Missconceptions about indirect / transitive dependencies update

[Obyka]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitLab 17.6.2 / Renovate 39.94.2

Please tell us more about your question or problem

Hi everyone,

After reviewing the Beginner/Intermediate section of the Renovate documentation, I’m still unclear on how indirect dependencies are updated. I’d appreciate any guidance or clarification.

As an InfoSec engineer, I’m setting up Renovate to manage our PHP codebase dependencies, with a focus on addressing vulnerabilities. (We plan to expand to broader updates after testing the tool.)

Our repository includes:

• composer.json (direct dependencies, mostly with range semver)
• composer.lock (indirect dependencies)

When I run composer audit, I see several vulnerabilities in indirect dependencies. However, these don’t appear to be updated with the following Renovate configuration:

module.exports = {
  extends: ["security:only-security-updates"],
  platform: "gitlab",
};

I understand this might be the expected behavior, but I find it surprising that indirect dependencies aren’t updated by default, especially when they contain known vulnerabilities. Keeping these up to date seems critical for maintaining a secure codebase.

My Questions:

1. How can I configure Renovate to update indirect dependencies?
2. Why doesn’t Renovate update indirect dependencies by default?
3. Am I missing something about Renovate’s design philosophy or best practices for managing indirect dependencies?

Any advice or insights would be greatly appreciated. Thanks!

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[rarkins]

1. We recommend you run "lock file maintenance". It will run weekly be default, updating all transitive dependencies to the highest possible. You can also trigger it on demand using the dependency dashboard.
2. It's too noisy and inefficient to update all transitive dependencies individually by default (code bases can have thousands of transitive, and hundreds may be outdated). Also, transitive remediation is quite challenging (you essentially need to reverse engineer each package manager's dependency tree) and we haven't chosen to do it.