diff --git a/demo.test.mjs b/demo.test.mjs
index d9e11b42..ac6cf672 100644
--- a/demo.test.mjs
+++ b/demo.test.mjs
@@ -4,14 +4,16 @@ import { test } from 'node:test'
 test('edge function config', async () => {
   const { config } = await import('./demo/.netlify/edge-functions/angular-ssr/angular-ssr.mjs')
 
-  assert.deepEqual(config.excludedPath, [
+  const excludedPathsWithMaskedHashes = config.excludedPath.map((path) => path.replace(/-[A-Z\d]{8}\./, '-HASHHASH.'))
+
+  assert.deepEqual(excludedPathsWithMaskedHashes, [
     '/.netlify/*',
     '/favicon.ico',
     '/heroes/index.html',
     '/index.csr.html',
-    '/main-KVCR6MBP.js',
-    '/polyfills-FFHMD2TL.js',
-    '/styles-5INURTSO.css',
+    '/main-HASHHASH.js',
+    '/polyfills-HASHHASH.js',
+    '/styles-HASHHASH.css',
     '/heroes',
   ])
 })
diff --git a/package-lock.json b/package-lock.json
index cfa11f08..3b8fcf60 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -19,7 +19,7 @@
         "@types/node": "^18.19.0",
         "eslint-plugin-unicorn": "^49.0.0",
         "husky": "^4.3.0",
-        "netlify-cli": "^18.0.4",
+        "netlify-cli": "^18.1.0",
         "npm-run-all2": "^6.0.0",
         "prettier": "^2.1.2"
       },
@@ -10436,9 +10436,9 @@
       }
     },
     "node_modules/netlify-cli": {
-      "version": "18.0.4",
-      "resolved": "https://registry.npmjs.org/netlify-cli/-/netlify-cli-18.0.4.tgz",
-      "integrity": "sha512-4NGnJy2wUTquJm7YH4cbPgXqPqfO0KEWlbkX8XEaKI2fGe9gQCQRG628E5wYqfXsG+jJZfNF7O/r8OmgqxiHUw==",
+      "version": "18.1.0",
+      "resolved": "https://registry.npmjs.org/netlify-cli/-/netlify-cli-18.1.0.tgz",
+      "integrity": "sha512-W0r5IqYAZJz8VjRes1D7358GyZxYmI5ODUlEcHr8tI58pks4Ybyw2D3VDITZp6/yjXtDhGTWdAQ6x7mg+68eKQ==",
       "dev": true,
       "hasInstallScript": true,
       "hasShrinkwrap": true,
@@ -10446,7 +10446,7 @@
       "dependencies": {
         "@bugsnag/js": "8.2.0",
         "@fastify/static": "7.0.4",
-        "@netlify/blobs": "8.1.0",
+        "@netlify/blobs": "8.1.1",
         "@netlify/build": "29.58.9",
         "@netlify/build-info": "8.0.0",
         "@netlify/config": "20.21.7",
@@ -11534,9 +11534,9 @@
       "dev": true
     },
     "node_modules/netlify-cli/node_modules/@netlify/blobs": {
-      "version": "8.1.0",
-      "resolved": "https://registry.npmjs.org/@netlify/blobs/-/blobs-8.1.0.tgz",
-      "integrity": "sha512-9hIbusvAZjSGBJ42OyFC2AxsEph1LuKQahMWFcPGEIsOqIYHhMRkYA7wSUMhH7naydjNmllpcp3pJLOK4RhFaQ==",
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@netlify/blobs/-/blobs-8.1.1.tgz",
+      "integrity": "sha512-7Dg3PzArvQ0Owq4wpkLECC9iaDBOxuWUN2uwbQtUF6tZssyez2QN+eO0CjuIhhZUivbw+X9bwsyiEjWkdJnv/A==",
       "dev": true,
       "engines": {
         "node": "^14.16.0 || >=16.0.0"
diff --git a/package.json b/package.json
index 5f18fa5d..4cc9fe95 100644
--- a/package.json
+++ b/package.json
@@ -83,7 +83,7 @@
     "@types/node": "^18.19.0",
     "eslint-plugin-unicorn": "^49.0.0",
     "husky": "^4.3.0",
-    "netlify-cli": "^18.0.4",
+    "netlify-cli": "^18.1.0",
     "@netlify/build": "^29.58.9",
     "npm-run-all2": "^6.0.0",
     "prettier": "^2.1.2"
diff --git a/renovate.json5 b/renovate.json5
index 44207d26..f049882f 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -2,23 +2,24 @@
   $schema: 'https://docs.renovatebot.com/renovate-schema.json',
   extends: ['github>netlify/renovate-config:default'],
   ignorePresets: [':prHourlyLimit2'],
+  prHourlyLimit: 0,
   semanticCommits: true,
   // The config we're extending ignores test dirs, but we want to bump some fixture deps
   ignorePaths: ['**/node_modules/**'],
   packageRules: [
-    // Since we've enabled Renovate (see above) for fixture sites, adjust the config for these.
+    // Since we've enabled Renovate (see above) for demo and fixture sites, adjust the config for these.
     {
-      matchFileNames: ['tests/**/fixtures/**/package.json'],
+      matchFileNames: ['tests/**/fixtures/**/package.json', 'demo/package.json'],
       // If a fixture requires a specific framework version, never bump it.
       updatePinnedDependencies: false,
       // Always use `chore:` (since these are test fixtures), to avoid no-op releases.
       extends: [':semanticCommitTypeAll(chore)'],
     },
     {
-      description: 'Stable & unstable Angular bumps in test fixtures',
-      matchFileNames: ['tests/**/fixtures/**/package.json'],
-      // See https://docs.renovatebot.com/presets-monorepo/#monorepoangular.
-      matchSourceUrls: ['https://github.com/angular/angular'],
+      description: 'Stable & unstable Angular bumps in demo and test fixtures',
+      groupName: 'Angular packages',
+      matchFileNames: ['tests/**/fixtures/**/package.json', 'demo/package.json'],
+      matchPackageNames: ['@angular/**', 'zone.js', '@angular-devkit/**'],
       // Override the schedule to get immediate PRs.
       schedule: null,
       // Apply a unique label so we can trigger additional workflows for these PRs.
@@ -31,5 +32,22 @@
       // difficult (or impossible) to implement so we just disable it entirely.
       automerge: false,
     },
+    // Angular major version updates attempt to upgrade fixtures for Angular 17, 18 etc
+    // we never want to upgrade those, so we disable them
+    {
+      description: 'Disable angular major version upgrades',
+      matchFileNames: ['tests/**/fixtures/**/package.json', 'demo/package.json'],
+      matchPackageNames: ['@angular/**', '@angular-devkit/**'],
+      matchUpdateTypes: ['major'],
+      enabled: false,
+    },
+    // zone.js is in 0.x.y version range, so we also disable minor updates for those
+    {
+      description: 'Disable zone.js minor version upgrades',
+      matchFileNames: ['tests/**/fixtures/**/package.json', 'demo/package.json'],
+      matchPackageNames: ['zone.js'],
+      matchUpdateTypes: ['minor', 'major'],
+      enabled: false,
+    },
   ],
 }