jeffwidman
Repos: 36 · Followers: 240 · Following: 62

A SQLAlchemy recipe for managing PostgreSQL Materialized Views.

Works on *nix, optimized for macOS. Managed using Stow


Python client for Apache Kafka


Kazoo is a high-level Python library that makes it easier to use Apache Zookeeper.


Home of the cqlsh package on PyPI. Repackages the official Cassandra cqlsh for lighter-weight installs.


The configuration framework for Zsh


Events

Write out .yarnrc registry and auth info before findConflictingDependencies is called

Add in Yarn Classic and Yarn Berry private registry config during YarnLockfileUpdater and DependencyFilesBuilder steps

Specify yarn lock when writing dependency files

Use Yarn registry regex from RegistryFinder

Remove Current User From List of Default Reviewer

Merge branch 'main' into bitbucket-remove-current-user-from-default-reviewer

Fix for lint

Merge branch 'bitbucket-remove-current-user-from-default-reviewer' of https://github.com/Kimor-hello/dependabot-core into bitbucket-remove-current-user-from-default-reviewer

Merge branch 'main' into bitbucket-remove-current-user-from-default-reviewer

Only write out .yarnrc.yml if it exists

Bump @npmcli/arborist from 5.6.2 to 6.0.0 in /npm_and_yarn/helpers

Bumps @npmcli/arborist from 5.6.2 to 6.0.0.


updated-dependencies:

  • dependency-name: "@npmcli/arborist"
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5955 from dependabot/dependabot/npm_and_yarn/npm_and_yarn/helpers/npmcli/arborist-6.0.0

Bump @npmcli/arborist from 5.6.2 to 6.0.0 in /npm_and_yarn/helpers

Remove Unused file

Merge branch 'bitbucket-remove-current-user-from-default-reviewer' of https://github.com/Kimor-hello/dependabot-core into bitbucket-remove-current-user-from-default-reviewer

Merge branch 'main' into bitbucket-remove-current-user-from-default-reviewer

Merge pull request #5968 from Kimor-hello/bitbucket-remove-current-user-from-default-reviewer

Remove Current User From List of Default Reviewer

prevent failing to create a PR due to metadata gathering errors

prevent trying to get a commit that can't exist

Reorganize method definition order for clarity

Private methods were interspersed with protected methods under comment heading, 'INTERNAL METHODS (not for use by sub-classes)'. This change simply moves the protected methods above this heading.

Add #recurse_submodules_when_cloning? to control cloning behavior

Created at 10 hours ago
opened issue
`key: :99` reports value as `:"99"` rather than `":99"`

Over in https://github.com/dependabot/dependabot-core/issues/5453 a user reported a parsing difficulty with the following example YAML file:

env:
  DISPLAY: :99

So I tried parsing it:

irb(main):002:0> s = Psych.safe_load('env:\n  DISPLAY: :99', permitted_classes: [Symbol])
=> {"env:\\n  DISPLAY"=>:"99"}
# Now try quoting w/o permitting Symbol:
irb(main):003:0> w = Psych.safe_load('env:\n  DISPLAY: ":99"')
=> {"env:\\n  DISPLAY"=>":99"}
irb(main):006:0> s.values
=> [:"99"]
irb(main):007:0> w.values
=> [":99"]

Notice that these two values differ: `:"99"` rather than the expected `":99"`, i.e. the symbol for `"99"` vs the full string `":99"`.

Is there a way to configure Psych to treat the colon as part of the string and not a symbol indicator?

Created at 11 hours ago
Update Docker image tags in Maven files (pom.xml)

Interesting, I didn't realize they could be tagged there.

The docker ecosystem currently will inspect any file matching: https://github.com/dependabot/dependabot-core/blob/7353a1e4083f840c5be916d0e33d64557f8b722e/docker/lib/dependabot/docker/file_fetcher.rb#L12

As well as kubernetes files: https://github.com/dependabot/dependabot-core/blob/7353a1e4083f840c5be916d0e33d64557f8b722e/docker/lib/dependabot/docker/file_fetcher.rb#L73

And helm charts: https://github.com/dependabot/dependabot-core/blob/7353a1e4083f840c5be916d0e33d64557f8b722e/docker/lib/dependabot/docker/file_fetcher.rb#L81

We do receive requests to bump image references in a few other places, and before we do that we'll probably need to add an additional config that allows a user to specify a sub-type of an ecosystem so we know what to actually parse...

Related:

  • https://github.com/dependabot/dependabot-core/issues/390
  • https://github.com/dependabot/dependabot-core/issues/5541
  • https://github.com/dependabot/dependabot-core/issues/5819
Created at 12 hours ago
YAML parser for github-actions tries to symbolize strings starting with :

Is there an existing issue for this?

  • [X] I have searched the existing issues

Package ecosystem

github-actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

I expect a string ":foo" to be parsed as ":foo", e.g. in the yaml

mykey: :foo

actually saw:

/usr/local/lib/ruby/3.1.0/psych/class_loader.rb:99:in `find': Tried to load unspecified class: Symbol (Psych::DisallowedClass)

Note that I only see this when using docker-dev-shell; in GitHub (under Insights > Dependency graph > Dependabot) I only saw

Header (red):

⚠️ Dependabot can't parse your integration.yml Dependabot failed to update your dependencies because there was an error parsing the integration.yml found at /.github/workflows/workflow.yml.

Dependabot encountered the following error:

Dependabot::DependencyFileNotParseable Learn more

The "log" below contains no useful information regarding the source of the error; all I get is

updater | INFO Results: updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

name: :foo
Created at 13 hours ago
YAML parser for github-actions tries to symbolize strings starting with :

👋 thanks for the report.

This looks like a duplicate of https://github.com/dependabot/dependabot-core/issues/5453#issuecomment-1205481750.

Created at 13 hours ago
NPM: do not switch dependency source from git to public registry

It's a fairly common use case where someone needs to pick up some fix that isn't released yet, so they'll temporarily pin to a SHA, but want to revert back to the latest version once it includes the fix.

I've done this myself multiple times for deps in the go, python, and github-actions ecosystems, and it's what we've even been recommending folks do to pick up the changes here in dependabot-core until we get a process in place to release more frequently.

Created at 15 hours ago
Add support for Swift Package Manager

If / when we do pick this up, there's also prior art over in https://github.com/dependabot/dependabot-core/pull/5562/ that may be useful. That PR also has some NotImplemented bits so neither one is completely ready, but that one does look to have some additional test cases and some features that haven't been completed yet in this PR etc. So worth a skim to see if any commits should be cherry-picked into this.

Created at 15 hours ago
Consider not validating all modules for go updates

Is there an existing issue for this?

  • [X] I have searched the existing issues

Code improvement description

Migrating from our internal issue tracker since the affected code resides here in dependabot-core:

@mctofu:

In a go module update we make an extra call to `go get -d`: https://github.com/dependabot/dependabot-core/blob/b5833e47efb31bd9547a5536a9dd891815018af1/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb#L99-L102 This is intended to fix up bad go.mod files but shouldn't have any effect on a healthy go.mod. In addition, Dependabot is not expected to put the go.mod into a bad state during an update.

The downside of making this extra call is that it results in extra time and network activity during the update job. For projects with large numbers of dependencies this can lead to slow updates or timeouts.

TODO: Find examples of why `go get -d` was originally added to validate that there's no harm in removing this.

@jurre:

I think it was introduced when we added support for go mod tidy, or this commit: https://github.com/dependabot/dependabot-core/commit/6a48ffc97ad2ae0134488d2c641f68ef5cac1ada, I hope that one of those tests covers this behavior (or possibly one of the others added in that PR), but it's been a while and I'm a little fuzzy on all the details.

@jeffwidman:

If we went this route, it may have an impact on the solution required for:

  • https://github.com/dependabot/dependabot-core/issues/4536
Created at 16 hours ago

Bump RUBY_INSTALL_VERSION to 0.8.5

https://github.com/postmodern/ruby-install/tags

This may (or may not, I'm not sure) be helpful when bumping ruby to 3.1.3 / upcoming 3.2...

I figured might as well bump it.

Created at 2 days ago
jeffwidman delete branch bump-ruby-install-version
Created at 2 days ago
pull request closed
Bump `RUBY_INSTALL_VERSION` to `0.8.5`


Created at 2 days ago
issue comment
improve result diffing

Oh thanks, I totally overlooked that.

Created at 2 days ago
Bump octokit from 4.25.1 to 6.0.1 in /updater

Two major version bumps. What could go wrong? 😛

Created at 2 days ago
pull request opened
Bump `RUBY_INSTALL_VERSION` to `0.8.5`


Created at 2 days ago
jeffwidman create branch bump-ruby-install-version
Created at 2 days ago
Update faraday requirement from = 2.6.0 to = 2.7.1 in /omnibus

@dependabot rebase

Created at 2 days ago
Repositories fetched over HTTPS rely on redirection instead of using direct clone link

To clarify my understanding:

  1. This should manifest against public repos as well... the inclusion of the gitlab-ci-token shouldn't matter...
  2. This should manifest whenever the dependency's repo is on GitLab / a service that doesn't auto-redirect... it would happen regardless of whether Dependabot is running in GitLab vs GitHub vs Azure DevOps... Are both of ☝️ correct?
  3. You're running this on GitLab, via an entrypoint like dependabot-script? Because on GitHub, for additional security, we run within a custom proxy that prevents dependabot-core from ever seeing the secrets, so I'd like to eliminate that as a potential culprit.

This sure sounds like a legit bug, but I suspect it only impacts Terraform repos hosted on GitLab, so given the relative impact this may not get prioritized for a bit. However, if you want to dig into it further using the dry-run script (or even your current entrypoint) and then put together a PR, I'd be happy to guide you / answer any questions.

Created at 2 days ago
Dependabot update to single (poetry-managed) package unexpectedly removes packages from lockfile

👋 Sorry for the bug... clearly affecting a lot of folks. Myself or @pavera or someone else on the team will try to dig into this tomorrow, although as y'all know could take a few days to fix... won't know til we've looked into it.

Created at 2 days ago
"Dependabot encountered an unknown error" or times out systematically since a few weeks

👋 sorry to hear about this.

With somewhat ambiguous bugs like this on a private repo, you'll need to help us out with a little more info:

  1. Is there a publicly accessible repository where this reproduces? (Or can you make one by stripping out your proprietary code?)
  2. What happens if you run it locally using the dry-run script within the docker container? Does it ever complete? If so, how long does it take?
  3. You can also file a support ticket if you want, sometimes that makes it easier to have conversations about issues with private repositories.
Created at 2 days ago
Custom labels do not work for Azure DevOps

👋 Sorry for the delay on this one, and I appreciate the nudge on the PR. I left a comment on it.

Created at 2 days ago
Remove label filter for azure

And to be clear, I 100% support what you're trying to do here... just want to try to avoid special cases leaking out from specific client implementations if possible.

Created at 2 days ago