Renovate not creating PRs to update Python (pip) security vulnerabilities by Dependabot

[greyli-dell]

What would you like help with?

I think I found a bug

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitHub Enterprise 3.12.4

Please tell us more about your question or problem

Hi team, I am trying to deploy Renovate to perform only-security-updates. Here is my config.js file:

module.exports = {
  endpoint: "https://self-hosted-github.com/api/v3",
  token: "...",
  platform: "github",
  prConcurrentLimit: 4,
  extends: ["config:recommended"],
  onboardingConfig: {
    extends: ["config:recommended"],
  },
  packageRules: [
    {
      enabled: false,
      matchPackagePatterns: ["*"]
    }
  ],
  onboardingBranch: "deps/renovate-configure",
  vulnerabilityAlerts: {
    enabled: true
  },
  osvVulnerabilityAlerts: true,
  branchPrefix: "deps/",
  repositories: [
    "myorg/my-repo"
  ],
  dependencyDashboardOSVVulnerabilitySummary: "all",
  labels: ["dependencies"],
  enabledManagers: ["npm", "gomod", "ocb", "pep621", "pip-compile", "pip_requirements", "pip_setup", "poetry", "setup-cfg"]
};

It can detect the vulnerabilities from GitHub dependabot alerts, but no PRs are created after running renovate. In the dashboard, it displayed the CVE list:

This is the content of the requirements file:

requests==2.24.0
rich==12.6.0
pydantic==2.7.1
PyYAML==6.0

According to the security alerts, the requests should be updated to the newer version, and it's not a transitive dependency.

Here is the relevant log:

DEBUG: GitHub vulnerability details (repository=myorg/my-repo)
       "alerts": {"pip/requests": {">= 2.3.0, < 2.31.0": "2.31.0", "< 2.32.0": "2.32.0"}}
DEBUG: alert package rules (repository=myorg/my-repo)
       "alertPackageRules": [
         {
           "matchDatasources": ["pypi"],
           "matchPackageNames": ["requests"],
           "matchCurrentVersion": "== 2.24.0",
           "matchFileNames": [
             "app/configuration/root/etc/python_requirements.txt"
           ],
           "allowedVersions": "==2.32.0",
           "prBodyNotes": [
             "### GitHub Vulnerability Alerts",
             "#### [CVE-2023-32681](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)\n\n### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://**redacted**@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP → HTTPS: **leak**\n2. HTTPS → HTTP: **no leak**\n3. HTTPS → HTTPS: **leak**\n4. HTTP → HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http:https://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@&#8203;gmail.com)",
             "#### [CVE-2024-35195](https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)\n\nWhen making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.\n\n### Remediation\nAny of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.\n\n* Upgrade to `requests>=2.32.0`.\n* For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session.\n* For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used.\n\n### Related Links\n* https://github.com/psf/requests/pull/6655"
           ],
           "isVulnerabilityAlert": true,
           "force": {
             "groupName": null,
             "schedule": [],
             "dependencyDashboardApproval": false,
             "minimumReleaseAge": null,
             "rangeStrategy": "update-lockfile",
             "commitMessageSuffix": "",
             "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
             "prCreation": "immediate",
             "enabled": true,
             "labels": ["security"]
           }
         }
       ]

Please help to confirm if it's a bug. Thanks!

Complete debug logs

Logs

 INFO: Repository started (repository=myorg/my-repo)
       "renovateVersion": "37.381.11"
DEBUG: Using localDir: /tmp/renovate/repos/github/myorg/my-repo (repository=myorg/my-repo)
DEBUG: PackageFiles.clear() - Package files deleted (repository=myorg/my-repo)
DEBUG: initRepo("myorg/my-repo") (repository=myorg/my-repo)
DEBUG: hostRules: authentication already set for self-hosted-github.com (repository=myorg/my-repo)
DEBUG: myorg/my-repo default branch = main (repository=myorg/my-repo)
DEBUG: Using app token for git init (repository=myorg/my-repo)
DEBUG: Resetting npmrc (repository=myorg/my-repo)
DEBUG: Resetting npmrc (repository=myorg/my-repo)
DEBUG: checkOnboarding() (repository=myorg/my-repo)
DEBUG: isOnboarded() (repository=myorg/my-repo)
DEBUG: findPr(pvt/renovate-configure, Configure Renovate, !open) (repository=myorg/my-repo)
DEBUG: http cache: saving https://self-hosted-github.com/api/v3/repos/myorg/my-repo/pulls?per_page=100&state=all&sort=updated&direction=desc&page=1 (etag=W/"00932725131e67d6806a5f67eec8a84551047870d0ceaf7c1a91cb4d692bbd05", lastModified=undefined) (repository=myorg/my-repo)
DEBUG: getPrList success (repository=myorg/my-repo)
       "pullsTotal": 1,
       "requestsTotal": 1,
       "apiQuotaAffected": true
DEBUG: findPr(pvt/renovate-configure, chore: Configure Renovate, !open) (repository=myorg/my-repo)
DEBUG: Found PR #188 (repository=myorg/my-repo)
DEBUG: findFile(renovate.json) (repository=myorg/my-repo)
DEBUG: Initializing git repository into /tmp/renovate/repos/github/myorg/my-repo (repository=myorg/my-repo)
DEBUG: Performing blobless clone (repository=myorg/my-repo)
DEBUG: git clone completed (repository=myorg/my-repo)
       "durationMs": 13926
DEBUG: latest repository commit (repository=myorg/my-repo)
       "latestCommit": {
         "hash": "1bd658d03e6bd4b313fed5088b31b22c9735172b",
         "date": "2024-06-24T17:10:58+08:00",
         "message": "Merge pull request #188 from myorg/pvt/renovate-configure",
         "refs": "HEAD -> main, origin/main, origin/HEAD",
         "body": "chore: Configure Renovate",
         ...
       }
DEBUG: Config file exists, fileName: renovate.json (repository=myorg/my-repo)
DEBUG: Retrieving issueList (repository=myorg/my-repo)
DEBUG: Retrieved 1 issues (repository=myorg/my-repo)
DEBUG: Repo is onboarded (repository=myorg/my-repo)
DEBUG: Found renovate.json config file (repository=myorg/my-repo)
DEBUG: Repository config (repository=myorg/my-repo)
       "fileName": "renovate.json",
       "config": {
         "$schema": "https://docs.renovatebot.com/renovate-schema.json",
         "extends": ["config:recommended"]
       }
DEBUG: migrateAndValidate() (repository=myorg/my-repo)
DEBUG: No config migration necessary (repository=myorg/my-repo)
DEBUG: Setting hostRules from config (repository=myorg/my-repo)
DEBUG: Found repo ignorePaths (repository=myorg/my-repo)
       "ignorePaths": [
         "**/node_modules/**",
         "**/bower_components/**",
         "**/vendor/**",
         "**/examples/**",
         "**/__tests__/**",
         "**/test/**",
         "**/tests/**",
         "**/__fixtures__/**"
       ]
DEBUG: GitHub vulnerability details (repository=myorg/my-repo)
       "alerts": {"pip/requests": {">= 2.3.0, < 2.31.0": "2.31.0", "< 2.32.0": "2.32.0"}}
DEBUG: alert package rules (repository=myorg/my-repo)
       "alertPackageRules": [
         {
           "matchDatasources": ["pypi"],
           "matchPackageNames": ["requests"],
           "matchCurrentVersion": "== 2.24.0",
           "matchFileNames": [
             "app/configuration/root/etc/python_requirements.txt"
           ],
           "allowedVersions": "==2.32.0",
           "prBodyNotes": [
             "### GitHub Vulnerability Alerts",
             "#### [CVE-2023-32681](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)\n\n### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://**redacted**@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP → HTTPS: **leak**\n2. HTTPS → HTTP: **no leak**\n3. HTTPS → HTTPS: **leak**\n4. HTTP → HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http:https://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@&#8203;gmail.com)",
             "#### [CVE-2024-35195](https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)\n\nWhen making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.\n\n### Remediation\nAny of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.\n\n* Upgrade to `requests>=2.32.0`.\n* For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session.\n* For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used.\n\n### Related Links\n* https://github.com/psf/requests/pull/6655"
           ],
           "isVulnerabilityAlert": true,
           "force": {
             "groupName": null,
             "schedule": [],
             "dependencyDashboardApproval": false,
             "minimumReleaseAge": null,
             "rangeStrategy": "update-lockfile",
             "commitMessageSuffix": "[SECURITY]",
             "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
             "prCreation": "immediate",
             "enabled": true
           }
         }
       ]
DEBUG: findIssue(Dependency Dashboard) (repository=myorg/my-repo)
DEBUG: Found issue 189 (repository=myorg/my-repo)
DEBUG: http cache: saving https://self-hosted-github.com/api/v3/repos/myorg/my-repo/issues/189 (etag=W/"6db14e08cf41105987d014b5fb3008862cd52c762e2811cb97f7d971a8e0887d", lastModified=Tue, 25 Jun 2024 03:52:42 GMT) (repository=myorg/my-repo)
DEBUG: No baseBranches (repository=myorg/my-repo)
DEBUG: extract() (repository=myorg/my-repo)
DEBUG: Setting current branch to main (repository=myorg/my-repo)
DEBUG: latest commit (repository=myorg/my-repo)
       "branchName": "main",
       "latestCommitDate": "2024-06-24T17:10:58+08:00"
DEBUG: Using file match: (^|/)go\.mod$ for manager gomod (repository=myorg/my-repo)
DEBUG: Using file match: (^|/)package\.json$ for manager npm (repository=myorg/my-repo)
DEBUG: Using file match: (^|/)pyproject\.toml$ for manager pep621 (repository=myorg/my-repo)
DEBUG: Using file match: (^|/)[\w-]*requirements([-.]\w+)?\.(txt|pip)$ for manager pip_requirements (repository=myorg/my-repo)
DEBUG: Using file match: (^|/)setup\.py$ for manager pip_setup (repository=myorg/my-repo)
DEBUG: Using file match: (^|/)pyproject\.toml$ for manager poetry (repository=myorg/my-repo)
DEBUG: Using file match: (^|/)setup\.cfg$ for manager setup-cfg (repository=myorg/my-repo)
DEBUG: Matched 1 file(s) for manager gomod: mcp-nim-service/go.mod (repository=myorg/my-repo)
DEBUG: Matched 2 file(s) for manager pip_requirements: mcp-nim-liveos/requirements.txt, app/configuration/root/etc/python_requirements.txt (repository=myorg/my-repo)
DEBUG: manager extract durations (ms) (repository=myorg/my-repo)
       "managers": {"gomod": 1, "pip_requirements": 2}
DEBUG: Found gomod package files (repository=myorg/my-repo)
DEBUG: Found pip_requirements package files (repository=myorg/my-repo)
DEBUG: Found 3 package file(s) (repository=myorg/my-repo)
DEBUG: Manager explicitly enabled in "enabledManagers" config, but found no results. Possible config error? (repository=myorg/my-repo)
       "manager": "npm"
DEBUG: Manager explicitly enabled in "enabledManagers" config, but found no results. Possible config error? (repository=myorg/my-repo)
       "manager": "ocb"
DEBUG: Manager explicitly enabled in "enabledManagers" config, but found no results. Possible config error? (repository=myorg/my-repo)
       "manager": "pep621"
DEBUG: Manager explicitly enabled in "enabledManagers" config, but found no results. Possible config error? (repository=myorg/my-repo)
       "manager": "pip-compile"
DEBUG: Manager explicitly enabled in "enabledManagers" config, but found no results. Possible config error? (repository=myorg/my-repo)
       "manager": "pip_setup"
DEBUG: Manager explicitly enabled in "enabledManagers" config, but found no results. Possible config error? (repository=myorg/my-repo)
       "manager": "poetry"
DEBUG: Manager explicitly enabled in "enabledManagers" config, but found no results. Possible config error? (repository=myorg/my-repo)
       "manager": "setup-cfg"
 INFO: Dependency extraction complete (repository=myorg/my-repo, baseBranch=main)
       "stats": {
         "managers": {
           "gomod": {"fileCount": 1, "depCount": 18},
           "pip_requirements": {"fileCount": 2, "depCount": 7}
         },
         "total": {"fileCount": 3, "depCount": 25}
       }
DEBUG: fetchVulnerabilities() - osvVulnerabilityAlerts=true (repository=myorg/my-repo)
DEBUG: Vulnerability GHSA-j8r2-6x86-q33q affects requests 2.24.0 (repository=myorg/my-repo)
DEBUG: Vulnerability GHSA-9wx4-h78v-vm56 affects requests 2.24.0 (repository=myorg/my-repo)
DEBUG: Vulnerability PYSEC-2023-74 affects requests 2.24.0 (repository=myorg/my-repo)
DEBUG: Setting allowed version ==2.31.0 to fix vulnerability GHSA-j8r2-6x86-q33q in requests 2.24.0 (repository=myorg/my-repo)
DEBUG: Setting allowed version ==2.32.0 to fix vulnerability GHSA-9wx4-h78v-vm56 in requests 2.24.0 (repository=myorg/my-repo)
DEBUG: Setting allowed version ==2.31.0 to fix vulnerability PYSEC-2023-74 in requests 2.24.0 (repository=myorg/my-repo)
DEBUG: Dependency: go, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/gorilla/mux, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/sirupsen/logrus, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/spf13/viper, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/fsnotify/fsnotify, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: rich, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: pydantic, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: PyYAML, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: rich, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: pydantic, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: PyYAML, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/hashicorp/hcl, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/magiconair/properties, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/mitchellh/mapstructure, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/pelletier/go-toml/v2, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/spf13/afero, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/spf13/cast, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/spf13/jwalterweatherman, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/spf13/pflag, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: github.com/subosito/gotenv, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: golang.org/x/sys, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: golang.org/x/text, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: gopkg.in/ini.v1, is disabled (repository=myorg/my-repo)
DEBUG: Dependency: gopkg.in/yaml.v3, is disabled (repository=myorg/my-repo)
DEBUG: PackageFiles.add() - Package file saved for base branch (repository=myorg/my-repo, baseBranch=main)
DEBUG: Package releases lookups complete (repository=myorg/my-repo, baseBranch=main)
DEBUG: branchifyUpgrades (repository=myorg/my-repo)
DEBUG: detectSemanticCommits() (repository=myorg/my-repo)
DEBUG: getCommitMessages (repository=myorg/my-repo)
DEBUG: semanticCommits: detected "angular" (repository=myorg/my-repo)
DEBUG: semanticCommits: enabled (repository=myorg/my-repo)
DEBUG: 0 flattened updates found:  (repository=myorg/my-repo)
DEBUG: Returning 0 branch(es) (repository=myorg/my-repo)
DEBUG: config.repoIsOnboarded=true (repository=myorg/my-repo)
DEBUG: packageFiles with updates (repository=myorg/my-repo, baseBranch=main)
       "config": {
         "gomod": [
           {
             "deps": [
               {
                 "datasource": "golang-version",
                 "versioning": "go-mod-directive",
                 "depType": "golang",
                 "depName": "go",
                 "currentValue": "1.20",
                 "managerData": {"lineNumber": 2},
                 "updates": [],
                 "packageName": "go",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "require",
                 "depName": "github.com/gorilla/mux",
                 "currentValue": "v1.8.0",
                 "managerData": {"multiLine": true, "lineNumber": 5},
                 "updates": [],
                 "packageName": "github.com/gorilla/mux",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "require",
                 "depName": "github.com/sirupsen/logrus",
                 "currentValue": "v1.9.3",
                 "managerData": {"multiLine": true, "lineNumber": 6},
                 "updates": [],
                 "packageName": "github.com/sirupsen/logrus",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "require",
                 "depName": "github.com/spf13/viper",
                 "currentValue": "v1.16.0",
                 "managerData": {"multiLine": true, "lineNumber": 7},
                 "updates": [],
                 "packageName": "github.com/spf13/viper",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/fsnotify/fsnotify",
                 "currentValue": "v1.6.0",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 11},
                 "updates": [],
                 "packageName": "github.com/fsnotify/fsnotify",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/hashicorp/hcl",
                 "currentValue": "v1.0.0",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 12},
                 "updates": [],
                 "packageName": "github.com/hashicorp/hcl",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/magiconair/properties",
                 "currentValue": "v1.8.7",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 13},
                 "updates": [],
                 "packageName": "github.com/magiconair/properties",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/mitchellh/mapstructure",
                 "currentValue": "v1.5.0",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 14},
                 "updates": [],
                 "packageName": "github.com/mitchellh/mapstructure",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/pelletier/go-toml/v2",
                 "currentValue": "v2.0.8",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 15},
                 "updates": [],
                 "packageName": "github.com/pelletier/go-toml/v2",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/spf13/afero",
                 "currentValue": "v1.9.5",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 16},
                 "updates": [],
                 "packageName": "github.com/spf13/afero",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/spf13/cast",
                 "currentValue": "v1.5.1",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 17},
                 "updates": [],
                 "packageName": "github.com/spf13/cast",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/spf13/jwalterweatherman",
                 "currentValue": "v1.1.0",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 18},
                 "updates": [],
                 "packageName": "github.com/spf13/jwalterweatherman",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/spf13/pflag",
                 "currentValue": "v1.0.5",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 19},
                 "updates": [],
                 "packageName": "github.com/spf13/pflag",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "github.com/subosito/gotenv",
                 "currentValue": "v1.4.2",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 20},
                 "updates": [],
                 "packageName": "github.com/subosito/gotenv",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "golang.org/x/sys",
                 "currentValue": "v0.8.0",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 21},
                 "updates": [],
                 "packageName": "golang.org/x/sys",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "golang.org/x/text",
                 "currentValue": "v0.9.0",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 22},
                 "updates": [],
                 "packageName": "golang.org/x/text",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "gopkg.in/ini.v1",
                 "currentValue": "v1.67.0",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 23},
                 "updates": [],
                 "packageName": "gopkg.in/ini.v1",
                 "skipReason": "disabled"
               },
               {
                 "datasource": "go",
                 "depType": "indirect",
                 "depName": "gopkg.in/yaml.v3",
                 "currentValue": "v3.0.1",
                 "enabled": false,
                 "managerData": {"multiLine": true, "lineNumber": 24},
                 "updates": [],
                 "packageName": "gopkg.in/yaml.v3",
                 "skipReason": "disabled"
               }
             ],
             "packageFile": "mcp-nim-service/go.mod"
           }
         ],
         "pip_requirements": [
           {
             "deps": [
               {
                 "depName": "rich",
                 "currentValue": "==12.6.0",
                 "datasource": "pypi",
                 "currentVersion": "12.6.0",
                 "updates": [],
                 "packageName": "rich",
                 "skipReason": "disabled"
               },
               {
                 "depName": "pydantic",
                 "currentValue": "==2.7.1",
                 "datasource": "pypi",
                 "currentVersion": "2.7.1",
                 "updates": [],
                 "packageName": "pydantic",
                 "skipReason": "disabled"
               },
               {
                 "depName": "PyYAML",
                 "currentValue": "==6.0",
                 "datasource": "pypi",
                 "currentVersion": "6.0",
                 "updates": [],
                 "packageName": "PyYAML",
                 "skipReason": "disabled"
               }
             ],
             "packageFile": "mcp-nim-liveos/requirements.txt"
           },
           {
             "deps": [
               {
                 "depName": "requests",
                 "currentValue": "==2.24.0",
                 "datasource": "pypi",
                 "currentVersion": "2.24.0",
                 "updates": [],
                 "packageName": "requests",
                 "versioning": "pep440",
                 "warnings": [],
                 "sourceUrl": "https://github.com/psf/requests",
                 "registryUrl": "https://pypi.org/pypi",
                 "homepage": "https://requests.readthedocs.io",
                 "changelogUrl": "https://github.com/psf/requests/blob/master/HISTORY.md",
                 "currentVersionTimestamp": "2020-06-17T16:30:08.000Z",
                 "fixedVersion": "2.24.0"
               },
               {
                 "depName": "rich",
                 "currentValue": "==12.6.0",
                 "datasource": "pypi",
                 "currentVersion": "12.6.0",
                 "updates": [],
                 "packageName": "rich",
                 "skipReason": "disabled"
               },
               {
                 "depName": "pydantic",
                 "currentValue": "==2.7.1",
                 "datasource": "pypi",
                 "currentVersion": "2.7.1",
                 "updates": [],
                 "packageName": "pydantic",
                 "skipReason": "disabled"
               },
               {
                 "depName": "PyYAML",
                 "currentValue": "==6.0",
                 "datasource": "pypi",
                 "currentVersion": "6.0",
                 "updates": [],
                 "packageName": "PyYAML",
                 "skipReason": "disabled"
               }
             ],
             "packageFile": "app/configuration/root/etc/python_requirements.txt"
           }
         ]
       }
DEBUG: detectSemanticCommits() (repository=myorg/my-repo)
DEBUG: semanticCommits: returning "enabled" from cache (repository=myorg/my-repo)
DEBUG: processRepo() (repository=myorg/my-repo)
DEBUG: Processing 0 branches:  (repository=myorg/my-repo)
DEBUG: Calculating hourly PRs remaining (repository=myorg/my-repo)
DEBUG: currentHourStart=2024-06-25T12:00:00.000+08:00 (repository=myorg/my-repo)
DEBUG: PR hourly limit remaining: 2 (repository=myorg/my-repo)
DEBUG: Calculating prConcurrentLimit (4) (repository=myorg/my-repo)
DEBUG: 0 PRs are currently open (repository=myorg/my-repo)
DEBUG: PR concurrent limit remaining: 4 (repository=myorg/my-repo)
DEBUG: Calculated maximum PRs remaining this run: 2 (repository=myorg/my-repo)
DEBUG: PullRequests limit = 2 (repository=myorg/my-repo)
DEBUG: Calculating hourly PRs remaining (repository=myorg/my-repo)
DEBUG: currentHourStart=2024-06-25T12:00:00.000+08:00 (repository=myorg/my-repo)
DEBUG: PR hourly limit remaining: 2 (repository=myorg/my-repo)
DEBUG: Calculating branchConcurrentLimit (4) (repository=myorg/my-repo)
DEBUG: 0 already existing branches found:  (repository=myorg/my-repo)
DEBUG: Branch concurrent limit remaining: 4 (repository=myorg/my-repo)
DEBUG: Calculated maximum branches remaining this run: 2 (repository=myorg/my-repo)
DEBUG: Branches limit = 2 (repository=myorg/my-repo)
DEBUG: ensureDependencyDashboard() (repository=myorg/my-repo)
DEBUG: Ensuring Dependency Dashboard (repository=myorg/my-repo)
DEBUG: Vulnerability GHSA-j8r2-6x86-q33q affects requests 2.24.0 (repository=myorg/my-repo)
DEBUG: Vulnerability GHSA-9wx4-h78v-vm56 affects requests 2.24.0 (repository=myorg/my-repo)
DEBUG: Vulnerability PYSEC-2023-74 affects requests 2.24.0 (repository=myorg/my-repo)
DEBUG: http cache: saving https://self-hosted-github.com/api/v3/repos/myorg/my-repo/issues/189 (etag=W/"6db14e08cf41105987d014b5fb3008862cd52c762e2811cb97f7d971a8e0887d", lastModified=Tue, 25 Jun 2024 03:52:42 GMT) (repository=myorg/my-repo)
DEBUG: http cache: saving https://self-hosted-github.com/api/v3/repos/myorg/my-repo/issues/189 (etag=W/"6db14e08cf41105987d014b5fb3008862cd52c762e2811cb97f7d971a8e0887d", lastModified=Tue, 25 Jun 2024 03:52:42 GMT) (repository=myorg/my-repo)
DEBUG: ensureIssue(Dependency Dashboard) (repository=myorg/my-repo)
DEBUG: http cache: saving https://self-hosted-github.com/api/v3/repos/myorg/my-repo/issues/189 (etag=W/"6db14e08cf41105987d014b5fb3008862cd52c762e2811cb97f7d971a8e0887d", lastModified=Tue, 25 Jun 2024 03:52:42 GMT) (repository=myorg/my-repo)
DEBUG: Patching issue (repository=myorg/my-repo)
DEBUG: Issue updated (repository=myorg/my-repo)
DEBUG: validateReconfigureBranch() (repository=myorg/my-repo)
DEBUG: No reconfigure branch found (repository=myorg/my-repo)
DEBUG: Removing any stale branches (repository=myorg/my-repo)
DEBUG: config.repoIsOnboarded=true (repository=myorg/my-repo)
DEBUG: No renovate branches found (repository=myorg/my-repo)
DEBUG: PackageFiles.clear() - Package files deleted (repository=myorg/my-repo)
DEBUG: Branch summary (repository=myorg/my-repo)
       "cacheModified": undefined,
       "baseBranches": [{"branchName": "main", "sha": "1bd658d03e6bd4b313fed5088b31b22c9735172b"}],
       "branches": [],
       "defaultBranch": "main",
       "inactiveBranches": []
DEBUG: Renovate repository PR statistics (repository=myorg/my-repo)
       "stats": {"total": 1, "open": 0, "closed": 0, "merged": 1}
DEBUG: Repository result: done, status: onboarded, enabled: true, onboarded: true (repository=myorg/my-repo)
DEBUG: Repository timing splits (milliseconds) (repository=myorg/my-repo)
       "splits": {"init": 29039, "extract": 1379, "lookup": 4172, "onboarding": 0, "update": 2},
       "total": 41522
DEBUG: Package cache statistics (repository=myorg/my-repo)
       "get": {"count": 1, "avgMs": 47, "medianMs": 47, "maxMs": 47, "totalMs": 47},
       "set": {"count": 0, "avgMs": 0, "medianMs": 0, "maxMs": 0, "totalMs": 0}
DEBUG: HTTP statistics (repository=myorg/my-repo)
       "urls": {
         "https://self-hosted-github.com/api/graphql": {"POST": {"200": 3}},
         "https://self-hosted-github.com/api/v3/repos/myorg/my-repo/issues/189": {
           "GET": {"200": 1},
           "PATCH": {"200": 1}
         },
         "https://self-hosted-github.com/api/v3/repos/myorg/my-repo/pulls": {
           "GET": {"200": 1}
         },
         "https://self-hosted-github.com/api/v3/repositories/78604/pulls": {
           "GET": {"200": 1}
         }
       },
       "hosts": {
         "self-hosted-github.com": {
           "count": 7,
           "reqAvgMs": 2218,
           "reqMedianMs": 1242,
           "reqMaxMs": 5400,
           "queueAvgMs": 0,
           "queueMedianMs": 0,
           "queueMaxMs": 1
         }
       },
       "requests": 7
DEBUG: HTTP cache statistics (repository=myorg/my-repo)
       "https://self-hosted-github.com": {
         "/api/v3/repos/myorg/my-repo/issues/189": {"hit": 0, "miss": 4},
         "/api/v3/repos/myorg/my-repo/pulls": {"hit": 0, "miss": 1}
       }
DEBUG: Lookup statistics (repository=myorg/my-repo)
       "pypi": {"count": 1, "avgMs": 67, "medianMs": 67, "maxMs": 67, "totalMs": 67}
DEBUG: dns cache (repository=myorg/my-repo)
       "hosts": []
 INFO: Repository finished (repository=myorg/my-repo)
       "cloned": true,
       "durationMs": 41522
DEBUG: Checking file package cache for expired items
DEBUG: Verifying and cleaning cache: /tmp/renovate/cache/renovate/renovate-cache-v1
DEBUG: Deleted 0 of 110 file cached entries in 850ms

[Churro]

Which renovate version are you using? There have been changes lately, so please update first.

[greyli-dell]

I'm using 37.381.11, updating to the latest version (37.415.0) fixes the issue. Thanks!