Is it possible to have vulnerabilityAlerts only create MRs for minor and patch versions?

[Wayneoween]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitLab

Please tell us more about your question or problem

I'm trying to find out if it is possible to limit vulnerabilityAlerts to minor and patch and exclude major versions.

E.g. currently renovate creates MRs like this, which wants to upgrade vue to a major version but this is already on our radar mid-term.

We have set up dependencyDashboardApproval for major versions, but vulnerabilityAlerts seems to ignore this (fair enough, but that's why I'm here). Is it even possible to configure this for vulnerabilityAlerts or is it opinionated in that way, that this can't be done?

If it possible what would a minimal example look like? I couldn't figure out something by looking at the documentation or this discussion.

I imagined something like this:

{
  "packageRules": [
    {
      "matchUpdateTypes": [
        "minor",
        "patch"
      ],
      "vulnerabilityAlerts": {
        "enabled": true,
        "labels": [
          "type:renovate"
        ]
      }
    },
  ],
  "osvVulnerabilityAlerts": true
}

Or the other way around, but I didn't manage to get it to work so I'm trying to find help here because it might not even be possible.

Logs (if relevant)

No response

[RahulGautamSingh]

We don't want that to happen as users could miss the VAs that way. But, maybe some config is possible to get that result as well, you'll have to hit & try.

One way is to disable major updates for all deps, that would affect the VAs too..using the preset :disableMajorUpdates