vlsi opened a new pull request, #6710: URL: https://github.com/apache/jmeter/pull/6710
## Why Renovate opens a separate PR per groupId, and security updates are never grouped — Renovate resets their `groupName` to `null`. The recent Log4j advisory produced two separate security PRs, #6691 (`log4j-core`) and #6690 (`log4j-1.2-api`), even though both bump to the same `2.25.4`. ## What - Add a catch-all `packageRule` (first, `matchDatasources: ["maven"]`) that sets `groupName` to the dependency's groupId through the `replace` template, so every Maven update groups by groupId by default. - Add a `vulnerabilityAlerts` block with the same template, so security updates group by groupId too. - Leave the existing specific rules in place. They run after the catch-all and still override it for cross-groupId families (`errorprone`, classic `commons`, `xalan`/`xerces`), version pins (`slf4j`, `xml-apis`), and disabled entries (`guava`, internal `src:protocol`). The change is additive: every existing rule keeps its behaviour, and the catch-all only adds a default for dependencies that no specific rule covers. ## How to verify - `renovate-config-validator renovate.json` passes. - `renovate --platform=local --dry-run=full` on this branch groups all four Log4j artifacts (`log4j-core`, `log4j-api`, `log4j-1.2-api`, `log4j-slf4j2-impl`) into one branch `renovate/org.apache.logging.log4j`; `org.bouncycastle` and `org.apache.commons` each form their own group. ## Note Grouping is by exact groupId, so a project split across several groupIds (for example Jackson's `core` and `dataformat`) forms one group per groupId. Where several groupIds should move together, keep an explicit rule after the catch-all, as `com.google.errorprone` already does. 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
