no PRs for these)
• Minor/patch updates grouped as "all dependencies"
• React, TypeScript, Jest, Storybook, etc. are grouped appropriately
• Lock file maintenance PR is created
• Both labels appear on PRs (🙏 Status: code review needed and 🤖 Type: Dependencies)
• PR concurrency limit is working (max 1 PR at a time)
• No unexpected breaking changes in proposed updates

Related

• Shared config repository: https://github.com/commercetools/renovate-config
• Component library preset: https://github.com/commercetools/renovate-config/blob/main/composite/component-library.json
• Renovate docs: https://docs.renovatebot.com/

Notes

The composite/component-library preset includes platforms/pnpm, but since ui-kit uses Yarn 3, these settings are harmlessly ignored by Renovate.

[changeset-bot]

⚠️ No Changeset found

Latest commit: d574d86

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
ui-kit	Ready	Preview, Comment	Jan 21, 2026 7:58pm

[tdeekens]

Why do we remove this?

[Sarah4VT]

It's in the shared config now. https://github.com/commercetools/renovate-config/blob/700c5dcf53d675f8cd0779a6e0e15fc22d187758/default.json#L28

Questioning this a little as appKit has slightly different "stop labels" and I'm not sure if there are workflows that trigger off the labels. It would be nice to have label consistency across repos, but not sure if this is a can of worms we don't want to open right now.

[tdeekens]

I'd see the goal as dependency update cadence as the goal. Not expanding it to label consistency. One topic at a time :)

[Sarah4VT]

The shared config has rebaseWhen: "conflicted". I notice AppKit also has rebaseWhen: "never". Not sure if this is common and we should change shared config or if we want this behavior to change. Conflicted doesn't seem like a bad option, but not sure why this was set to never originally.

[tdeekens]

Let's keep this as a repo decision then for now.