Backport NuGet auth fix to update_script; Prevent NuGet leaking passwords in logs
#1256
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Based on comments from #1243 (comment) |
rhyskoedijk
changed the title
update_script; Prevent NuGet.exe leaking passwords in logsupdate_script; Prevent NuGet leaking passwords in logs
mburumaxwell
approved these changes
Jul 30, 2024
kzhuklinets
added a commit
to kirillcoso/dependabot-azure-devops
that referenced
this pull request
Aug 13, 2024
* Bump the event-bus group with 2 updates (tinglesoftware#1156) Bumps the event-bus group with 2 updates: [Tingle.EventBus.Transports.Azure.ServiceBus](https://github.com/tinglesoftware/eventbus) and [Tingle.EventBus.Transports.InMemory](https://github.com/tinglesoftware/eventbus). Updates `Tingle.EventBus.Transports.Azure.ServiceBus` from 0.21.2 to 0.22.0 - [Release notes](https://github.com/tinglesoftware/eventbus/releases) - [Commits](tinglesoftware/eventbus@0.21.2...0.22.0) Updates `Tingle.EventBus.Transports.InMemory` from 0.21.2 to 0.22.0 - [Release notes](https://github.com/tinglesoftware/eventbus/releases) - [Commits](tinglesoftware/eventbus@0.21.2...0.22.0) --- updated-dependencies: - dependency-name: Tingle.EventBus.Transports.Azure.ServiceBus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: event-bus - dependency-name: Tingle.EventBus.Transports.InMemory dependency-type: direct:production update-type: version-update:semver-minor dependency-group: event-bus ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Change updates time from 04:00 to 02:00 to be consistent with our other repositories and hence ease management * Bump the tingle group with 3 updates (tinglesoftware#1157) * Import constants for requirements_update_strategy (tinglesoftware#1159) * Bump rubocop-performance in /updater in the rubocop group (tinglesoftware#1165) * Bump ts-jest from 29.1.4 to 29.1.5 in /extension in the jest group (tinglesoftware#1164) * Bump YamlDotNet from 15.1.6 to 15.3.0 (tinglesoftware#1163) * Bump the azure group with 2 updates (tinglesoftware#1162) * Bump dependabot-omnibus from 0.260.0 to 0.261.0 in /updater (tinglesoftware#1166) * Regenerate lock file which fixes vulnerabilities * Set packageManager in package.json * Bump @types/node in /extension in the js-ts-types group (tinglesoftware#1172) * Bump Azure.Identity from 1.11.4 to 1.12.0 in the azure group (tinglesoftware#1176) * Bump turbo_tests from 2.2.3 to 2.2.4 in /updater (tinglesoftware#1168) * Create groups for sentry and opentelemetry updates * Bump the opentelemetry group in /updater with 4 updates (tinglesoftware#1177) Bumps the opentelemetry group in /updater with 4 updates: [opentelemetry-exporter-otlp](https://github.com/open-telemetry/opentelemetry-ruby), [opentelemetry-instrumentation-excon](https://github.com/open-telemetry/opentelemetry-ruby-contrib), [opentelemetry-instrumentation-faraday](https://github.com/open-telemetry/opentelemetry-ruby-contrib) and [opentelemetry-instrumentation-net_http](https://github.com/open-telemetry/opentelemetry-ruby-contrib). Updates `opentelemetry-exporter-otlp` from 0.27.0 to 0.28.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-ruby/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-ruby/blob/main/exporter/otlp/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-ruby@opentelemetry-exporter-otlp/v0.27.0...opentelemetry-exporter-otlp/v0.28.0) Updates `opentelemetry-instrumentation-excon` from 0.22.2 to 0.22.3 - [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-ruby-contrib/blob/main/instrumentation/excon/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-excon/v0.22.2...opentelemetry-instrumentation-excon/v0.22.3) Updates `opentelemetry-instrumentation-faraday` from 0.24.3 to 0.24.5 - [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-ruby-contrib/blob/main/instrumentation/faraday/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-faraday/v0.24.3...opentelemetry-instrumentation-faraday/v0.24.5) Updates `opentelemetry-instrumentation-net_http` from 0.22.5 to 0.22.6 - [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-ruby-contrib/blob/main/instrumentation/net_http/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-net_http/v0.22.5...opentelemetry-instrumentation-net_http/v0.22.6) --- updated-dependencies: - dependency-name: opentelemetry-exporter-otlp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: opentelemetry - dependency-name: opentelemetry-instrumentation-excon dependency-type: direct:production update-type: version-update:semver-patch dependency-group: opentelemetry - dependency-name: opentelemetry-instrumentation-faraday dependency-type: direct:production update-type: version-update:semver-patch dependency-group: opentelemetry - dependency-name: opentelemetry-instrumentation-net_http dependency-type: direct:production update-type: version-update:semver-patch dependency-group: opentelemetry ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump typescript from 5.4.5 to 5.5.2 in /extension (tinglesoftware#1173) * Bump typescript from 5.4.5 to 5.5.2 in /extension Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.4.5 to 5.5.2. - [Release notes](https://github.com/Microsoft/TypeScript/releases) - [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml) - [Commits](microsoft/TypeScript@v5.4.5...v5.5.2) --- updated-dependencies: - dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Update target ESLINT --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Maxwell Weru <[email protected]> * Bump dependabot-omnibus from 0.261.0 to 0.262.0 in /updater (tinglesoftware#1170) Bumps [dependabot-omnibus](https://github.com/dependabot/dependabot-core) from 0.261.0 to 0.262.0. - [Release notes](https://github.com/dependabot/dependabot-core/releases) - [Changelog](https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG_ARCHIVE_2019_TO_SWITCH_TO_GITHUB_RELEASES.md) - [Commits](dependabot/dependabot-core@v0.261.0...v0.262.0) --- updated-dependencies: - dependency-name: dependabot-omnibus dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Remove codeql workflows so that we can leverage the automatic setup * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Bump @types/node in /extension in the js-ts-types group (tinglesoftware#1179) * Bump the tingle group with 3 updates (tinglesoftware#1182) * Bump Microsoft.VisualStudio.Azure.Containers.Tools.Targets (tinglesoftware#1183) * Bump Microsoft.FeatureManagement.AspNetCore in the microsoft group (tinglesoftware#1181) * Bump Azure.ResourceManager.AppContainers in the azure group (tinglesoftware#1180) * Bump the sentry group in /updater with 2 updates (tinglesoftware#1184) * Bump dependabot-omnibus from 0.262.0 to 0.263.0 in /updater (tinglesoftware#1185) * Fix missing module name (tinglesoftware#1187) * Reorganise code in to lib folder; seperate dependabot code from tinglesoftware code using unique module names (tinglesoftware#1188) * Add developer guide documentation; ignore extension build artifacts (tinglesoftware#1189) * Bump the sentry group in /updater with 2 updates (tinglesoftware#1193) * Bump @types/node in /extension in the js-ts-types group (tinglesoftware#1195) * Bump typescript from 5.5.2 to 5.5.3 in /extension (tinglesoftware#1196) * Bump dependabot-omnibus from 0.263.0 to 0.264.0 (tinglesoftware#1191) * Use correct version of dependabot-updater base image when running the 'updater' workflow (tinglesoftware#1192) * Fix module name (tinglesoftware#1199) * Use latest dependabot updater code; Remove scripts from `updater/bin` that don't work (tinglesoftware#1197) * Add some more debug statements, and validate data length before reading result (tinglesoftware#1200) * Changes to `.rubocop*.yml`, `.ruby-version`, and `Rakefile` should trigger the updater workflow * Update update-files.ps1 and related files (tinglesoftware#1202) * Enable sorbet and update files (tinglesoftware#1203) * Bump dependabot-omnibus from 0.264.0 to 0.265.0 in /updater (tinglesoftware#1205) Bumps [dependabot-omnibus](https://github.com/dependabot/dependabot-core) from 0.264.0 to 0.265.0. - [Release notes](https://github.com/dependabot/dependabot-core/releases) - [Changelog](https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG_ARCHIVE_2019_TO_SWITCH_TO_GITHUB_RELEASES.md) - [Commits](dependabot/dependabot-core@v0.264.0...v0.265.0) --- updated-dependencies: - dependency-name: dependabot-omnibus dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * If allow condition "dependency-name" is nil, use "*"; Use wildcard matching instead of regex matching (tinglesoftware#1208) * Bump the xunit group with 2 updates (tinglesoftware#1212) * Bump the microsoft group with 8 updates (tinglesoftware#1211) * Bump ts-jest from 29.1.5 to 29.2.2 in /extension in the jest group (tinglesoftware#1215) * Bump dotnet-ef from 8.0.6 to 8.0.7 (tinglesoftware#1214) * Fix allow condition logic (tinglesoftware#1209) * Add missing early return statement * Bump YamlDotNet from 15.3.0 to 16.0.0 (tinglesoftware#1213) Bumps YamlDotNet from 15.3.0 to 16.0.0. --- updated-dependencies: - dependency-name: YamlDotNet dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * New "vNext" update script using dependabot-core updater; aligns update behaviour more closely with the GitHub Dependabot service (tinglesoftware#1186) * DevOps extension task new updater commands and options (tinglesoftware#1216) * Bump dependabot-omnibus from 0.265.0 to 0.266.0 in /updater (tinglesoftware#1218) Bumps [dependabot-omnibus](https://github.com/dependabot/dependabot-core) from 0.265.0 to 0.266.0. - [Release notes](https://github.com/dependabot/dependabot-core/releases) - [Changelog](https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG_ARCHIVE_2019_TO_SWITCH_TO_GITHUB_RELEASES.md) - [Commits](dependabot/dependabot-core@v0.265.0...v0.266.0) --- updated-dependencies: - dependency-name: dependabot-omnibus dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix error when attempting to update a pre-1.30 pull request using the new vNext script (tinglesoftware#1219) * Fix PRs being incorrectly abandoned when using multiple package ecosystems (tinglesoftware#1221) * Bump the tingle group with 3 updates (tinglesoftware#1229) * Bump Azure.Messaging.ServiceBus from 7.17.5 to 7.18.0 in the azure group (tinglesoftware#1226) * Bump the event-bus group with 2 updates (tinglesoftware#1227) * Bump ts-jest from 29.2.2 to 29.2.3 in /extension in the jest group (tinglesoftware#1224) * Bump @types/node in /extension in the js-ts-types group (tinglesoftware#1225) * Update groups * Log updated file diffs when 'skip pull requests' and 'debug' options are true (tinglesoftware#1230) * Fix for group PRs being closed on refresh when nothing has changed (tinglesoftware#1222) * Bump Microsoft.FeatureManagement.AspNetCore (tinglesoftware#1231) * Fix logging error when creating new PR and the open PR limit has been reached (tinglesoftware#1223) * Automatically install the Azure Artifacts Credential Provider if DevOps NuGet feeds are configured (tinglesoftware#1233) * Bump the sentry group in /updater with 2 updates (tinglesoftware#1235) Bumps the sentry group in /updater with 2 updates: [sentry-opentelemetry](https://github.com/getsentry/sentry-ruby) and [sentry-ruby](https://github.com/getsentry/sentry-ruby). Updates `sentry-opentelemetry` from 5.18.1 to 5.18.2 - [Release notes](https://github.com/getsentry/sentry-ruby/releases) - [Changelog](https://github.com/getsentry/sentry-ruby/blob/master/CHANGELOG.md) - [Commits](getsentry/sentry-ruby@5.18.1...5.18.2) Updates `sentry-ruby` from 5.18.1 to 5.18.2 - [Release notes](https://github.com/getsentry/sentry-ruby/releases) - [Changelog](https://github.com/getsentry/sentry-ruby/blob/master/CHANGELOG.md) - [Commits](getsentry/sentry-ruby@5.18.1...5.18.2) --- updated-dependencies: - dependency-name: sentry-opentelemetry dependency-type: direct:production update-type: version-update:semver-patch dependency-group: sentry - dependency-name: sentry-ruby dependency-type: direct:production update-type: version-update:semver-patch dependency-group: sentry ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Sync files for updater version 0.266.0 (tinglesoftware#1236) Follow up to tinglesoftware#1235 * Regenerate Gemfile.lock * Bump @types/node in /extension in the js-ts-types group (tinglesoftware#1237) Bumps the js-ts-types group in /extension with 1 update: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Updates `@types/node` from 20.14.11 to 20.14.12 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch dependency-group: js-ts-types ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump typescript from 5.5.3 to 5.5.4 in /extension (tinglesoftware#1239) Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.5.3 to 5.5.4. - [Release notes](https://github.com/Microsoft/TypeScript/releases) - [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml) - [Commits](microsoft/TypeScript@v5.5.3...v5.5.4) --- updated-dependencies: - dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump gittools/actions from 1 to 2 (tinglesoftware#1238) Bumps [gittools/actions](https://github.com/gittools/actions) from 1 to 2. - [Release notes](https://github.com/gittools/actions/releases) - [Commits](GitTools/actions@v1...v2) --- updated-dependencies: - dependency-name: gittools/actions dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump Microsoft.Azure.AppConfiguration.AspNetCore in the azure group (tinglesoftware#1240) Bumps the azure group with 1 update: [Microsoft.Azure.AppConfiguration.AspNetCore](https://github.com/Azure/Azconfig-DotnetProvider). Updates `Microsoft.Azure.AppConfiguration.AspNetCore` from 7.2.0 to 7.3.0 - [Release notes](https://github.com/Azure/Azconfig-DotnetProvider/releases) - [Commits](Azure/AppConfiguration-DotnetProvider@7.2.0...7.3.0) --- updated-dependencies: - dependency-name: Microsoft.Azure.AppConfiguration.AspNetCore dependency-type: direct:production update-type: version-update:semver-minor dependency-group: azure ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * NuGet feed auth support for Azure DevOps, Azure DevOps Server, and third-party NuGet servers (tinglesoftware#1241) * Add `helpUrl` and `releaseNotes` to the extension task. * Remove unused `useConfigFile` input (tinglesoftware#1244) * Reference discussion for permission in bug report template * Remove docker demand and rely on `tl.which` (tinglesoftware#1246) This should allow private agents with non-standard discovery. * Bump @types/node in /extension in the js-ts-types group (tinglesoftware#1250) * Bump dependabot-omnibus from 0.266.0 to 0.267.0 in /updater (tinglesoftware#1252) * Bump the opentelemetry group in /updater with 6 updates (tinglesoftware#1249) * Fix nuget.config not using correct credentials during NuGet updates of .NET Framework projects (tinglesoftware#1248) * Sync files for updater version 0.267.0 * Enable opentelemetry in `updater_script_vnext` (tinglesoftware#1254) This is the first step towards adding telemetry to the updater. Useful in debugging of issues and general analytics. It follows what the GitHub hosted version has. * Enable sentry in `updater_script_vnext` (tinglesoftware#1255) This is the second step towards monitoring the updater. Useful in debugging of issues and general analytics. It follows what the GitHub hosted version has. OpenTelemetry was setup in tinglesoftware#1254. Next step is to connect the error handler. * Update update_script.rb * Backport NuGet auth fix to `update_script`; Prevent NuGet leaking passwords in logs (tinglesoftware#1256) * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Bump axios from 1.7.2 to 1.7.3 in /extension (tinglesoftware#1264) * Bump @types/node in /extension in the js-ts-types group (tinglesoftware#1262) * Bump ts-jest from 29.2.3 to 29.2.4 in /extension in the jest group (tinglesoftware#1261) * Bump azure-pipelines-task-lib from 4.13.0 to 4.15.0 in /extension (tinglesoftware#1263) * Bump Azure.Messaging.ServiceBus from 7.18.0 to 7.18.1 in the azure group (tinglesoftware#1258) * Bump dependabot-omnibus from 0.267.0 to 0.268.0 in /updater (tinglesoftware#1259) Bumps [dependabot-omnibus](https://github.com/dependabot/dependabot-core) from 0.267.0 to 0.268.0. - [Release notes](https://github.com/dependabot/dependabot-core/releases) - [Changelog](https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG_ARCHIVE_2019_TO_SWITCH_TO_GITHUB_RELEASES.md) - [Commits](dependabot/dependabot-core@v0.267.0...v0.268.0) --- updated-dependencies: - dependency-name: dependabot-omnibus dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Regenerate Gemfile.lock * Sync files for updater version 0.268.0 * Update rubocop * Update update_script.rb * Make use of OpenTelemetry in the updater (tinglesoftware#1268) * Update azure.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update azure.rb * Update azure.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update Gemfile * Update update_script.rb * Update Gemfile * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update GitVersion and react to changes (tinglesoftware#1270) * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update updater.yml * revert * Update updater.yml * Update updater.yml * Update updater.yml * Update updater.yml * Update updater.yml * Update updater.yml * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * Update update_script.rb * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * test * testt * test * test * Update GitVersion.yml so that CI artifacts have better naming * test * test * test * test * clean up * clean up --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Maxwell Weru <[email protected]> Co-authored-by: Rhys Koedijk <[email protected]> Co-authored-by: Berend Haan <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What are you trying to accomplish?
update_script.rb, all thenuget.configauth fixes should be applied.Changes
nuget_config_credential_helpers.rbinupdate_script.rbnuget_config_credential_helpers.rb, if the username and password are the same value, we assume that "token" auth is being used and that the username is not significant, so redact username to something generic to avoid NuGet leaking sensitive information. Given current documentation in README.md, leaking was unlikely to actually happen, but it could happen ifdependabot.ymlwas misconfigured.