feat(npm): node strict constraint filtering

Closes #4826
renovatebot · May 27, 2023 · fcc91b8 · fcc91b8
1 parent d9f6967
commit fcc91b8
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 1 deletion.
diff --git a/docs/usage/configuration-options.md b/docs/usage/configuration-options.md
@@ -596,9 +596,31 @@ Renovate supports two options:
 
 We are working on adding more advanced filtering options.
 
-Note: There must be a `constraints` object in your Renovate config for this to work.
+Note: There must be a `constraints` object in your Renovate config, or constraints detected from package files, for this to work.
 This feature is limited to `packagist`, `npm`, and `pypi` datasources.
 
+<!-- prettier-ignore -->
+!!! warning
+    Enabling this feature may result in many package updates being filtered out silently.
+    See below for a description of how it works.
+
+When `constraintsFiltering=strict`, the following logic applies:
+
+- Are there `constraints` for this repository, either detected from source or from config?
+- Does this package's release declare constraints of its own (e.g. `engines` in Node.js)?
+- If so, filter out this release unless the repository constraint is a _subset_ of the release constraint
+
+Here's some examples of when a release is allowed:
+
+- The `package.json` declares its `engines.node` as `18` which is a subset of the package release `16 || 18`
+- The `package.json` declares its `engines.node` as `^18.10.0` which is a subset of the package release `>=18`
+- The `package.json` declares its `engines.node` as `^16.10.0 || >=18.0.0` which is a subset of the package release `>= 16.0.0`
+
+Here's some examples of when a release is filtered out (disallowed):
+
+- The `package.json` declares its `engines.node` as `>=16` while the package release has a narrower `16 || 18`
+- The `package.json` declares its `engines.node` as `16` while the package release has a narrower `^16.10.0`
+
 ## defaultRegistryUrls
 
 Override a datasource's default registries with this config option.

diff --git a/lib/modules/datasource/npm/get.spec.ts b/lib/modules/datasource/npm/get.spec.ts
@@ -334,6 +334,9 @@ describe('modules/datasource/npm/get', () => {
               type: 'git',
               url: 'https://github.com/vuejs/vue-next.git',
             },
+            engines: {
+              node: '>= 8.9.0',
+            },
           },
         },
         'dist-tags': { latest: '2.0.0' },

diff --git a/lib/modules/datasource/npm/get.ts b/lib/modules/datasource/npm/get.ts
@@ -176,6 +176,10 @@ export async function getDependency(
       if (res.versions?.[version].deprecated) {
         release.isDeprecated = true;
       }
+      const nodeConstraint = res.versions?.[version].engines?.node;
+      if (is.nonEmptyString(nodeConstraint)) {
+        release.constraints = { node: [nodeConstraint] };
+      }
       const source = PackageSource.parse(res.versions?.[version].repository);
       if (source.sourceUrl && source.sourceUrl !== dep.sourceUrl) {
         release.sourceUrl = source.sourceUrl;

diff --git a/lib/modules/datasource/npm/types.ts b/lib/modules/datasource/npm/types.ts
@@ -17,6 +17,7 @@ export interface NpmResponseVersion {
   gitHead?: string;
   dependencies?: Record<string, string>;
   devDependencies?: Record<string, string>;
+  engines?: Record<string, string>;
 }
 
 export interface NpmResponse {