Feature request: Option to bump package version ranges to match the version the lockfile is installing

[dylang]

Assumption

For this discussion, a made up dependency dep that has the latest version 1.5.0.

Example Situation

In the package.json

"dependencies": {
  "dep": "^1.0.0"
}

In the lockfile

dep@^1.0.0, dep@^1.5.0:
  version: 1.5.0

Result and Problem

👍 We are installing [email protected].
👎 Renovate still has in the queue: Upgrade from ^1.0.0 to ^1.5.0.
👎 Management, and some security tools, think we are still using 1.0.0.

Suggestion

With this feature enabled, Renovate would automatically update the package.json to match the version installed:

"dependencies": {
  "dep": "^1.5.0"
}

Reasoning

• Reduce the number of pull requests. In large repos that aren't maintained frequently, I see dozens of these pull requests that are basically redundant.
• Makes it more clear what version is being installed. Not everyone understands that the lockfile is always the source of truth. We see security warnings from tools that don't correctly use the lockfile to identify the actual version installed.
• Safer to switch package managers. Having the packages locked to the version being used means switching to pnpm or bun install is less likely to cause new problems from installing unwanted versions.

[rarkins]

1. Renovate will not update from ^1.0.0 to ^1.5.0 by default. You are opting into that with rangeStrategy=bump, which is a setting I don't recommend. By default it will keep it at ^1.0.0
2. Isn't bumping it to ^1.5.0 what you're asking to do? Your title indicates you want it bumped to 1.5.0, while your thumbs down indicates that updating it to ^1.5.0 is a "problem". Could you re-read what you wrote in case there's a typo, or you can explain it more clearly? D

[dylang]

Ah, yes, I forgot an important detail!

We've been using "postUpdateOptions": ["yarnDedupeFewer"], on every repo as long as it's been available so I forgot it's not default.

This leads to installing fewer dependencies, which reduces install time, and eliminated painful problems, such as those enormous typescript errors caused breaking changes in typescript types across patch versions of packages.

Before yarnDedupeFewer

dep@^1.0.0
  version: 1.0.0

dep@^1.5.0:
  version: 1.5.0

After yarnDedupeFewer

dep@^1.0.0, dep@^1.5.0:
  version: 1.5.0

A renovate PR Upgrade from ^1.0.0 to ^1.5.0 would not really an upgrade, because the lockfile is already saying dep@^1.0.0 should install 1.5.0. It's useful in that it updates the package.json to reflect this fact.

My feature request is to do the package.json change when the lockfile is updated to reflect what the lockfile is going to install.

[rarkins]

Unfortunately I still don't understand. First of all, please make sure to have confirmed your config. I suspect this applies to rangeStrategy=bump specifically, for example.

Next, please describe clearly expected versus current behavior. I'm not sure if you mean that you want the PR changed, or perhaps you want it suppressed. And does it apply to the "first" update Renovate does on a Repo, or does this apply continuously? Typically if you have rangeStrategy=bump then the locked value will be in sync with the package.json value.