chore(deps): update all major dependencies to v4 in config/_default/params.yaml

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change	Pending
coreruleset-v3	major	3.3.9 → 4.26.0	v4.27.0

---

Release Notes

coreruleset/coreruleset (coreruleset-v3)

v4.26.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat: Add WhatWAF to the scanner list by @​HackingRepo in #​4566
• feat: Add ghauri to scanner list by @​HackingRepo in #​4570
• feat: Expand Scanner User Agents List (v2) by @​HackingRepo in #​4572
• feat: Expanded os files list by @​HackingRepo in #​4536
• feat(933100): all HTTP headers should be checked by @​touchweb-vincent in #​4603
• fix(lfi-os-files): add .dockerenv, .DS_Store, META-INF/, WEB-INF/ by @​zoutjebot in #​4601
• feat(934200): detect Server-Side Template Injection (SSTI) attacks by @​zoutjebot in #​4600

🧰 Other Changes

• fix(lfi-os-files): require path prefix for .profile by @​zoutjebot in #​4586
• fix(933150): remove is_int from PHP function names list by @​zoutjebot in #​4585
• fix(932370): remove url from Windows LOLBIN command list by @​zoutjebot in #​4587
• fix(920539): prefer a bypass on a named rule rather than n+1 bypass by @​touchweb-vincent in #​4610
• fix(942290): add word boundary to MongoDB operator detection by @​zoutjebot in #​4588
• fix: false positive with parameter name .history by @​EsadCetiner in #​4614
• fix(942410): use common exceptions instead of rule by @​fzipi in #​4617
• fix(942200): reduce false positives on payloads with comments by @​EsadCetiner in #​4608
• fix(unix): exclude pg command from pl-1 by @​EsadCetiner in #​4613
• fix(930130): comment out false positive prone entries by @​EsadCetiner in #​4607
• fix(920100): drop HTTP/0.9 GET support from request line validation by @​fzipi in #​4621
• fix: Update restricted files to include Perl subdirectories by @​HackingRepo in #​4620

New Contributors

• @​zoutjebot made their first contribution in #​4586

Full Changelog: coreruleset/coreruleset@v4.25.0...v4.26.0

v4.25.0: (LTS)

Compare Source

What's Changed

Important ⭐

These below fix CVE-2026-33691:

• fix(933111): prevent whitespace padding bypass in PHP double-extension upload by @​fzipi in #​4547
• fix(933110): prevent whitespace padding bypass in PHP upload detection by @​fzipi in #​4546
• fix(944140): prevent whitespace padding bypass in JSP file upload detection by @​fzipi in #​4548

🆕 New features and detections 🎉

• feat(930130,930140): expand AI-based paths by @​Elnadrion in #​4540
• feat: add aws security agent in scanners-user-agents.data by @​S0obi in #​4562
• feat(932390): add shell fork bomb detection rule at PL2 by @​fzipi in #​4563

🧰 Other Changes

• refactor: create 941250 .ra file by @​fzipi in #​4520
• refactor: create 942220 .ra file by @​fzipi in #​4511
• refactor: create rule 931100 and 931110 .ra files by @​Xhoenix in #​4489
• feat: Adding critical ai dirs that previously not exist by @​HackingRepo in #​4535
• refactor: create 933140 and 933180 .ra files by @​Xhoenix in #​4488
• fix(944110,944120,944130,944150,944151,944200,944210,..): don't inspect cookies twice by @​touchweb-vincent in #​4526
• refactor: create 943120 .ra file by @​fzipi in #​4506
• fix: false negative 932236 by @​franbuehler in #​4544
• feat: update list of unix commands by @​EsadCetiner in #​4446
• fix(932180): prevent whitespace padding bypass in restricted file upload detection by @​fzipi in #​4549
• fix: harden GitHub Actions workflows by @​fzipi in #​4553
• refactor: create 941310 .ra files by @​fzipi in #​4522
• docs: update README by @​fzipi in #​4556
• refactor: create 941120 .ra file by @​fzipi in #​4498
• fix(920540): allow rule exclusions for specific targets by @​EsadCetiner in #​4405
• fix(931130): ensure correct target is logged by @​EsadCetiner in #​4577

Full Changelog: coreruleset/coreruleset@v4.24.1...v4.25.0

v4.24.1

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat(930140): add AI coding assistant artifact protection by @​etiennemunnich in #​4519
• feat: Expand Scanner Agents by @​HackingRepo in #​4532

Fixes

• fix(942200): prevent matches against user agent strings by @​theseion in #​4537
• fix(942480): don't inspect cookies twice by @​touchweb-vincent in #​4524

🧰 Other Changes

• refactor: create 934130 .ra file by @​Xhoenix in #​4487
• refactor: create 941330 .ra file by @​fzipi in #​4492
• refactor: create 944300 .ra file by @​fzipi in #​4490
• refactor: create 941320 .ra file by @​fzipi in #​4491
• refactor: create 921160 .ra file by @​fzipi in #​4497
• refactor: create 921120 .ra file by @​fzipi in #​4496
• refactor: create 921110 .ra file by @​fzipi in #​4495
• feat: move 930110 to regex-assembly by @​fzipi in #​4494
• refactor: create 941190 .ra file by @​fzipi in #​4499
• refactor: create 941400 .ra file by @​fzipi in #​4517
• refactor: create 942250 .ra file by @​fzipi in #​4512
• refactor: create 941370 .ra file by @​fzipi in #​4518
• refactor: create 944260 .ra file by @​fzipi in #​4510
• feat: move 943100 to regex-assembly by @​fzipi in #​4504
• refactor: create 944120 .ra file by @​fzipi in #​4508
• refactor: create 942450 .ra file by @​fzipi in #​4513
• refactor: create 942510 and 942511 .ra files with shared include by @​fzipi in #​4516
• refactor: create 944240 .ra file by @​fzipi in #​4509
• docs: comment on threshold should be more alarming by @​touchweb-vincent in #​4330
• chore: add missing regex-assembly comment blocks to rules by @​fzipi in #​4523
• fix(913100): adding OWASP Nettacker to known scanners list by @​securestep9 in #​4529
• refactor: create 941300 .ra file by @​fzipi in #​4521

New Contributors

• @​etiennemunnich made their first contribution in #​4519
• @​securestep9 made their first contribution in #​4529
• @​HackingRepo made their first contribution in #​4532

Full Changelog: coreruleset/coreruleset@v4.24.0...v4.24.1

v4.24.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat(933100): add detection of smarty template php tag by @​touchweb-vincent in #​4447

🧰 Other Changes

• fix(932130): use lazy regex by @​fzipi in #​3730
• chore(943110): move to regex-assembly by @​fzipi in #​4431
• fix(930130): reduce false positive by @​touchweb-vincent in #​4451
• fix(920650): don't block on method override if it's not actually being overwritten by @​EsadCetiner in #​4455
• fix(932340): Add more UNIX FP commands by @​ssigwart in #​4454
• refactor(951210): convert maxDB leakage rule to regex-assembly by @​fzipi in #​4468
• refactor(951190): convert Ingres leakage rule to regex-assembly by @​fzipi in #​4466
• refactor(951140): convert EMC leakage rule to regex-assembly by @​fzipi in #​4464
• refactor(951110): convert Access leakage rule to regex-assembly by @​fzipi in #​4463
• fix: handle multi-byte UTF-8 chars in SQL special char detection by @​fzipi in #​4458
• refactor(951200): convert Interbase leakage rule to regex-assembly by @​fzipi in #​4467
• refactor(951180): convert Informix leakage rule to regex-assembly by @​fzipi in #​4465
• refactor(951220): convert MSSQL leakage rule to regex-assembly by @​fzipi in #​4459
• refactor(951250): convert SQLite leakage rule to regex-assembly by @​fzipi in #​4460
• refactor(951260): convert Sybase leakage rule to regex-assembly by @​fzipi in #​4461
• refactor(951130): convert DB2 leakage rule to regex-assembly by @​fzipi in #​4462
• fix: don't block json variable names called profile on libmodsecurity3/coraza by @​EsadCetiner in #​4477
• fix(933100): reduce false positive on Extensible Metadata Platform and xsl-stylesheets by @​touchweb-vincent in #​4445
• feat: move 932190 to regex-assembly by @​theseion in #​4475
• fix(942200): FP against comma and single quote in French addresses by @​theseion in #​4476
• fix: add more exclusions for Google Funding Choices cookie by @​azurit in #​4484

Full Changelog: coreruleset/coreruleset@v4.23.0...v4.24.0

v4.23.0

Compare Source

What's Changed

⭐ Important changes

• feat(920640): add rule to enforce content-type if there is body by @​fzipi in #​4406

🆕 New features and detections 🎉

• feat(lfi): Add detection for Vite.js path traversal (CVE-2025-30208) by @​disisto in #​4407
• feat: block fake mozilla/5.g user-agent by @​EsadCetiner in #​4383
• feat: resolve common false positives with ad and tracker cookies by @​EsadCetiner in #​4378
• fix(ssrf): catch malformed urls by @​fzipi in #​4410
• feat: block 'trap' command by @​azurit in #​4422
• feat: prevent php session files to be uploaded by @​fzipi in #​4412
• feat(930130): improvement of the detection of common debug or error files across CMS platforms by @​touchweb-vincent in #​4426
• feat(942450): add another hex + binary declaration pattern by @​touchweb-vincent in #​4374
• feat: update restricted files and file extensions by @​EsadCetiner in #​4299
• feat(920650): add detection for framework method overrides by @​fzipi in #​4416
• fix: remove Request-Range Header from rules by @​Xhoenix in #​4435
• feat: block when Request-Range header is used by @​fzipi in #​4436

🧰 Other Changes

• fix: remove bypass-vulnerable content types from default allow lists by @​RedXanadu in #​4365
• feat(931131): removing off domain check by @​touchweb-vincent in #​4379
• chore(933120): cleaning obsolete variable by @​touchweb-vincent in #​4417
• chore(941360,941370,941380): cleaning useless capture keyword by @​touchweb-vincent in #​4419
• chore(933151,933152,933153): cleaning useless variables by @​touchweb-vincent in #​4420
• feat(942350): added replace keyword + c-type comment evasion by @​touchweb-vincent in #​4373
• fix(933111): regex should be the same as 933110 by @​touchweb-vincent in #​4395
• fix: FPs related to maxDB information leakage by @​azurit in #​4382
• fix: remove non-unix commands from unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932237 PL-3) by @​EsadCetiner in #​4247
• fix(941120): new regex is eligible for Paranoia Level 1 by @​touchweb-vincent in #​4291
• fix(933150): reduce substring false positive matches by @​EsadCetiner in #​4340
• fix(942410): cleaning of duplicates with 942151 by @​touchweb-vincent in #​4336
• fix: add separate rule to match unix commands with no arguments by @​EsadCetiner in #​4273
• fix(934140): update perl interpolation regex by @​fzipi in #​4250
• feat(921200): move regexp to regex-assembly by @​fzipi in #​4409
• fix(934190): add new rule to check localhost variants without scheme by @​fzipi in #​4429
• feat(941110): all HTTP headers should be checked by @​touchweb-vincent in #​4326
• feat(941120): all HTTP headers should be checked by @​touchweb-vincent in #​4327

New Contributors

• @​disisto made their first contribution in #​4407

Full Changelog: coreruleset/coreruleset@v4.22.0...v4.23.0

v4.22.0

Compare Source

What's Changed

CRITICAL

• fix for 9AJ-260102

🧰 Other Changes

• feat(934100): added sequence for CVE-2025-55182 POCs by @​touchweb-vincent in #​4372
• feat(942440): reduce false positive by @​touchweb-vincent in #​4346
• fix(942431): reduce false positive with arrays in ARGS_NAMES by @​touchweb-vincent in #​4305
• fix: make regexen Rust's regex compatible by @​fgsch in #​4385
• refactor: drop older spelling variants by @​fgsch in #​4386

Special thanks to @​daytriftnewgen for responsible reporting 9AJ-260102

Full Changelog: coreruleset/coreruleset@v4.21.0...v4.22.0

v4.21.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat(931100): add IPv6 support / XML scan and SSH scheme. by @​touchweb-vincent in #​4321
• feat(920440): add new restricted file extensions by @​touchweb-vincent in #​4322

🧰 Other Changes

• fix(942160): adding unit test for double comment by @​touchweb-vincent in #​4315
• fix(920280, 920300, 920310, 920311, 920320, 920330): should be block by @​touchweb-vincent in #​4319
• fix(942151,942152): wrong functions names by @​touchweb-vincent in #​4333
• feat(942460): adding help for non-English folks by @​touchweb-vincent in #​4334
• fix(932180): reduce substring false positives by @​EsadCetiner in #​4338
• fix(942151,942152): wrong functions names by @​touchweb-vincent in #​4337
• fix(920180): wrong unit test - content-type evasion bypass by @​touchweb-vincent in #​4339
• fix(956110): move rule to pl-2 by @​EsadCetiner in #​4344
• docs: comment on disabling Expect header in .Net by @​theseion in #​4348
• fix: add missing capture action to affected rules by @​airween in #​4361

Full Changelog: coreruleset/coreruleset@v4.20.0...v4.21.0

v4.20.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat: update restricted file extensions by @​EsadCetiner in #​4287
• feat(930120): adding conf file for PrestaShop 1.6 / 1.7 / 8+ & Magento 2 by @​touchweb-vincent in #​4303
• feat: add expect header to list of restricted headers by @​franbuehler in #​4298

🧰 Other Changes

• fix(942560): missing capture keyword by @​touchweb-vincent in #​4285
• fix(932281): reduce false positive matches with json payload by @​EsadCetiner in #​4288
• fix(932240): reduce false positive matches with json payloads by @​EsadCetiner in #​4290
• fix(921180, 921210, 921220): should be block not pass by @​touchweb-vincent in #​4294
• fix(942550): partial revert - too high risk of false positive by @​touchweb-vincent in #​4284
• fix(942160): updating regex to deal with new payloads by @​touchweb-vincent in #​4292

Full Changelog: coreruleset/coreruleset@v4.19.0...v4.20.0

v4.19.0

Compare Source

What's Changed

⭐ Important changes

• refactor: 920340 - delete 920341 by @​touchweb-vincent in #​4268

🆕 New features and detections 🎉

• fix: update lfi-os-files.data by @​Xhoenix in #​4240

🧰 Other Changes

• fix: dont block .url file extension by @​EsadCetiner in #​4259
• fix(933135): wrong score variable by @​touchweb-vincent in #​4262
• fix(933153): missing inbound_anomaly_score by @​touchweb-vincent in #​4260
• fix(953100): remove generic SQLSTATE error codes causing false positives by @​Elnadrion in #​4257
• feat: add stricter sibling 954101 to 954100 by @​franbuehler in #​4258
• fix(942550): cleanup regex by @​fzipi in #​3767
• fix: reduce false positives with php response rules by @​EsadCetiner in #​4272
• fix: don't block on all question marks (942550 PL-1) by @​EsadCetiner in #​4264
• feat: whitelist application/csp-report content-type header by @​Elnadrion in #​4274

New Contributors

• @​touchweb-vincent made their first contribution in #​4262
• @​Elnadrion made their first contribution in #​4257

Full Changelog: coreruleset/coreruleset@v4.18.0...v4.19.0

v4.18.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat: add application/reports+json content-type header by @​Xhoenix in #​4230
• feat: update unix commands list by @​EsadCetiner in #​4215
• feat: added ssh commands by @​Xhoenix in #​4249
• feat: detect rmt and rmt-tar by @​theseion in #​4242

🧰 Other Changes

• feat: Add product name tags by @​TimDiam0nd in #​3960
• fix: remove dot star by @​Xhoenix in #​4235
• fix(942370): remove dot star by @​Xhoenix in #​4234
• fix: avoid matching non-ruby errors and source code by @​EsadCetiner in #​4224
• fix: don't replace cmdline suffixes for 932220 and 932250 by @​theseion in #​4231

Full Changelog: coreruleset/coreruleset@v4.17.1...v4.18.0

v4.17.1

Compare Source

What's Changed

⭐ Important changes

• chore: removed detection for LaTeX injection by @​Xhoenix in #​4221

🧰 Other Changes

• fix(942340): remove dot star by @​Xhoenix in #​4220

Full Changelog: coreruleset/coreruleset@v4.17.0...v4.17.1

v4.17.0

Compare Source

[!IMPORTANT]
This release contains a new rule to detect LaTeX injections which was not supposed to be released as it is too prone to false positives in it's current state. Please use v4.17.1 instead.

What's Changed

⭐ Important changes

• feat: remove PCI DSS tags (#​4194) by @​pha6d in #​4203

🆕 New features and detections 🎉

• feat: added detection for ASP.NET errors by @​Xhoenix in #​4092
• feat: added detection for RCE via Referer header by @​Xhoenix in #​3993
• feat: added detection for LaTeX injection by @​Xhoenix in #​4206
• feat: added detection for ruby errors and code leakage by @​Xhoenix in #​4089

🧰 Other Changes

• fix(951xxx): remove dot star by @​Xhoenix in #​4171
• fix: use word bondary on 952110 to avoid matching non-java errors by @​EsadCetiner in #​4177
• feat: Update java-classes.data by @​KIC-8462852 in #​4173
• fix(931130): update file uri with single slash by @​fzipi in #​4193
• fix(932281): avoid matching on json payloads by @​EsadCetiner in #​4187
• fix: 932280/932281 bypass by @​Xhoenix in #​4207

New Contributors

• @​KIC-8462852 made their first contribution in #​4173
• @​pre-commit-ci[bot] made their first contribution in #​4185
• @​pha6d made their first contribution in #​4203

Full Changelog: coreruleset/coreruleset@v4.16.0...v4.17.0

v4.16.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat: remediation for Python SSTI by @​TheRubick in #​4145
• fix: update rule 942560 by @​Xhoenix in #​4161
• feat: detect generic config filenames by @​EsadCetiner in #​4102
• feat: update java-errors.data by @​Xhoenix in #​4113
• feat: added rule to detect Bash Brace Expansion by @​Xhoenix in #​3780
• feat: added MongoDB operators by @​Xhoenix in #​4162
• feat: added zmodload and sudo-rs by @​Xhoenix in #​4143

🧰 Other Changes

• fix(941160): remove dot star by @​fzipi in #​4155
• fix(934140): remove dot star by @​fzipi in #​4165
• fix(932370): remove dot star by @​fzipi in #​4166
• fix(955xxx): remove dot star by @​Xhoenix in #​4169
• fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) by @​EsadCetiner in #​3840
• fix: create a stricter sibling to 932370 and move at to PL-2 (932370 PL-1, 932371 PL-2) by @​EsadCetiner in #​4015
• fix(942340): remove dot star by @​fzipi in #​4164
• refactor(942340): move to regex assembly by @​fzipi in #​4014
• fix(933160): remove dot star by @​fzipi in #​4167

New Contributors

• @​TheRubick made their first contribution in #​4145

Full Changelog: coreruleset/coreruleset@v4.15.0...v4.16.0

v4.15.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat: add User-Agent and Referer into targets (942280 PL1) by @​azurit in #​4115
• feat: update java-classes.data by @​Xhoenix in #​4080
• feat: block database yaml files by @​EsadCetiner in #​4130

🧰 Other Changes

• fix: false positive with title_strip_tags by moving strip_tags to 933160 by @​EsadCetiner in #​4105
• fix: remove self command by @​EsadCetiner in #​4111
• fix: remove rc shell to reduce FPs by @​theseion in #​4125
• feat: remove unnecessary character class from 933151 by @​TimDiam0nd in #​4135
• fix: false positives with session tokens/cookies 933150 by @​EsadCetiner in #​4142
• fix: add word ending to unix command sendmail (932235 PL1, 932236 PL2, 932239 PL2, 932260 PL1) by @​franbuehler in #​4141
• feat: 933151 change from capture and double pmf to regex by @​TimDiam0nd in #​4139
• feat: 933120 change from capture and double pmf to regex by @​TimDiam0nd in #​4138
• feat: remove exclusion of deprecated __utm cookies by @​theseion in #​4151

Full Changelog: coreruleset/coreruleset@v4.14.0...v4.15.0

v4.14.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat: detect ASP web shells by @​Xhoenix in #​4063
• feat: detect compressed database dumps by @​EsadCetiner in #​4082
• feat: detect javascript methods import fetch console.log console.dir by @​EsadCetiner in #​4076

🧰 Other Changes

• fix: fixing FPs related to rule 951220 by @​azurit in #​4079
• fix: don't block ttf font files by @​EsadCetiner in #​4081
• fix: 932270 FP by @​Xhoenix in #​3917
• fix(954100): detect forward slash in path by @​Xhoenix in #​4094
• fix: remove .application from restricted extensions by @​EsadCetiner in #​4103
• fix: 44J-250329 by @​EsadCetiner in #​4107

Full Changelog: coreruleset/coreruleset@v4.13.0...v4.14.0

v4.13.0

Compare Source

What's Changed

⭐ Important changes

• fix(security): fixing double URL decode of REQUEST_URI by @​azurit in #​4047

🆕 New features and detections 🎉

• feat: block header related to CVE-2025-29927 (Next.js) by @​azurit in #​4053
• feat: added new XSS payloads by @​Xhoenix in #​4055
• feat: add potential malicious file extensions into tx.restricted_extensions by @​Xhoenix in #​4068
• feat: add additional files commonly accessed by bots by @​EsadCetiner in #​4069
• feat: adding .dist and .dpkg-dist into tx.restricted_extensions by @​azurit in #​4057
• feat: add more default session cookie names by @​Xhoenix in #​4062

🪦 Rule removals

• feat: remove rule 952100 for detecting Java Source Code Leakage by @​S0obi in #​4052

🧰 Other Changes

• fix(934130): extend prototype pollution payload by @​Xhoenix in #​4036
• fix: rule 930110 is not supposed to match bare '..' without (back)slashes by @​azurit in #​4050
• fix: use boundary to fix false positive with email firstname.dockery@host.tld by @​EsadCetiner in #​4045
• feat: refresh restricted-upload.data by @​S0obi in #​4046
• fix: tag inconsistency per file by @​Xhoenix in #​4031
• fix: added pre-check of unset TX variable by @​airween in #​4066
• fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) by @​EsadCetiner in #​4019

New Contributors

• @​daum3ns made their first contribution in #​4043
• @​S0obi made their first contribution in #​4046

Full Changelog: coreruleset/coreruleset@v4.12.0...v4.13.0

v4.12.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat: prevent V1 cookie format use by @​fzipi in #​4006
• feat: added new restricted files for openstack and docker compose by @​azurit in #​4021

🧰 Other Changes

• fix: multipart header tag consistency by @​Xhoenix in #​3992
• fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) by @​EsadCetiner in #​3735
• docs: add warnin

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 4.x releases. But if you manually upgrade to 4.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.