Status of accepting new ecosystems #3943
Comments
Much of what is said in that document is still true: we're investing heavily in the product, but don't have the expertise to properly maintain every ecosystem being asked for. Right now, the only way we're able to properly support new ecosystems is if the ecosystem maintainers are willing to help support it (so if you know the I'll update

Long term, we're looking into what it would take to break up dependabot-core and allow folks to write their own Dependabot updaters and run them on our infrastructure, allowing folks to add arbitrary languages without the need for us to merge them into core.

The long-term decision sounds fantastic! cc @zkochan
* Raise on ruby 2.7 deprecation warnings
  Break tests if we introduce any ruby 2.7 deprecation warnings.
* Fix ruby 2.7 deprecations
* Add `--no-install-recommends` to all `apt-get install` in Dockerfile
  This option prevents unneeded packages from being installed, making the image smaller.
* Double quote variables in shellscript
  This will help prevent globbing and word splitting. Most of them are already quoted, just a few of them were missed.
* v0.154.1
* Double quote variables in Dockerfile's shellscript, cc dependabot#3917
* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers
  Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.2 to 2.6.3.
  - [Release notes](https://github.com/npm/arborist/releases)
  - [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
  - [Commits](npm/arborist@v2.6.2...v2.6.3)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: "@npmcli/arborist"
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* Bundler: attempt to isolate flaky test
  Seeing a bunch of CI failures from this force updater spec: `NoMethodError with message: undefined method `name' for "Gemfile":String`
  Ref: https://github.com/dependabot/dependabot-core/pull/3923/checks?check_run_id=2842564846
  I haven't managed to reproduce this locally yet.
* Add more failing specs
* Fix ruby 2.7 deprecations in python
* Add more flaky test candidates
* Github actions: Handle no latest version found
  When no latest version can be found return nil to prevent the update checker from comparing the version with the current version:

  ```
  ArgumentError: comparison of String with Dependabot::GithubActions::Version failed
  ```
* Strip auth headers from VCR cassettes
* Fix spec
* Remove nil guard
* Fix cops
* Terraform: Handle 401 registry responses
  Raise a `PrivateSourceAuthenticationFailure` with the provided hostname if the registry responds with a `401`.
* v0.154.2
* Terraform: handle dependencies without a namespace
  Default providers without a namespace to `hashicorp`.
* chore: add lint job to check shell scripts
* fix shellcheck errors in shellcheck linter script
* chore: break out files to each line
* chore: use sudo to install apt packages
* chore: allow passing args to shellscript. e.g. `./bin/lint -f diff`
* chore: fix SC2006

  ```plaintext
  In ./hex/helpers/build line 18:
  case `uname` in
       ^-----^ SC2006: Use $(...) notation instead of legacy backticked `...`.

  Did you mean:
  case $(uname) in
  ```

  https://github.com/koalaman/shellcheck/wiki/SC2006
* chore: fix SC2086 in docker-dev-shell

  ```plaintext
  In ./bin/docker-dev-shell line 61:
  echo $RUNNING
       ^------^ SC2086: Double quote to prevent globbing and word splitting.
  ```

  https://github.com/koalaman/shellcheck/wiki/SC2086
* chore: fix SC2006

  ```plaintext
  In ./bin/docker-dev-shell line 14:
  OPTS=`getopt -o hr --long help,rebuild -n 'parse-options' -- "$@"`
  ^--^ SC2034: OPTS appears unused. Verify use (or export if used externally).
       ^-- SC2006: Use $(...) notation instead of legacy backticked `...`.
  ```

  https://github.com/koalaman/shellcheck/wiki/SC2006
* chore: ignore existing shellcheck issues
* chore: add ecosystem specific script files to linter list
* chore: remove unnecessary headers
* rake rubocop:sort
* enable Style/* and autofix
* enable Lint/* and autoformat
* final rubocop warnings
* Replace wget with curl for minimized dependency
  Use a single tool for the same purpose, simplify the tool dependency, and also make the Docker image a little bit smaller.
* Fetches upload-pack using git if http fails
* test: pin constraint to ensure deterministic test results
* test: update declared constraints in expectation
* test: tweak assertion to match new constraint
* test: update fixture constraint to ensure resolution falls within a deterministic range
* chore: install shellcheck in the dev container
* Updates existing error handling tests to mock capture3 call
* Adds tests for fallback where HTTP fails but git ls-remote succeeds
* fix url in test
* Reformats lines to accommodate line-length lint finding
* Streamlines git ls-remote fallback logic to remove unused response values
* Updates github pull request tests to mock-fail git ls-remote fallback
* Updates metadata commits finder tests to mock-fail git ls-remote fallback
* Updates git commit checker tests to mock-fail git ls-remote fallback
* Returns basename and relative path in CodeCommit file fetcher
  Previously, the `name` and `path` attributes were both the absolute path for all files retrieved from CodeCommit sources. This caused problems in `fetch_file_from_host`, which joins the `directory` from the config with the `filename`. When `filename` is the absolute path, this essentially duplicated the directory in the result, e.g. `directory/directory/relative path`. This change returns the basename and relative path instead, matching the implementation for azure devops, and allowing the join in `fetch_file_from_host` to return `directory/relative path`
* build(deps-dev): bump eslint in /npm_and_yarn/helpers
  Bumps [eslint](https://github.com/eslint/eslint) from 7.28.0 to 7.29.0.
  - [Release notes](https://github.com/eslint/eslint/releases)
  - [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
  - [Commits](eslint/eslint@v7.28.0...v7.29.0)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: eslint
    dependency-type: direct:development
    update-type: version-update:semver-minor
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* build(deps): update commonmarker requirement from >= 0.20.1, < 0.22.0 to >= 0.20.1, < 0.23.0
  Updates the requirements on [commonmarker](https://github.com/gjtorikian/commonmarker) to permit the latest version.
  - [Release notes](https://github.com/gjtorikian/commonmarker/releases)
  - [Commits](gjtorikian/commonmarker@v0.20.1...v0.21.2)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: commonmarker
    dependency-type: direct:production
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2
  Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90.
  - [Release notes](https://github.com/phpstan/phpstan/releases)
  - [Commits](phpstan/phpstan@0.12.89...0.12.90)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: phpstan/phpstan
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* Clarify support policies in README and Issue template
  We tend to get a lot of questions here about the Dependabot service that we operate at GitHub. Many of those questions are much easier to resolve when going through Support, as they have much better tooling and processes to follow up on those sorts of questions. This attempts to clarify that in the README and issue template.
* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1
  Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90.
  - [Release notes](https://github.com/phpstan/phpstan/releases)
  - [Commits](phpstan/phpstan@0.12.89...0.12.90)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: phpstan/phpstan
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* Terraform: handle unreachable private module proxy
  Raise a `PrivateSourceAuthenticationFailure` when a private module proxy can't be reached.
* Terraform: handle missing source
  Silently ignore failing source requests to not block PR creation. Returning nil here will cause the PR creator to not include any changelogs/release notes.
* v0.154.3
* expected credentials
* bin/ci-test
* Add version_filter module to common, remove from ecosystem update_checker
* Check if the version is a Gem::Version, not the advisory
* Run rubocop
* Run rubocop
* Move include up in class hierarchy
  Co-authored-by: Philip Harrison <[email protected]>
* Make filter_vulnerable_versions stateless
* Rubocop
* Remove VersionFilters include
  Co-authored-by: Jurre <[email protected]>
* Reorder #lowest_security_fix_version filters
* Rubocop
* ci-test: shellcheck yourself before you shellwreck yourself
* docker-dev-shell: do not rename gemspec
* devcontainer: do not rename gemspec
* Add fetch_lowest_security_fix_version and test
* Working security advisory test
* Add lowest_resolvable_security_fix_version
* Update LatestVersionFinder tests to use new fixture tags
* Update test suite, add lowest_security_fix_version tests
* Rubocop
* temp commit
* Initialize :security_advisories as an empty array, remove pending test
* Add latest_version_checker to UpdateChecker, add tests for security advisories
* Use stateless filter_vulnerable_versions
* Add missing assignment
* Clarifying external contribution guidelines
  See dependabot#3943
* Move `#filter_vulnerable_version` to come before `#filter_ignored_version`
* Terraform: handle nested module sources
  Relax the regex that matches module sources to include nested modules.
* v0.154.4
* Create changelog from merge commits
* Add link to pr
* Check out branch before committing changes
* Update bin/bump-version.rb
* Swap version filters
  Co-authored-by: Philip Harrison <[email protected]>
* Terraform: install modules when updating lockfile
  Terraform requires modules to be installed with `terraform init` when updating the lockfile.
  Opted to only run `terraform init` if the call to `terraform providers lock` bails out and retry. We could opt to always run `terraform init` if there are any modules defined, but that would mean parsing the dependency files and checking if any of the dependencies are modules, as we only have access to the current dependency, which in this case is a provider.
* Update test to reflect dependency version after update
* v0.154.5
* Add test for indirect dependencies to `#lowest_resolvable_security_fix`
* v0.155.0
* GemspecSanitizer replace interpolated strings
  The previous impl only replaced the components of the interpolated string that looked like versions. When this is called with a `replacement_version` read from `Gemfile.lock`, the replacement value was based on the interpolated string.
* nuget: RepositoryFinder might not find PackageBaseAddress
* nuget: handle RepositoryDetails without BaseAddress
* autoformat fixture
* build(deps-dev): bump jest in /npm_and_yarn/helpers
  Bumps [jest](https://github.com/facebook/jest) from 27.0.4 to 27.0.5.
  - [Release notes](https://github.com/facebook/jest/releases)
  - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
  - [Commits](jestjs/jest@v27.0.4...v27.0.5)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: jest
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* build(deps): bump pip-tools from 6.1.0 to 6.2.0 in /python/helpers
  Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.1.0 to 6.2.0.
  - [Release notes](https://github.com/jazzband/pip-tools/releases)
  - [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md)
  - [Commits](jazzband/pip-tools@6.1.0...6.2.0)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: pip-tools
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* Terraform: fix module updates with a lockfile
  This is the other side of dependabot#3968
  This fixes module updates when there's a lockfile present. Modules are not included in the lockfile so adding a guard to only attempt lockfile updates for providers.
  Fixed some test setup to match what the parsed files would look like.
* v0.155.1
* feature: Add support for Hex sub-projects
* clean: Refactor tests to use new pattern
* Terraform: clone repository contents for update
  Terraform projects can include local path modules that are currently not fetched in the file fetching step, so any lockfile update will fail because these files are missing. The easiest fix seemed to be to always start cloning terraform projects as this is what we want to end up doing for all ecosystems. The file fetcher will still hit the gh api when getting the repo contents but this would require changes in common so keen to make that change separately as it currently works.
* Stop double writing dependency files
* v0.155.2
* Update CHANGELOG.md
* Bump minor for change to cloning
  Merged too quickly dependabot#3979
  Makes sense to bump minor for the terraform cloning change.
* Exclude release note merges in changelog
  Exclude release note merges in generated changelog. For example: dependabot#3977
* build(deps-dev): update rubocop requirement from ~> 1.16.0 to ~> 1.17.0
  Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
  - [Release notes](https://github.com/rubocop/rubocop/releases)
  - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
  - [Commits](rubocop/rubocop@v1.16.0...v1.17.0)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: rubocop
    dependency-type: direct:development
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* Enable new cops
* Fix cops
* Terraform: Configure git for `terraform init` and capture errors
  When attempting to `terraform init` when there are private module sources present, currently we raise a `HelperSubprocessFailed`. Terraform will attempt to use any git credentials that are configured, so passing these along should help in some cases when Dependabot is configured to access these, and when it isn't we should raise a PrivateSourceAuthenticationFailure to communicate more clearly that we cannot reach a certain source.
  It's a little unfortunate that we even need to do this, because this happens when we attempt to update a lockfile, and these don't support modules. However, `terraform providers lock` will still complain about modules needing to be installed, and this should do a better job of that.
* v0.156.1
* Terraform: Prevent `terraform init` from initializing backends
* remove `strip_terminal_colors` as it's not needed anymore
* pin azurerm versions in test fixtures
  prevents new versions from breaking the tests
* prefer Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES
* poetry_files_parser ignore paths
* poetry ignore url dependencies too
* linter
* outdated test
* v0.156.2
* build(deps-dev): bump prettier in /npm_and_yarn/helpers
  Bumps [prettier](https://github.com/prettier/prettier) from 2.3.1 to 2.3.2.
  - [Release notes](https://github.com/prettier/prettier/releases)
  - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
  - [Commits](prettier/prettier@2.3.1...2.3.2)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: prettier
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* build(deps): bump poetry from 1.1.6 to 1.1.7 in /python/helpers
  Bumps [poetry](https://github.com/python-poetry/poetry) from 1.1.6 to 1.1.7.
  - [Release notes](https://github.com/python-poetry/poetry/releases)
  - [Changelog](https://github.com/python-poetry/poetry/blob/1.1.7/CHANGELOG.md)
  - [Commits](python-poetry/poetry@1.1.6...1.1.7)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: poetry
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* build(deps): bump pip from 21.1.2 to 21.1.3 in /python/helpers
  Bumps [pip](https://github.com/pypa/pip) from 21.1.2 to 21.1.3.
  - [Release notes](https://github.com/pypa/pip/releases)
  - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
  - [Commits](pypa/pip@21.1.2...21.1.3)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: pip
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* PR Updater: Handle required status checks
  As per [the docs][docs] when branch protection rules are enabled, force pushing to them is disabled. This handles errors when this happens and raises a `BranchProtected` error, which will allow us to handle this gracefully and inform the user of this.

  [docs]: https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-rules
* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers
  Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.3 to 2.6.4.
  - [Release notes](https://github.com/npm/arborist/releases)
  - [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
  - [Commits](npm/arborist@v2.6.3...v2.6.4)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: "@npmcli/arborist"
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* build(deps-dev): bump jest in /npm_and_yarn/helpers
  Bumps [jest](https://github.com/facebook/jest) from 27.0.5 to 27.0.6.
  - [Release notes](https://github.com/facebook/jest/releases)
  - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
  - [Commits](jestjs/jest@v27.0.5...v27.0.6)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: jest
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* build(deps-dev): update rubocop requirement from ~> 1.17.0 to ~> 1.18.0
  Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
  - [Release notes](https://github.com/rubocop/rubocop/releases)
  - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
  - [Commits](rubocop/rubocop@v1.17.0...v1.18.0)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: rubocop
    dependency-type: direct:development
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* Add support for fetching extensions.xml files
  These files contain dependency coordinates for Maven extensions that want to receive the Maven afterSessionStart event. The file is always located in the .mvn folder in the project root and is optional.
  See also
  - https://maven.apache.org/guides/mini/guide-using-extensions.html
  - https://maven.apache.org/examples/maven-3-lifecycle-extensions.html
* Add support for extensions.xml to parser
  extensions.xml files can only contain an extensions block specifying one or more extension dependencies. The extension nodes only have groupId, artifactId and version.
* Add update support for extension.xml files
  Adjusts the maven file_updater to also process extensions.xml files. Methods and variables that are now used for either file type have been renamed accordingly.
* Fix rubocop violations
* Use `if` instead of `unless nil`
  Co-authored-by: Philip Harrison <[email protected]>
* Simplify using `fetch_file_if_present`
  Co-authored-by: Philip Harrison <[email protected]>
* Simplify updated files check
  Co-authored-by: Philip Harrison <[email protected]>
* Make sure code works even if `.mvn` directory is missing
  Co-authored-by: Philip Harrison <[email protected]>
* Always require a pom.xml file
  Co-authored-by: Philip Harrison <[email protected]>
* Remove empty line
  Co-authored-by: Philip Harrison <[email protected]>
* Remove empty line
  Co-authored-by: Philip Harrison <[email protected]>
* Fix linter error
  Co-authored-by: mo khan <[email protected]>
* Fix linter error
* v0.156.3
* Fix spec stubs
* add Unauthorized exception to azure.rb
* add tests for azure client
* v0.156.4
* fix trailing whitespace
* fix trailing whitespace
* test: place upper bound on version constraint
* Gomod: Handle unrecognized import path error
  When referencing a go proxy that 404s, we see this error. Previously this would not be handled, but it should result in a DependencyFileNotResolvable error, so users have a sense of what's wrong.
* test: reproduce a defect with relative paths using poetry
* test: ensure both the pyproject and lock file are updated
* fix(poetry): copy all project files when generating lockfile hash
* style: fix linter errors
* build(deps-dev): bump eslint in /npm_and_yarn/helpers
  Bumps [eslint](https://github.com/eslint/eslint) from 7.29.0 to 7.30.0.
  - [Release notes](https://github.com/eslint/eslint/releases)
  - [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
  - [Commits](eslint/eslint@v7.29.0...v7.30.0)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: eslint
    dependency-type: direct:development
    update-type: version-update:semver-minor
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* add response 200 context block for #create_commit test
* add 403 test for Azure.create_commit
* add test for fetch_commit
* fix trailing whitespace
* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2
  Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
  - [Release notes](https://github.com/phpstan/phpstan/releases)
  - [Commits](phpstan/phpstan@0.12.90...0.12.92)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: phpstan/phpstan
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1
  Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
  - [Release notes](https://github.com/phpstan/phpstan/releases)
  - [Commits](phpstan/phpstan@0.12.90...0.12.92)

  ```yaml
  ---
  updated-dependencies:
  - dependency-name: phpstan/phpstan
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  ```

  Signed-off-by: dependabot[bot] <[email protected]>
* v0.156.5
* syntax error

Co-authored-by: Philip Harrison <[email protected]>
Co-authored-by: Peter Dave Hello <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mo khan <[email protected]>
Co-authored-by: Peter Wagner <[email protected]>
Co-authored-by: Loren Gordon <[email protected]>
Co-authored-by: Jurre Stender <[email protected]>
Co-authored-by: Jurre <[email protected]>
Co-authored-by: Nish Sinha <[email protected]>
Co-authored-by: Mike McDonald <[email protected]>
Co-authored-by: Guilherme Duarte <[email protected]>
Co-authored-by: Heine Furubotten <[email protected]>
Co-authored-by: Benedikt Ritter <[email protected]>
Co-authored-by: wolf-cola <[email protected]>
Co-authored-by: wolf-cola <[email protected]>
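Several of the commits above ("Double quote variables in shellscript", the SC2086 fix in `bin/docker-dev-shell`) are about the same hazard: an unquoted `$var` in POSIX shell is subject to word splitting and pathname expansion, so a single value can arrive at a command as several arguments, some of them globbed against the working directory. The script below is an added example written for this page, not code from dependabot-core; `VALUE` is a constructed input and the `count_args` helper is hypothetical. It shows the argument count a command actually receives in the unquoted, quoted, and `set -f` (noglob) cases.

```shell
#!/bin/sh
# Added example (not from dependabot-core): what ShellCheck SC2086 protects against.
# An unquoted $var undergoes word splitting on IFS and pathname expansion (globbing),
# so a value that looks like one argument can become many, and a '*' inside it can
# expand to whatever files happen to be in the current directory.

# Hypothetical helper: report how many positional arguments the callee received.
count_args() { echo "$#"; }

# Constructed input: one value containing whitespace and a glob metacharacter.
VALUE='a b *'

# Unquoted expansion: 'a', 'b', and '*' (which expands against the cwd, or stays
# literal if nothing matches). The callee sees at least three arguments.
unquoted_argc() {
  # shellcheck disable=SC2086
  count_args $VALUE
}

# Quoted expansion (the SC2086 fix): exactly one argument, passed verbatim.
quoted_argc() {
  count_args "$VALUE"
}

# set -f (noglob) in a subshell stops pathname expansion but NOT word splitting:
# the callee still gets three arguments, the third now a literal '*'.
noglob_argc() {
  ( set -f; # shellcheck disable=SC2086
    count_args $VALUE )
}

# Demonstration when run directly.
echo "unquoted: $(unquoted_argc) args"
echo "quoted:   $(quoted_argc) args"
echo "noglob:   $(noglob_argc) args"
```

Only the quoted form is safe; `set -f` removes the glob but leaves the splitting, which is why ShellCheck recommends double quotes rather than noglob. The same applies to `echo $RUNNING` in the SC2086 finding above: if `$RUNNING` ever contains a space or a `*`, the unquoted form prints something other than its value.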
Signed-off-by: dependabot[bot] <[email protected]> * Enable new cops * Fix cops * Terraform: Configure git for `terraform init` and capture errors When attempting to `terraform init` when there are private module sources present, currently we raise a `HelperSubprocessFailed`. Terraform will attempt to use any git credentials that are configured, so passing these along should help in some cases when Dependabot is configured to access these, and when it isn't we should raise a PrivateSourceAuthenticationFailure to communicate more clearly that we cannot reach a certain source. It's a little unfortunate that we even need to do this, because this happens when we attempt to update a lockfile, and these don't support modules. However, `terraform providers lock` will still complain about modules needing to be installed, and this should do a better job of that. * v0.156.1 * Terraform: Prevent `terraform init` from initializing backends * remove `strip_terminal_colors` as its not needed anymore * pin azurerm versions in test fixtures prevents new versions from breaking the tests * prefer Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES * poetry_files_parser ignore paths * poetry ignore url dependencies too * linter * outdated test * v0.156.2 * build(deps-dev): bump prettier in /npm_and_yarn/helpers Bumps [prettier](https://github.com/prettier/prettier) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](prettier/prettier@2.3.1...2.3.2) --- updated-dependencies: - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump poetry from 1.1.6 to 1.1.7 in /python/helpers Bumps [poetry](https://github.com/python-poetry/poetry) from 1.1.6 to 1.1.7. 
- [Release notes](https://github.com/python-poetry/poetry/releases) - [Changelog](https://github.com/python-poetry/poetry/blob/1.1.7/CHANGELOG.md) - [Commits](python-poetry/poetry@1.1.6...1.1.7) --- updated-dependencies: - dependency-name: poetry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps): bump pip from 21.1.2 to 21.1.3 in /python/helpers Bumps [pip](https://github.com/pypa/pip) from 21.1.2 to 21.1.3. - [Release notes](https://github.com/pypa/pip/releases) - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](pypa/pip@21.1.2...21.1.3) --- updated-dependencies: - dependency-name: pip dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * PR Updater: Handle required status checks As per [the docs][docs] when branch protection rules are enabled, force pushing to them is disabled. This handles errors when this happens and raises a `BranchProtected` error, which will allow us to handle this gracefully and inform the user of this. [docs]: https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-rules * build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.3 to 2.6.4. - [Release notes](https://github.com/npm/arborist/releases) - [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md) - [Commits](npm/arborist@v2.6.3...v2.6.4) --- updated-dependencies: - dependency-name: "@npmcli/arborist" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps-dev): bump jest in /npm_and_yarn/helpers Bumps [jest](https://github.com/facebook/jest) from 27.0.5 to 27.0.6. 
- [Release notes](https://github.com/facebook/jest/releases) - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md) - [Commits](jestjs/jest@v27.0.5...v27.0.6) --- updated-dependencies: - dependency-name: jest dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps-dev): update rubocop requirement from ~> 1.17.0 to ~> 1.18.0 Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version. - [Release notes](https://github.com/rubocop/rubocop/releases) - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md) - [Commits](rubocop/rubocop@v1.17.0...v1.18.0) --- updated-dependencies: - dependency-name: rubocop dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]> * Add support for fetching extensions.xml files These files contain dependency coordinates for Maven extensions that want to receive the Maven afterSessionStart event. The file is always located in the .mvn folder in the project root and is optional. See also - https://maven.apache.org/guides/mini/guide-using-extensions.html - https://maven.apache.org/examples/maven-3-lifecycle-extensions.html * Add support for extensions.xml to parser extensions.xml files can only contain an extensions block specifying one or more extension dependency. The extension nodes only have groupId, artifactId and version. * Add update support for extension.xml files Adjusts the maven file_updater to also process extensions.xml files. Methods and variables that are now used for either file type have been renamed accordingly. 
* Fix rubocop violations * Use `if` instead `unless nil` Co-authored-by: Philip Harrison <[email protected]> * Simplify using `fetch_file_if_present` Co-authored-by: Philip Harrison <[email protected]> * Simplify updated files check Co-authored-by: Philip Harrison <[email protected]> * Make sure code works even if `.mvn` directory is missing Co-authored-by: Philip Harrison <[email protected]> * Always require a pom.xml file Co-authored-by: Philip Harrison <[email protected]> * Remove empty line Co-authored-by: Philip Harrison <[email protected]> * Remove empty line Co-authored-by: Philip Harrison <[email protected]> * Fix linter error Co-authored-by: mo khan <[email protected]> * Fix linter error * v0.156.3 * Fix spec stubs * add Unauthorized exception to azure.rb * add tests for azure client * v0.156.4 * fix trailing whitespace * fix trailing whitespace * test: place upper bound on version constraint * Gomod: Handle unrecognized import path error When referencing a go proxy that 404s, we see this error. Previously this would not be handled, but it should result in a DependencyFileNotResolvable error, so users have a sense of what's wrong. * test: reproduce a defect with relative paths using poetry * test: ensure both the pyproject and lock file are updated * fix(poetry): copy all project files when generating lockfile hash * style: fix linter errors * build(deps-dev): bump eslint in /npm_and_yarn/helpers Bumps [eslint](https://github.com/eslint/eslint) from 7.29.0 to 7.30.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md) - [Commits](eslint/eslint@v7.29.0...v7.30.0) --- updated-dependencies: - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <[email protected]> * add response 200 context block for #create_commit test * add 403 test for Azure.create_commit * add test for fetch_commit * fix trailing whitespace * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.90...0.12.92) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.90...0.12.92) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * v0.156.5 * syntax error Co-authored-by: Philip Harrison <[email protected]> Co-authored-by: Peter Dave Hello <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mo khan <[email protected]> Co-authored-by: Peter Wagner <[email protected]> Co-authored-by: Loren Gordon <[email protected]> Co-authored-by: Jurre Stender <[email protected]> Co-authored-by: Jurre <[email protected]> Co-authored-by: Nish Sinha <[email protected]> Co-authored-by: Mike McDonald <[email protected]> Co-authored-by: Guilherme Duarte <[email protected]> Co-authored-by: Heine Furubotten <[email protected]> Co-authored-by: Benedikt Ritter <[email protected]> Co-authored-by: wolf-cola <[email protected]> Co-authored-by: wolf-cola <[email protected]>
I'm going to close as the info ☝️ answered the original question. As far as an update, unfortunately it's still the current answer. We are hoping to be in a position soon to start to discuss support for new ecosystems, as we've shipped a lot of internal infra over the past few quarters to build out a solid platform, but don't have anything more specific we can share just yet.
There is a decision for not accepting new ecosystems until June 2021 that is stated in the CONTRIBUTING.md file, and I want to ask what the current decision is for supporting new ecosystems. Is there any news from the dependabot team since we are in/passing June 2021?

dependabot-core/CONTRIBUTING.md, line 14 in 1b17a40
I'm personally waiting for #1736 to be resolved