- Update GitLab submodules
- Patch Rubygems requirement equality
- PHP: Handle > requirements correctly when bumping versions
- PHP: Add widen_ranges update strategy to PHP
- PHP: Allow update strategy to be passed as an option
- Add ext-sqlite3 support for PHP by adding in Dockerfile
- Rust: Handle projects that are part of a workspace (but hard to detect)
- Rust: Handle binary specifications when using 2018 edition
- Bump rubygems and Python versions
- Java: Make <=> public
- Opt in to Rubygems 4 behaviour through monkey patch
- Ruby: Ensure gemspec paths are always pathnames
- JS: Handle non-string entries for resolution
- .NET: Filter out non-URL repos
- Python: Correctly sanitize path dependency paths in pip-compile compiled files
- Add python3-enchant dependency
- Python: Treat no matching distribution found as suggesting bad Python version
- Git: Raise a helpful error if a submodule path doesn't actually point to a submodule
- Actually cache nuget listing results
- Python: Raise issue for Python URLs that contain an environment variable
- Python: Extract LatestVersionFinder tests into separate file
- Ruby: Fetch gemspec to look for source if API is not available
- Allow .NET repos with a src directory through
- .NET: Check src directory for sln files by default
- Npm: Fix issue where the wrong lockfile was updated when using both Lerna and npm lockfiles
- Rust: Ignore aliased dependencies
- Bump cython from 0.29.1 to 0.29.2 in /python/helpers
- Ruby: More careful replacement of equality matcher requirements
- Switch Ruby RequirementsUpdater logic to use an update strategy, which can be provided as either `bump_versions` or `bump_versions_if_necessary`
- JS: Group PRs for tightly coupled monorepo deps (currently just Vue)
- Move Maven into separate gem
- Add php72-memcached to Dockerfile
- Move Gradle into separate gem
- Add safeguard for not filtering releases by nil
- Rust: Handle unfetchable git refs better
- Retry GitHub errors when labeling a PR
- JS: Handle relative resolved paths in shrinkwrap.json
- Go: Better file parsing (prefer revision to version for git dependencies)
- Elm: Rename elm-package to elm everywhere
- Elm: Register package manager as just elm, as well as elm-package
- Python: Bump hashin from 0.14.0 to 0.14.1 in /python/helpers
- JS: Bump npm from 6.4.1 to 6.5.0
- Rust: recursively fetch workspace and path dependency files
- Fix elm reorg by adding elm.rb
- Reorg Elm
- Python: Make helpers build file executable
- Handle spaces in GitHub file paths
- Python: Test that python version error is for updating this dependency
- Python: Ignore upgrades that break Python compatibility quietly
- Rust: Register cargo metadata finder
- Extract Rust logic into a separate gem
- Add another missing require
- Add missing require
- Extract .NET logic into a separate gem
- Python: Update remaining relative paths following reorg
- Python: Update requirement path in PipfileVersionResolver
- Exclude merge commits when looking for latest dependabot commit message
- Python: Catch ValueError and treat as a FileNotEvaluatable error
- Python: Add system dependencies into Dockerfile
- Extract python logic into a separate gem
- Yarn: Fix lockfile for invalid resolutions
- Extract git_submodules logic into a separate gem
- Add top level docker file that requires docker classes
- Simplify dependabot-docker gemspec
- Add /pkg to gitignore
- Move Docker support to a separate gem
- Python: Ignore dependencies that we had to insert a version for
- JS(npm): Raise helpful error for forbidden missing deps
- Gradle: Don't consider dependencies that concatenate properties to build a version
- Maven: Check distribution type when looking up declaration to update
- Cache commit tag lookup in changelog finder
- Sanitize relative links in release notes
- Python: Handle bare version requirements in the RequirementUpdater
- JS: Build relative paths for path dependencies of unfetchable path dependencies
- JS: Get correct version for path dependencies
- No code changes - testing automated releases
- No code changes - testing automated releases
- Add omnibus gem
- No code changes - testing automated releases
- Start releasing to RubyGems
- Fix gemspec warnings
- Better detection of dependabot commit when updating a PR
- JS: Don't check for yanked packages if using a private registry
- Rust: Ensure parsed version matches requirement source
- PHP: Bump composer/composer from 1.7.3 to 1.8.0
- Terraform: (BREAKING) Split Terraform support out into a separate gem, still within the same repo. See #825 for more info.
- Maven: Handle credentials that don't include auth details
- Convert relative links in changelogs and release notes
- .NET: Pass URL string (not hash) when raising PrivateSourceTimedOut
- JS: Raise a resolvability error for invalid requirements
- JS: Raise an authentication error for private, unscoped packages
- JS: Handle `_npmUser` entries without a name
- Go: Use correct file path when raising DependencyFileNotParseable
- JS: Recursively fetch path dependencies
- Java: Handle null values in version strings
- JS: Handle missing `_npmUser` details
- Add details of new maintainers to PRs (if they are the one that released this JS package)
- Detect capitalisation of first word in commit message
- Maven: Handle empty version tags
- Python: Don't error on pip-compile cascading resolution issues
- Better commit prefix detection
- .NET: Fetch the largest sln file, not the first
- Handle missing version/name in package.json
- Retry timeouts fetching git repos from known sources
- JS: Handle blank versions in FileParser
- JS: Fix check if install resolved before update
- JS: Handle versions without peer dependencies in latest_version_of_dep_with_satisfied_peer_reqs
- Detect ESLint commit messages that include scopes
- Docker: Handle persistent 404s from Dockerhub
- PHP: Handle updates to a manifest file where only one requirement needs to change
- Fix require problem that only affected requiring FileUpdaters first
- JS: Raise a resolvability error when a scoped package can't be found
- JS: Fetch path dependencies that are specified as links
- JS: Implement full unlock for resolving JS peer dependencies
- Use Bundler 1.17.1 in Dockerfile
- JS: Support updating multiple dependencies at once
- JS: More glob path improvements
- JS: Handle Yarn ignored package globs
- Don't match versions that are superstrings in changelog pruner
- Add Azure TODOs to metadata finders
- Handle symlinked files in FileFetcher
- Handle git dependencies for libraries
- Python: More tweaks to Pipenv environment handling
- Python: Parse pip_compile results more accurately
- Python: Use shared helper to switch python version
- Python: Better handling of bad python requirements (fix spec)
- Python: Switch to released Pipenv
- JS: Fetch npmrc and yarnrc files from parent directories if required
- Python: Raise a resolvability error if max retries are exceeded
- Python: Better environment setup during Pipenv UpdateChecker
- Correct upgrade type labeling for git dependencies
- Elixir: Don't join support file names with directory
- Elixir: Use supporting files when parsing, checking and updating
- Elixir: Fetch files that are evaled by mixfile
- Python: Bump pipenv commit
- Handle non-master bitbucket branches in ChangelogFinder
- Fall back to looking for changelog on specific tag if it can't be found on master
- Python: Bump Pipenv to latest commit
- Docker: Retry rogue 404s from dockerhub
- Python: Lock git dependencies during Pipenv updates
- Python: Handle Pipfiles without a source block
- Better GitHub repo regex (taken directly from Octokit)
- Python: Try setting a longer pip default timeout
- Python: Raise a resolvability error for unsupported dependencies
- Go (dep): Fix fsnotify-related bug in the update checker
- Python: Handle path dependencies in Pipenv everywhere
- Bump poetry from 0.12.9 to 0.12.10
- Use latest Pipenv commit and remove workaround
- npm: ignore platform and engine checks on install
- Python: Fetch path dependencies listed in Pipfile
- Python: Mark fetched path dependencies as support files
- Python: Workaround Pipenv bug (caused issue for new Python version installs)
- Python: Use latest pipenv commit (prep for imminent release)
- Dep: Silence a relatively hard-to-reproduce dep panic
- PHP: Fetch auth.json (in preparation for using it)
- Handle a nil that previously wasn't being handled
- Don't assume a `~/.gitconfig` exists
- Go (dep): handle fsnotify bug
- Fix some issues relating to git credentials configuration
- Python: Interpret additional pip-compile error as tell that Python 2.7 should be used
- Ruby: Handle calls to Find.find in gemspecs
- Ruby: Smarter gemspec sanitization (wrap require lines in error handling, rather than deleting them)
- Ruby: Better readlines replacement
- .NET: Assume unfound properties are up-to-date
- Ruby: Sanitize File.readlines from gemspec
- Python: Better checking of Python version when using Pipenv
- Python: Handle python requirements with an || in pyproject.toml
- JS: Fix dependency updates with os requirements (npm)
- Trim spec.files in gemspec, speeding up docker development
- Fix typo in Poetry updater
- Python: Another attempt to fix poetry
- JS: Handle outdated git source in lockfile
- Python: Try updating pip for installing requirements
- Python: Install all requirements for different python versions
- Go (dep): ignore some tricky git dependencies
- Maven: Allow version updates that come via a parent_pom
- Python: Sanitize pyproject.toml files before running Poetry
- Rust: Handle git sub-dependencies
- .NET: Handle unfound property versions in VersionFinder
- Python: Bump poetry from 0.12.8 to 0.12.9
- Elixir: Handle unevaluatable Mixfiles
- Docker: Handle Dockerhub 404s when looking up latest version digest
- JS: Handle unreachable git dependencies in Yarn lockfile updater
- PHP: Raise dependency file not resolvable if tarball can't be downloaded
- Switch back to using --global for git configuration
- JS: Handle no lockfile when completing npmrc
- JS: Raise git not reachable for ssh://git
- JS: Handle environment variables in npmrc in unexpected places
- Go (modules): catch go.mod major version issues in the parser
- Ruby: Better gemspec sanitization (handle tapped blocks)
- .NET: Handle ruby-style requirement strings
- Python: Better Python version error handling for pip-compile
- JS: Remove comments before parsing package.json (they shouldn't be there anyway...)
- Python: Handle sub-dependency updates where the sub-dep is no longer required
- .NET: Don't raise for uninterpolated versions
- Raise Dependabot::OutOfMemory if Composer runs out of memory
- .NET: Handle requirement strings in .NET format
- Ruby: Handle Bundler 2 lockfiles
- JS: Make tarball protocol consistent when updating from http to https
- Python: Boost Pipenv timeout to 10 minutes
- Python: Update unsafe requirements if specified in pip-compile manifest
- Python: Protect against fetching the same file multiple times
- Python: Order pip-compile file resolution correctly when .txt outputs are imported
- Ruby: Use Bundler 2.0.0.pre.1
- Try to prevent Sentry from grouping all HelperSubprocessFailed errors
- Elm: Don't perform updates that require indirect dependency changes
- Handle changelogs which use a bullet point for each new version
- Ruby: Prefer fetching gems.rb to Gemfile
- Python: decrease timeout from 500 to 360 seconds
- JS: Mute sub-dependency version resolve errors
- Python: Set higher timeout for Pipenv
- Python: Clean up Pipenv error handling
- Python: Raise original error correctly depending on Python version in use
- Maven: Fix DeclarationFinder when looking up declaration in a pom with missing properties
- Maven: Handle property searches that use a range for the parent pom
- Python: Disable pipenv spinner in logs
- .NET: Longer timeout when hitting registries
- Rust: Retry timeouts from crates.io
- PHP: Respect COMPOSER_MEMORY_LIMIT environment variable
- JS: Handle tricky possible version comparisons
- Python: Switch to released version of pipenv
- Elm: Select elm resolver based on requirements
- Go modules: strip whitespace from parser errors
- Go: Better parser error handling for Go modules
- JS: Handle diverged npm/yarn lockfiles
- JS: Fix bug when using both npm5 and yarn lockfiles and updating a sub-dep
- Python: Pin to latest pipenv commit
- JS: Handle bad peer dependency requirements
- Python: Bump poetry from 0.12.7 to 0.12.8
- Python: Bump hashin from 0.13.4 to 0.14.0
- JS: Support updating npm sub-dependencies
- Python: Handle transition from a single hash to multiple in requirements file updater
- JS: Handle unmet peer dependency warnings in yarn
- JS: Add npm-shrinkwrap to list of files updated by file updater
- Python: More careful requirement file updating (handle no-binary flags)
- JS: Handle npm switches to insecure URLs
- Ruby: Simpler error message from FileFetcher
- Python: Handle quote characters when fetching path dependencies
- Python: Bump poetry from 0.12.6 to 0.12.7
- Python: Don't confuse git reference with path references when fetching files
- Use ESLint style commit messages if they're currently in use
- JS: Retry transitory errors in SubdependencyVersionResolver
- JS: Retry another transitory error in YarnLockfileUpdater
- Python: Better handling of cases when attempting a pip-compile update would cause errors
- Elixir: Better error checking (raise based on original reqs)
- Elixir: Handle resolution failure for git dependencies
- Elixir: Raise DependencyFileNotResolvable error for unresolvable mixfiles
- JS: Better whitespace escaping
- PHP: Handle packages that require themselves
- JS: Fix sanitization when a slash character is being escaped
- JS: Better parsing of private registry URLs
- JS: Bump yarn from 1.12.1 to 1.12.3
- .NET: Parse and update nested packages.config files
- .NET: Fetch packages.config files from any directories specified in .sln files
- JS: Fix yarn lockfile for githost shorthand installs
- JS: Don't consider previously failing peer dependencies when finding latest resolvable version
- Rejig semantic prefix detection
- JS: Don't try to version resolve git dependencies
- JS: Better caching in UpdateChecker
- JS: Handle complicated requirements
- Python: Fetch path dependencies with paths that don't start with a '.'
- Fix merge conflict issue in FileFetchers::Base
- Python: Bump poetry from 0.12.5 to 0.12.6
- JS: Handle version resolution for sub-dependencies when not updating manifest
- Add a common interface for provider client (thanks @codisart)
- Python: Handle or conditions in Poetry python requirements
- JS: Stop downloading node_modules when checking yarn peer deps
- Docker: Handle ignored versions
- Ruby: Better error handling if Gemfile isn't present
- Ruby: Fix typo in FileParser
- Ruby: Handle assignment to an integer in GemspecSanitizer
- JS: Fix bug in peer dependency checks for yarn
- Ruby: Handle gems.rb and gems.locked
- JS: Log all peer dependency warnings from yarn and npm
- .NET: Don't assume lowest version is the current one in file parser
- Python: Handle sub-dependencies that appear in a requirements.txt
- JS: Better peer dependency regex for npm
- JS: Better git dependency handling in peer dependency checker
- go: only download packages with go get, don't build them
- Maven: Check whether property being updated has the same source
- Maven: Store property source in metadata, as well as name
- Go: Fix go.sum updating
- Docker: Include registry details if auth failure happens on Docker Hub
- Maven: Handle range requirements for parent when finding custom repositories
- Rust: Raise an error when trying to operate on a non-root part of a rust workspace
- JS: Add workaround for git dependency library updates
- Gradle: Handle dependency set updating when the dependency set has been updated already
- Python: Don't write .python-version when updating Pipfile or pip-compile files
- PHP: Bump composer/composer from 1.7.2 to 1.7.3
- JS: Hot fixes for VersionResolver
- JS: First attempt at handling JS peer dependencies
- Handle case with no previous dependabot PRs
- Use `chore` as semantic commit message if it is being used
- Yarn: Fix resolved url in lockfile for dependencies installed from GitHub using the shorthand syntax (without host)
- Python: Handle upper bound changes when new version has fewer digits than old one
- Python: Handle custom python versions when using Poetry
- JS: Bump yarn from 1.10.1 to 1.12.1
- Python: Don't use python-version declared in .python-version file
- JS: Save some requests when fetching path dependencies
- Python: Bump poetry from 0.11.5 to 0.12.5
- Add Azure as a known source
- Rust: Handle yanked versions in UpdateChecker when not using a lockfile
- Python: Handle 403s more intelligently in UpdateChecker
- Rust: Handle resolvability errors that exist in the initial requirements
- .NET: Look up property values that include further indirection
- .NET: Store the root property name when parsing dependencies (not the top-level one)
- Elixir: Ignore nonexistent apps_path
- JS: Consider global registry in RegistryFinder
- JS: Handle timeout errors from private registries in FileUpdater
- JS: Fall back to global registry, rather than registry.npmjs.org, in RegistryFinder
- Maven: Raise a PrivateSourceAuthenticationFailure if auth stopped us finding any versions of a dependency
- Maven: Don't hit password protected registries without password
- Maven: More careful caching of dependency metadata in VersionFinder
- Python: Make requirement updating logic depend on whether a lockfile is present
- Python: Only update poetry dev dependency requirements if the update is required
- Python: Raise a DependencyFileNotResolvable error for yanked dependencies
- Rust: Handle invalid names in manifest files (assuming no lockfile)
- Ignore merge commits when determining whether conventional commits are in use
- Go: Add method to look up Go paths without using Go (for environments where we don't have the binaries)
- dep: rewrite vcs remote lookup in go using native library
- Paginate through long lists of labels
- JS: Don't update the attribute for git dependencies in npm6 lockfiles
- Rust: Guard against trying to update dependencies with multiple source types
- Go (modules): Update the go.sum if present
- JS: Use lockfile to determine global registry if a .yarnrc exists but doesn't specify it
- Python: Use pip-tools' --allow-unsafe option when required
- Python: Fix typo
- Python: Handle Pipenv updates that need Python two
- Go: Add go_modules into the metadata finders map
- Go: Less broken support for Go modules, now in a separate package manager
- Python: More Python version management
- Python: Don't use a user's .python-version when running our own python helpers
- Elixir: Better timeout logic
- JS: Add test that having a frozen Yarn lockfile doesn't affect file updating
- Python: Better Python version detection, and management
- Java: Normalise date versions before comparing
- Python: Fetch .python-version files
- Elixir: Don't overwrite @latest_resolvable_version in UpdateChecker
- Python: Add an additional Pipenv retry
- Elixir: Handle (ignore) timeouts
- JS: Switch all ssh URLs to ssl when updating a package-lock.json
- Ruby: Handle ignore requirements which prevent the current version
- Reject changelog candidates that have an invalid encoding
- .NET: Ensure Directory.Build.props is fetched
- Python: More robust pip config file updating
- Python: Check resolvability of all requirement files in PipCompileVersionResolver
- Python: Recursively determine order to compile pip-compile files
- Python: Catch another equality matcher case
- Python: Handle cascading pip-compile requirements when updating files
- Python: Better handling of pip-compile errors during version resolution
- Python: More robust child requirement file path building
- Gradle: Handle dependency sets nicely in PR creator
- Gradle: Add support for dependencySet dependencies
- Python: Handle Poetry file updates without a lockfile
- Handle directory paths that instead point to a file
- Ruby: Handle equality matcher when determining required comment change
- Java: Trim v-prefixes from version strings when comparing
- JS: Handle 401s in same way as 403s when updating npm lockfiles
- JS: Raise a PrivateSourceAuthenticationFailure error when we can't find deps from private sources
- Ruby: More careful sanitization of gemspecs
- Python: Raise original error if retrying on Python 2.7
- Python: Add Cython as a dependency
- Python: Stricter index finding regex
- Python: Ensure local version is unset after each check
- Python: Support poetry.lock
- Python: Less strict suffix removal
- Python: Switch to Pipenv 2018.10.13
- Python: Handle unfixable requirements gracefully
- JS: Ensure lockfile updates for Yarn workspace have the correct requirements
- Rust: Don't unlock versions in support files during update check
- JS: Handle dist tags when updating the lockfile only
- Handle unexpected 409s from GitHub when fetching files
- JS: Better expansion of workspace paths (fix paths starting './')
- JS: Handle git dependencies without a resolution in the lockfile
- JS: Handle git dependencies where the resolved source uses a slash, not a #
- .NET: Handle dependency_urls tags that start with a number
- Python: Handle single equality sign matcher (Poetry)
- Ruby: Sanitize gemspec version property when assigned to `File.read(..)`
- Python: Use git commit for pipenv
- Bump Python and Go versions, and add LANG environment variable (Dockerfile)
- JS: Add first version of Yarn subdependency updating
- Update Pipenv to 2018.10.9
- Prefer lower versions when parsing dependencies into DependencySet
- JS: More multiple-source handling
- Python: Handle replacement for strings separated with a period
- PHP: Mark Composer path dependencies as support files
- Make GitCommitChecker more lenient about multiple git sources
- Python: Bump pip from 18.0 to 18.1
- Python: Bump pip-tools from 3.0.0 to 3.1.0
- Rust: Handle dependencies with multiple sources in file fetcher
- Bump Bundler and Rust versions in Dockerfile
- Go: More robust git source lookup
- JS: Handle npm bug (by serving a resolvability error)
- Python: Ensure Pipenv uses Pip 18.0
- Ruby: Don't update to pre-release versions during full_unlock
- JS: Stricter source finding
- Elixir: Handle `nil` requirements in file preparer
- JS: Handle outdated git requirement in parser
- JS: Handle yarn workspaces that use nohoist
- JS: Use yarnrc file to build basis of npmrc file if present
- Python: Fetch Pipenv, Poetry and pip-tools files first
- If multiple changelogs are present, pick one that includes the version
- Docker: Don't try to handle SHA versions even if there is a 'latest' tag
- Docker: Exclude versions that are just a SHA
- PHP: Detect OR separator in use and replicate it
- Docker: Add filter for SHA-like suffixes to Docker version checking
- Python: Better file updater requirement comparison
- JS: Ignore dependencies with multiple sources
- Docker: Don't assume that private registries use 'libraries' prefix
- Docker: Speed up UpdateChecker
- Introduce new `support_file` attribute on DependencyFile instances
- Python: Ignore dependencies with a < or <= python version marker
- Better PR number sanitization
- Docker: Handle 403s during tag and digest fetching
- More robust Bitbucket commit lookup
- JS: Handle npm lockfiles that specify a numeric version for a git dependency
- Docker: Handle 403 responses when authenticating
- Docker: Handle AWS ECR hosted images
- Elixir: Always use 3dp when using >= matcher
- Elixir: Improve check_update logic
- Ruby: Sanitize require_paths, rather than require_path
- Ruby: Sanitize `require_path` in gemspec
- Take even more care when processing upload packs
- Python: More precise lookup of requirement to update in requirements.txt
- PHP: Raise PrivateSourceTimedOut error if private sources time out
- Add BitBucket support in FileFetcher
- JS: Consider shrinkwraps when trying to determine a version
- More robust lookup of branch/ref git SHA
- JS: Handle workspace path that is just an asterisk
- Ruby: Only fetch path gemspecs once
- JS: Add version and private keys to helper package.json files
- JS: Bump @dependabot/yarn-lib from 1.10.0 to 1.10.1
- JS: Better check for Yarn version
- JS: Bump @dependabot/yarn-lib from 1.9.4 to 1.10.0 in /helpers/yarn
- JS: Retry 500s from registry using different auth strategy
- JS: Handle multiple private registries with the same host
- JS: Remove npm bug workaround
- Handle multiple GitHub credentials
- Ruby: Don't sanitize gemspec descriptions (may be used alongside summary)
- Go: Handle +incompatible suffixes
- Python: Bump pip-tools from 2.0.2 to 3.0.0 in /helpers/python
- Ruby: Handle HEREDOC strings when sanitizing gemspec
- Ruby: Fix tests and gemspec sanitization
- JS: Handle private registries that end with a trailing slash
- Better error path sanitization
- Ruby: More aggressive gemspec sanitization
- .NET: Exclude dependency declarations that use interpolation
- Python: Handle names that need to be sanitized when looking up in Pipfile.lock
- .NET: Handle multi-dependency property updates
- .NET: Handle inherited properties in FileUpdater
- .NET: Handle inherited properties in PropertyValueFinder
- Go: Better determination of whether a dependency is using Dep
- .NET: Fetch Directory.Build.props files
- Docker: Remove unneeded "type" key in source details
- Rust: Recognise branch not found errors and raise them
- Ruby: Sanitize gemspec by removing all File.read calls
- Always sanitize file paths in errors
- Gradle: Stricter regex for groupId and artifactId parts
- Python: Fix bug in Poetry file preparation
- Go: Add workaround for Dep bug with gopkg.in/fsnotify.v1
- Gradle: Stricter regex for groupId and artifactId parts
- Python: Pip Poetry git dependencies correctly
- Maven: Use Maven default groupID when parsing plugins that don't specify one
- Maven: Handle plugins which don't specify a groupId in FileUpdater
- BREAKING: Update the base branch of a PR when updating it, if necessary. If you weren't passing a `Source` with a branch when updating PRs which had a custom base branch you will now need to
- Maven: Allow multi-dependency property updates where some deps can't be found
- Maven: Update setting parser regexp to quote project name
- Gradle: Better property value parsing (fixes FileUpdater regex problem)
- Rust: Ensure FileUpdater only updates version of the dependency being considered
- Gradle: Ignore commented out declarations in settings.gradle
- Gradle: Ignore missing projects
- Gradle: Handle custom path declarations in settings.gradle
- Python: Raise same error for all dependencies if handling resolution issue
- JS: Handle badly specified requirements more gracefully
- Go: Handle switches from git source to version source when using a go.mod
- Fix Dependabot::Source regex
- Go: Specify a branch when parsing git dependencies (even if nil)
- Gradle: Update properties that are inherited
- Go: Assume go.mod dependencies are being pinned to a ref if using git version
- JS: More specific package.json section updating
- JS: Update peer dependencies if updating a dev dependency
- Go: Parse git dependencies in go.mod as git dependencies
- JS: Don't attempt to update symlinked dependencies
- JS: Remove JFrog workaround
- JS: Add workaround for JFrog bug
- Rust: Consider `replace` section when determining path dependencies to pull down
- Go: Fix modules parser import (and add test)
- Bump Rust version in Dockerfile, and remove Java, Gradle and Groovy
- Go: Handle Gopkg.toml files without any constraints
- JS: Update npm-shrinkwrap files
- Gradle: Ignore dependencies that use properties we can't find
- .NET: Parse property versions
- .NET: Handle property value updates in FileUpdater
- .NET: Only attempt to update properties that affect a single dependency
- Go: Add PathConverter util and use it in UpdateChecker and MetadataFinder
- Go: Strip v from parsed go modules versions
- Go: Add "v" prefix to go.mod versions in FileUpdater
- Go: Add initial support for modules
- Gradle: Don't allow '@' characters in dependency names
- Maven: Evaluate properties in Maven repos whenever possible
- Gradle: Handle wildcard requirements in Utils::Java::Requirement
- Gradle: Update dynamic version requirements correctly
- Maven: Fix requirement updating for versions with multiple dashes
- Gradle: handle properties prefixed with `properties`, too
- Gradle: Update lines that include a property in their name
- Gradle: Better property lookup logic
- Gradle: Look up repository URLs based on the current project and its root
- Gradle: Don't parse Gradle Witness lines
- Gradle: Don't update SHA versions
- Gradle: Strip out comments before parsing files
- Gradle: Ignore bad URLs
- Rust: Handle creating versions from existing versions
- Gradle: Switch dependency and repository parsing to be regex-based
- Rust: Don't error on versions with build metadata
- .NET: Handle .nuproj file dependency declarations
- Gradle: Use regex to parse settings.gradle
- .NET: Handle bespoke project extensions
- Better monorepo handling in ReleaseFinder
- .NET: Handle custom feeds without authentication details
- Ruby: Update subdependencies to a specific version
- .NET: Actually cache latest_version_details
- .NET: Ensure requirements don't change if req stays the same
- JS: Handle 403s in NpmLockfileUpdater
- JS: Handle npm inconsistencies better when updating Yarn lockfiles
- JS: Better sanitization of escaped whitespace
- .NET: Process repos even if all dependency files can't be fetched
- BREAKING: Rename `nuget_repository` credential to `nuget_feed`
- Python: Minor parsing improvement
- PHP: Handle packages provided by another package
- Python: Implement PEP-0503 properly (replace runs of characters with a single dash)
- Python: Add workaround for Pipfile.lock not normalising quoted names fully
- Python: Stop swallowing errors when parsing setup.py
- Python: Add alternative approach to parsing setup.py files
- Python: Fall back to new parsing approach in setup.py sanitization
- Elm: Treat indirect dependencies as sub-dependencies
- Elm: Raise DependencyFileNotParseable errors for invalid JSON
- Elm: More error handling in update checker
- Elm: Use Elm 0.19 update checker if an elm.json is present
- Elm: Add elm.json to the list of updated files for Elm
- Add support for Elm 0.19
- Updates the container Dependabot Core uses to v0.1.31 (which includes both Elm 0.18 and Elm 0.19)
- .NET: Switch to using search endpoint to find versions for v3 repos. Means that unlisted dependencies will be excluded
- .NET: Exclude unlisted dependencies fetched using v2 API
- Ruby: Handle rubygems responses without a source_code_uri key (happens for private repos)
- Python: Handle invalid requirements in requirements.txt files
- Python: Normalise name before checking if dep already exists
- Go: Clean up not found regex
- Ruby: Handle source_code_uri directories correctly
- Go: Better regex for dep repo access issues
- Rust: Don't prune out toolchain unnecessarily
- Rust: Raise error if nightly version required and no rust-toolchain provided
- Python: Ignore git dependencies for Poetry (for now)
- Assume no prereleases for git dependencies without a tag
- Python: Raise a resolvability error for bad Python ranges in Pipfile
- Python: Sanitize setup.py before use with pip-tool in UpdateChecker
- Python: Sanitize setup.py before use with pip-tool in FileUpdater
- Ruby: Handle gemfiles that are just a comment in GemfileChecker
- Exclude pre-release tags in GitCommitChecker
- Python: Don't parse dependencies that won't be updated in FileUpdater
- Truncate long commit message subject lines
- Make Python label colour less ugly
- Use source API endpoint in labeler
- Bump poetry from 0.11.4 to 0.11.5
- Docker: Store tag when parsing Dockerfile
- Docker: Update source tag in UpdateChecker
- Docker: Do file updating based on changes to requirement sources
- Elixir: Handle multiline declarations that need to be updated
- Ruby: Handle gemspec updates when Gemfile has no default source
- Ruby: Handle JFrog permissions error
- Terraform: Swap error class
- Terraform: Raise resolvability error for invalid registry sources
- JS: Look for path dependencies that start with "/", too
- JS: Parse file dependencies that start with a '/' as file dependencies
- JS: Fetch / create path dependencies that don't prefix 'file:'
- Ruby: Upgrade list of known rubies, and raise if unsatisfied
- Update DockerRegistry client, and use new digest method
- Docker: Update digest logic
- Docker: Handle digest-only updates in PR creator
- Python: Handle hash versions in FileParser
- Python: Update requirements.txt if it is an output from Pipenv
- Python: Parse Pipfiles without a Pipfile.lock
- Python: Parse dependencies from multiple sources
- Python: Allow Pipfile without Pipfile.lock in FileFetcher and FileParser
- Python: Handle Pipfiles without a Pipfile.lock in FileUpdater
- Python: Firm up logic around resolution manager selection in UpdateChecker
- Python: Firm up logic around resolution manager selection in FileUpdater
- Python: Add test for FileUpdater with only a Pipfile
- Rust: Fetch rust-toolchain file if present
- Rust: Write rust-toolchain before shelling out to cargo
- Python: Don't double-wrap git credentials
- Python: Catch bad reference errors and raise them as such
- Python: Raise a GitDependenciesNotReachable error for unreachable Pipfile deps
- Python: Set git credentials before resolving Pipfiles
- Python: Handle edited Pipfile.lock in file preparer
- Python: Handle Pipfile.lock with string versions
- Add files ending in tfvars to updated_files_regex
- Terraform: Handle Terragrunt files, too
- Java: Handle properties with numeric components more sensitively
- Docker: Consider tags of latest version when determining if release is a pre
- PHP: Ignore errors that happened during lockfile generation, as long as lockfile generated successfully
- Python: Appease pip-tools, and spec that requirements are included
- Python: Remove pbr requirement
- Python: Add pbr as a requirement
- Python: Sanitize setup.cfg, too
- JS: Bump npm from 6.4.0 to 6.4.1
- Python: Fetch setup.cfg if present
- Python: Check whether setup.py is using pbr
- Python: Handle setup.py files that use a name == 'main' structure
- Java: Handle hard requirements
- Java: Extend requirement class to understand range requirements
- PHP: Better handling of git sources
- Java: Handle bad GitHub URLs in POMs
- Handle changelog headers that start with ==
- Rename bump_versions_if_needed to bump_versions_if_necessary
- Pass preview header when creating dependencies label
- Terraform: Add proper requirements updater class that ensures `~> ...` requirements are updated properly
- Terraform: Add version and requirement classes to preserve pre-release formatting
- Python: Sanitize setup.py for use with Pipenv
- Terraform: Handle registry dependencies in update checker
- Terraform: Handle config files with a duplicated git source
- Terraform: Return Gem::Version objects from latest_version, not strings
- Terraform: Parse version out of git reference
- Terraform: Test requirements_unlocked_or_can_be? method (and fix it!)
- Terraform: Initial support
- Python: Handle unmet markers in a pip-compile requirements file
- Ruby: Handle out-of-sync git version for dependency
- Docker: Handle nonexistent directories
- Elm: Update version finder to handle new Elm website (now with JSON API!)
- JS: Add InconsistentRegistryResponse error, and raise it when npm can't yet use latest release
- JS: Handle empty package-lock.json when updating a git dependency
- Docker: Fetch custom named files (as long as they contain "dockerfile")
- Docker: Handle parsing multiple files in FileParser
- Docker: Update multiple files at once in FileUpdater
- Docker: Handle requirement changing in some files but not all
- Docker: Parse multiple identical FROM lines in a Dockerfile as a single dependency
- Ruby: Bump Bundler to 1.16.4. This is considered a BREAKING change as you will need to update the Bundler version in whatever environment you run Dependabot in
- Docker: Raise PrivateSourceAuthenticationFailure error for private registries on dockerhub
- Make dependencies label regex looser
- JS: Nicer JS label colour
- Ruby: Sanitize gemspecs more thoroughly
- .NET: Handle csproj PackageReference lines that specify an Update, not an Include
- Ruby: Less ugly label colour
- Add option to label language when creating PRs
- Java: Better repo lookup (handle monorepos much better)
- Label PRs with major, minor and patch if those labels exist
- JS: Handle path dependencies specified by workspace packages
- Ruby: Ignore timeouts from Rubygems
- Python: Handle empty versions (convert them to 0)
- Escape issue number references prefixed with a backslash
- PHP: Upgrade Composer to 1.7.2
- JS: Retry more timeouts if Yarn resolution fails
- Ignore existing dependency labels that contain a slash when checking for default
- Symbolise requirements_update_strategy before passing to RequirementsUpdater
- JS: Minimal sanitization of package.json content everywhere, with tests
- JS: Minimal sanitization of package.json content
- Python: Detect poetry libraries
- Python: Parse private poetry sources properly
- Python: Always bump the version of Poetry dev dependencies
- Python: Add poetry definition for production deps
- Java: Handle timeouts when looking up metadata
- Python: Handle Poetry requirements better
- .NET: Handle wildcard versions
- Bump groovy-all from 2.5.0 to 2.5.2
- Accept a custom branch name separator
- Python: Handle || requirements (used in Poetry)
- Python: Add poetry files to rebase triggering regexes
- Revert "Fix flaky spec using SharedHelpers.in_a_temporary_directory"
- Python: Handle pyproject.toml requirement updates
- Python: Handle ~ and ^ requirements (for poetry)
- JS: Improve caret version handling
- Python: Handle unparseable pipfile when fetching indexes
- Ruby: Don't raise error if locking Ruby version to one in gemspec causes problems
- Python: Rescue JSON::ParserError, not JSON::ParseError
- Python: Fix missing method
- Python: Add initial support for Poetry
- Go: Make requirement update style configurable
- Rust: Better support for glob workspace declarations
- Ruby: Fix requirement replacer when no previous requirement is passed
- Ruby: Maintain whitespace before comments in Gemfile / gemspec
- Python: Handle subdependencies in PipfileVersionResolver
- Add requirements_update_strategy option to UpdateChecker, and use it to determine how to update JS requirements
- BREAKING: Pass target branch via source, rather than as a separate option, when passing it to PullRequestCreator
- Better directory lookup in Dependabot::Source
- BREAKING: Pass target branch via source, rather than as a separate option, when passing it to FileFetcher
- Python: Raise DependencyFileNotParseable error for unparseable Pipfiles
- Ruby: Don't accidentally unlock other top-level dependencies in FileUpdater
- JS: Don't raise a resolvability error if package.json is currently resolvable
- PHP: Bump composer/composer from 1.7.0 to 1.7.1
- Add milestones to PRs if requested
- Ruby: Handle git sources that multiple dependencies use
- Ruby: Reject dependencies that don't update in ForceUpdater
- Ruby: Use (simple) custom unlocking logic in UpdateChecker
- Ruby: Handle another category of yanked subdependencies
- Ruby: Patch Bundler to avoid mutating conflict trees
- PHP: Always write PHP errors on shutdown
- PHP: Better error text for composer plugin clashes
- PHP: Handle incompatible flex versions
- PHP: Bump Composer to 1.7.0
- .NET: Use v2 API to look up the latest version when required
- .NET: Ignore v2 package APIs for now
- Elm: Don't update groups to nil
- Elm: Return an empty array for groups, not nil
- Elm: Fix file fetcher method dependence
- Elm: Initial support (v0.18 only)
- Ruby: Unlock all subdependencies when checking for resolvability
- JS: Prioritise getting version for package.json's requirement
- JS: Handle subdependencies that import a git dependency properly
- Add PHP extensions to dockerfile
- Refactor JS file updaters into separate classes
- Bump npm from 6.2.0 to 6.3.0
- Ruby: Handle custom default sources correctly in LatestVersionFinder
- Ruby: Handle updates blocked by a subdependency in the FileUpdater
- Maven: Use packaging type 'pom' for parent nodes
- JS: Handle git:// dependencies that upgrade across versions
- JS: Raise error if no files change in FileUpdater
- Elixir: Handle projects without a mix.lock
- Rust: Update feature build-dependencies
- Maven: Raise DependencyFileNotFound for missing modules
- JS: Back to Yarn 1.9.2 (now fixed!)
- JS: Revert Yarn upgrade, until yarnpkg/yarn#6174 is fixed or handled
- Python: Fetch all .txt and .in files and check if they're requirement files, as well as all .txt and .in files nested one repo deeper
- Go: Use go-get=1 trick to find git source URLs for unrecognised names
- Go: Ignore constraints for dependencies that don't appear in the lockfile
- JS: Update npm sub-dependencies
- Go: Handle projects that import themselves in their main.go
- Maven: Don't fetch child poms stored in submodules (we can't update them)
- Maven: Handle submodules when fetching files
- Maven: Fix release checking so it actually checks the file type
- JS: Change library behaviour back for repos without a lockfile
- Go: Use GOPATHs in temp dirs when shelling out to dep
- Go: Make updated version format match original format when using tags
- Go: Don't parse version as a requirement for git dependencies
- Go: Protect against nil `latest_resolvable_version` (for previous rubygems version)
- Go: Handle dependencies that specify a tag as a version
- JS: Handle substring git reference versions
- Gradle: Silence persistent bug (replace with pending spec)
- Go: Raise Dependabot::GitDependenciesNotReachable error for unreachable git dependencies
- Go: Better library detection (pull down all top-level Go files)
- Go: Update app requirements differently to library requirements
- Elixir: Use Elixir v1.7.0 (which includes hex resolver changes)
- Go: Make use of new information in dep v0.5.0 lockfiles, if available
- Go: Update dep behaviour to work with dep v0.5.0 (i.e., create digests)
- Go: Fix file update generation for branches
- Go: Don't try to lock revision for branch updates
- Go: Don't import internal packages
- Go: Import all packages that were used in lockfile
- Go: Handle git dependencies correctly in metadata finder
- Go: Import packages, not projects
- Go: Initial support (no vendoring, library-style manifest updates)
- Ruby: Handle "." paths in the lockfile
- Rust: Fix path dependency sanitization in FileUpdater
- Fetch more files on GitLab
- Rust: Better handling of workspace errors
- JS: Handle git dependencies with auth details embedded in URL
- Rust: Don't update versions in path dependencies
- Ruby: Don't error for outdated lockfile git dependencies
- Ruby: Preserve non-standard ordering of git dependencies in lockfile
- JS: More sophisticated handling of globs when considering workspaces / Lerna files
- JS: Handle path expansion of multiple asterisks
- JS: Store version as git SHA for git dependencies using Yarn
- JS: Fall back to when an updated version can't be found
- Gradle: Handle dependencies that aren't listed in Google's repository
- Python: Raise a resolvability error if original Pipfile can't be resolved
- JS: Better handling of lerna requirements in FileUpdater
- JS: Add details of the file that was being updated when an error occurred
- Ruby: Special case handling of Bundler in UpdateCheckers::LatestVersionFinder
- JS: Overwrite npm's checkPlatform method
- Ruby: Set git credentials before trying to find latest version of git dependency
- JS: Ignore aliased dependencies (for now)
- .NET: Handle directory deletions in FileFetcher
- .NET: Handle updates for imported property files properly
- Ruby: Don't artificially insert Bundler version in FileParser
- Handle rare case where filtering releases yields an empty array
- Fetch 100 last releases in MetadataFinder, not 30
- JS: Don't try to update workspace packages
- JS: Don't double-fetch path dependencies
- Fix blank line after truncated vulnerability details text
- Ruby: Use Bundler 1.16.3
- JS: Ignore bad npm responses for git dependencies
- Handle commit messages where the entire message is just a linebreak!
- Handle commit messages that start with a linebreak
- PHP: Handle 403s in FileUpdater
- JS: Handle missing package errors better
- JS: Raise DependencyFileNotEvaluatable for workspace errors
- Dockerfile: Switch to gnupg2
- JS: Bump npm
- Python: Allow single component versions with a pre-release
- JS: Treat temporary npm 500 as a 404
- Ruby: Handle rubygems server timeouts in MetadataFinder
- Python: Handle whitespace in pip compile requirements
- Ruby: Automatically retry some Bundler errors
- Dockerfile: Use Ubuntu 18.04
- Ruby: Fix inconsistency between UpdateChecker and FileUpdater that caused rare bug
- JS: Handle 405s from registry when checking git dependencies
- JS: Relax requirement that all workspaces specified in package.json are fetchable
- JS: Better handling of Lerna lockfiles (not all will need to be updated)
- JS: Add support for Lerna. Dependabot will now pull down your lerna.json file, parse it, and pull down all of the relevant packages for your project. Dependabot PRs for repos using Lerna will update all of your packages at once (if you'd prefer to receive a single PR per package you can manually add each package as a separate directory in Dependabot).
- JS: Exclude prereleases of next version when building ruby req of caret requirement
- JS: Parse Yarn lockfiles to build path dependencies, too
- Ruby: Don't try to rescue using a string
- JS: Build an imitation path dependency package.json when required
- PHP: Handle empty lockfiles
- Don't misinterpret GitHub downtime as repos being more generally unreachable
- Rust: Fetch path dependencies for target-specific deps
- Python: Handle errors installing futures on Python 3
- Rust: Better file updating of feature dependencies (handle repeated case properly)
- Gradle: Correct caching of properties in FileParser
- Python: Handle requirements.txt dependency reqs that are a substring of another requirement
- Python: Handle pip-compile dependency requirements that are a substring of another requirement
- .NET: Handle PackageReference lines without a version requirement
- Rust: Handle updating multiple requirements in a single manifest file
- PHP: Don't error when updating subdependencies that are no longer required
- JS: Handle environment variables in npmrc URLs
- JS: Catch more git authentication / repo not found errors
- Python: Update Pipenv to 2018.7.1
- Python: More Pipenv woe. Revert version further (oops!)
- Python: Revert Pipenv version again :-(
- Rust: Handle yanked Rust versions in FileUpdater
- Elixir: more aggressive timeout handling
- Move git config logic into SharedHelpers
- Update Dockerfile for new PHP extension
- Fix git credential reset logic
- Update semantic-release commit messages to be compliant with @commitlint/config-conventional
- PHP: Handle composer.json files that ask for nonexistent path dependency repos but don't need them
- JS: Handle case where a subdependency introduces a git requirement
- .NET: Fetch ProjectReference files
- Python: Handle another form of Python 2.7 resolvability issue
- JS: Retry registry errors during yarn.lock update
- JS: Retry npm registry errors in VersionResolver
- Update GitLab default API endpoint to remove trailing slash
- Use source api endpoint in gitlab client for using self host gitlab
- JS: Set git credentials when switching from ssh to ssl in FileUpdater
- Python: Bump Pipenv version back to 2018.6.25 (with some special handling)
- Python: Use Python 2.7.15 instead of 2.7.14
- Python: Revert back to Pipenv 2018.5.18
- Label security fix PRs with a security label
- Handle changelogs with comparison links in their headers
- Add custom labels to PR as long as some exist
- Handle private GitLab sources in CommitsFinder
- Python: Use latest pipenv
- Maven: Find nested plugin dependency declarations
- PHP: Set git credentials when doing Composer updates (to handle no-api updates)
- PHP: Don't remove no-api settings from composer.json in FileUpdater
- PHP: Use GitHub API when resolving versions
- Add scope to semantic commit messages
- Better handling of monorepo tags
- JS: Replace all git url config when initially setting
- PHP: Switch ssh git URLs to use ssl instead
- JS: Clean up gitconfig changes even if error occurs
- JS: Handle more git URL types
- Add another PHP extension to dockerfile
- Clean up git config after Rust update checks
- JS: Fix FileUpdater for SSH URLs by setting git config
- Raise internal error if npm updates can't reach an ssh URL
- .NET: Keep track of the files we've fetched better (avoids duplicate requests)
- .NET: Allow repos with just a .sln file at the top level
- Ruby: More specific check for private registries
- Elixir: Pin erlang version in Dockerfile
- .NET: Ignore failed imports (until we handle properties we can't rely on the paths)
- .NET: Fetch project files referenced in .sln files
- Ruby: Retry more errors in FileUpdater
- .NET: Handle capitalisation of packages.config file
- .NET: Handle more dependency file names when considering rebasing
- Python: Fix requirement filtering when using pip-compile with uncompiled files
- .NET: Handle packages.config files in FileUpdater
- .NET: Add parser for packages.config dependencies
- .NET: Use credentials provided to access private repositories
- .NET: Fetch credentials from nuget.config file, too, if present
- .NET: Raise PrivateSourceAuthenticationFailure when auth fails for custom repos
- .NET: Set repo details as source in UpdateChecker (for use later in MetadataFinder)
- .NET: Use dependency source in MetadataFinder if present
- Java: Handle java-specific versions in Utils::Java::Requirement class
- .NET: Handle custom repositories (without auth details)
- Rust: Preserve pre-release formatting in Utils::Rust::Requirement
- Dotnet: First version of support for NuGet
- PHP: Handle OR requirements in new version_from_requirements check
- Improve issue tag sanitization
- Rust: Better detection of lowest version in requirement
- Rust: Handle latest_allowable_versions that are lower than the current version
- All: Add check that new version is greater than permitted by old requirements
- Python: Handle version ranges separated by commas in Python::Requirement
- PHP: Handle unparseable composer.json files
- JS: Avoid downloading huge version arrays when possible
- Rust: Ensure manifest-only setups don't downgrade
- Handle Requests changelog version underline character
- Ruby: Handle invalid Ruby in FileFetcher
- BREAKING: Rename PrivateSourceNotReachable to PrivateSourceAuthenticationFailure (since we now have PrivateSourceTimedOut)
- Docker: Permit non-standard registries without credentials
- Refactor specs
- Rust: Check for latest allowable version in UpdateChecker
- Elixir: Revert "Remove unused subdependencies after update"
- Elixir: Handle git dependencies in umbrella apps correctly
- Elixir: Remove unused subdependencies after update
- Ruby: Ignore bad responses when checking Ruby version compatibility
- First version of GitLab PR creator. This library can now be used by dependabot-script to create PRs on GitLab
- Add logging for strange type error
- Add GitLab support to PullRequestCreator::MessageBuilder
- Split GitHub logic out of PullRequestUpdater (turns out to be all of it!)
- Ruby: Handle timeouts when checking if Ruby version is incompatible
- PHP: Include additional extension in Dockerfile (ext-intl)
- Handle timeouts in Ruby metadata finder
- Add timeout defaults to all Excon calls
- PHP: Respect platform requirements if they are set
- Update groovy to 2.5.0, and add PHP extensions to Dockerfile
- JS: Better ignore of package-lock.json if asked to in .npmrc
- Ignore unprocessable entity errors when adding labels (work around GitHub bug)
- JS: Better sanitization of package.json in FileParser
- JS: Handle npm lockfiles with missing version information
- JS: Better caching in UpdateChecker
- JS: Handle package.json files with escaped whitespace
- Python: Bug fix - don't double-update compiled requirement files
- Python: Handle uncompiled requirement files in PipCompileFileUpdater
- Python: Resolve pip-compile sub-dependencies in the context of their compile files in UpdateChecker
- Python: Include requirements.txt requirement in parsed req if no pip-compile file
- Python: Handle sub-dependency updates within a pip-compile setup
- Python: Pull private sources out of Pipfiles for quicker update checking
- Python: Don't try to handle pip-compile subdependencies
- Python: Use requirements.txt updater in FileUpdater if sub-dep
- Python: Handle updating dependencies for which we can't find a latest version
- Python: Select resolution type based on dependency requirements, not files
- Maven: Handle versions without numbers in RequirementsUpdater
- JS: Better timeout error handling
- JS: Add timeout logic to version resolver
- JS: Raise PrivateSourceNotReachable error when a private source times out
- Rust: Handle blank requirements in FileParser
- Rust: Convert ssh URLs to https in UpdateChecker
- Rust: Handle ssh git dependencies in FileUpdater
- JS: Handle empty package-lock.json files
- JS: Fix replaceDeclaration function, and test that it works for tricky case
- Ignore failure to add team collaborators to PRs
- Maven: Handle versions that start non-numeric
- Maven: Check for a jar on repository before selecting a version
- Handle unlikely case of release without a tag name
- Gradle: Handle ignored versions
- Maven: Consider type suffix when determining version to update to
- Maven: Handle credential URLs with login details in UpdateChecker
- PHP: Fix bug in subdependency updates
- Elixir: Update to specific version in FileUpdater
- JS: Handle another npm error type
- Elixir: Consider ignore requirements when determining latest resolvable version
- Improve FilePreparer to lookup existing version from requirements
- JS: Handle git reference errors in FileUpdater
- Fall back to GitHub git data API for large files
- Elixir: Consider ignore conditions when determining latest version
- PHP: Catch out of memory errors in FileUpdater
- Python: Raise a DependencyFileNotEvaluatable for impossible requirements
- Maven: Continue processing if only some dependencies use inaccessible properties
- Maven: Clearer error message when property can't be found
- Ruby: Consider ignored versions when determining latest resolvable version. This might sound innocuous but it's a significant improvement over previous behaviour: if a user chooses to ignore Rails 5, for example, they'll now continue to receive updates to Rails 4 if/when they're released. This brings Ruby support in line with Python, PHP, Java and JS, where this is already offered.
- Java: More careful updating for property versions
- Ruby: Update to the version given in FileUpdater (don't just unlock)
- Ruby: Include upper bound in FilePreparer if given a latest_allowable_version
- Python: Preserve custom headers in pip-compile generated files
- Update rubygems and add libmysqlclient-dev to dockerfile
- Better version string sanitization for presentation of vulnerabilities
- PHP: Only catch out of memory errors in shutdown handler
- JS: Consider ignored versions when determining version to update to
- JS: Update FileUpdater to install a specific version
- PHP: Ignore ignored versions when checking latest version
- PHP: Consider ignored versions when determining version to update to
- PHP: Update to the specific version given in dependency.version in FileUpdater
- JS: Raise unhandled error if FileUpdater fails to find the version we're updating to
- PHP: Unlock subdependencies when updating top-level ones
- JS: Tailor authentication type for global registry based on credentials
- Maven: Handle multiple identical declarations
- JS: Use npm 6.1.0
- Gradle: Fix property updater
- Maven: Fix single-dependency property updating, and make RequirementsUpdater clearer
- Maven: Handle updating a dependency that is managed by multiple properties
- Maven: Preserve base directory when updating a property value
- Maven: Make DeclarationFinder more discerning (don't confuse property versions with straight declarations)
- Python: Add full stops to name sanitization regex in UpdateChecker
- Ruby: Retry version resolution if a private source may be to blame for a resolvability error
- Ruby: Remove unnecessary RuntimeError handling
- JS: More robust lookup of global registry
- JS: Add workaround for Yarn workspaces bug
- Ruby: Switch back to just using lockfile path dependencies if a lockfile is present (otherwise conditionals in the lockfile can cause problems)
- Python: Consider ignored versions when determining updates for pip-compile setups
- Better presentation of vulnerability details in PR description
- BREAKING Python: Use Python 2.7 with pip-compile if required
- Ruby: Augment lockfile path dependencies with gemfile ones
- JS: Handle 5xx responses from registry more gracefully in MetadataFinder
- JS: Handle timeouts from the registry more gracefully
- Ruby: Handle cases where only pre-release versions exist
- Identify changelogs headers underlined with ====
- Ruby: Consider ignored versions when determining latest version
- Python: Consider ignore conditions when calculating latest resolvable version for Pipfile
- Python: Consider ignored versions in UpdateChecker
- Maven: Raise a DependencyFileNotParseable error for missing properties
- Handle git URLs that already have credentials in GitCommitChecker
- Python: Unlock dependencies with non-normalised names correctly
- Python: Handle multiple-requirements that get reordered during file parsing
- Don't duplicate headers in release notes (check for them in release body)
- Use emoji in PR title for gitmoji commits
- Java (Maven and Gradle): Use short name for Java PRs
- Python: Handle non-unlocking case properly
- Python: Keep existing options when updating a requirements.txt file generated by pip-compile
- Handle switches from numeric to git sources (happens when lockfile is out-of-date)
- Python: Unlock bounds in pip-config files when necessary to update
- Python: Use normalised dependency names (rather than using the unnormalised name)
- Python: Add support for pip-compile files (i.e., `requirements.in` and friends). Initial support is very rough.
- JS: Handle "402: Payment required" responses from npmjs
- If token is likely to be Basic auth, use Basic auth
- Remove any "\n" characters from generated Basic auth tokens
- Elixir: Handle regex versions in FileParser
- Test against updated Elixir, Rust and Bundler
- Fix Bundler 1.16.2 change and remove redundant Rust tests
- Add test for JRuby support
- Maven: Exclude ignored versions when looking for version to update to
- Java (Maven & Gradle): Better metadata lookup (check parent for GitHub URLs)
- Maven: Support custom maven_repositories passed as credentials
- PHP: Handle dependencies replaced in composer.json
- Rust: Raise resolvability error if the lockfile can't be parsed
- Rust: Ensure correct versions are installed in FileUpdater by temporarily specifying them in the Cargo.toml
- Use gitmoji commit messages if repo uses them (thanks @mockersf)
- Rust: Update git tags if they look like versions
- Ruby: Rescue from unevaluatable gemspecs
- Ruby: Better gemspec filename lookup
- Rust: Add basic git dependency handling to FileUpdater
- Rust: Add basic git dependency handling to UpdateChecker
- Ruby: Use fetch when getting host from credentials
- Filter credentials on type everywhere
- JS: Handle socket errors when looking for registries
- Rust: Handle git dependencies in version resolver
- Rust: Add support for getting latest version of git dependencies
- Expect git_source credentials to have a username and password (not a token)
- Add tests that all requests to the public GitHub instance can handle not having credentials (since they may not do for Enterprise installs)
- Fix Dependabot::Source error when a string hostname was provided
- BREAKING: Require a type attribute for git source credentials
- BREAKING: Require a hostname when specifying an api_endpoint for a Dependabot::Source
- PHP: Set credentials for all known git sources (means private Bitbucket and Gitlab repos are now supported)
- Rust: Set credentials for all known git sources (means private Bitbucket and Gitlab repos are now supported)
- BREAKING: Expect a Dependabot::Source object as a FileFetcher argument
- BREAKING: Require Dependabot::Source to be passed to FileParsers (not repo string)
- BREAKING: Require Dependabot::Source as an argument to PR creator and updater
- Python: Bump pipenv from 11.10.4 to 2018.5.18
- Allow Dependabot::Source objects to be created with a custom API endpoint
- Make GitCommitChecker agnostic between GitHub, Gitlab and Bitbucket
- Use Bitbucket credentials in metadata lookup if present
- Ruby: Handle version assignment to a variable in gemspec sanitizer
- Prioritize longer credentials when looking for a match
- Handle redirects from http to https more robustly by excluding the default port
- Check if credentials have a host before trying to match on it
- Stop relying on being passed a credential type
- Update GitCommitChecker to auth with non-GitHub sources
- Support adding assignees to PRs
- Python: Handle arbitrary equality matcher
- PHP: Better handling of PHP plugins (don't disable them all)
- PHP: Disable plugins during install
- JS: Correct handling of Yarn workspaces specified with an object
- JS: Handle Yarn workspace specification that uses objects instead of arrays
- Handle reviewers hashes (rather than arrays)
- JS: Bump npm to 6.0.1
- Support a `reviewers` option when creating PRs
- PHP: Add support for path based dependencies
- Gradle: More accurate dependency parser
- Gradle: Ignore InnerClassNodes during parsing
- JS: Switch SSH for SSL in package-lock.json file updater
- Ruby: Don't include temporary path details in issue text
- JS: Switch ssh git URLs for https during resolution
- Rust: Set global credentials helper, with file in temporary directory
- Rust: Back to local config (init git repo first)
- Rust: Set global, not local, credentials helper
- Rust: Set GitHub credentials when doing update runs
- JS: Raise resolvability error for npm lockfiles which can't be resolved
- Python: Allow retries in Pipenv
- Python: Bump Pipenv to 11.10.2
- JS: Fix conversion of `*` requirement
- Handle Gradle projects with sub-projects
- Don't attempt to sanitize mentions with a / in them (they're scopes!)
- Python: Quietly ignore error when updating to a new version that has a bad setup.py
- Python: Bump Pipenv commit
- Gradle: Special case Google version lookup
- Python: Handle spaces before method calls
- JS: Retry calls to registry if they timeout
- Gradle: Handle custom repositories
- Gradle: Handle buildfiles with import statements
- Gradle: Upgrade groovy-all version
- Gradle: Better error messages when parsing fails
- Gradle: Fix helper path
- PHP: Bump Composer version
- BREAKING: Use Groovy to parse Gradle files. Please update the container you run dependabot-core in to have Groovy available (e.g., use the latest dependabot/dependabot-core container).
- Gradle: Handle property version updates
- Python: Improve error message when Pipfile can't be resolved
- Python: Raise error for unresolvable Pipfiles
- Ruby: Restrict force updates to Pareto improvements
- Ruby: Fix typo
- Create directory structure in temporary directories if required
- Ruby: Allow Gemfiles and gemspecs to include files with require_relative
- Sanitize branch names that would include dot-directories
- Ruby: Don't exclude updated dependencies from force updater
- Ruby: Raise error for unfetchable gemspec paths
- Elixir: Move requirements array logic into requirements class
- PHP: Better requirement updating (preserve dev branches in or requirements)
- Bump pipenv version
- JS: Handle `~>` requirement matcher (treat as `~`, rather than as Ruby `~>`)
- Java: Initial Gradle support (very basic)
- Handle very bad changelog encodings
- Python: More robust handling of bad index page responses
- Python: Handle bad URLs in metadata lookup
- JS: Don't jump across pre-release versions
- JS: Ignore deprecated versions when looking for source URL
- JS: Exclude deprecated versions when looking for updates
- Python: Handle version freezing for dependencies with extras more carefully
- Python: Use keep-outdated as well as freezing
- Python: Freeze dependencies manually, rather than with keep-outdated
- Python: Source repo finding improvements
- Clearer links to changelogs / release notes
- Minor improvement to changelog parsing
- Java: Look everywhere in the POM for a GitHub URL
- Python: Look at package homepage if URL can't be found in PyPI data
- Update PyPI URL for Warehouse
- BREAKING: Use pyenv to manage Python version. This requires an update to the setup you use to run Dependabot Core - see the updated Dockerfile (basically you have to have pyenv installed)
- Python: Write all dependency files when generating a new Pipfile.lock
- Python: Handle logging in setup.py (who would do that?!?)
- PHP: Handle errors caused by new npm-signature downloader type
- Python: Upgrade Pipenv to 11.10.1. Fixes some parser errors.
- Ruby: Update all ssh URLs to use HTTPS
- Python: Scrub updated source details from lockfile
- Python: Raise DependencyFileNotParseable for TOML that Pipenv can't handle
- Java: Find property versions in profile properties
- Java: Handle inaccessible repositories in UpdateChecker
- Java: Ignore repositories that aren't URLs
- Java: More robust file fetching
- Python: Handle private indexes timing out for requirements.txt dependencies
- Python: Raise PrivateSourceNotReachable errors for Pipfile sources that can't be reached
- Ignore changelogs which don't contain any relevant versions
- Reject blank tags / names during release finder lookup
- Python: Handle html index responses in MetadataFinder
- Java: Handle updates where the dependency appears multiple times, and one case is already up-to-date
- JS: Use npm6 when end-user repository is
- Java: Handle repeated dependencies in FileUpdater robustly
- Python: Raise PrivateSourceNotReachable for Pipfiles with environment variables but no config
- Python: Handle private registries in MetadataFinder
- Python: Handle private sources in Pipfile
- Java: Download parent POMs, when present, to allow property evaluation
- Python: Better error for requirement files that use an unrecognised option
- Java: Fix PropertyUpdater bug caused by incorrect declaration requirement selection
- Ruby: Update gemspec to latest resolvable version if using equality matcher
- JavaScript: Return the latest pre-release if it is specified in a latest tag and the user wants prereleases
- Java: Handle extensions in FileUpdater
- Java: Stricter property finding (tighter XPaths)
- Java: Evaluate properties whenever values are taken from POM
- Allow metadata key in dependency requirements
- Java: Store property name when parsing dependencies
- Java: Use stored property name everywhere
- Java: Fix typo in PropertyUpdater
- Java: Better title for multi-dependency PRs
- Java: Cache DeclarationFinder in FileUpdater to avoid repeated calls to repositories
- Java: Use Java DeclarationFinder to get property name consistently everywhere
- Java: Handle cases where parent POMs can't be fetched
- Java: Check custom repositories when looking for property declarations
- Java: Handle custom repositories in MetadataFinder
- Java: Better MetadataFinder CSS paths
- Java: Support use of custom repositories in UpdateChecker
- Java: Use main registry URL directly, not search API
- Java: Add comments for FileParser, and add extensions to list of updatable dependencies
- Elixir: Clean up requirement class
- Java: Add requirements_unlocked_or_can_be? method to UpdateChecker
- Java: Remove duplicated code between PropertyValueFinder and PropertyValueUpdater
- Java: Encode Maven URLs correctly in UpdateChecker and MetadataFinder
- Java: Handle remote parent poms in FileParser (will need work in UpdateChecker)
- Java: Fix error message when a property can't be found
- Java: Handle multimodule projects in FileFetcher, FileParser, UpdateChecker and FileUpdater
- JS: Don't truncate pre-release versions in RequirementsUpdater
- Ruby: Ignore gemspec versions specified with a constant
- Ruby: Handle projects that import multiple top-level dependencies
- Handle nil tag names in ReleaseFinder
- Move GemspecDependencyNameFinder namespace to FileUpdaters
- Elixir: Ignore irrelevant Elixir warnings
- Ruby: Better sanitization of path gemspecs
- Ruby: Don't fetch contents for repos nested in submodules
- Ruby: Handle submodule path dependencies
- Java: Handle whitespace in pom.xml declarations
- Accommodate difficult tag names in ReleaseFinder
- Java: Implement Java version comparison based on Maven spec
- Rust: Check for latest version differently when updating sub-dependencies
- Elixir: Add support for private repos
- Ruby: Less opinionated update for equality matchers in gemspecs
- Ruby: Require a latest_resolvable_version to update gemspec requirements
- Ruby: More robust ruby requirement parsing
- Java: Filter out date-based release numbers if that's not what's currently being used
- Java: Handle dependencies with multiple declarations in FileParser and UpdateChecker
- Ruby: Handle resolution error caused by Ruby's CompactIndex occasionally being unavailable
- Ruby: Cleaner path dependency fetching
- Handle overflowing tables when truncating pull request details
- Ruby: Handle file updates where the declaration is in an evaled Gemfile
- Move Dependabot::MetadataFinders::Base::Source to Dependabot::Source
- Python: Silence error output in Python file updater
- JS: Refactor UpdateChecker
- JS: Bump Yarn to 1.6.0
- JS: Update Yarn resolutions when updating a dependency that specifies them
- JS: Handle version requirements with a `v` prefix
- Python: Bump pip from 10.0.0.0b2 to 10.0.0
- Java: Handle POM updates where the file uses a property with a suffix
- Rust: Fix regex for updating feature dependencies
- JS: Handle package.json declarations with whitespace before the colon
- PHP: Handle composer.json declarations with whitespace before the colon
- Python: Ignore specified Python versions in Pipfile during file updating, too
- Python: Ignore specified Python versions in Pipfile (best we can do for now)
- Ruby: Augment private gemserver info with Rubygems details if appropriate
- Ruby: Handle Bundler::PathError in update checker
- Python: Reject `nil` values from version resolver
- Python: Write setup.py when resolving a Pipfile
- Python: Further fix for path dependency handling with Pipfile
- Handle nested Ruby path dependencies
- Python: Bump pip to 10.0.0.0b2
- Python: Add version resolver for Pipenv
- BREAKING: Pass credentials to PullRequestCreator and PullRequestUpdater instead of a client
- Ruby: Test that auth details are passed to gem server in MetadataFinder
- Ruby: Treat private rubygems sources more like default sources in MetadataFinder
- JS: Handle JavaScript::Version being created with a version class (not a string)
- Java: Cache latest version in update checker
- JS: Handle versions prefixed with a v in utils classes
- Ruby: Fetch changelogs for private source dependencies
- JS: Better sanitization of npmrc files
- JS: Filter out nil requirements in update checker (when updating git dependencies)
- Implement Requirement.requirements_array for all languages
- Ruby: Prepare files to ensure only updates are possible
- Python: Handle empty version strings in Utils::Python::Version
- PHP: Handle array entries for "extra" in composer.lock
- Rust: Handle old-format lockfiles
- PHP: Add patches back to lockfile after update (if required)
- Handle badly named releases
- Better release note filtering (will mean release notes are included in PRs even if the latest version doesn't have any)
- Look at release tag_name before looking at release name
- Update Elixir and PHP versions
- PHP: Raise Dependabot::DependencyFileNotResolvable error for invalid version constraints
- Rust: Handle feature dependencies that have a feature removed in the new version
- Elixir: Ignore dependency updates that would cause diverging environment requirements
- Ruby: Even more gemspec sanitization (this time for splatted requirements)
- Ruby: Ignore requirements specified with a ternary operator and an expression
- Include previous release notes in PR if valuable, even if the latest version doesn't have any (but previous versions do)
- PHP: Ensure version requirements don't decrease, and refactor UpdateChecker
- Ruby: Fix gemspec version sanitization from string versions
- Ruby: More aggressive gemspec sanitization
- Rust: Handle dependencies with multiple versions properly in UpdateChecker
- PHP: Handle branch names with a number in them
- Rust: Ignore patched dependencies (for now)
- JS: Handle nonexistent dependencies
- PHP: Add hack for updating composer.json correctly
- Fix GitHub file contents error that was being caused by mutated arguments
- Ruby: Use source of dependency from lockfile and Gemfile combined in UpdateChecker
- PHP: Use vcs repository types, not git ones
- Python: Handle odd Python requirements
- Ruby: Fall back to lockfile if no source information in Gemfile
- Show vulnerability version range depending on kind of range passed
- Handle comma separated requirement strings in Utils::Php::Requirement
- Create Utils::Ruby::Requirement class
- Truncate long vulnerability descriptions
- Include source details for security vulnerabilities
- Add [security] prefix to PR names for PRs that fix vulnerabilities
- Display vulnerability details in PR text if passed them
- BREAKING: Move Version and Requirement classes into Utils namespace
- Add convenience methods for accessing version and requirement classes
- Rust: Target latest version, not latest resolvable version, for libraries
- Rust: Handle repos without a lockfile in UpdateCheckers::VersionResolver
- Ruby: Sanitize gemspec using GemspecSanitizer class everywhere
- Ruby: Sanitize require_relative lines from gemspec
- Rust: Handle feature dependencies
- Rust: Add resolvability check to UpdateChecker
- JS: Handle registry timeouts when looking through private registries
- Rust: Use --aggressive update if conservative one fails
- Rust: Handle projects that use workspaces
- Rust: Handle multi-version dependencies in FileUpdater
- Rust: Add support for workspaces to FileFetcher
- JS: Use package-lockfile-only option
- Add workaround for npm git dependency issues
- More logging for strange GitHub array error
- Rust: More specs, and error if no files are updated in FileUpdater
- Rust: Raise errors when file updating fails
- Rust: Drop use of --precise when updating files
- Rust: Get relevant versions in FileParser when there are multiple available
- Ruby: Always include pre-release details in requirement if updating to one
- Ruby: Handle the prerelease part of versions separately when updating requirements
- JS: Fix scoped registry URL
- JS: Scope private registries to the scoped packages they're intended for
- JS: Avoid yarn bug by always authing when Basic credentials are present
- JS: Handle Basic auth in FileUpdater
- JS: Use Basic auth to get latest version when appropriate
- JS: Include global auth token when building a global registry npmrc
- JS: Fix typo
- JS: Use lockfile to build .npmrc file, if required and not committed
- JS: Rely on RegistryFinder for constructing all dependency URLs
- Rust: Add support for Cargo.toml files with path dependencies
- JS: Fix bug in git dependency handling
- Rust: Only try to update lockfile if we were given one to start with
- First version of Rust support
- Ruby: Handle yanked dependencies
- Handle GitHub contents error in MetadataFinder
- JS: Use npm 5.8.0
- JS: Don't try to downgrade requirement files that have pinned to a post-latest version
- Docker: Move digest fetching to UpdateChecker
- Docker: Handle file updates where a tag and digest have been specified
- Fix encoding error when fetching changelogs
- Ruby: Don't try to replace requirement if using a ternary operator
- Return subdependencies from JS FileParsers (imperfectly)
- Fix typo
- Allow punctuation after GitHub issue / PR numbers when creating links
- JS: Refactor registry lookup into separate class
- JS: Split library detection out of UpdateChecker
- JS: Handle private sources when we don't have a lockfile
- Java: Handle property version suffixes in update checker
- Java: Handle versions that come partially from a property
- Sanitize GitHub links
- Raise BranchNotFound error when getting a branch's head commit fails
- Automatically retry strange GitHub error
- Handle null bodies in release notes
- Ruby: More robust requirements_unlocked_or_can_be? implementation
- JS: Handle git dependencies that have never been released
- JS: Update from git commit refs/branches to released versions
- Add UpdateCheckers#requirements_unlocked_or_can_be? method
- Retry Octokit::BadGateway errors
- Don't pull down changelogs over 1mb
- Add newline after changelog truncation
- Update git dependencies that specify a reference along with a full URL
- Return `false` early in UpdateCheckers#can_update? when checking whether a library can be updated without unlocking its requirements
- PHP: Only fetch composer URLs when looking for registry details
- PHP: Handle unexpected data from private registries
- Python: Use pip 9.0.2
- Ruby: Update commit SHAs should come from tag (because that's what Gemfile stores)
- PHP: Spec private registry behaviour, and add better error messages for it
- PHP: Fix PHP Updater bug (oops!)
- PHP: Pass registry credentials to Composer
- Rescue all commit URL NotFound errors
- JS: Cache updated requirements in UpdateChecker
- Java: Handle non-numeric versions
- Ignore lost races when creating PRs
- Add logging for rare GitHub error
- Handle commit diffs with no common ancestor
- Reverse commits order (most recent first)
- Better changelog importing when changelog is appended at bottom
- Bump pipenv from 11.7.4 to 11.8.0
- Link tags in changelogs correctly
- Include upgrade guide in dependency tabs
- Sanitize template tags in changelogs
- Better changelog intro text
- Better display of SHA version in PRs
- Use 7 digits for SHA branch names, not 6
- Fix broken method name
- Fall back to tag name in ReleaseFinder#releases_text
- Better release note parsing for PRs
- Use Pipenv 11.7.1
- Fix release sorting
- More robust PR message builder
- Truncate long changelogs
- Add fullstop to changelog source line
- Better release sorting
- More robust changelog sorting
- Better changelog line detection
- Fix encoding bug during PR creation
- Better referencing of changelog source
- Pull changelogs into PR descriptions
- Java: Fix Java argument in UpdateChecker
- Java: Ignore versions that can't be matched
- Java: Better POM property substitution in MetadataFinder
- Escape @mentions in PR body
- JS: Only de-dupe the dependency we're updating
- Ruby: Update commit SHAs should come from commit, not tag
- Better commits view for pull requests
- Add embedded release notes to PRs
- Never return nil from CommitsFinder#commits
- Add release_text method to ReleaseFinder
- Use details tab for commit details, if they're all we're including in PR
- Elixir: Use commit SHA, not tag SHA, when updating git references
- Fix handling of git commit tags (non-semver)
- Python: only do Pipfile file updates if a lockfile is also present
- Java: Find property-based dependencies in branch namer correctly
- Handle Elixir dependencies without a requirement in UpdateChecker
- Automatically retry GitHub 500s
- Python: Use Pipenv 11.5.2
- Elixir: Don't change lockfile format during update
- Python: Use Pipenv 11.3.3
- Allow hyphens in git tags and refs
- Elixir: Add support for updating pinned git dependencies
- Add specs for Elixir FilePreparer (and fix a bug)
- Downgrade Pipenv to 11.1.11
- Refactor Elixir UpdateChecker (should be no noticeable change to end-users)
- Elixir: Update to pre-release versions if the user is already on one (or has specified a pre-release in their requirements)
- Elixir: Add support for git-source dependencies
- Java: Handle multiple declarations of same dependency in pom.xml
- Java: Handle source URLs which use a property
- Don't try to create branches with spaces in them
- Python: Parse requirements.txt if a Pipfile with no Pipfile.lock is present
- Submodules: Use default branch, not master, if no branch is specified
- PHP: Handle version requirements with a commit SHA in them
- Python: Fix declaration regex in FileUpdater for dependencies with a hyphen
- Add upgrade guide link to PRs, if present and upgrading by a major version
- JS: Check for path dependencies in lockfile as well as package.json
- JS: Exclude file based dependencies where the file details are in the version (not the requirement)
- BREAKING: Remove "pipfile" package manager entirely. It is now bundled under "pip", which will autodetect whether a Pipfile is being used.
- Python: Combine python strategies. Non-breaking, as long as you weren't accessing the Pipfile classes directly.
- Ruby: Handle ~> ranges with major precision
- Fix dependency file uniqueness checking (fixes a rare bug in Ruby updates)
- Use GithubClientWithRetries everywhere
- Automatically retry GitHub timeouts during file fetching
- JS: Less aggressive yarn.lock deduping
- Retry rare Ruby bug in commit signer
- Don't mistake commit messages that just start with Fix for semantic commit messages
- Add #production? method to Dependabot::Dependency instances
- PHP: Better regex for git clone problems
- PHP: Handle dependency reachability errors in FileUpdater
- Elixir: Handle references specified as a charlist
- Handle inconsistent responses from GitHub when getting a ref
- Handle superstring branches when creating PRs
- Handle PR creation when a branch exists but a PR doesn't
- Elixir: Support for git dependencies in FileParser and MetadataFinder.
- Elixir: Handle very old lockfiles
- Elixir: Full support for umbrella apps 🎉
- Python: Better pre-release handling
- Elixir: Lots of prep for umbrella apps (but not full support yet)
- Better changelog finding (order by file size if multiple with same name)
- Python: Normalise pre-release versions correctly
- Include signoff line in commit messages
- JS: Handle exact matches for libraries
- Python: Fix typo that prevented dev package updates
- JS: Handle lockfiles with bad version (wrong source)
- PHP: Handle empty array returned from packagist in MetadataFinder
- PHP: Include subdependencies in parser output
- Python: Use Pipenv's new --keep-outdated option instead of freezing Pipfile
- Python: Pipfile file parser now includes subdependencies in results
- JS: Use Yarn v1.5.0
- Pipfile: include dependencies specified using a requirements hash
- Add label description if creating a new dependencies label
- Java: Don't propose updates to a prerelease unless desired
- PHP: Retry timeouts in UpdateChecker
- PHP: Handle array errors in ExceptionIO
- JS: Handle yarn lockfiles that are missing a requirement in their declaration lines
- Ignore bash scripts when looking for changelog
- JS: Handle lockfiles without a header in fix-duplicates
- Elixir: Remove hex install in Elixir file parser
- JS: Vendor relevant yarn-tools code (so they can be edited)
- JS: Don't lose Yarn version info during de-duping
- JS: Use yarn-tools to clean up yarn.lock after updates
- Python: Only include Pipfile in updated files if it has changed
- JS: Handle updates that don't change the package.json better
- Add option to sign commits
- JS: Fix encoding bug
- JS: Don't check npm for package.json files with no description
- JS: Better detection of whether a project is an app or a library
- Bump pipenv from 9.0.3 to 9.1.0 in /helpers/python
- Look for changelog in the directory we have for a repo
- Include target branch in branch name if present
- Check for existing PRs before assuming the presence of a branch means there's no need to create one
- Ruby: Add specs for UpdateCheckers#latest_resolvable_version_with_no_unlock and fix implementation
- Elixir: Spec UpdateCheckers#latest_resolvable_version_with_no_unlock
- Java: Shorter branch names when updating multiple dependencies
- Java: Handle versionless declaration nodes in PropertyUpdater
- Java: Handle property updates in a single PR (rather than creating several)
- JS: Fix parser for dependencies with a resolutions entry
- JS: Handle authentication errors from npm5 (not just Yarn)
- Require Ruby 2.5
- Correct semantic commit casing for library updates
- Include directory details in library PRs
- JS: Ignore 404s from the registry for library dependencies
- BREAKING: Pass `requirements_to_unlock` to UpdateCheckers#can_update? and UpdateCheckers#updated_dependencies instead of `unlock_level`
- JS: Handle blank requirements
- Python: Ignore Pipfile dependencies missing from the lockfile
- Use Angular style sentence case if using semantic commits
- Exclude bot commits when considering recent commit messages. Should ensure switchover to semantic commit messages happens faster
- PHP: Handle packagist returning empty arrays
- Allow `no_requirements` to be passed to UpdateCheckers#can_update? and UpdateCheckers#updated_dependencies as an unlock level
- BREAKING: Pass `unlock_level` to UpdateCheckers#can_update? and UpdateCheckers#updated_dependencies
- Add a latest_resolvable_version_with_no_unlock method to the UpdateChecker for each language
- Add GitLab support to FileFetcher base methods
- Support GitLab in submodules FileFetcher. All FileFetchers therefore now support GitLab
- JS: Handle unreachable git dependencies better (and spec it!)
- JS: Ignore path dependency package.json files when parsing
- Ruby: Update to newer pre-release versions
- JS: Raise GitDependenciesNotReachable error for git dependencies we don't have access to
- Elixir: Handle mix.exs files that load in a version file
- Ruby: Include sub-dependencies in FileParser#parse result
- PHP: Handle aliased requirements in UpdateChecker (update the real version)
- Elixir: Perform hex install in pwd
- PHP: Filter out special packages
- Java: Handle dependencies that use the project version as their requirement
- Ruby: Raise error for merge conflicts in Gemfile.lock
- PHP: Handle repos where the only version is non-numeric
- PHP: Handle alias version constraints
- Java: Handle nested dependency declarations in pom.xml
- Ruby: Use Lockfile to find path dependencies if present
- Java: Ignore plugins without a groupId
- Use `build` prefix if semantic commits are in use
- Elixir: Clean up Ruby code that calls Elixir subprocesses
- Handle timeouts in GitCommitChecker
- Ruby: Handle timeouts when checking whether git dependencies are reachable
- PHP: Retry 404s which appear to be happening randomly
- Silence errors when trying to update a PR that has been merged
- Elixir: Wait for input (should fix Errno::EPIPE errors)
- PHP: Use env-key instead of env_key (for consistency with Python)
- PHP: Raise MissingEnvironmentVariable instead of PrivateSourceNotReachable
- PHP: Allow environment variables to be passed (to support ACF PRO)
- Fix PullRequestCreator behaviour when no dependencies tag exists
- Pass an array of custom labels to PullRequestCreator
- Elixir: Raise a DependencyFileNotResolvable error if mix.exs contains bad requirements
- Java: Fix version parsing (oops!)
- Java: Handle underscores in versions
- PHP: Handle pre-release version with a '-' properly
- JS: Raise evaluatability error when parsing, not resolvability error
- JS: Raise resolvability error if using workspaces but not private
- Elixir: Handle `or` requirements better (by adding another `or` at the end)
- Elixir: Handle dependency names which are substrings of other dependencies names
- Elixir: Don't do language version checks
- Java: More robust POM parsing in File Updater
- Elixir: Install hex before FileParser, if required
- Add support for Elixir
- JS: Tighter formula for git dependencies
- JS: Get package declaration string from package-lock.json, not from package.json
- Find changelogs in a `docs` folder
- JS: Handle duplicate requirements that are identical
- PHP: Handle bad git references
- JS: Explicitly ignore flat resolution dependency files
- JS: Handle host shortnames in package.json
- JS: Filter out dependencies with a URL version at parse time
- JS: Handle multiple declarations for the same dependency
- JS: Handle dist tags in requirements updater
- JS: Update git URL dependencies
- JS: Strip prefixes from JS versions before checking for updated requirements in requirement updater
- JS: Pass requirement update version strings, not hashes
- JS: Update git dependencies specified with a GitHub format
- JS: Handle setups where a lockfile is present but the .npmrc says not to update it
- Collapse paths with a ".." in them when creating PRs
- Java: Handle versions with capitals in them
- Docker: Handle private registries without a port
- Ruby: Don't try to update the Ruby version when updating multiple dependencies
- Java: Add support for projects that inherit from parent POM (thanks @evenh!)
- PHP: Check for pre-release versions to update to if using a pre-release version
- JS: Remove imperfect check that yarn.lock was updating
- Java: Maintain original formatting of pom.xml
- Java: Use dependency selector from FileParser in FileUpdater
- Java: Stricter dependency selector in FileParser
- Handle PR creation when a branch called `dependabot` already exists
- Sanitize colons out of git branch names
- Java: Handle dependency declarations without a version requirement
- Java: Add support for Maven
- PHP: Use Composer 1.6.0
- PHP: Handle replaced dependencies
- JS: Handle versions specified with a dist tag
- Include git protocol URIs in metadata finder regex
- PHP: Slightly raise Composer memory limit
- PHP: Use http-basic for GitHub credentials
- Ruby: Treat minimum possible Ruby requirement as the specified Ruby version, when set in gemspec
- Ruby: Ignore Bundler version if specified in Gemfile
- Handle removed directories better (by raising a DependencyFileNotFound error)
- JS: Workaround for Yarn bug that means lockfile doesn't always change
- JS: Fix false-positive result of wanting pre-release when a .x version was requested
- Python: Look for index URLs in credentials
- JS: Handle yarn.lock files with multiple entries for the same dependency
- PHP: Handle wildcard versions better in requirement updater
- Python: Handle simple index entries with spaces in filenames
- JS: Only request registry index once during update check
- PHP: Handle stability flags in requirements updater
- JS: Handle pre-release updates when precision needs increasing
- PHP & JS: Handle pre-releases in a hyphen range
- Docker: Handle suffixes with periods
- JS: Ensure updates hit specific version
- Python: Handle setup.py calls to parse_requirements
- JS: Handle Yarn workspaces where the parent package.json is in a directory
- All: Make fewer requests from file fetchers
- Python: Update regexes to make FileUpdater more accurate
- Python: Handle local version modifiers in metadata finder
- Python: Handle local version modifiers
- Python: Use correct URL for PyPI simple index
- Python: Handle filenames with underscores and periods in updater
- Python: Handle capitalised dependency names in simple index response
- Python: Use simple index to find latest version
- PHP: Don't update composer.json if requirements already met
- Ruby: Use tag_sha, not commit_sha, when checking if a git dep needs updating
- JS: Handle pre-release strings properly
- Raise error in FileUpdaters if lockfile is present and doesn't change
- JS: Temporarily back out v0.40.0 changes
- JS: Handle pre-releases in requirement specifiers correctly
- Don't update package.json and composer.json if requirements already met
- Python: Actually handle requirements.txt files that self-reference with extras
- Python: Handle requirements.txt files that self-reference with extras
- Use semantic prefix for Dependabot PR names (when appropriate)
- JS: Better handling of global auth credentials in .npmrc
- Python: Honour existing quote style when updating Pipfile dependencies
- Python: Handle names that need normalising in Pipfile FileUpdater
- Python: Handle dependency names with an underscore in Pipfile
- Python: Handle capitalised dependency names in Pipfile
- JS: Handle global auth declarations
- Ruby: Make Ruby library split explicit in UpdateChecker (just a refactor)
- PHP: Bump composer/composer from 1.5.5 to 1.5.6
- PHP: Show metadata for git dependencies
- JS: Check for dist-tags in npm response
- Docker: Use latest version of docker_registry2
- Ruby: Clone down submodules when evaluating git dependencies
- PHP: Stop ignoring git repos
- PHP: Spec library handling on caret constraints
- PHP: Keep digit length for two-digit caret version
- PHP: More robust file updating
- PHP: Update handling of ~ constraints
- PHP: Handle "v" prefixes in versions
- JS: Handle versions with a hyphen in them
- JS: More sophisticated JavaScript requirement updating
- PHP: Handle hyphen ranges properly
- PHP: Handle range requirements better for app updates
- PHP: Better requirement updating for library requirements
- PHP: More sensitive handling of multi-version library requirements
- PHP: Make UpdateChecker work for dev dependencies
- PHP: Parse development dependencies properly
- PHP: Strip leading `v` from versions in packagist API response
- PHP: Only treat repos as libraries if they declare "library" as their type
- PHP: Support PHP libraries
- PHP: Raise clear error when Composer is out of memory
- PHP: Treat last error correctly (as an array)
- PHP: Try and add some memory that will be freed on error
- PHP: Handle shutdown errors
- PHP: Throw out of memory errors
- Python: Preserve original host environment markers in Pipfile.lock
- Python: Handle * version strings in UpdateChecker
- Python: Make Pipfile an explicit dependency
- Python: Add experimental Pipfile support
- Python: Handle multi-line requirements, and preserve previous whitespace
- Python: Handle custom algorithms for hashes
- Python: update hashes in requirements.txt file if present
- BREAKING: Install Python requirements from a requirements.txt
- Allow `custom_label` to be passed to PullRequestCreator
- Use existing dependencies label if present
- PHP: Handle dependencies with capitals (especially PEAR dependencies)
- PHP: Handle packagist returning packages for a different name
- PHP: Downcase dependency names when constructing packagist URLs
- Python: Only fetch files that end in `.txt` from any requirements folder
- Python: Support alternative names / locations for requirements.txt files
- PHP: Handle resolvability errors (silence them)
- JS: Handle unparseable package-lock.json files
- JS: Handle JSON parser errors in non-standard registries
- PHP: Store details of source URL during file parsing
- PHP: Pull source URL details from dependency in MetadataFinder, if present
- PHP: Refactored and cleaned up PHP code (thanks @nesl247)
- PHP: Only use github token if provided one
- PHP: Actually use auth credentials
- PHP: Fix for SSH URLs
- PHP: Handle SSH URLs in FileUpdater
- Ruby: More conservative full-unlocking. Reduces number of dependencies unlocked and/or number of iterations to discover unlocking is impossible.
- Prepare composer.json files in Ruby to avoid re-writing JSON
- Include semantic commit message prefix only if repo uses them
- Don't submit empty author details to GitHub
- Allow author details to be passed to PullRequestCreator and PullRequestUpdater
- PHP: Handle 404s from packagist
- PHP: Handle repo not reachable errors
- PHP: Pass GitHub access token to PHP helpers
- PHP: Add back platform override now it's properly specced
- PHP: Update composer.json files in Ruby, to avoid changing their formatting
- PHP: Better requirements updater in UpdateCheckers
- JS: Better npm update_checker errors
- JS: prune git dependencies out during file parsing
- PHP: Stop setting prefer-stable explicitly
- PHP: Temporarily disable updates where a PHP version is specified
- PHP: Don't check platform requirements during updates
- PHP: Try setting a much higher memory limit for composer
- JS: Give registries a break before retrying if they return bad JSON
- Stop supporting npm and yarn as package managers (in favour of npm_and_yarn)
- JS: Combine Yarn and npm package managers into NpmAndYarn
- JS: Check for yanked versions in UpdateChecker
- JS: Fix UpdateChecker retrying
- Ruby: handle gemspecs that dup a version constant
- JS: retry transitory JSON parsing failures
- JS: raise DependencyFileNotResolvable when no satisfiable version can be found for an npm dep
- JS: Handle thorny single requirements
- JS: Handle JS requirements in branch names
- JS: Handle library requirements differently to application requirements
- JS: Return pre-release versions in UpdateChecker if one is currently in use
- JS: raise DependencyFileNotResolvable when no satisfiable version can be found for a Yarn dep
- JS: Fix updated_files_regex for Yarn
- JS: handle updates without a lockfile in FileUpdater
- JS: support repos without a lockfile in npm parser, and spec support in UpdateChecker
- JS: support repos without a package-lock.json in npm FileFetcher
- Ruby: Fix bug in gemspec sanitizing
- Implement equality operator for DependencyFile
- Ruby: More robust gemspec sanitizing
- JS: Ignore transitory errors from custom registries
- JS: Perform package.json update in Ruby (and avoid changing package.json format)
- Ruby: Handle repos with a gemspec and a Gemfile that doesn't import it
- JS: Preserve protocol for private registries
- JS: Handle private registries that don't use https
- JS: Better parsing of private registry URLs
- JS: Include private dependencies when parsing npm package-lock.json
- JS: Pull credentials from npmrc file, if present
- JS: Raise a PrivateSourceNotReachable error for missing private details
- JS: Pass credentials for non-npm registries to file updater
- JS: use custom registries (with credentials) in UpdateChecker and MetadataFinder
- JS: Fetch .npmrc files
- JS: Use sanitized .npmrc files in FileUpdater
- JS: Add basic support for private npm packages
- Ruby: Handle Bundler::Fetcher::CertificateFailureError errors
- Ruby: Roll back regression in ForceUpdater
- Ruby: More conservative ForceUpdater (traverse requirement trees from top)
- Ruby: Make ForceUpdater more conservative about what it unlocks
- Ruby: Fix for custom-sourced peer dependencies in ForceUpdater
- Make dependency we're force updating the first in the returned array
- Minor improvement to PR text
- Make new_dependencies_to_unlock_from unique
- Better pull request text for multi-dependency PRs
- Fix for PullRequestCreator metadata links with multiple dependencies
- Fix another bug in PullRequestCreator
- Fix bug in PullRequestCreator which occurs when a source_url can't be found
- BREAKING: PullRequestCreator now takes an array of `dependencies`
- BREAKING: FileUpdaters now take an array of `dependencies`, not a `dependency`
- BREAKING: Return an array of dependencies from `UpdateCheckers::Base#updated_dependencies`
- BREAKING: Split `UpdateCheckers::Base#needs_update?` method into `up_to_date?` and `can_update?` methods
- Python: More robust setup.py error handling
- Python: Further fix for UpdateChecker prerelease handling
- Python: Better pre-release handling in UpdateChecker
- Ruby: Ignore path gemspecs that are behind falsey conditional
- PHP: Silence out-of-memory errors
- Ruby: Handle GitHub sources when checking for inaccessible dependencies
- Pass a source hash to FileFetchers, rather than a repo name
- Pass a credentials hash to FileFetchers, rather than a GitHub client
- JS: Pass full requirements to Yarn updater.js to circumvent Yarn bug
- JS: Ignore node manifest engine constraints
- Make MetadataFinders provider agnostic (i.e., don't treat GitHub differently)
- Ruby: Respect user's spacing between specifier and version
- Ruby: Handle Gemfiles with path sources but no Gemfile.lock
- Start commit messages with "chore(dependencies): "
- JS: FileUpdaters::JavaScript::Yarn.updated_files_regex now includes package.json files that aren't at the top level
- JS: Fix Yarn workspace handling in FileUpdater
- Python: Extract dependencies from `setup_requires` and `extras_require` (thanks @tristan0x)
- JS: Handle wildcards in package.json
- JS: Ignore empty files in FileUpdater
- JS: Handle workspace names more robustly
- JS: Support Yarn workspaces
- JS: Fetch and parse workspace package.json files (awaiting FileUpdater change)
- MetadataFinders: Strip out # characters from source URLs
- JS: Sanitize any variables in a package.json before parsing/updating
- Ruby: handle yet more private gem repo failure cases
- Ruby: handle more private gem repo failure cases
- Python: Ignore errors when parsing setup.py (temporary)
- Handle bad GitHub source data links in GitCommitChecker
- Python: Handle setup.py calls better
- Case insensitive Ruby version replacement
- Add support for passing a target branch to create PRs against
- Python: more setup.py handling
- Fix typo
- Handle Python setup.py files that use codec.open
- Attempt to handle setup.py files that include an "open" line
- Sanitize Python requirement branch names
- Handle Python range requirements
- Handle Python requirements that specify a prefix-match
- Handle setup.py files that include a print statement
- Retry Docker timeouts
- Add support for Python libraries (i.e., repos with a setup.py)
- Make repo a required argument to FileParsers
- Ignore custom names for submodule dependencies
- Handle relative URLs for git submodules
- Handle missing Ruby private dependencies
- Allow Rubygems 2.6.13 for now (since Heroku uses it)
- Add homepage links for Python and JavaScript
- Remove Rubygems monkeypatch in favour of required rubygems version
- Require Bundler 1.16.0
- Link to Ruby dependency homepage if source code can't be found
- Refactor GitHub specific logic out of PullRequestCreator
- Add npm require line to FileUpdaters
- Alpha support for npm
- Treat Ruby dependencies which explicitly specify the default source the same as ones that do so implicitly during file parsing
- Pick up files called `release` when looking for changelogs
- Handle date-like versions in Dockerfile
- Only update Dockerfile version to pre-release if currently using one
- Better handling of Python dependencies that specify a minor version
- Set private repo config properly in Ruby::Bundler::UpdateCheckers
- Add support for Dockerfiles versions with a suffix (e.g., 2.4.2-slim)
- Look up Python URLs from PyPI description if necessary
- Handle absolute paths in Ruby Gemfiles
- Add temporary ignore for private npm organisation hosted dependencies in UpdateChecker. Once we support passing credentials we'll be able to bump these, but for now we just suppress them
- Support private docker registries that use digests
- Link to changelog for Ruby git dependencies where the ref is bumped
- Support updating docker images hosted on a private registry
- Docker registry regex now excludes trailing slash
- Require private Docker registries to specify a port
- BREAKING: Require an array of `credentials` to be passed for FileUpdaters and UpdateCheckers, rather than a `github_access_token`.
- Add support for Dockerfiles that specify a digest
- Spec that docker support works when multiple FROM lines are specified
- Bump yarn-lib from 1.1.0 to 1.2.0
- Use monkeypatch for CVE-2017-0903 rather than requiring a specific Rubygems version (since Heroku doesn't yet support 2.6.14)
- Filter out private JS dependencies during parsing
- Require Rubygems version 2.6.14 to ensure safety from CVE-2017-0903
- Check new git version is resolvable when updating Ruby git tags
- Handle git:// URLs in GitCommitChecker
- Raise a PrivateSourceNotReachable error for private Docker registries
- Fix bad require line for FileFetchers
- Add support for Dockerfiles
- Refactor GitCommitChecker and use it for update-checking submodules
- Better pull request versions when upgrading a tag
- Handle non-GitHub URLs in GitCommitChecker#local_tag_for_version
- Robust handling of quote characters for Ruby::Bundler::GitPinReplacer
- Use GitCommitChecker for fetching the latest commit on a branch (speedup)
- Support bumping Ruby git dependencies that are tagged to a version-like tag
- Don't sanitize python requirement names during parsing. Was causing errors at the FileUpdater stage (since the name no-longer matched the declaration).
- Add error handling for ChildGemfileFinder path evaluation
- Add support for eval_gemfile to Ruby
- Use Excon automatic retries when making get requests. Should considerably reduce timeout errors from NPM, PyPI, etc.
- More robust handling of Ruby dependencies with a git source (handle errors that occur from attempting to remove the git source)
- Don't update Ruby gemfiles which specify their version using a function
- Change: Transition Ruby git sources to Rubygems releases when a branch is specified and its head is behind the release
- Change: Consider possible changelog names in order
- Fix: Only consider files when looking for a changelog
- Refactor: Split up Ruby FileParser. Should have no effect on public APIs
- Handle relative requirements in cascaded Python requirement files properly
- Fetch cascading Python requirement files that aren't specified with a leading `./`
- Fix: Don't error when calculating MetadataFinder commits_url for Ruby git dependencies with an unknown source
- Change: Clearer PR wording for git references switching to releases
- Fix: Add temporary workaround for ::Bundler::Dsl::VALID_KEYS not being defined
- Fix: Remove unnecessary require from PullRequestCreator
- Feature: Support transitioning Ruby git sources to Rubygems releases
- Change: Use naked version when specifying a Ruby version exactly in Gemfile
- Fix: Fix metadata handler for non-GitHub Ruby git sources
- Fix: Handle function calls as gem versions in the Ruby FilePreparer
- Fix: Handle string interpolation in Ruby FileUpdater
- Refactor: Switch to AST parser for updating Ruby requirements in FileUpdater
- Refactor: Remove Gemnasium dependency (we now use Parser for all Ruby parsing)
- Refactor: Extract Ruby UpdateChecker file preparation into separate class
- Refactor: Switch to AST parser for updating Ruby requirements in UpdateChecker
- Add short-circuit fetch_latest_version code for Ruby git dependencies
- Refactor UpdateCheckers::Ruby::Bundler (should have no impact on logic)
- Suppress Ruby VersionConflict exceptions caused by an update to a git dependency (since the version conflict is only caused by the attempted update, not by anything wrong with the underlying Gemfile/Gemfile.lock)
- Better commit URLs links for Ruby dependencies that specify a git source
- Handle nonexistent git branches for Ruby dependencies
- Add support for upgrading Ruby dependencies that specify a git source
- Yarn 1.0 support
- Improve Python parser so it handles paths with spaces
- Specify required Bundler version is >= 1.16.0.pre
- Set git reference as version for Ruby git dependencies (groundwork for updating Ruby dependencies that specify a git source)
- Better support for Python constraints files, and a general refactor of Python support
- BREAKING: Add source key to dependency requirement attribute, as a required key
- Use requirement source key to ensure default metadata is only fetched when appropriate
- Raise GitDependencyReferenceNotFound errors during Ruby update checking
- Don't create Gemfile requirement for gemspec dependencies
- Don't update Gemfile content during update check if dependency isn't found there
- Handle custom names for submodules, and URLs without a .git suffix
- Fall back to latest_resolvable_version if PHP latest_version shortcut fails
- Better error messaging for unreachable submodules
- Fix typo in submodule checking URL
- Convert git URLs to https in submodule parser
- Use correct git internals URL for authorization checking in Ruby UpdateChecker
- Use git internal transfer protocol when fetching latest version of submodules
- Add shortcut for PHP update_checker version check
- Handle development dependencies for PHP projects
- Add Dependabot::DependencyFileNotParseable error
- Increase memory limit for PHP
- Better titles and branch names for git submodule PRs
- Better commit links for git submodule PRs
- Handle submodule URLs that resolve to a 404
- Add support for git submodules
- Handle non-utf-8 characters in Gemfile resolution error messages
- Handle branch deletion during update flow (return nil, rather than erroring)
- Manually set Bundler root during file update (thanks @gotjosh)
- Use Bundler 1.16.0 (pre-release 2)
- Use Bundler 1.16.0 (pre-release 1)
- Fix HTTP request that checks whether a git dependency is accessible
- Handle Ruby Gemfile requirements with multiple components
- Handle non-numeric Python versions better (ignore them instead of erroring)
- Don't include pre-releases in Python latest_version (unless on one)
- Use rubygems changelog URL when available
- Fetch more tags when finding metadata
- Handle path-based JS dependencies
- Handle optional JS dependencies
- Raise a DependencyFileNotResolvable error if the lockfile is missing a gem
- Handle inaccessible git dependencies that resolve to a redirect
- Simpler, better Gemfile sanitizing in UpdateCheckers::Ruby
- Add dependencies label in separate API call
- Create "dependencies" label during PR creation, if it doesn't already exist
- Add "dependencies" label to pull requests
- Prune out Ruby specs from the wrong platform during parsing
- Compare Ruby development requirements to the latest resolvable version
- More robust check on whether Ruby Gemspec file needs updating
- Handle Ruby case of Gemfile not importing its gemspec
- Exclude platform-specific dependencies from Ruby FileParser
- Handle pre-release version in requirement updates
- Minor PR wording improvement
- Better key symbolizing on Dependency (handle ActionController::Params)
- BREAKING: use arrays of hashes for `Dependency#requirements` and `Dependency#previous_requirements`, so we can store metadata about each requirement (e.g., which file it came from).
- Allow Ruby updates for repos which only contain a Gemfile (or where the dependency only appears in the Gemfile)
- Link to release notes index when more appropriate than specific release
- Handle gemspecs that bracket their dependencies
- Check all requirements are binding when creating updated requirements
- Better pull request text when updating libraries
- Patch Bundler to use HTTPS instead of SSH for git sources hosted on GitHub
- Use updated gemspec content when calculating new lockfile version (Ruby)
- Handle dev dependencies differently for gemspecs
- Always use latest_version if updating a gemspec dependency
- Handle Ruby file updates where a non-Gemfile dependency has been updated in the lockfile
- Clearer error message for FileFetchers::Ruby::Bundler
- Handle Gemfile and gemspec case where a gem only appears in the latter
- Add `.updated_files_regex` to all FileUpdaters
- Remove `.required_files` from all FileFetchers
- Add `.required_files_in?` and `required_files_message` to all FileFetchers
- Remove all `Ruby::Gemspec` classes entirely. Gem bumping behaviour now handled in `Ruby::Bundler`
- Ensure blank strings aren't provided as arguments to Dependency.new
- Big refactor of `bundler` and `gemspec` flows to almost combine them. Hopefully no impact on functionality. Releasing to test in the wild.
- Update bundler FileParser to handle gemspecs
- Update equality matchers to ranges in UpdateCheckers::Ruby::Gemspec
- Parse JavaScript files which only have dev dependencies
- Fix UpdateCheckers::Ruby::Gemspec (oops)
- Fix: convert version to string before splitting in UpdateChecker
- Add `requirement` and `previous_requirement` attributes to `Dependency`
- Better FileUpdaters::Gemspec regex (catch add_runtime_dependency declarations)
- Extend aggressive gemspec sanitization to Bundler
- More aggressive gemspec sanitizing
- Use original quote character when updating Ruby gemspecs
- Clearer text for library pull requests
- More robust gemspec declaration regex
- BREAKING: Return strings from Dependency#version, not Gem::Version objects
- FEATURE: Add support for Ruby libraries (i.e., gems)
- Don't add RUBY VERSION to the Gemfile.lock if it wasn't previously present
- Sanitize path-based gemspecs to remove fine requirements
- Handle Ruby indexes that only implement the old Rubygems index
- Raise helpful message for Ruby private sources without auth details
- Serve a DependencyFileNotResolvable error for bad git branches
- Handle requirement.txt files that have cascading requirements
- Handle requirement.txt files that have path-based dependencies
- Handle 404s from Rubygems in UpdateChecker
- Skip PHP dependencies with non-numeric versions during file parsing
- BREAKING: Return `Gem::Version` objects from Dependency#version, not strings
- Ignore Python packages which can't be found at PyPI
- Handle deleted branches in PullRequestUpdater
- Handle Gemfiles that load in a .ruby-version file
- Move Python parser code into Python helper
- Fetch old commit message when updating a PR. Previously we would try to rebuild the commit message from the PR message, but that often caused us to include extra, irrelevant details.
- Ensure git dependencies aren't updated as a result of https change
- Avoid using SSH to fetch dependencies - always use HTTPS. Ensures the GitHub credentials we pass to Bundler are used.
- Use Bundler settings to handle GitHub credentials
- Robust support for https auth details
- Revert handling git auth details for https specifications
- More robust file URL generation
- Notify about all unreachable git dependencies at once
- Handle git auth details for https specifications
- BREAKING: renamed GitCommandError and PathBasedDependencies errors
- Set path in Ruby File Updater, to fix path based dependencies (v2)
- Set path in Ruby File Updater, to fix path based dependencies
- Raise PathBasedDependencies error at file fetcher time for bad paths
- Only hit Rubygems once for each latest_version lookup
- Handle path-based Ruby dependencies, if possible
- Correctly list path-based dependencies
- Replace less than matcher (and <= matcher) with ~> during file updates
- Handle Ruby version constraints for dependencies Dependabot itself relies on
- Bump yarn (fixes non-deterministic lockfile generation)
- Cache `commit` in file fetcher, and ensure files fetched are for that commit
- BREAKING: Drop Dependabot::Repo in favour of just passing the repo's name
- Better tag/release lookup: handle completely unprefixed tags/releases
- FIX: Honour Ruby version when determining latest resolvable version
- FIX: Improved Bundler bug workaround, with specs
- FIX: Work around Bundler bug when doing Ruby update checks
- FIX: Pass GitHub credentials as `x-access-token` password. This allows us to clone private repos using app access tokens, whilst maintaining support for doing so using OAuth tokens.
- Clean version strings in JavaScript parser
- FIX: Require Octokit and Gitlab where used
- Full support for Bitbucket changelogs and commit comparisons
- Full support for GitLab changelogs, release notes, and commit comparisons
- Link to GitLab dependency sources, too
- BREAKING: drop support for Ruby 2.3
- Link to Bitbucket dependency sources (and lay groundwork for changelogs etc.)
- Improve commit comparison URL generation (handle arbitrary prefixes)
- Handle npm packages with an old 'latest' tag
- Strip leading 'v' prefix from PHP version strings
- Return fetched dependency file contents as UTF-8
- Don't blow up when deps are missing from yarn.lock
- Ignore JS prerelease versions
- Use HTTPS when talking to the NPM registry
- Handle PHP composer.json files that specify a PHP version / extensions
- Minor improvement to GitHub release finding (finds unnamed releases)
- Update pull request titles to include from-version
- Add short-circuit lookup for update checkers
- Rename to dependabot-core
- Fix PHP issues from initial beta test (#61)
- Add support for PHP (Composer) projects
- Even better version pattern updating for JS
- Better version pattern updating for JS
- Make yarn run in non-interactive mode
- BREAKING: Organise by package manager, not language (#55)
- BREAKING: Refactor error handling (#54)
- Don't change yarn.lock version comments (#53)
- Ignore exotic (git, path, etc) JavaScript dependencies (#52)
- Raise a bespoke error for Ruby path sources (#51)
- Back out CocoaPods support, since it pins ActiveSupport to < 5 (#50)
- Look for any release ending with the dependency version (#49)
- Slightly shorter branch names (#43)
- Do JavaScript file updating in JavaScript (#41)
- Include details of the directory (if present) in the PR name (#40)
- Raise Bump::VersionConflict if a conflict stops us getting a gem version (#38)
- Use folders for branch names, and namespace under language and directory (#39)
- Extract the correct versions of JavaScript dependencies in the parser (#36)
- Consider resolvability when calculating latest_version in Ruby (#35)
- BREAKING: require `github_access_token` when creating an UpdateChecker
- Allow `pr_message_footer` argument to be passed to PullRequestCreator (#32)
- BREAKING: Make language a required attribute for Bump::Dependency (#29)
- Handle PR creation races gracefully (#31)
- Minor improvement to PR text
- Better JavaScript and Python metadata finding
- Exposed `.required_files` method on dependency file fetchers
- Escape scoped package names in MetadataFinders::JavaScript (#27)
- Look for JavaScript GitHub link in most recent releases first (#28)
- Don't discard DependencyFile details when updating (#24)
- Support fetching dependency files from a specified directory (#23)
- BREAKING: Rename Node to JavaScript everywhere (#22)
- Store the failed git command on GitCommandError (#21)
- BREAKING: Rename Bump::FileUpdaters::VersionConflict (#20)
- Add DependencyFileNotEvaluatable error (#17)
- Stop updating RUBY VERSION and BUNDLED WITH details in Ruby lockfiles (#18)
- Handle public git sources gracefully (#19)
- Add PullRequestUpdate class (see #15)
- Raise a Bump::DependencyFileNotFound error if files can't be found (see #16)
- Handle 404s for Rubygems when creating PRs (see #13)
- Set backtrace on errors raised in a forked process (see #11)
- Ignore Ruby version specified in the Gemfile (for now) (see #10)
- Support non-Rubygems sources (so private gems can now be bumped) (see #8)
- Handle all exceptions in forked process (see #9)
- Follow redirects in Excon everywhere (fixes #4)
- Initial extraction of core logic from https://github.com/gocardless/bump