docs: release notes for v38

docs/usage/release-notes-for-major-versions.md

@@ -7,6 +7,91 @@ The most recent versions are always at the top of the page.
 This is because recent versions may revert changes made in an older version.
 You also don't have to scroll to the bottom of the page to find the latest release notes.
 
+## Version 38
+
+### Breaking changes for 38
+
+General:
+
+- Require Node.js 20 ([#30291](https://github.com/renovatebot/renovate/pull/30291))
+- The Renovate Docker images no longer have `-slim` tags. You must stop using the `-slim` prefix. Renovate now defaults to the `-slim` tag type behavior.
+
+Specific:
+
+- **bitbucket-server:** autodetect `gitAuthor`, if possible ([#29525](https://github.com/renovatebot/renovate/pull/29525))
+- **config:** change from `boolean` to `enum` for `onboardingNoDeps`. Renovate now onboards repositories with no dependencies, with one exception: if you run Renovate in `autodiscover` mode then you must manually onboard Renovate for repos with no dependencies
+- **config:** sanitize special characters from branch names for vulnerability type PRs. This may cause Renovate to autoclose/replace existing PRs
+- **config:** change the order of `globalExtends` resolution, it is applied _first_ and remaining global config takes precedence
+- **datasource/docker:** Docker Hub lookups prefers `hub.docker.com` over `index.docker.io`. To revert to the old behavior: set `RENOVATE_X_DOCKER_HUB_TAGS_DISABLE=true` in your env
+- **git:** check _all_ commits on the branch to decide if the branch was modified ([#28225](https://github.com/renovatebot/renovate/pull/28225))
+- **gitea:** use "bearer auth" instead of "token auth" to authenticate to the Gitea platform
+- **github:** if you run Renovate as a GitHub app then `platformCommit` is automatically enabled
+- **http:** remove `dnsCache`
+- **logging:** you must set file logging via env, not in `config.js`
+- **manager/pep621:** change `depName` for `pep621` dependencies. This causes the branch name for `pep621` updates to change, which in turn means Renovate may autoclose and re-open some `pep621` PRs. Also, Renovate may start grouping dependencies into a single PR.
+- **npm:** for npm versions lower than 7, drop support for remediating vulnerabilities in _transitive_ dependencies
+- **npm:** remove `RENOVATE_CACHE_NPM_MINUTES` ([#28715](https://github.com/renovatebot/renovate/pull/28715))
+- **packageRules:** `matchPackageNames` (and related functions) no longer fall back to checking `depName`
+- **packageRules:** `matchPackageNames` exact matches are now case-insensitive
+
+### Commentary for 38
+
+#### Our Docker images are slim by default
+
+If you self-host using Renovate's Docker `-slim` images: drop the `-slim` suffix, and switch to the default tags.
+Renovate's default tags like `38.0.0` are "slim" by default.
+There's no change if you're using the `-full` images.
+
+#### Renovate needs Node.js 20
+
+Renovate now needs Node.js `^20.15.1` to run.
+Our Docker images already use the correct version of Node.js.
+
+But if you self-host _without_ using our Docker image, then you must update the version of Node.js.
+You must update manually, if for example: you build your own image, or run the `renovate` npm package.
+
+##### Why we picked Node 20
+
+We dropped Node.js 18, and do not yet support Node.js 22 as it's non-LTS and not recommended for production.
+
+##### Why we picked a non-vulnerable version of Node
+
+We decided to require the current non-vulnerable version of Node.js (`20.15.1` or newer).
+If we ever need to bump the minimum version of Node.js v20, we will release a new _major_ version of Renovate.
+
+If you self-host: we recommend you always run a secure version of Node.js v20.
+This is because security vulnerabilities in Node.js can affect Renovate too.
+
+#### If you use Mend's Renovate GitHub app
+
+We recommend that all users running Renovate as a GitHub App use `platformCommit`.
+Renovate now defaults to `platformCommit` is enabled, when Renovate detects a GitHub App token.
+For PATs, we still recommend regular commits.
+
+#### Log file configuration requires env settings
+
+File-based logging must be configured using environment variables (e.g. `LOG_FILE`).
+Do _not_ set logging in files or CLI (such as `logFile`).
+
+This ensures that logging begins right when Renovate starts a run.
+It also means Renovates logs how it parses the config.
+
+#### Changes to package matching
+
+Finally, we merged the `matchPackage*` and `excludePackage*` options into `matchPackageNames`.
+We also enabled patterns for the `matchPackageNames` config option.
+
+This means you can now use regex or glob patterns:
+
+- `"matchPackageNames": "/^com.renovatebot/"` (regex)
+- `"matchPackageNames": "@renovate/*"` (glob)
+
+And of course, you can still use exact name matching.
+
+### Link to release notes for 38
+
+[Release notes for `v38` on GitHub](https://github.com/renovatebot/renovate/releases/tag/38.0.0).
+
 ## Version 37
 
 ### Breaking changes for 37