Merged
29 changes: 13 additions & 16 deletions .github/renovate.json5
Expand Up @@ -2,13 +2,12 @@
"extends": [
"github>tryghost/renovate-config"
],
// Cap total open Renovate PRs at 10. The shared preset extends
// :disableRateLimiting (prConcurrentLimit: 0, prHourlyLimit: 0), so
// branchConcurrentLimit alone leaks — it exempts grouped, automerge-
// eligible, and vulnerability PRs, and is enforced per-run rather than
// as a true total. Setting prConcurrentLimit overrides the preset and
// gives us a hard ceiling regardless of update type. branchConcurrentLimit
// stays as a secondary guardrail.
// Keep Renovate's own concurrency guardrails in place. The shared preset
// extends :disableRateLimiting (prConcurrentLimit: 0, prHourlyLimit: 0),
// so these override that unlimited default. The true "no more than 10
// open Renovate PRs" cap is enforced in .github/workflows/renovate.yml
// because Renovate's vulnerability-alert path can bypass these limits and
// because we need the cap to be based on the live GitHub PR count.
"prConcurrentLimit": 10,
"branchConcurrentLimit": 10,
// Keep manually-closed immortal/grouped PRs closed unless explicitly
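Review bot: The new comment lists `prHourlyLimit: 0` among the preset's settings and then says "these override that unlimited default", but the hunk only sets `prConcurrentLimit` and `branchConcurrentLimit`; `prHourlyLimit` stays at the preset's 0, so either add an explicit `"prHourlyLimit"` value or drop it from the sentence so the comment matches the config. The pointer to `.github/workflows/renovate.yml` would also be more useful if it named the step or input that reads the live open-PR count, since that workflow is now the only place the "no more than 10" ceiling actually holds.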
Expand All @@ -35,7 +34,8 @@
// Soak every dependency update for 72 hours before opening a PR. This guards
// against compromised publishes (malicious version yanked within a few hours)
// and against unstable releases that get hotfixed shortly after publish.
// Applies to vulnerability alerts too — see the comment on vulnerabilityAlerts.
// Vulnerability-alert PRs require dashboard approval below so they do not
// bypass the live open-PR cap enforced by the workflow.
"minimumReleaseAge": "3 days",
"timezone": "Etc/UTC",
// Restrict Renovate runs to the automerge windows so branch updates
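Review bot: The added comment says vulnerability-alert PRs "require dashboard approval below", but nothing in the visible part of the `vulnerabilityAlerts` block sets `dependencyDashboardApproval`, and the comment being removed from that block said CVE-driven PRs skip the approval gate; confirm the key exists in the collapsed part of the block, otherwise this sentence documents a gate that is not there. The replaced line also asserted that the 72h soak applies to vulnerability alerts, and the new text drops that without saying either way; since the `vulnerabilityAlerts` object can override `minimumReleaseAge`, state explicitly whether security PRs are soaked and, if they should be, set `minimumReleaseAge` inside that block rather than relying on this top-level value.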
Expand All @@ -51,8 +51,8 @@
// self-hosted workflow that means a CI-storm of force-pushes across all
// open Renovate PRs during the workday. Setting `updateNotScheduled:
// false` keeps existing branch maintenance inside the same windows.
// `vulnerabilityAlerts.schedule: "at any time"` overrides this for
// CVE-driven PRs so security work still flows intraday.
// Existing branches can still be maintained outside the normal creation
// schedule when the workflow switches Renovate into cap-reached mode.
"updateNotScheduled": false,
"schedule": [
// Run all weekend
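Review bot: The added comment says existing branches can be maintained outside the schedule "when the workflow switches Renovate into cap-reached mode", but this hunk keeps `"updateNotScheduled": false`, so whatever flips that must come from the workflow (an environment override or a second config); name it here, otherwise a reader of this file sees a hard `false` next to a comment claiming the opposite. The removed lines also explained why `vulnerabilityAlerts.schedule: "at any time"` exists; that setting survives in the block below, so keep one sentence cross-referencing it instead of losing the rationale.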
Expand All @@ -74,12 +74,9 @@
"* 22-23 * * 1-5",
"* 0-4 * * 2-6"
],
// CVE-driven updates skip the weekend schedule and the dashboard-
// approval gate, and stay rebased against main so conflicts don't
// strand them. The 72h release-age soak from the top-level
// minimumReleaseAge still applies here so a malicious "fix" publish
// can't fast-track into main. Automerge is configured per update-type
// in packageRules below so security majors still wait for human review.
// Vulnerability alerts normally bypass Renovate's PR concurrency, hourly
// PR, and schedule limits. Let them keep doing that so security fixes can
// still create PRs even when normal dependency updates are capped.
"vulnerabilityAlerts": {
"schedule": ["at any time"],
"rebaseWhen": "behind-base-branch",
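Review bot: This comment says vulnerability alerts "normally bypass Renovate's PR concurrency, hourly PR, and schedule limits" and should "keep doing that", which contradicts the new `minimumReleaseAge` comment in the same file stating that vulnerability-alert PRs require dashboard approval so they do not bypass the open-PR cap; one of the two is wrong about the design, so settle whether security PRs are gated or exempt and make both comments say the same thing. The old comment also documented why `rebaseWhen: "behind-base-branch"` is set and that automerge for security majors is decided per update type in `packageRules`; `rebaseWhen` is still set here and `packageRules` is untouched by this diff, so that rationale should not be dropped with the rewrite.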