renovate 42.92.7 → 42.92.9

package/dist/config/decrypt.js

@@ -5,7 +5,7 @@ const require_regex = require('../util/regex.js');
 const require_sanitize = require('../util/sanitize.js');
 const require_index = require('../logger/index.js');
 const require_url = require('../util/url.js');
-const require_global = require('./global.js');
+const require_config_global = require('./global.js');
 const require_bcpgp = require('./decrypt/bcpgp.js');
 const require_openpgp = require('./decrypt/openpgp.js');
 const require_schema = require('./schema.js');
@@ -81,7 +81,7 @@ async function decryptConfig(config, repository, existingPath = "$") {
 	for (const [key, val] of Object.entries(config)) if (key === "encrypted" && (0, _sindresorhus_is.isObject)(val)) {
 		const path = `${existingPath}.${key}`;
 		require_index.logger.debug({ config: val }, `Found encrypted config in ${path}`);
-		const encryptedWarning = require_global.GlobalConfig.get("encryptedWarning");
+		const encryptedWarning = require_config_global.GlobalConfig.get("encryptedWarning");
 		if ((0, _sindresorhus_is.isString)(encryptedWarning)) require_index.logger.once.warn(encryptedWarning);
 		if (privateKey) for (const [eKey, eVal] of Object.entries(val)) {
 			require_index.logger.debug(`Trying to decrypt ${eKey} in ${path}`);
@@ -133,8 +133,8 @@ Refer to migration documents here: https://docs.renovatebot.com/mend-hosted/migr
 	return decryptedConfig;
 }
 function getAzureCollection() {
-	if (require_global.GlobalConfig.get("platform") !== "azure") return;
-	const endpoint = require_global.GlobalConfig.get("endpoint");
+	if (require_config_global.GlobalConfig.get("platform") !== "azure") return;
+	const endpoint = require_config_global.GlobalConfig.get("endpoint");
 	const endpointUrl = require_url.parseUrl(endpoint);
 	if (endpointUrl === null) {
 		require_index.logger.warn({ endpoint }, "Unable to parse endpoint for token decryption");

package/dist/config/decrypt.js.map

@@ -1 +1 @@
-{"version":3,"file":"decrypt.js","names":["getEnv","tryDecryptOpenPgp","tryDecryptBcPgp","DecryptedObject","ensureTrailingSlash","GlobalConfig","regEx","CONFIG_VALIDATION","parseUrl","trimSlashes"],"sources":["../../lib/config/decrypt.ts"],"sourcesContent":["import {\n  isArray,\n  isNonEmptyString,\n  isObject,\n  isString,\n} from '@sindresorhus/is';\nimport { CONFIG_VALIDATION } from '../constants/error-messages';\nimport { logger } from '../logger';\nimport { getEnv } from '../util/env';\nimport { regEx } from '../util/regex';\nimport { addSecretForSanitizing } from '../util/sanitize';\nimport { ensureTrailingSlash, parseUrl, trimSlashes } from '../util/url';\nimport { tryDecryptBcPgp } from './decrypt/bcpgp';\nimport { tryDecryptOpenPgp } from './decrypt/openpgp';\nimport { GlobalConfig } from './global';\nimport { DecryptedObject } from './schema';\nimport type { AllConfig, RenovateConfig } from './types';\n\nlet privateKey: string | undefined;\nlet privateKeyOld: string | undefined;\n\nexport function setPrivateKeys(\n  pKey: string | undefined,\n  pKeyOld: string | undefined,\n): void {\n  privateKey = pKey;\n  privateKeyOld = pKeyOld;\n}\n\nexport async function tryDecrypt(\n  key: string,\n  encryptedStr: string,\n  repository: string,\n): Promise<string | null> {\n  let decryptedStr: string | null = null;\n  const decryptedObjStr =\n    getEnv().RENOVATE_X_USE_OPENPGP === 'true'\n      ? await tryDecryptOpenPgp(key, encryptedStr)\n      : await tryDecryptBcPgp(key, encryptedStr);\n  if (decryptedObjStr) {\n    decryptedStr = validateDecryptedValue(decryptedObjStr, repository);\n  }\n  return decryptedStr;\n}\n\nexport function validateDecryptedValue(\n  decryptedObjStr: string,\n  repository: string,\n): string | null {\n  try {\n    const decryptedObj = DecryptedObject.safeParse(decryptedObjStr);\n    if (!decryptedObj.success) {\n      const error = new Error('config-validation');\n      error.validationError = `Could not parse decrypted config.`;\n      throw error;\n    }\n\n    const { o: org, r: repo, v: value } = decryptedObj.data;\n\n    if (!isNonEmptyString(value)) {\n      const error = new Error('config-validation');\n      error.validationError = `Encrypted value in config is missing a value.`;\n      throw error;\n    }\n\n    if (!isNonEmptyString(org)) {\n      const error = new Error('config-validation');\n      error.validationError = `Encrypted value in config is missing a scope.`;\n      throw error;\n    }\n\n    const repositories = [repository.toUpperCase()];\n\n    const azureCollection = getAzureCollection();\n    if (isNonEmptyString(azureCollection)) {\n      // used for full 'org/project/repo' matching\n      repositories.push(`${azureCollection}/${repository}`.toUpperCase());\n      // used for org prefix matching without repo\n      repositories.push(`${azureCollection}/*/`.toUpperCase());\n    }\n\n    const orgPrefixes = org\n      .split(',')\n      .map((o) => o.trim())\n      .map((o) => o.toUpperCase())\n      .map((o) => ensureTrailingSlash(o));\n\n    if (isNonEmptyString(repo)) {\n      const scopedRepos = orgPrefixes.map((orgPrefix) =>\n        `${orgPrefix}${repo}`.toUpperCase(),\n      );\n      for (const rp of repositories) {\n        if (scopedRepos.some((r) => r === rp)) {\n          return value;\n        }\n      }\n\n      logger.debug(\n        { scopedRepos },\n        'Secret is scoped to a different repository',\n      );\n      const error = new Error('config-validation');\n      const scopeString = scopedRepos.join(',');\n      error.validationError = `Encrypted secret is scoped to a different repository: \"${scopeString}\".`;\n      throw error;\n    }\n\n    // no scoped repos, only org\n    const azcol =\n      azureCollection === undefined\n        ? undefined\n        : ensureTrailingSlash(azureCollection).toUpperCase();\n    for (const rp of repositories) {\n      if (\n        orgPrefixes.some(\n          (orgPrefix) => rp.startsWith(orgPrefix) && orgPrefix !== azcol,\n        )\n      ) {\n        return value;\n      }\n    }\n    logger.debug({ orgPrefixes }, 'Secret is scoped to a different org');\n    const error = new Error('config-validation');\n    const scopeString = orgPrefixes.join(',');\n    error.validationError = `Encrypted secret is scoped to a different org: \"${scopeString}\".`;\n    throw error;\n  } catch (err) {\n    logger.warn({ err }, 'Could not parse decrypted string');\n  }\n  return null;\n}\n\nexport async function decryptConfig<T extends RenovateConfig = AllConfig>(\n  config: T,\n  repository: string,\n  existingPath = '$',\n): Promise<T> {\n  logger.trace({ config }, 'decryptConfig()');\n  const decryptedConfig = { ...config };\n  for (const [key, val] of Object.entries(config)) {\n    if (key === 'encrypted' && isObject(val)) {\n      const path = `${existingPath}.${key}`;\n      logger.debug({ config: val }, `Found encrypted config in ${path}`);\n\n      const encryptedWarning = GlobalConfig.get('encryptedWarning');\n      if (isString(encryptedWarning)) {\n        logger.once.warn(encryptedWarning);\n      }\n\n      if (privateKey) {\n        for (const [eKey, eVal] of Object.entries(val)) {\n          logger.debug(`Trying to decrypt ${eKey} in ${path}`);\n          let decryptedStr = await tryDecrypt(privateKey, eVal, repository);\n          if (privateKeyOld && !isNonEmptyString(decryptedStr)) {\n            logger.debug(`Trying to decrypt with old private key`);\n            decryptedStr = await tryDecrypt(privateKeyOld, eVal, repository);\n          }\n          if (!isNonEmptyString(decryptedStr)) {\n            const error = new Error('config-validation');\n            error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;\n            throw error;\n          }\n          logger.debug(`Decrypted ${eKey} in ${path}`);\n          // v8 ignore if -- TODO: add test #40625\n          if (eKey === 'npmToken') {\n            const token = decryptedStr.replace(regEx(/\\n$/), '');\n            decryptedConfig[eKey] = token;\n            addSecretForSanitizing(token);\n          } else {\n            // @ts-expect-error -- type can't be narrowed\n            decryptedConfig[eKey] = decryptedStr;\n            addSecretForSanitizing(decryptedStr);\n          }\n        }\n      } else {\n        const env = getEnv();\n        if (env.RENOVATE_X_ENCRYPTED_STRICT === 'true') {\n          const error = new Error(CONFIG_VALIDATION);\n          error.validationSource = 'config';\n          error.validationError = 'Encrypted config unsupported';\n          error.validationMessage = `This config contains an encrypted object at location \\`$.${key}\\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \\`privateKey\\` in Global Configuration.`;\n          if (env.MEND_HOSTED === 'true') {\n            error.validationMessage = `Mend-hosted Renovate Apps no longer support the use of encrypted secrets in Renovate file config (e.g. renovate.json).\nPlease migrate all secrets to the Developer Portal using the web UI available at https://developer.mend.io/\n\nRefer to migration documents here: https://docs.renovatebot.com/mend-hosted/migrating-secrets/`;\n          }\n          throw error;\n        } else {\n          logger.error('Found encrypted data but no privateKey');\n        }\n      }\n      delete decryptedConfig.encrypted;\n    } else if (isArray(val)) {\n      // @ts-expect-error -- type can't be narrowed\n      decryptedConfig[key] = [];\n      for (const [index, item] of val.entries()) {\n        if (isObject(item) && !isArray(item)) {\n          const path = `${existingPath}.${key}[${index}]`;\n          // @ts-expect-error -- type can't be narrowed\n          (decryptedConfig[key] as RenovateConfig[]).push(\n            await decryptConfig(item as RenovateConfig, repository, path),\n          );\n        } else {\n          // @ts-expect-error -- type can't be narrowed\n          (decryptedConfig[key] as unknown[]).push(item);\n        }\n      }\n    } else if (isObject(val) && key !== 'content') {\n      const path = `${existingPath}.${key}`;\n      // @ts-expect-error -- type can't be narrowed\n      decryptedConfig[key] = await decryptConfig(\n        val as RenovateConfig,\n        repository,\n        path,\n      );\n    }\n  }\n  delete decryptedConfig.encrypted;\n  logger.trace({ config: decryptedConfig }, 'decryptedConfig');\n  return decryptedConfig;\n}\n\nexport function getAzureCollection(): string | undefined {\n  const platform = GlobalConfig.get('platform');\n  if (platform !== 'azure') {\n    return undefined;\n  }\n\n  const endpoint = GlobalConfig.get('endpoint');\n  const endpointUrl = parseUrl(endpoint);\n  if (endpointUrl === null) {\n    // should not happen\n    logger.warn({ endpoint }, 'Unable to parse endpoint for token decryption');\n    return undefined;\n  }\n\n  const azureCollection = trimSlashes(endpointUrl.pathname);\n  if (!isNonEmptyString(azureCollection)) {\n    logger.debug({ endpoint }, 'Unable to find azure collection name from URL');\n    return undefined;\n  }\n\n  if (azureCollection.startsWith('tfs/')) {\n    // Azure DevOps Server\n    return azureCollection.substring(4);\n  }\n  return azureCollection;\n}\n"],"mappings":";;;;;;;;;;;;;;4CAMgE;2BAC7B;sBACE;0BACC;gCACoB;sBACe;AAOzE,IAAI;AACJ,IAAI;AAEJ,SAAgB,eACd,MACA,SACM;AACN,cAAa;AACb,iBAAgB;;AAGlB,eAAsB,WACpB,KACA,cACA,YACwB;CACxB,IAAI,eAA8B;CAClC,MAAM,kBACJA,oBAAQ,CAAC,2BAA2B,SAChC,MAAMC,kCAAkB,KAAK,aAAa,GAC1C,MAAMC,8BAAgB,KAAK,aAAa;AAC9C,KAAI,gBACF,gBAAe,uBAAuB,iBAAiB,WAAW;AAEpE,QAAO;;AAGT,SAAgB,uBACd,iBACA,YACe;AACf,KAAI;EACF,MAAM,eAAeC,+BAAgB,UAAU,gBAAgB;AAC/D,MAAI,CAAC,aAAa,SAAS;GACzB,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAC5C,SAAM,kBAAkB;AACxB,SAAM;;EAGR,MAAM,EAAE,GAAG,KAAK,GAAG,MAAM,GAAG,UAAU,aAAa;AAEnD,MAAI,wCAAkB,MAAM,EAAE;GAC5B,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAC5C,SAAM,kBAAkB;AACxB,SAAM;;AAGR,MAAI,wCAAkB,IAAI,EAAE;GAC1B,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAC5C,SAAM,kBAAkB;AACxB,SAAM;;EAGR,MAAM,eAAe,CAAC,WAAW,aAAa,CAAC;EAE/C,MAAM,kBAAkB,oBAAoB;AAC5C,6CAAqB,gBAAgB,EAAE;AAErC,gBAAa,KAAK,GAAG,gBAAgB,GAAG,aAAa,aAAa,CAAC;AAEnE,gBAAa,KAAK,GAAG,gBAAgB,KAAK,aAAa,CAAC;;EAG1D,MAAM,cAAc,IACjB,MAAM,IAAI,CACV,KAAK,MAAM,EAAE,MAAM,CAAC,CACpB,KAAK,MAAM,EAAE,aAAa,CAAC,CAC3B,KAAK,MAAMC,gCAAoB,EAAE,CAAC;AAErC,6CAAqB,KAAK,EAAE;GAC1B,MAAM,cAAc,YAAY,KAAK,cACnC,GAAG,YAAY,OAAO,aAAa,CACpC;AACD,QAAK,MAAM,MAAM,aACf,KAAI,YAAY,MAAM,MAAM,MAAM,GAAG,CACnC,QAAO;AAIX,wBAAO,MACL,EAAE,aAAa,EACf,6CACD;GACD,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAE5C,SAAM,kBAAkB,0DADJ,YAAY,KAAK,IAAI,CACqD;AAC9F,SAAM;;EAIR,MAAM,QACJ,oBAAoB,SAChB,SACAA,gCAAoB,gBAAgB,CAAC,aAAa;AACxD,OAAK,MAAM,MAAM,aACf,KACE,YAAY,MACT,cAAc,GAAG,WAAW,UAAU,IAAI,cAAc,MAC1D,CAED,QAAO;AAGX,uBAAO,MAAM,EAAE,aAAa,EAAE,sCAAsC;EACpE,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAE5C,QAAM,kBAAkB,mDADJ,YAAY,KAAK,IAAI,CAC8C;AACvF,QAAM;UACC,KAAK;AACZ,uBAAO,KAAK,EAAE,KAAK,EAAE,mCAAmC;;AAE1D,QAAO;;AAGT,eAAsB,cACpB,QACA,YACA,eAAe,KACH;AACZ,sBAAO,MAAM,EAAE,QAAQ,EAAE,kBAAkB;CAC3C,MAAM,kBAAkB,EAAE,GAAG,QAAQ;AACrC,MAAK,MAAM,CAAC,KAAK,QAAQ,OAAO,QAAQ,OAAO,CAC7C,KAAI,QAAQ,8CAAwB,IAAI,EAAE;EACxC,MAAM,OAAO,GAAG,aAAa,GAAG;AAChC,uBAAO,MAAM,EAAE,QAAQ,KAAK,EAAE,6BAA6B,OAAO;EAElE,MAAM,mBAAmBC,4BAAa,IAAI,mBAAmB;AAC7D,qCAAa,iBAAiB,CAC5B,sBAAO,KAAK,KAAK,iBAAiB;AAGpC,MAAI,WACF,MAAK,MAAM,CAAC,MAAM,SAAS,OAAO,QAAQ,IAAI,EAAE;AAC9C,wBAAO,MAAM,qBAAqB,KAAK,MAAM,OAAO;GACpD,IAAI,eAAe,MAAM,WAAW,YAAY,MAAM,WAAW;AACjE,OAAI,iBAAiB,wCAAkB,aAAa,EAAE;AACpD,yBAAO,MAAM,yCAAyC;AACtD,mBAAe,MAAM,WAAW,eAAe,MAAM,WAAW;;AAElE,OAAI,wCAAkB,aAAa,EAAE;IACnC,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAC5C,UAAM,kBAAkB,2BAA2B,KAAK;AACxD,UAAM;;AAER,wBAAO,MAAM,aAAa,KAAK,MAAM,OAAO;;AAE5C,OAAI,SAAS,YAAY;IACvB,MAAM,QAAQ,aAAa,QAAQC,oBAAM,MAAM,EAAE,GAAG;AACpD,oBAAgB,QAAQ;AACxB,4CAAuB,MAAM;UACxB;AAEL,oBAAgB,QAAQ;AACxB,4CAAuB,aAAa;;;OAGnC;GACL,MAAM,MAAMN,oBAAQ;AACpB,OAAI,IAAI,gCAAgC,QAAQ;IAC9C,MAAM,QAAQ,IAAI,MAAMO,yCAAkB;AAC1C,UAAM,mBAAmB;AACzB,UAAM,kBAAkB;AACxB,UAAM,oBAAoB,4DAA4D,IAAI;AAC1F,QAAI,IAAI,gBAAgB,OACtB,OAAM,oBAAoB;;;;AAK5B,UAAM;SAEN,sBAAO,MAAM,yCAAyC;;AAG1D,SAAO,gBAAgB;0CACN,IAAI,EAAE;AAEvB,kBAAgB,OAAO,EAAE;AACzB,OAAK,MAAM,CAAC,OAAO,SAAS,IAAI,SAAS,CACvC,oCAAa,KAAK,IAAI,+BAAS,KAAK,EAAE;GACpC,MAAM,OAAO,GAAG,aAAa,GAAG,IAAI,GAAG,MAAM;AAE7C,GAAC,gBAAgB,KAA0B,KACzC,MAAM,cAAc,MAAwB,YAAY,KAAK,CAC9D;QAGD,CAAC,gBAAgB,KAAmB,KAAK,KAAK;2CAGhC,IAAI,IAAI,QAAQ,UAGlC,iBAAgB,OAAO,MAAM,cAC3B,KACA,YAJW,GAAG,aAAa,GAAG,MAM/B;AAGL,QAAO,gBAAgB;AACvB,sBAAO,MAAM,EAAE,QAAQ,iBAAiB,EAAE,kBAAkB;AAC5D,QAAO;;AAGT,SAAgB,qBAAyC;AAEvD,KADiBF,4BAAa,IAAI,WAAW,KAC5B,QACf;CAGF,MAAM,WAAWA,4BAAa,IAAI,WAAW;CAC7C,MAAM,cAAcG,qBAAS,SAAS;AACtC,KAAI,gBAAgB,MAAM;AAExB,uBAAO,KAAK,EAAE,UAAU,EAAE,gDAAgD;AAC1E;;CAGF,MAAM,kBAAkBC,wBAAY,YAAY,SAAS;AACzD,KAAI,wCAAkB,gBAAgB,EAAE;AACtC,uBAAO,MAAM,EAAE,UAAU,EAAE,gDAAgD;AAC3E;;AAGF,KAAI,gBAAgB,WAAW,OAAO,CAEpC,QAAO,gBAAgB,UAAU,EAAE;AAErC,QAAO"}
+{"version":3,"file":"decrypt.js","names":["getEnv","tryDecryptOpenPgp","tryDecryptBcPgp","DecryptedObject","ensureTrailingSlash","GlobalConfig","regEx","CONFIG_VALIDATION","parseUrl","trimSlashes"],"sources":["../../lib/config/decrypt.ts"],"sourcesContent":["import {\n  isArray,\n  isNonEmptyString,\n  isObject,\n  isString,\n} from '@sindresorhus/is';\nimport { CONFIG_VALIDATION } from '../constants/error-messages';\nimport { logger } from '../logger';\nimport { getEnv } from '../util/env';\nimport { regEx } from '../util/regex';\nimport { addSecretForSanitizing } from '../util/sanitize';\nimport { ensureTrailingSlash, parseUrl, trimSlashes } from '../util/url';\nimport { tryDecryptBcPgp } from './decrypt/bcpgp';\nimport { tryDecryptOpenPgp } from './decrypt/openpgp';\nimport { GlobalConfig } from './global';\nimport { DecryptedObject } from './schema';\nimport type { AllConfig, RenovateConfig } from './types';\n\nlet privateKey: string | undefined;\nlet privateKeyOld: string | undefined;\n\nexport function setPrivateKeys(\n  pKey: string | undefined,\n  pKeyOld: string | undefined,\n): void {\n  privateKey = pKey;\n  privateKeyOld = pKeyOld;\n}\n\nexport async function tryDecrypt(\n  key: string,\n  encryptedStr: string,\n  repository: string,\n): Promise<string | null> {\n  let decryptedStr: string | null = null;\n  const decryptedObjStr =\n    getEnv().RENOVATE_X_USE_OPENPGP === 'true'\n      ? await tryDecryptOpenPgp(key, encryptedStr)\n      : await tryDecryptBcPgp(key, encryptedStr);\n  if (decryptedObjStr) {\n    decryptedStr = validateDecryptedValue(decryptedObjStr, repository);\n  }\n  return decryptedStr;\n}\n\nexport function validateDecryptedValue(\n  decryptedObjStr: string,\n  repository: string,\n): string | null {\n  try {\n    const decryptedObj = DecryptedObject.safeParse(decryptedObjStr);\n    if (!decryptedObj.success) {\n      const error = new Error('config-validation');\n      error.validationError = `Could not parse decrypted config.`;\n      throw error;\n    }\n\n    const { o: org, r: repo, v: value } = decryptedObj.data;\n\n    if (!isNonEmptyString(value)) {\n      const error = new Error('config-validation');\n      error.validationError = `Encrypted value in config is missing a value.`;\n      throw error;\n    }\n\n    if (!isNonEmptyString(org)) {\n      const error = new Error('config-validation');\n      error.validationError = `Encrypted value in config is missing a scope.`;\n      throw error;\n    }\n\n    const repositories = [repository.toUpperCase()];\n\n    const azureCollection = getAzureCollection();\n    if (isNonEmptyString(azureCollection)) {\n      // used for full 'org/project/repo' matching\n      repositories.push(`${azureCollection}/${repository}`.toUpperCase());\n      // used for org prefix matching without repo\n      repositories.push(`${azureCollection}/*/`.toUpperCase());\n    }\n\n    const orgPrefixes = org\n      .split(',')\n      .map((o) => o.trim())\n      .map((o) => o.toUpperCase())\n      .map((o) => ensureTrailingSlash(o));\n\n    if (isNonEmptyString(repo)) {\n      const scopedRepos = orgPrefixes.map((orgPrefix) =>\n        `${orgPrefix}${repo}`.toUpperCase(),\n      );\n      for (const rp of repositories) {\n        if (scopedRepos.some((r) => r === rp)) {\n          return value;\n        }\n      }\n\n      logger.debug(\n        { scopedRepos },\n        'Secret is scoped to a different repository',\n      );\n      const error = new Error('config-validation');\n      const scopeString = scopedRepos.join(',');\n      error.validationError = `Encrypted secret is scoped to a different repository: \"${scopeString}\".`;\n      throw error;\n    }\n\n    // no scoped repos, only org\n    const azcol =\n      azureCollection === undefined\n        ? undefined\n        : ensureTrailingSlash(azureCollection).toUpperCase();\n    for (const rp of repositories) {\n      if (\n        orgPrefixes.some(\n          (orgPrefix) => rp.startsWith(orgPrefix) && orgPrefix !== azcol,\n        )\n      ) {\n        return value;\n      }\n    }\n    logger.debug({ orgPrefixes }, 'Secret is scoped to a different org');\n    const error = new Error('config-validation');\n    const scopeString = orgPrefixes.join(',');\n    error.validationError = `Encrypted secret is scoped to a different org: \"${scopeString}\".`;\n    throw error;\n  } catch (err) {\n    logger.warn({ err }, 'Could not parse decrypted string');\n  }\n  return null;\n}\n\nexport async function decryptConfig<T extends RenovateConfig = AllConfig>(\n  config: T,\n  repository: string,\n  existingPath = '$',\n): Promise<T> {\n  logger.trace({ config }, 'decryptConfig()');\n  const decryptedConfig = { ...config };\n  for (const [key, val] of Object.entries(config)) {\n    if (key === 'encrypted' && isObject(val)) {\n      const path = `${existingPath}.${key}`;\n      logger.debug({ config: val }, `Found encrypted config in ${path}`);\n\n      const encryptedWarning = GlobalConfig.get('encryptedWarning');\n      if (isString(encryptedWarning)) {\n        logger.once.warn(encryptedWarning);\n      }\n\n      if (privateKey) {\n        for (const [eKey, eVal] of Object.entries(val)) {\n          logger.debug(`Trying to decrypt ${eKey} in ${path}`);\n          let decryptedStr = await tryDecrypt(privateKey, eVal, repository);\n          if (privateKeyOld && !isNonEmptyString(decryptedStr)) {\n            logger.debug(`Trying to decrypt with old private key`);\n            decryptedStr = await tryDecrypt(privateKeyOld, eVal, repository);\n          }\n          if (!isNonEmptyString(decryptedStr)) {\n            const error = new Error('config-validation');\n            error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;\n            throw error;\n          }\n          logger.debug(`Decrypted ${eKey} in ${path}`);\n          // v8 ignore if -- TODO: add test #40625\n          if (eKey === 'npmToken') {\n            const token = decryptedStr.replace(regEx(/\\n$/), '');\n            decryptedConfig[eKey] = token;\n            addSecretForSanitizing(token);\n          } else {\n            // @ts-expect-error -- type can't be narrowed\n            decryptedConfig[eKey] = decryptedStr;\n            addSecretForSanitizing(decryptedStr);\n          }\n        }\n      } else {\n        const env = getEnv();\n        if (env.RENOVATE_X_ENCRYPTED_STRICT === 'true') {\n          const error = new Error(CONFIG_VALIDATION);\n          error.validationSource = 'config';\n          error.validationError = 'Encrypted config unsupported';\n          error.validationMessage = `This config contains an encrypted object at location \\`$.${key}\\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \\`privateKey\\` in Global Configuration.`;\n          if (env.MEND_HOSTED === 'true') {\n            error.validationMessage = `Mend-hosted Renovate Apps no longer support the use of encrypted secrets in Renovate file config (e.g. renovate.json).\nPlease migrate all secrets to the Developer Portal using the web UI available at https://developer.mend.io/\n\nRefer to migration documents here: https://docs.renovatebot.com/mend-hosted/migrating-secrets/`;\n          }\n          throw error;\n        } else {\n          logger.error('Found encrypted data but no privateKey');\n        }\n      }\n      delete decryptedConfig.encrypted;\n    } else if (isArray(val)) {\n      // @ts-expect-error -- type can't be narrowed\n      decryptedConfig[key] = [];\n      for (const [index, item] of val.entries()) {\n        if (isObject(item) && !isArray(item)) {\n          const path = `${existingPath}.${key}[${index}]`;\n          // @ts-expect-error -- type can't be narrowed\n          (decryptedConfig[key] as RenovateConfig[]).push(\n            await decryptConfig(item as RenovateConfig, repository, path),\n          );\n        } else {\n          // @ts-expect-error -- type can't be narrowed\n          (decryptedConfig[key] as unknown[]).push(item);\n        }\n      }\n    } else if (isObject(val) && key !== 'content') {\n      const path = `${existingPath}.${key}`;\n      // @ts-expect-error -- type can't be narrowed\n      decryptedConfig[key] = await decryptConfig(\n        val as RenovateConfig,\n        repository,\n        path,\n      );\n    }\n  }\n  delete decryptedConfig.encrypted;\n  logger.trace({ config: decryptedConfig }, 'decryptedConfig');\n  return decryptedConfig;\n}\n\nexport function getAzureCollection(): string | undefined {\n  const platform = GlobalConfig.get('platform');\n  if (platform !== 'azure') {\n    return undefined;\n  }\n\n  const endpoint = GlobalConfig.get('endpoint');\n  const endpointUrl = parseUrl(endpoint);\n  if (endpointUrl === null) {\n    // should not happen\n    logger.warn({ endpoint }, 'Unable to parse endpoint for token decryption');\n    return undefined;\n  }\n\n  const azureCollection = trimSlashes(endpointUrl.pathname);\n  if (!isNonEmptyString(azureCollection)) {\n    logger.debug({ endpoint }, 'Unable to find azure collection name from URL');\n    return undefined;\n  }\n\n  if (azureCollection.startsWith('tfs/')) {\n    // Azure DevOps Server\n    return azureCollection.substring(4);\n  }\n  return azureCollection;\n}\n"],"mappings":";;;;;;;;;;;;;;4CAMgE;2BAC7B;sBACE;0BACC;gCACoB;sBACe;AAOzE,IAAI;AACJ,IAAI;AAEJ,SAAgB,eACd,MACA,SACM;AACN,cAAa;AACb,iBAAgB;;AAGlB,eAAsB,WACpB,KACA,cACA,YACwB;CACxB,IAAI,eAA8B;CAClC,MAAM,kBACJA,oBAAQ,CAAC,2BAA2B,SAChC,MAAMC,kCAAkB,KAAK,aAAa,GAC1C,MAAMC,8BAAgB,KAAK,aAAa;AAC9C,KAAI,gBACF,gBAAe,uBAAuB,iBAAiB,WAAW;AAEpE,QAAO;;AAGT,SAAgB,uBACd,iBACA,YACe;AACf,KAAI;EACF,MAAM,eAAeC,+BAAgB,UAAU,gBAAgB;AAC/D,MAAI,CAAC,aAAa,SAAS;GACzB,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAC5C,SAAM,kBAAkB;AACxB,SAAM;;EAGR,MAAM,EAAE,GAAG,KAAK,GAAG,MAAM,GAAG,UAAU,aAAa;AAEnD,MAAI,wCAAkB,MAAM,EAAE;GAC5B,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAC5C,SAAM,kBAAkB;AACxB,SAAM;;AAGR,MAAI,wCAAkB,IAAI,EAAE;GAC1B,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAC5C,SAAM,kBAAkB;AACxB,SAAM;;EAGR,MAAM,eAAe,CAAC,WAAW,aAAa,CAAC;EAE/C,MAAM,kBAAkB,oBAAoB;AAC5C,6CAAqB,gBAAgB,EAAE;AAErC,gBAAa,KAAK,GAAG,gBAAgB,GAAG,aAAa,aAAa,CAAC;AAEnE,gBAAa,KAAK,GAAG,gBAAgB,KAAK,aAAa,CAAC;;EAG1D,MAAM,cAAc,IACjB,MAAM,IAAI,CACV,KAAK,MAAM,EAAE,MAAM,CAAC,CACpB,KAAK,MAAM,EAAE,aAAa,CAAC,CAC3B,KAAK,MAAMC,gCAAoB,EAAE,CAAC;AAErC,6CAAqB,KAAK,EAAE;GAC1B,MAAM,cAAc,YAAY,KAAK,cACnC,GAAG,YAAY,OAAO,aAAa,CACpC;AACD,QAAK,MAAM,MAAM,aACf,KAAI,YAAY,MAAM,MAAM,MAAM,GAAG,CACnC,QAAO;AAIX,wBAAO,MACL,EAAE,aAAa,EACf,6CACD;GACD,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAE5C,SAAM,kBAAkB,0DADJ,YAAY,KAAK,IAAI,CACqD;AAC9F,SAAM;;EAIR,MAAM,QACJ,oBAAoB,SAChB,SACAA,gCAAoB,gBAAgB,CAAC,aAAa;AACxD,OAAK,MAAM,MAAM,aACf,KACE,YAAY,MACT,cAAc,GAAG,WAAW,UAAU,IAAI,cAAc,MAC1D,CAED,QAAO;AAGX,uBAAO,MAAM,EAAE,aAAa,EAAE,sCAAsC;EACpE,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAE5C,QAAM,kBAAkB,mDADJ,YAAY,KAAK,IAAI,CAC8C;AACvF,QAAM;UACC,KAAK;AACZ,uBAAO,KAAK,EAAE,KAAK,EAAE,mCAAmC;;AAE1D,QAAO;;AAGT,eAAsB,cACpB,QACA,YACA,eAAe,KACH;AACZ,sBAAO,MAAM,EAAE,QAAQ,EAAE,kBAAkB;CAC3C,MAAM,kBAAkB,EAAE,GAAG,QAAQ;AACrC,MAAK,MAAM,CAAC,KAAK,QAAQ,OAAO,QAAQ,OAAO,CAC7C,KAAI,QAAQ,8CAAwB,IAAI,EAAE;EACxC,MAAM,OAAO,GAAG,aAAa,GAAG;AAChC,uBAAO,MAAM,EAAE,QAAQ,KAAK,EAAE,6BAA6B,OAAO;EAElE,MAAM,mBAAmBC,mCAAa,IAAI,mBAAmB;AAC7D,qCAAa,iBAAiB,CAC5B,sBAAO,KAAK,KAAK,iBAAiB;AAGpC,MAAI,WACF,MAAK,MAAM,CAAC,MAAM,SAAS,OAAO,QAAQ,IAAI,EAAE;AAC9C,wBAAO,MAAM,qBAAqB,KAAK,MAAM,OAAO;GACpD,IAAI,eAAe,MAAM,WAAW,YAAY,MAAM,WAAW;AACjE,OAAI,iBAAiB,wCAAkB,aAAa,EAAE;AACpD,yBAAO,MAAM,yCAAyC;AACtD,mBAAe,MAAM,WAAW,eAAe,MAAM,WAAW;;AAElE,OAAI,wCAAkB,aAAa,EAAE;IACnC,MAAM,wBAAQ,IAAI,MAAM,oBAAoB;AAC5C,UAAM,kBAAkB,2BAA2B,KAAK;AACxD,UAAM;;AAER,wBAAO,MAAM,aAAa,KAAK,MAAM,OAAO;;AAE5C,OAAI,SAAS,YAAY;IACvB,MAAM,QAAQ,aAAa,QAAQC,oBAAM,MAAM,EAAE,GAAG;AACpD,oBAAgB,QAAQ;AACxB,4CAAuB,MAAM;UACxB;AAEL,oBAAgB,QAAQ;AACxB,4CAAuB,aAAa;;;OAGnC;GACL,MAAM,MAAMN,oBAAQ;AACpB,OAAI,IAAI,gCAAgC,QAAQ;IAC9C,MAAM,QAAQ,IAAI,MAAMO,yCAAkB;AAC1C,UAAM,mBAAmB;AACzB,UAAM,kBAAkB;AACxB,UAAM,oBAAoB,4DAA4D,IAAI;AAC1F,QAAI,IAAI,gBAAgB,OACtB,OAAM,oBAAoB;;;;AAK5B,UAAM;SAEN,sBAAO,MAAM,yCAAyC;;AAG1D,SAAO,gBAAgB;0CACN,IAAI,EAAE;AAEvB,kBAAgB,OAAO,EAAE;AACzB,OAAK,MAAM,CAAC,OAAO,SAAS,IAAI,SAAS,CACvC,oCAAa,KAAK,IAAI,+BAAS,KAAK,EAAE;GACpC,MAAM,OAAO,GAAG,aAAa,GAAG,IAAI,GAAG,MAAM;AAE7C,GAAC,gBAAgB,KAA0B,KACzC,MAAM,cAAc,MAAwB,YAAY,KAAK,CAC9D;QAGD,CAAC,gBAAgB,KAAmB,KAAK,KAAK;2CAGhC,IAAI,IAAI,QAAQ,UAGlC,iBAAgB,OAAO,MAAM,cAC3B,KACA,YAJW,GAAG,aAAa,GAAG,MAM/B;AAGL,QAAO,gBAAgB;AACvB,sBAAO,MAAM,EAAE,QAAQ,iBAAiB,EAAE,kBAAkB;AAC5D,QAAO;;AAGT,SAAgB,qBAAyC;AAEvD,KADiBF,mCAAa,IAAI,WAAW,KAC5B,QACf;CAGF,MAAM,WAAWA,mCAAa,IAAI,WAAW;CAC7C,MAAM,cAAcG,qBAAS,SAAS;AACtC,KAAI,gBAAgB,MAAM;AAExB,uBAAO,KAAK,EAAE,UAAU,EAAE,gDAAgD;AAC1E;;CAGF,MAAM,kBAAkBC,wBAAY,YAAY,SAAS;AACzD,KAAI,wCAAkB,gBAAgB,EAAE;AACtC,uBAAO,MAAM,EAAE,UAAU,EAAE,gDAAgD;AAC3E;;AAGF,KAAI,gBAAgB,WAAW,OAAO,CAEpC,QAAO,gBAAgB,UAAU,EAAE;AAErC,QAAO"}

package/dist/config/global.d.ts

@@ -0,0 +1,15 @@
+import { RenovateConfig, RepoGlobalConfig } from "./types.js";
+
+//#region lib/config/global.d.ts
+declare class GlobalConfig {
+  static OPTIONS: readonly (keyof RepoGlobalConfig)[];
+  private static config;
+  static get(): RepoGlobalConfig;
+  static get<Key extends keyof RepoGlobalConfig>(key: Key): RepoGlobalConfig[Key];
+  static get<Key extends keyof RepoGlobalConfig>(key: Key, defaultValue: Required<RepoGlobalConfig>[Key]): Required<RepoGlobalConfig>[Key];
+  static set(config: RenovateConfig & RepoGlobalConfig): RenovateConfig;
+  static reset(): void;
+}
+//#endregion
+export { GlobalConfig };
+//# sourceMappingURL=global.d.ts.map

package/dist/config/migrations/custom/extends-migration.js

@@ -1,5 +1,5 @@
 const require_rolldown_runtime = require('../../../_virtual/rolldown_runtime.js');
-const require_global = require('../../global.js');
+const require_config_global = require('../../global.js');
 const require_abstract_migration = require('../base/abstract-migration.js');
 const require_common = require('../../presets/common.js');
 let _sindresorhus_is = require("@sindresorhus/is");
@@ -18,7 +18,7 @@ var ExtendsMigration = class extends require_abstract_migration.AbstractMigratio
 		return presets.filter(_sindresorhus_is.isString).map((preset) => this.normalizePreset(preset)).filter(_sindresorhus_is.isNonEmptyString);
 	}
 	normalizePreset(preset) {
-		const migratePresets = require_global.GlobalConfig.get("migratePresets");
+		const migratePresets = require_config_global.GlobalConfig.get("migratePresets");
 		if (require_common.removedPresets[preset] !== void 0) return require_common.removedPresets[preset];
 		if (migratePresets?.[preset] !== void 0) return migratePresets?.[preset];
 		return preset;

package/dist/config/migrations/custom/extends-migration.js.map

@@ -1 +1 @@
-{"version":3,"file":"extends-migration.js","names":["AbstractMigration","isString","isNonEmptyString","GlobalConfig","removedPresets"],"sources":["../../../../lib/config/migrations/custom/extends-migration.ts"],"sourcesContent":["import { isNonEmptyString, isString } from '@sindresorhus/is';\nimport { GlobalConfig } from '../../global';\nimport { removedPresets } from '../../presets/common';\nimport { AbstractMigration } from '../base/abstract-migration';\n\nexport class ExtendsMigration extends AbstractMigration {\n  override readonly propertyName = 'extends';\n\n  override run(): void {\n    const value = this.get('extends');\n    let newPresets: string[] = [];\n\n    if (isString(value)) {\n      newPresets = this.normalizePresets([value]);\n    }\n\n    if (Array.isArray(value)) {\n      newPresets = this.normalizePresets(value);\n    }\n\n    this.rewrite(newPresets);\n  }\n\n  private normalizePresets(presets: string[]): string[] {\n    return presets\n      .filter(isString)\n      .map((preset) => this.normalizePreset(preset))\n      .filter(isNonEmptyString);\n  }\n\n  private normalizePreset(preset: string): string | null {\n    const migratePresets = GlobalConfig.get('migratePresets');\n\n    if (removedPresets[preset] !== undefined) {\n      return removedPresets[preset];\n    }\n\n    if (migratePresets?.[preset] !== undefined) {\n      return migratePresets?.[preset];\n    }\n\n    return preset;\n  }\n}\n"],"mappings":";;;;;;;AAKA,IAAa,mBAAb,cAAsCA,6CAAkB;CACtD,AAAkB,eAAe;CAEjC,AAAS,MAAY;EACnB,MAAM,QAAQ,KAAK,IAAI,UAAU;EACjC,IAAI,aAAuB,EAAE;AAE7B,qCAAa,MAAM,CACjB,cAAa,KAAK,iBAAiB,CAAC,MAAM,CAAC;AAG7C,MAAI,MAAM,QAAQ,MAAM,CACtB,cAAa,KAAK,iBAAiB,MAAM;AAG3C,OAAK,QAAQ,WAAW;;CAG1B,AAAQ,iBAAiB,SAA6B;AACpD,SAAO,QACJ,OAAOC,0BAAS,CAChB,KAAK,WAAW,KAAK,gBAAgB,OAAO,CAAC,CAC7C,OAAOC,kCAAiB;;CAG7B,AAAQ,gBAAgB,QAA+B;EACrD,MAAM,iBAAiBC,4BAAa,IAAI,iBAAiB;AAEzD,MAAIC,8BAAe,YAAY,OAC7B,QAAOA,8BAAe;AAGxB,MAAI,iBAAiB,YAAY,OAC/B,QAAO,iBAAiB;AAG1B,SAAO"}
+{"version":3,"file":"extends-migration.js","names":["AbstractMigration","isString","isNonEmptyString","GlobalConfig","removedPresets"],"sources":["../../../../lib/config/migrations/custom/extends-migration.ts"],"sourcesContent":["import { isNonEmptyString, isString } from '@sindresorhus/is';\nimport { GlobalConfig } from '../../global';\nimport { removedPresets } from '../../presets/common';\nimport { AbstractMigration } from '../base/abstract-migration';\n\nexport class ExtendsMigration extends AbstractMigration {\n  override readonly propertyName = 'extends';\n\n  override run(): void {\n    const value = this.get('extends');\n    let newPresets: string[] = [];\n\n    if (isString(value)) {\n      newPresets = this.normalizePresets([value]);\n    }\n\n    if (Array.isArray(value)) {\n      newPresets = this.normalizePresets(value);\n    }\n\n    this.rewrite(newPresets);\n  }\n\n  private normalizePresets(presets: string[]): string[] {\n    return presets\n      .filter(isString)\n      .map((preset) => this.normalizePreset(preset))\n      .filter(isNonEmptyString);\n  }\n\n  private normalizePreset(preset: string): string | null {\n    const migratePresets = GlobalConfig.get('migratePresets');\n\n    if (removedPresets[preset] !== undefined) {\n      return removedPresets[preset];\n    }\n\n    if (migratePresets?.[preset] !== undefined) {\n      return migratePresets?.[preset];\n    }\n\n    return preset;\n  }\n}\n"],"mappings":";;;;;;;AAKA,IAAa,mBAAb,cAAsCA,6CAAkB;CACtD,AAAkB,eAAe;CAEjC,AAAS,MAAY;EACnB,MAAM,QAAQ,KAAK,IAAI,UAAU;EACjC,IAAI,aAAuB,EAAE;AAE7B,qCAAa,MAAM,CACjB,cAAa,KAAK,iBAAiB,CAAC,MAAM,CAAC;AAG7C,MAAI,MAAM,QAAQ,MAAM,CACtB,cAAa,KAAK,iBAAiB,MAAM;AAG3C,OAAK,QAAQ,WAAW;;CAG1B,AAAQ,iBAAiB,SAA6B;AACpD,SAAO,QACJ,OAAOC,0BAAS,CAChB,KAAK,WAAW,KAAK,gBAAgB,OAAO,CAAC,CAC7C,OAAOC,kCAAiB;;CAG7B,AAAQ,gBAAgB,QAA+B;EACrD,MAAM,iBAAiBC,mCAAa,IAAI,iBAAiB;AAEzD,MAAIC,8BAAe,YAAY,OAC7B,QAAOA,8BAAe;AAGxB,MAAI,iBAAiB,YAAY,OAC/B,QAAO,iBAAiB;AAG1B,SAAO"}

package/dist/config/options/index.js

@@ -1,9 +1,9 @@
 const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
-const require_index = require('../../modules/versioning/index.js');
-const require_index$1 = require('../../modules/manager/custom/index.js');
-const require_index$2 = require('../../modules/manager/index.js');
+const require_modules_versioning_index = require('../../modules/versioning/index.js');
+const require_index = require('../../modules/manager/custom/index.js');
+const require_index$1 = require('../../modules/manager/index.js');
 const require_manager_list_generated = require('../../manager-list.generated.js');
-const require_index$3 = require('../../modules/platform/index.js');
+const require_modules_platform_index = require('../../modules/platform/index.js');
 const require_merge_confidence = require('../presets/internal/merge-confidence.js');
 const require_types = require('../types.js');
 let _sindresorhus_is = require("@sindresorhus/is");
@@ -973,7 +973,7 @@ const options = [
 		name: "platform",
 		description: "Platform type of repository.",
 		type: "string",
-		allowedValues: require_index$3.getPlatformList(),
+		allowedValues: require_modules_platform_index.getPlatformList(),
 		default: "github",
 		globalOnly: true
 	},
@@ -1289,7 +1289,7 @@ const options = [
 		name: "versioning",
 		description: "Versioning to use for filtering and comparisons.",
 		type: "string",
-		allowedValues: require_index.getVersioningList(),
+		allowedValues: require_modules_versioning_index.getVersioningList(),
 		cli: false,
 		env: false
 	},
@@ -3221,7 +3221,7 @@ function getOptions() {
 	return options;
 }
 function loadManagerOptions() {
-	const allManagers = new Map([...require_index$2.getManagers(), ...require_index$1.getCustomManagers()]);
+	const allManagers = new Map([...require_index$1.getManagers(), ...require_index.getCustomManagers()]);
 	for (const [name, config] of allManagers.entries())
  // v8 ignore else -- TODO: add test #40625
 	if (config.defaultConfig) {