JacobPEvans-personal · JacobPEvans-personal · May 24, 2026 · May 24, 2026 · May 24, 2026
diff --git a/renovate-presets.json b/renovate-presets.json
@@ -65,6 +65,11 @@
       ],
       "enabled": false
     },
+    {
+      "description": "30-day grace period for any major-version update, org-wide. Gives upstream ecosystems time to surface breaking-change regressions before we adopt them. CVE-driven bumps still bypass via the top-level vulnerabilityAlerts block (0 days). Trusted-org rules later in the file override per-attribute settings like automerge, but their minimumReleaseAge values yield to this rule for major updates — Renovate merges packageRule attributes by last-match wins per key, so this 30-day floor applies whenever a later rule does not set minimumReleaseAge itself.",
+      "matchUpdateTypes": ["major"],
+      "minimumReleaseAge": "30 days"
+    },
     {
       "description": "Never auto-merge major updates - require human review (overridden by trusted package rules below)",
       "matchUpdateTypes": ["major"],
@@ -230,8 +235,9 @@
       "schedule": ["after 7am on Monday", "after 7am on Thursday"]
     },
     {
-      "description": "Bump Python `>=` lower bounds so they track the latest released version. Without this, Renovate's default `auto` strategy (= `replace` for pep621/pip_requirements) leaves `pyarrow>=17.0.0` untouched forever even when 24.x is current — the existing range already satisfies the new version, so `replace` no-ops. Setting `bump` forces the lower bound to move with each release, keeping security floors current. Mirrors the `rangeStrategy: bump` already used inside `vulnerabilityAlerts` so routine and CVE-driven bumps behave identically.",
+      "description": "Bump Python `>=` lower bounds ONLY on major releases, and only to `>=N.0.0` form. The floor expresses the oldest acceptable major; minor/patch positions are reserved exclusively for CVE-mitigation pins. Minor/patch releases never trigger a floor bump — Renovate's default `replace` strategy already no-ops when the existing range satisfies the new version. Renovate's pep440 `bump` produces `>=N.M.P` natively; the companion normalizer workflow (follow-up issue in this repo) rewrites it to `>=N.0.0` after the PR opens. CVE EXCEPTION: when a known CVE is fixed only in a specific minor/patch release, pin the floor to the OLDEST secure version (e.g. `pyarrow 17.0.0 → PYSEC-2026-113 fixed in 23.0.1` → `pyarrow>=23.0.1`), NEVER the latest release. An inline comment block citing every CVE identifier the floor mitigates is REQUIRED above any floor that exceeds `>=N.0.0` form — see `mlx-benchmarks/space/requirements.txt` for the canonical pattern. The normalizer must preserve floors preceded by such a comment block. CVE-driven Renovate bumps themselves still use `bump` at all update types via the top-level `vulnerabilityAlerts` block, so security floor bumps remain immediate.",
       "matchManagers": ["pep621", "pip_requirements", "pip_setup", "poetry", "pipenv"],
+      "matchUpdateTypes": ["major"],
       "rangeStrategy": "bump"
     }
   ]