
Status of accepting new ecosystems #3943

Closed
seahindeniz opened this issue Jun 20, 2021 · 3 comments
Labels: core 🍏 (Relates to the dependabot-core library itself), service 💁 (Relates to Dependabot features GitHub provides), T: new-ecosystem (Requests for new ecosystems/languages)

Comments

seahindeniz commented Jun 20, 2021

There is a decision not to accept new ecosystems until June 2021 that is stated in the CONTRIBUTING.md file, and I want to ask what the current decision is for supporting new ecosystems.
Is there any news from the dependabot team, since we are in/passing June 2021?

> We are not currently accepting new ecosystems into `dependabot-core`, starting in December 2020 until at least June 2021.

I'm personally waiting for #1736 to be resolved

@asciimike (Contributor) commented

Much of what is said in that document is still true: we're investing heavily in the product, but don't have the expertise to properly maintain every ecosystem being asked for. Right now, the only way we're able to properly support new ecosystems is if the ecosystem maintainers are willing to help support it (so if you know the pnpm maintainers, please have them chime in on that issue).

I'll update CONTRIBUTING.md to remove the date and clarify that.

Long term, we're looking into what it would take to break up dependabot-core and allow folks to write their own Dependabot updaters and run them on our infrastructure, allowing folks to add arbitrary languages without the need for us to merge them into core.

asciimike added a commit that referenced this issue Jun 21, 2021
@seahindeniz (Author) commented

The long-term decision sounds fantastic!

cc @zkochan

milind009 added a commit to GiriB/dependabot-core that referenced this issue Oct 6, 2021
* Raise on ruby 2.7 deprecation warnings

Break tests if we introduce any ruby 2.7 deprecation warnings.

* Fix ruby 2.7 deprecations

* Add `--no-install-recommends` to all `apt-get install` in Dockerfile

This option will prevent unneeded packages from being installed, making the
image smaller.

* Double quote variables in shellscript

This will help prevent globbing and word splitting. Most of them are
already quoted; just a few of them were missed.

* v0.154.1

* Double quote variables in Dockerfile's shellscript, cc dependabot#3917

* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.2 to 2.6.3.
- [Release notes](https://github.com/npm/arborist/releases)
- [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
- [Commits](npm/arborist@v2.6.2...v2.6.3)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bundler: attempt to isolate flaky test

Seeing a bunch of CI failures from this force updater spec:

```plaintext
NoMethodError with message: undefined method `name' for "Gemfile":String
```

Ref: https://github.com/dependabot/dependabot-core/pull/3923/checks?check_run_id=2842564846

I haven't managed to reproduce this locally yet.

* Add more failing specs

* Fix ruby 2.7 deprecations in python

* Add more flaky test candidates

* Github actions: Handle no latest version found

When no latest version can be found return nil to prevent the update
checker from comparing the version with the current version:

```plaintext
ArgumentError: comparison of String with Dependabot::GithubActions::Version failed
```

* Strip auth headers from VCR cassettes

* Fix spec

* Remove nil guard

* Fix cops

* Terraform: Handle 401 registry responses

Raise a `PrivateSourceAuthenticationFailure` with the provided hostname
if the registry responds with a `401`.

* v0.154.2

* Terraform: handle dependencies without a namespace

Default providers without a namespace to `hashicorp`.

* chore: add lint job to check shell scripts

* fix shellcheck errors in shellcheck linter script

* chore: break out files to each line

* chore: use sudo to install apt packages

* chore: allow passing args to shellscript, e.g. `./bin/lint -f diff`

* chore: fix SC2006

```plaintext
In ./hex/helpers/build line 18:
case `uname` in
     ^-----^ SC2006: Use $(...) notation instead of legacy backticked `...`.

Did you mean:
case $(uname) in
```

https://github.com/koalaman/shellcheck/wiki/SC2006

* chore: fix SC2086 in docker-dev-shell

```plaintext
In ./bin/docker-dev-shell line 61:
echo $RUNNING
     ^------^ SC2086: Double quote to prevent globbing and word splitting.
```

https://github.com/koalaman/shellcheck/wiki/SC2086

* chore: fix SC2006

```plaintext
In ./bin/docker-dev-shell line 14:
OPTS=`getopt -o hr --long help,rebuild -n 'parse-options' -- "$@"`
^--^ SC2034: OPTS appears unused. Verify use (or export if used externally).
     ^-- SC2006: Use $(...) notation instead of legacy backticked `...`.
```

https://github.com/koalaman/shellcheck/wiki/SC2006

* chore: ignore existing shellcheck issues

* chore: add ecosystem specific script files to linter list

* chore: remove unnecessary headers

* rake rubocop:sort

* enable Style/* and autofix

* enable Lint/* and autoformat

* final rubocop warnings

* Replace wget with curl for minimized dependency

Use a single tool for the same purpose, simplify the tool dependency, and
also make the Docker image a little bit smaller.

* Fetches upload-pack using git if http fails

* test: pin constraint to ensure deterministic test results

* test: update declared constraints in expectation

* test: tweak assertion to match new constraint

* test: update fixture constraint to ensure resolution falls within a deterministic range

* chore: install shellcheck in the dev container

* Updates existing error handling tests to mock capture3 call

* Adds tests for fallback where HTTP fails but git ls-remote succeeds

* fix url in test

* Reformats lines to accommodate line-length lint finding

* Streamlines git ls-remote fallback logic to remove unused response values

* Updates github pull request tests to mock-fail git ls-remote fallback

* Updates metadata commits finder tests to mock-fail git ls-remote fallback

* Updates git commit checker tests to mock-fail git ls-remote fallback

* Returns basename and relative path in CodeCommit file fetcher

Previously, the `name` and `path` attributes were both the absolute
path for all files retrieved from CodeCommit sources. This caused
problems in `fetch_file_from_host`, which joins the `directory`
from the config with the `filename`. When `filename` is the absolute
path, this essentially duplicated the directory in the result, e.g.
`directory/directory/relative path`.

This change returns the basename and relative path instead, matching
the implementation for azure devops, and allowing the join in `fetch_file_from_host`
to return `directory/relative path`.

* build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps [eslint](https://github.com/eslint/eslint) from 7.28.0 to 7.29.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.28.0...v7.29.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): update commonmarker requirement from >= 0.20.1, < 0.22.0 to >= 0.20.1, < 0.23.0

Updates the requirements on [commonmarker](https://github.com/gjtorikian/commonmarker) to permit the latest version.
- [Release notes](https://github.com/gjtorikian/commonmarker/releases)
- [Commits](gjtorikian/commonmarker@v0.20.1...v0.21.2)

---
updated-dependencies:
- dependency-name: commonmarker
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.89...0.12.90)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Clarify support policies in README and Issue template

We tend to get a lot of questions here about the Dependabot service that
we operate at GitHub. Many of those questions are much easier to resolve
when going through Support, as they have much better tooling and
processes to follow up on those sorts of questions.

This attempts to clarify that in the README and issue template.

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.89...0.12.90)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Terraform: handle unreachable private module proxy

Raise a `PrivateSourceAuthenticationFailure` when a private module proxy
can't be reached.

* Terraform: handle missing source

Silently ignore failing source requests to not block PR creation.
Returning nil here will cause the PR creator to not include any
changelogs/release notes.

* v0.154.3

* expected credentials

* bin/ci-test

* Add version_filter module to common, remove from ecosystem update_checker

* Check if the version is a Gem::Version, not the advisory

* Run rubocop

* Run rubocop

* Move include up in class hierarchy

Co-authored-by: Philip Harrison <[email protected]>

* Make filter_vulnerable_versions stateless

* Rubocop

* Remove VersionFilters include

Co-authored-by: Jurre <[email protected]>

* Reorder #lowest_security_fix_version filters

* Rubocop

* ci-test: shellcheck yourself

before you shellwreck yourself

* docker-dev-shell: do not rename gemspec

* devcontainer: do not rename gemspec

* Add fetch_lowest_security_fix_version and test

* Working security advisory test

* Add lowest_resolvable_security_fix_version

* Update LatestVersionFinder tests to use new fixture tags

* Update test suite, add lowest_security_fix_version tests

* Rubocop

* temp commit

* Initialize :security_advsiories as an empty array, remove pending test

* Add latest_version_checker to UpdateChecker, add tests for security advisories

* Use stateless filter_vulnerable_versions

* Add missing assignment

* Clarifying external contribution guidelines

See dependabot#3943

* Move `#filter_vulnerable_version` to come before `#filter_ignored_version`

* Terraform: handle nested module sources

Relax the regex that matches module sources to include nested modules.

* v0.154.4

* Create changelog from merge commits

* Add link to pr

* Check out branch before committing changes

* Update bin/bump-version.rb

* Swap version filters

Co-authored-by: Philip Harrison <[email protected]>

* Terraform: install modules when updating lockfile

Terraform requires modules to be installed with `terraform init` when
updating the lockfile. Opted to only run `terraform init` if the call to
`terraform providers lock` bails out and retry.

We could opt to always run `terraform init` if there are any modules
defined, but that would mean parsing the dependency files and checking if any
of the dependencies are modules, as we only have access to the current
dependency, which in this case is a provider.

* Update test to reflect dependency version after update

* v0.154.5

* Add test for indirect dependencies to `#lowest_resolvable_security_fix`

* v0.155.0

* GemspecSanitizer replace interpolated strings

The previous impl only replaced the components of the interpolated
string that looked like versions.

When this is called with a `replacement_version` read from
`Gemfile.lock`, the replacement value based on the interpolated string.

* nuget: RepositoryFinder might not find PackageBaseAddress

* nuget: handle RepositoryDetails without BaseAddress

* autoformat fixture

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.0.4 to 27.0.5.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v27.0.4...v27.0.5)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump pip-tools from 6.1.0 to 6.2.0 in /python/helpers

Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md)
- [Commits](jazzband/pip-tools@6.1.0...6.2.0)

---
updated-dependencies:
- dependency-name: pip-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Terraform: fix module updates with a lockfile

This is the other side of dependabot#3968

This fixes module updates when there's a lockfile present. Modules are
not included in the lockfile so adding a guard to only attempt lockfile
updates for providers.

Fixed some test setup to match what the parsed files would look like.

* v0.155.1

* feature: Add support for Hex sub-projects

* clean: Refactor tests to use new pattern

* Terraform: clone repository contents for update

Terraform projects can include local path modules that are currently not
fetched in the file fetching step so any lockfile update will fail
because these files are missing.

The easiest fix seemed to be to always start cloning terraform projects
as this is what we want to end up doing for all ecosystems.

The file fetcher will still hit the gh api when getting the repo contents,
but changing this would require changes in common, so I'm keen to make that change
separately as it currently works.

* Stop double writing dependency files

* v0.155.2

* Update CHANGELOG.md

* Bump minor for change to cloning

Merged too quickly dependabot#3979
Makes sense to bump minor for the terraform cloning change.

* Exclude release note merges in changelog

Exclude release note merges in generated changelog.

For example: dependabot#3977

* build(deps-dev): update rubocop requirement from ~> 1.16.0 to ~> 1.17.0

Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.16.0...v1.17.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

* Enable new cops

* Fix cops

* Terraform: Configure git for `terraform init` and capture errors

When attempting to `terraform init` when there are private module
sources present, currently we raise a `HelperSubprocessFailed`.

Terraform will attempt to use any git credentials that are configured,
so passing these along should help in some cases when Dependabot is
configured to access these, and when it isn't we should raise a
PrivateSourceAuthenticationFailure to communicate more clearly that we
cannot reach a certain source.

It's a little unfortunate that we even need to do this, because this
happens when we attempt to update a lockfile, and these don't support
modules. However, `terraform providers lock` will still complain about
modules needing to be installed, and this should do a better job of
that.

* v0.156.1

* Terraform: Prevent `terraform init` from initializing backends

* remove `strip_terminal_colors`

as it's not needed anymore

* pin azurerm versions in test fixtures

prevents new versions from breaking the tests

* prefer Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES

* poetry_files_parser ignore paths

* poetry ignore url dependencies too

* linter

* outdated test

* v0.156.2

* build(deps-dev): bump prettier in /npm_and_yarn/helpers

Bumps [prettier](https://github.com/prettier/prettier) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump poetry from 1.1.6 to 1.1.7 in /python/helpers

Bumps [poetry](https://github.com/python-poetry/poetry) from 1.1.6 to 1.1.7.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/1.1.7/CHANGELOG.md)
- [Commits](python-poetry/poetry@1.1.6...1.1.7)

---
updated-dependencies:
- dependency-name: poetry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump pip from 21.1.2 to 21.1.3 in /python/helpers

Bumps [pip](https://github.com/pypa/pip) from 21.1.2 to 21.1.3.
- [Release notes](https://github.com/pypa/pip/releases)
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@21.1.2...21.1.3)

---
updated-dependencies:
- dependency-name: pip
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* PR Updater: Handle required status checks

As per [the docs][docs] when branch protection rules are enabled, force
pushing to them is disabled.

This handles errors when this happens and raises a `BranchProtected`
error, which will allow us to handle this gracefully and inform the user
of this.

[docs]: https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-rules

* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.3 to 2.6.4.
- [Release notes](https://github.com/npm/arborist/releases)
- [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
- [Commits](npm/arborist@v2.6.3...v2.6.4)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.0.5 to 27.0.6.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v27.0.5...v27.0.6)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): update rubocop requirement from ~> 1.17.0 to ~> 1.18.0

Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

* Add support for fetching extensions.xml files

These files contain dependency coordinates for Maven extensions that
want to receive the Maven afterSessionStart event. The file is always
located in the .mvn folder in the project root and is optional.

See also
  - https://maven.apache.org/guides/mini/guide-using-extensions.html
  - https://maven.apache.org/examples/maven-3-lifecycle-extensions.html

* Add support for extensions.xml to parser

extensions.xml files can only contain an extensions block specifying one
or more extension dependency. The extension nodes only have groupId,
artifactId and version.

* Add update support for extension.xml files

Adjusts the maven file_updater to also process extensions.xml files.
Methods and variables that are now used for either file type have been
renamed accordingly.

* Fix rubocop violations

* Use `if` instead `unless nil`

Co-authored-by: Philip Harrison <[email protected]>

* Simplify using `fetch_file_if_present`

Co-authored-by: Philip Harrison <[email protected]>

* Simplify updated files check

Co-authored-by: Philip Harrison <[email protected]>

* Make sure code works even if `.mvn` directory is missing

Co-authored-by: Philip Harrison <[email protected]>

* Always require a pom.xml file

Co-authored-by: Philip Harrison <[email protected]>

* Remove empty line

Co-authored-by: Philip Harrison <[email protected]>

* Remove empty line

Co-authored-by: Philip Harrison <[email protected]>

* Fix linter error

Co-authored-by: mo khan <[email protected]>

* Fix linter error

* v0.156.3

* Fix spec stubs

* add Unauthorized exception to azure.rb

* add tests for azure client

* v0.156.4

* fix trailing whitespace

* fix trailing whitespace

* test: place upper bound on version constraint

* Gomod: Handle unrecognized import path error

When referencing a go proxy that 404s, we see this error. Previously
this would not be handled, but it should result in a
DependencyFileNotResolvable error, so users have a sense of what's
wrong.

* test: reproduce a defect with relative paths using poetry

* test: ensure both the pyproject and lock file are updated

* fix(poetry): copy all project files when generating lockfile hash

* style: fix linter errors

* build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps [eslint](https://github.com/eslint/eslint) from 7.29.0 to 7.30.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.29.0...v7.30.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* add response 200 context block for #create_commit test

* add 403 test for Azure.create_commit

* add test for fetch_commit

* fix trailing whitespace

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.90...0.12.92)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.90...0.12.92)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* v0.156.5

* syntax error

Co-authored-by: Philip Harrison <[email protected]>
Co-authored-by: Peter Dave Hello <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mo khan <[email protected]>
Co-authored-by: Peter Wagner <[email protected]>
Co-authored-by: Loren Gordon <[email protected]>
Co-authored-by: Jurre Stender <[email protected]>
Co-authored-by: Jurre <[email protected]>
Co-authored-by: Nish Sinha <[email protected]>
Co-authored-by: Mike McDonald <[email protected]>
Co-authored-by: Guilherme Duarte <[email protected]>
Co-authored-by: Heine Furubotten <[email protected]>
Co-authored-by: Benedikt Ritter <[email protected]>
Co-authored-by: wolf-cola <[email protected]>
Co-authored-by: wolf-cola <[email protected]>
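Several of the commits listed above are shellcheck fixes for SC2086 (unquoted variables) and SC2006 (legacy backticks). The effect those warnings guard against is easy to show in a few lines of POSIX sh. This is an added example, not code from dependabot-core or its authors; every function name is made up, and the only files it creates live in a scratch directory from `mktemp -d` that it removes again.

```shell
#!/bin/sh
# Added example: why quoting variables (SC2086) and using $(...) instead of
# backticks (SC2006) matter. All function names here are hypothetical.

# Report how many separate arguments a command actually received.
count_args() {
  echo "$#"
}

# Unquoted expansion, i.e. the SC2086 defect: the value is split on
# whitespace and each piece is glob-expanded before the callee sees it.
unquoted_arg_count() {
  value=$1
  # shellcheck disable=SC2086
  count_args $value
}

# Quoted expansion, i.e. the SC2086 fix: the value arrives as exactly one
# argument, even when it is empty or contains spaces or glob characters.
quoted_arg_count() {
  value=$1
  count_args "$value"
}

# Globbing demo in a scratch directory holding two constructed files: an
# unquoted '*.txt' expands to the file names, a quoted one stays literal.
glob_arg_count() {
  mode=$1
  dir=$(mktemp -d)
  touch "$dir/a.txt" "$dir/b.txt"
  pattern='*.txt'
  if [ "$mode" = unquoted ]; then
    # shellcheck disable=SC2086
    ( cd "$dir" && count_args $pattern )
  else
    ( cd "$dir" && count_args "$pattern" )
  fi
  rm -rf "$dir"
}

# The SC2006 fix in action: $(...) nests without escaping, which is what
# makes it preferable to legacy backticks in scripts like bin/docker-dev-shell.
nested_subst() {
  basename "$(dirname /tmp/example/x/y)"
}
```

The empty-string case is the one that bites most often in scripts like the `echo $RUNNING` flagged above: an unquoted empty variable disappears from the argument list entirely, so a command that expected one argument receives none, while the quoted form still passes a single empty argument. The glob case matters for the same reason a linter job was added in the commits above: whether an unquoted pattern expands depends on the contents of the current directory, so the script behaves differently on the developer's machine and in CI.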
AlekhyaYalla pushed a commit to GiriB/dependabot-core that referenced this issue Nov 9, 2021

* Move `#filter_vulnerable_version` to come before `#filter_ignored_version`

* Terraform: handle nested module sources

Relax the regex that matches module sources to include nested modules.

* v0.154.4

* Create changelog from merge commits

* Add link to pr

* Check out branch before committing changes

* Update bin/bump-version.rb

* Swap version filters

Co-authored-by: Philip Harrison <[email protected]>

* Terraform: install modules when updating lockfile

Terraform requires modules to be installed with `terraform init` when
updating the lockfile. Opted to only run `terraform init` if the call to
`terraform providers lock` bails out and retry.

We could opt to always run `terraform init` if there are any modules
defined but would mean parsing the dependency files and checking if any
of the dependencies are modules as we only have access to the current
dependency, which in this case is provider.

* Update test to reflect dependency version after update

* v0.154.5

* Add test for indirect dependencies to `#lowest_resolvable_security_fix`

* v0.155.0

* GemspecSanitizer replace interpolated strings

The previous impl only replaced the components of the interpolated
string that looked like versions.

When this is called with a `replacement_version` read from
`Gemfile.lock`, the replacement value is based on the interpolated string.

* nuget: RepositoryFinder might not find PackageBaseAddress

* nuget: handle RepositoryDetails without BaseAddress

* autoformat fixture

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.0.4 to 27.0.5.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v27.0.4...v27.0.5)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump pip-tools from 6.1.0 to 6.2.0 in /python/helpers

Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md)
- [Commits](jazzband/pip-tools@6.1.0...6.2.0)

---
updated-dependencies:
- dependency-name: pip-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Terraform: fix module updates with a lockfile

This is the other side of dependabot#3968

This fixes module updates when there's a lockfile present. Modules are
not included in the lockfile so adding a guard to only attempt lockfile
updates for providers.

Fixed some test setup to match what the parsed files would look like.

* v0.155.1

* feature: Add support for Hex sub-projects

* clean: Refactor tests to use new pattern

* Terraform: clone repository contents for update

Terraform projects can include local path modules that are currently not
fetched in the file fetching step so any lockfile update will fail
because these files are missing.

The easiest fix seemed to be to always start cloning terraform projects
as this is what we want to end up doing for all ecosystems.

The file fetcher will still hit the gh api when getting the repo contents
but this would require changes in common so keen to make that change
separately as it currently works.

* Stop double writing dependency files

* v0.155.2

* Update CHANGELOG.md

* Bump minor for change to cloning

Merged too quickly dependabot#3979
Makes sense to bump minor for the terraform cloning change.

* Exclude release note merges in changelog

Exclude release note merges in generated changelog.

For example: dependabot#3977

* build(deps-dev): update rubocop requirement from ~> 1.16.0 to ~> 1.17.0

Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.16.0...v1.17.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

* Enable new cops

* Fix cops

* Terraform: Configure git for `terraform init` and capture errors

When attempting to `terraform init` when there are private module
sources present, currently we raise a `HelperSubprocessFailed`.

Terraform will attempt to use any git credentials that are configured,
so passing these along should help in some cases when Dependabot is
configured to access these, and when it isn't we should raise a
PrivateSourceAuthenticationFailure to communicate more clearly that we
cannot reach a certain source.

It's a little unfortunate that we even need to do this, because this
happens when we attempt to update a lockfile, and these don't support
modules. However, `terraform providers lock` will still complain about
modules needing to be installed, and this should do a better job of
that.

* v0.156.1

* Terraform: Prevent `terraform init` from initializing backends

* remove `strip_terminal_colors`

as it's not needed anymore

* pin azurerm versions in test fixtures

prevents new versions from breaking the tests

* prefer Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES

* poetry_files_parser ignore paths

* poetry ignore url dependencies too

* linter

* outdated test

* v0.156.2

* build(deps-dev): bump prettier in /npm_and_yarn/helpers

Bumps [prettier](https://github.com/prettier/prettier) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump poetry from 1.1.6 to 1.1.7 in /python/helpers

Bumps [poetry](https://github.com/python-poetry/poetry) from 1.1.6 to 1.1.7.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/1.1.7/CHANGELOG.md)
- [Commits](python-poetry/poetry@1.1.6...1.1.7)

---
updated-dependencies:
- dependency-name: poetry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump pip from 21.1.2 to 21.1.3 in /python/helpers

Bumps [pip](https://github.com/pypa/pip) from 21.1.2 to 21.1.3.
- [Release notes](https://github.com/pypa/pip/releases)
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@21.1.2...21.1.3)

---
updated-dependencies:
- dependency-name: pip
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* PR Updater: Handle required status checks

As per [the docs][docs] when branch protection rules are enabled, force
pushing to them is disabled.

This handles errors when this happens and raises a `BranchProtected`
error, which will allow us to handle this gracefully and inform the user
of this.

[docs]: https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-rules

* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.3 to 2.6.4.
- [Release notes](https://github.com/npm/arborist/releases)
- [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
- [Commits](npm/arborist@v2.6.3...v2.6.4)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.0.5 to 27.0.6.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v27.0.5...v27.0.6)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): update rubocop requirement from ~> 1.17.0 to ~> 1.18.0

Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

* Add support for fetching extensions.xml files

These files contain dependency coordinates for Maven extensions that
want to receive the Maven afterSessionStart event. The file is always
located in the .mvn folder in the project root and is optional.

See also
  - https://maven.apache.org/guides/mini/guide-using-extensions.html
  - https://maven.apache.org/examples/maven-3-lifecycle-extensions.html

* Add support for extensions.xml to parser

extensions.xml files can only contain an extensions block specifying one
or more extension dependency. The extension nodes only have groupId,
artifactId and version.

* Add update support for extension.xml files

Adjusts the maven file_updater to also process extensions.xml files.
Methods and variables that are now used for either file type have been
renamed accordingly.

* Fix rubocop violations

* Use `if` instead of `unless nil`

Co-authored-by: Philip Harrison <[email protected]>

* Simplify using `fetch_file_if_present`

Co-authored-by: Philip Harrison <[email protected]>

* Simplify updated files check

Co-authored-by: Philip Harrison <[email protected]>

* Make sure code works even if `.mvn` directory is missing

Co-authored-by: Philip Harrison <[email protected]>

* Always require a pom.xml file

Co-authored-by: Philip Harrison <[email protected]>

* Remove empty line

Co-authored-by: Philip Harrison <[email protected]>

* Remove empty line

Co-authored-by: Philip Harrison <[email protected]>

* Fix linter error

Co-authored-by: mo khan <[email protected]>

* Fix linter error

* v0.156.3

* Fix spec stubs

* add Unauthorized exception to azure.rb

* add tests for azure client

* v0.156.4

* fix trailing whitespace

* fix trailing whitespace

* test: place upper bound on version constraint

* Gomod: Handle unrecognized import path error

When referencing a go proxy that 404s, we see this error. Previously
this would not be handled, but it should result in a
DependencyFileNotResolvable error, so users have a sense of what's
wrong.

* test: reproduce a defect with relative paths using poetry

* test: ensure both the pyproject and lock file are updated

* fix(poetry): copy all project files when generating lockfile hash

* style: fix linter errors

* build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps [eslint](https://github.com/eslint/eslint) from 7.29.0 to 7.30.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.29.0...v7.30.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* add response 200 context block for #create_commit test

* add 403 test for Azure.create_commit

* add test for fetch_commit

* fix trailing whitespace

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.90...0.12.92)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.90...0.12.92)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* v0.156.5

* syntax error

Co-authored-by: Philip Harrison <[email protected]>
Co-authored-by: Peter Dave Hello <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mo khan <[email protected]>
Co-authored-by: Peter Wagner <[email protected]>
Co-authored-by: Loren Gordon <[email protected]>
Co-authored-by: Jurre Stender <[email protected]>
Co-authored-by: Jurre <[email protected]>
Co-authored-by: Nish Sinha <[email protected]>
Co-authored-by: Mike McDonald <[email protected]>
Co-authored-by: Guilherme Duarte <[email protected]>
Co-authored-by: Heine Furubotten <[email protected]>
Co-authored-by: Benedikt Ritter <[email protected]>
Co-authored-by: wolf-cola <[email protected]>
Co-authored-by: wolf-cola <[email protected]>
@jurre jurre added T: new-ecosystem Requests for new ecosystems/languages core 🍏 Relates to the dependabot-core library itself service 💁 Relates to Dependabot features GitHub provides labels Nov 30, 2021
@jeffwidman (Member)

I'm going to close as the info ☝️ answered the original question.

As far as an update, unfortunately it's still the current answer. We are hoping to be in a position soon to start to discuss support for new ecosystems, as we've shipped a lot of internal infra over the past few quarters to build out a solid platform, but don't have anything more specific we can share just yet.
