stefangr
Repos: 13, Followers: 5, Following: 5

Events

issue comment
Issues -> All Events Does Not Work With 50+ Events

Is there perhaps another nginx (or http proxy) before the nginx that is part of the self-hosted sentry?

Because in my situation there was and I had to change the buffer configuration in both nginx instances.

Created at 2 days ago
issue comment
All Events tab doesn't work for issue with lots of events

Maybe this should be solved by applying the change to the nginx.conf. That way new installations don't encounter this problem.

@hubertdeng123

Created at 1 month ago

show different code on found errors, and on fatal errors (#40)

use monorepo builder

add basic mb config

cs

push tag

Cleanup docs (#44)

  • docs

  • simpler

Remove Markdown formatter, not that useful and often breaking (#45)

add BC info about check-markdown command

add paths

cs

Add handy config initializer for easier 1st run (#46)

move only locally

make init bare

Tidy init in README (#47)

skip database, storage and migrations from the init directories

line

Upgrade to PHPUnit 10 (#49)

Always render system errors on exit regardless of fixer status (#51)

Don't remove cache directories when invalidating cache items (#52)

Co-authored-by: Tomas Votruba tomas.vot@gmail.com

Merge branch 'easy-coding-standard:main' into checkstyle-output-formatter

Created at 1 month ago

rename hex image to match YAML value (#6501)

Bump phpstan/phpstan from 1.9.13 to 1.9.14 in /composer/helpers/v2 (#6497)

Bumps phpstan/phpstan from 1.9.13 to 1.9.14.


updated-dependencies:

  • dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bump args from 2.3.1 to 2.3.2 in /pub/helpers (#6500)

Bumps args from 2.3.1 to 2.3.2.


updated-dependencies:

  • dependency-name: args dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bump phpstan/phpstan from 1.9.13 to 1.9.14 in /composer/helpers/v1 (#6498)

Bumps phpstan/phpstan from 1.9.13 to 1.9.14.


updated-dependencies:

  • dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Update faraday requirement from = 2.7.3 to = 2.7.4 in /omnibus (#6499)

  • Update faraday requirement from = 2.7.3 to = 2.7.4 in /omnibus

Updates the requirements on faraday to permit the latest version.


updated-dependencies:

  • dependency-name: faraday dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jeff Widman jeff@jeffwidman.com

Add compatibility with composer v2.4+ (#6503)

When running the dependabot-script with DEBUG_HELPERS=true I saw this error:

PHP Deprecated:  Installer::setIgnorePlatformRequirements is deprecated since Composer 2.2, use setPlatformRequirementFilter instead. in /opt/composer/v2/vendor/composer/composer/src/Composer/Installer.php on line 1289

So this commit resolves the deprecations and also adds a forward-compatible change to disable the audit.

Applied changes:

Co-authored-by: Stefan Grootscholten stefan.grootscholten@tripolis.com

Fix typo to avoid test confusion (#6505)

build(deps): bump composer/composer in /composer/helpers/v2

Bumps composer/composer from 2.3.9 to 2.4.1.


updated-dependencies:

  • dependency-name: composer/composer dependency-type: direct:production update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

setAudit should always be present on composer >= 2.4

Merge pull request #5577 from dependabot/dependabot/composer/composer/helpers/v2/composer/composer-2.4.1

build(deps): bump composer/composer from 2.3.9 to 2.4.1 in /composer/helpers/v2

add missing if causing the updater-core to build for no reason (#6508)

Fix two pending tests (#6194)

Per the discussion in https://github.com/dependabot/dependabot-core/pull/3319#discussion_r599482825, these only temporarily needed to be marked pending until https://github.com/dependabot/dependabot-core/pull/3327 was merged.

From the first thread it looks like the intent was to remove the pending marker, but that accidentally got overlooked.

So this removes the pending marker, and then fixes the failures:

  1. The first was a straightforward change from method to hash value.
  2. The second wasn't raising the expected error... However, this has been true since this code was originally committed (once #3327 was merged to make the test work). So I deleted the test as it added no value.

add missing CI tests for common and updater (#6504)

build(deps): bump commonmarker from 0.23.6 to 0.23.7 in /updater (#6511)

Bumps commonmarker from 0.23.6 to 0.23.7.


updated-dependencies:

  • dependency-name: commonmarker dependency-type: indirect ...

Signed-off-by: dependabot[bot] support@github.com

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

build(deps-dev): bump rimraf in /npm_and_yarn/helpers (#6513)

Bumps rimraf from 4.1.1 to 4.1.2.


updated-dependencies:

  • dependency-name: rimraf dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

build(deps-dev): bump jest in /npm_and_yarn/helpers (#6514)

Bumps jest from 29.3.1 to 29.4.0.


updated-dependencies:

  • dependency-name: jest dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Don't try to update path dependencies (#6084)

Since by definition they're at the latest version.

There were actually specs positively checking for this, but I believe they may have been an oversight. They were introduced when adding support for updating subdependencies at b8010392313fa97dbbdb74792e3fafc7deb35d67, and I don't think this change regresses there.

Fallback to github.com for actions source

There have been a few reported issues where Dependabot is attempting to source actions incorrectly from non-github.com sources. This implements a check and fallback so non-github sources will work, but will default to github.com if the non-github source is incorrect/inaccessible.

factor out the init so lint is happy

I don't like this refactor. How can I do it better?

Created at 1 month ago
delete branch
stefangr delete branch add-compatibility-with-composer-v2.4-v2.5
Created at 2 months ago
Add compatibility with composer v2.4+

For simplicity of working across timezones / PR rebases, does the following sound reasonable?

1. Merge this

2. Rebase the Dependabot PR to bump `composer` to `2.5.x`

3. Add a commit removing the optional checks, such that `setAudit` is always called.

4. Merge... so hopefully we'll be back up to `composer` `latest` by EOD +1

That sounds completely reasonable. :+1:

Created at 2 months ago
pull request opened
Add compatibility with composer v2.4+

When running the dependabot-script with DEBUG_HELPERS=true I saw this error:

PHP Deprecated:  Installer::setIgnorePlatformRequirements is deprecated since Composer 2.2, use setPlatformRequirementFilter instead. in /opt/composer/v2/vendor/composer/composer/src/Composer/Installer.php on line 1289

In this PR I work around the deprecations (there was one more, which was not verbose) and also add a forward-compatible change to disable the audit.

Applied changes:

Created at 2 months ago
create branch
stefangr create branch add-compatibility-with-composer-v2.4-v2.5
Created at 2 months ago
issue comment
All Events tab doesn't work for issue with lots of events

Thanks for that. I tried it and the problem is persistent even with larger buffer sizes.

This call just worked in version 22.12.0 without having to change the nginx configuration.

Created at 2 months ago

Fix RuboCop excludes not respected in the updater CI

In the Dockerfile.updater, the layout of rubocop configurations is the following:

~/.rubocop.yml
~/updater/.rubocop.yml

Note that this slightly differs from the setup of other "components" in the Dockerfile.ci. For example:

~/dependabot-core/.rubocop.yml
~/dependabot-core/bundler/.rubocop.yml

This subtle difference makes running the script/lint script in the updater's CI fail, so we had to work around that by passing explicit folders to RuboCop (docker_bundle_exec rubocop lib/ spec/).

The reason is that in the updater CI, exclusions in the main RuboCop config are not correctly interpreted, because they are resolved using the current directory as a base, not the directory of the configuration file itself.

So the following exclusion

---
AllCops:
  DisplayCopNames: true
  Exclude:
  - "*/vendor/**/*"

is interpreted as ~/updater/*/vendor/**/*, so the stuff installed at ~/updater/vendor/**/* is not properly ignored.

The reason for this is that a ~/.rubocop.yml configuration (located at the HOME folder) has special behavior with respect to exclusions. Normally, this file is shared as a base configuration to be shared among all your applications, so the special behavior of making exclude patterns be based on the PWD instead of on the path to the configuration itself makes sense to me. BUT, it breaks our particular case.

For the curious, this is where RuboCop special cases this:

https://github.com/rubocop/rubocop/blob/a643eaaa00dd65ba5aacff98b027e5b5a40c1561/lib/rubocop/config.rb#L211-L224

The solution is to move the common configuration to live in the omnibus folder instead. This way, this special behavior does not affect us.

There were other alternatives like:

  • Keep the current workaround, but RuboCop also behaves specially when given explicit folders, so I think it's better to normalize things to avoid surprises.

  • Relax the current Exclude patterns to catch everything. That could work, but it leaves the ~/.rubocop.yml file in place, and I believe the special behavior of this file is likely to bite us again.

Merge pull request #5609 from dependabot/deivid-rodriguez/fix-rubocop-excludes-not-respected

Fix RuboCop excludes not respected in the updater CI

remove Dockerfile.ci since it is redundant (#6424)

Co-authored-by: David Rodríguez deivid.rodriguez@riseup.net

fix git config not present for certain tests (#6431)

Fix Nullpointer for Gradle Parsing

Bump phpstan/phpstan from 1.9.8 to 1.9.11 in /composer/helpers/v2

Bumps phpstan/phpstan from 1.9.8 to 1.9.11.


updated-dependencies:

  • dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump @npmcli/arborist from 6.1.5 to 6.1.6 in /npm_and_yarn/helpers

Bumps @npmcli/arborist from 6.1.5 to 6.1.6.


updated-dependencies:

  • dependency-name: "@npmcli/arborist" dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Update parallel_tests requirement from ~> 4.0.0 to ~> 4.1.0 in /omnibus

Updates the requirements on parallel_tests to permit the latest version.


updated-dependencies:

  • dependency-name: parallel_tests dependency-type: direct:development ...

Signed-off-by: dependabot[bot] support@github.com

Bump licensed from 4.0.1 to 4.0.2 in /updater

Bumps licensed from 4.0.1 to 4.0.2.


updated-dependencies:

  • dependency-name: licensed dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump phpstan/phpstan from 1.9.8 to 1.9.11 in /composer/helpers/v1

Bumps phpstan/phpstan from 1.9.8 to 1.9.11.


updated-dependencies:

  • dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump rimraf from 3.0.2 to 4.0.7 in /npm_and_yarn/helpers

Bumps rimraf from 3.0.2 to 4.0.7.


updated-dependencies:

  • dependency-name: rimraf dependency-type: direct:development update-type: version-update:semver-major ...

Signed-off-by: dependabot[bot] support@github.com

Bump prettier from 2.8.2 to 2.8.3 in /npm_and_yarn/helpers

Bumps prettier from 2.8.2 to 2.8.3.


updated-dependencies:

  • dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump nock from 13.2.9 to 13.3.0 in /npm_and_yarn/helpers

Bumps nock from 13.2.9 to 13.3.0.


updated-dependencies:

  • dependency-name: nock dependency-type: direct:production update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Bump eslint from 8.31.0 to 8.32.0 in /npm_and_yarn/helpers

Bumps eslint from 8.31.0 to 8.32.0.


updated-dependencies:

  • dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Update faraday requirement from = 2.7.2 to = 2.7.3 in /omnibus (#6449)

Updates the requirements on faraday to permit the latest version.


updated-dependencies:

  • dependency-name: faraday dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jeff Widman jeff@jeffwidman.com

Remove duplicate sanitization

While working on https://github.com/dependabot/dependabot-core/pull/6434, I discovered that my prior change https://github.com/dependabot/dependabot-core/pull/6291/files#diff-82bee76077e5dbd4f3073948aa2ad29eec23333f9b4e06550fbf54c259875a24R343 was blowing up because error.message cannot be directly modified.

When I started to look how to change that, I realized that we already sanitize all URL credentials from any message at the global level:

  • https://github.com/dependabot/dependabot-core/pull/2828

So there's no need to sanitize here.

I compared the two regexes: https://github.com/dependabot/dependabot-core/blob/9a941db3517eb407f00c5832c902a57a8762f1cb/common/lib/dependabot/errors.rb#L7 https://github.com/dependabot/dependabot-core/blob/9a941db3517eb407f00c5832c902a57a8762f1cb/composer/lib/dependabot/composer/update_checker/version_resolver.rb#L526

and while they differ, they both strip username/password from the sensitive_error test case: https://github.com/dependabot/dependabot-core/blob/9a941db3517eb407f00c5832c902a57a8762f1cb/common/spec/helpers/test/run.rb#L11

I also grep'ed around, and we don't do creds sanitization for URLs in any other ecosystem... so it's best to remove this. If we do hear reports of unredacted creds getting into logs, then we certainly would rather fix at the global level regex, and not solely here in composer.

Also, from a GitHub security perspective, these creds never even make it to dependabot-core since we use a separate proxy for handling credentials... so this only affects users running dependabot-core on their own.

Support Poetry group dependencies

Fixes #5766

Bump rspec and rspec-its to latest versions

Instruct commonmarker not to format to HTML for bitbucket

Added Ruby 3.2.0 to RubyRequirementSetter version requirements

Created at 2 months ago
opened issue
All Events tab doesn't work for issue with lots of events

Self-Hosted Version: 23.1.0

CPU Architecture: x86_64

Docker Version: 20.10.23

Docker Compose Version: 2.15.1

Steps to Reproduce

  1. Have an issue with more than ~50 individual events
  2. Open the "All events" tab

Expected Result

The all events page shows the list of all events paginated

Actual Result

The browser gets an HTTP 502 Bad Gateway returned.

The spinner animation on the "All events" tab is permanent.

Relevant nginx log output:

sentry-self-hosted-nginx-1                                     | 2023/01/20 07:28:12 [error] 27#27: *2985 upstream sent too big header while reading response header from upstream, client: yy.yy.yy.yy, server: , request: "GET /api/0/issues/13177/attachments/?per_page=50&types=event.minidump&event_id=d58d7624c3214558810510c8ec0e4e8c&event_id=241c7e629ba74abcae9bd4374095eae1&event_id=f77a3d03635e467688f10fc744395270&event_id=75d53c47b96c4194a1a6f6ba67f0f192&event_id=11784f253ffc41c6a656b1e47a06262d&event_id=9c2c886a05374dfabf7c0c58c97e661c&event_id=8719783fe3d74a2aa48587f705170cbc&event_id=bdf25f593208444d89934f6963a9b62a&event_id=8369b6c2408b42ae95f5b082de6dca0b&event_id=f4674866da5e43bbad4dc3003ece4124&event_id=4c50f2863cfc42aaa1d8ff4e4a7bc364&event_id=8d5bf7e16a72496b9fc7c2fa118b13b9&event_id=3c7b52123f284ea8806ab65b4c8e10e4&event_id=53df552adf254d47bd3f727e7d657342&event_id=d6bc29cb49004ce19ecd3e24a409dee1&event_id=a00b60bbb9d64634bd86944060058991&event_id=3e699fe3bf03439c9ed409aeb7a299ac&event_id=d0799b9456be46c59a8cd8ab443fff8b&event_id=59f5efa1af74495d8ac3ec767bd4d4b7&event_id=86d1528f022a4a9eae0ef7b825d09be7&event_id=76e5878ff51249be9230b888f1b70756&event_id=02279bb8966d4fb4857b2f59e9ebc08f&event_id=e1cd1684eeae48fcb7d15f15b4b2e3db&event_id=3542672ce48a401abb05740a54c8cfad&event_id=d18b40a3c3f740f798823ef8228a7eb5&event_id=8c43f7e36730440394f777dd834c09d8&event_id=cb7ed9d24b1645bdbf067f9814520dba&event_id=4d1350f02fdf4dd79dbe05f67a412ffe&event_id=c085713affa347f2ac5a740f6a80e46d&event_id=2f4ffc32960e4e6aa74961faea5eaf0b&event_id=90b1ba37848546948872c20bb475abd1&event_id=fe094d5a8197413c8bbc777140017fd4&event_id=eac8d43f1ab244838a00e2c85cda59a8&event_id=799c86012448496b9624db39e5d37a3f&event_id=a256fc31028245f5b6f1176b698fcc09&event_id=15e97942653a4ffe8d69cee68a4aedfc&event_id=7557606f2af94905a4b97e60b33b0e44&event_id=3bbc4b4346214bd3a9470166c923b429&event_id=1870a844883148b58d5ce2a922e379b9&event_id=1001faab384140ad90a8897186532295&event_id=6154f30380fd460292d2
05b6d44068a4&event_id=d9c514620d36413abdaacebbe7915444&event_id=18ac58cab74945a0b0beb1a70c71d55c&event_id=ffcd
sentry-self-hosted-nginx-1                                     | yy.yy.yy.yy - - [20/Jan/2023:07:28:12 +0000] "GET /api/0/issues/13177/attachments/?per_page=50&types=event.minidump&event_id=d58d7624c3214558810510c8ec0e4e8c&event_id=241c7e629ba74abcae9bd4374095eae1&event_id=f77a3d03635e467688f10fc744395270&event_id=75d53c47b96c4194a1a6f6ba67f0f192&event_id=11784f253ffc41c6a656b1e47a06262d&event_id=9c2c886a05374dfabf7c0c58c97e661c&event_id=8719783fe3d74a2aa48587f705170cbc&event_id=bdf25f593208444d89934f6963a9b62a&event_id=8369b6c2408b42ae95f5b082de6dca0b&event_id=f4674866da5e43bbad4dc3003ece4124&event_id=4c50f2863cfc42aaa1d8ff4e4a7bc364&event_id=8d5bf7e16a72496b9fc7c2fa118b13b9&event_id=3c7b52123f284ea8806ab65b4c8e10e4&event_id=53df552adf254d47bd3f727e7d657342&event_id=d6bc29cb49004ce19ecd3e24a409dee1&event_id=a00b60bbb9d64634bd86944060058991&event_id=3e699fe3bf03439c9ed409aeb7a299ac&event_id=d0799b9456be46c59a8cd8ab443fff8b&event_id=59f5efa1af74495d8ac3ec767bd4d4b7&event_id=86d1528f022a4a9eae0ef7b825d09be7&event_id=76e5878ff51249be9230b888f1b70756&event_id=02279bb8966d4fb4857b2f59e9ebc08f&event_id=e1cd1684eeae48fcb7d15f15b4b2e3db&event_id=3542672ce48a401abb05740a54c8cfad&event_id=d18b40a3c3f740f798823ef8228a7eb5&event_id=8c43f7e36730440394f777dd834c09d8&event_id=cb7ed9d24b1645bdbf067f9814520dba&event_id=4d1350f02fdf4dd79dbe05f67a412ffe&event_id=c085713affa347f2ac5a740f6a80e46d&event_id=2f4ffc32960e4e6aa74961faea5eaf0b&event_id=90b1ba37848546948872c20bb475abd1&event_id=fe094d5a8197413c8bbc777140017fd4&event_id=eac8d43f1ab244838a00e2c85cda59a8&event_id=799c86012448496b9624db39e5d37a3f&event_id=a256fc31028245f5b6f1176b698fcc09&event_id=15e97942653a4ffe8d69cee68a4aedfc&event_id=7557606f2af94905a4b97e60b33b0e44&event_id=3bbc4b4346214bd3a9470166c923b429&event_id=1870a844883148b58d5ce2a922e379b9&event_id=1001faab384140ad90a8897186532295&event_id=6154f30380fd460292d205b6d44068a4&event_id=d9c514620d36413abdaacebbe7915444&event_id=18ac58cab74945a0b0beb1a70c71d55c&event_id=ffcd
bd5a18704d6aa492912e93abb147&event_id=263e3b9e9b7b41cabadda69f485e36d2&event_id=4765139fbd7f4129891ce64d3eba4567&event_id=b4a595b71a4249c09bfdad7a4d0d053b&event_id=177a622c76b44971b2048807bdabffa8&event_id=13f9622d6f654194875eeb7be3082168&event_id=7be914ef1be9455ea27c3043e3ed7448 HTTP/1.0" 502 150 "https://sentry.ourdomain.ext/organizations/organization-name/issues/13177/events/?project=3&referrer=issue-stream&sort=freq&statsPeriod=14d" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" "xx.xx.xx.xx"

Event ID

No response

Created at 2 months ago
stefangr create branch checkstyle-output-formatter
Created at 2 months ago
delete branch
stefangr delete branch bitbucket-convert-html-to-markdown
Created at 2 months ago

Update excon requirement from ~> 0.75, < 0.94 to ~> 0.75, < 0.97

Updates the requirements on excon to permit the latest version.


updated-dependencies:

  • dependency-name: excon dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

run bundle install to regenerate Gemfile.lock

Update pip-tools requirement in /python/helpers

Updates the requirements on pip-tools to permit the latest version.


updated-dependencies:

  • dependency-name: pip-tools dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

update test to match reworded error message from upstream

Update faraday requirement from = 2.6.0 to = 2.7.2 in /omnibus

Updates the requirements on faraday to permit the latest version.


updated-dependencies:

  • dependency-name: faraday dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

run bundle install to regenerate updater/Gemfile.lock

Bump phpstan/phpstan from 1.9.4 to 1.9.8 in /composer/helpers/v1

Bumps phpstan/phpstan from 1.9.4 to 1.9.8.


updated-dependencies:

  • dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump friendsofphp/php-cs-fixer in /composer/helpers/v2

Bumps friendsofphp/php-cs-fixer from 3.13.1 to 3.13.2.


updated-dependencies:

  • dependency-name: friendsofphp/php-cs-fixer dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump phpstan/phpstan from 1.9.4 to 1.9.8 in /composer/helpers/v2

Bumps phpstan/phpstan from 1.9.4 to 1.9.8.


updated-dependencies:

  • dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump eslint-config-prettier from 8.5.0 to 8.6.0 in /npm_and_yarn/helpers

Bumps eslint-config-prettier from 8.5.0 to 8.6.0.


updated-dependencies:

  • dependency-name: eslint-config-prettier dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Bump prettier from 2.8.1 to 2.8.2 in /npm_and_yarn/helpers

Bumps prettier from 2.8.1 to 2.8.2.


updated-dependencies:

  • dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump cython from 0.29.32 to 0.29.33 in /python/helpers

Bumps cython from 0.29.32 to 0.29.33.


updated-dependencies:

  • dependency-name: cython dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump licensed from 3.9.1 to 4.0.1 in /updater

Bumps licensed from 3.9.1 to 4.0.1.


updated-dependencies:

  • dependency-name: licensed dependency-type: direct:development update-type: version-update:semver-major ...

Signed-off-by: dependabot[bot] support@github.com

Update rubocop requirement from ~> 1.39.0 to ~> 1.42.0 in /omnibus

Updates the requirements on rubocop to permit the latest version.


updated-dependencies:

  • dependency-name: rubocop dependency-type: direct:development ...

Signed-off-by: dependabot[bot] support@github.com

Bump rubocop from 1.39.0 to 1.42.0 in /updater

Bumps rubocop from 1.39.0 to 1.42.0.


updated-dependencies:

  • dependency-name: rubocop dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Disable Style/RedundantConstantBase

This rule is causing some issues for us, see https://github.com/rubocop/rubocop/issues/11401.

We chatted about it internally and nobody really minds the :: prefix, so we decided to disable the rule for now.

Update poetry requirement in /python/helpers

Updates the requirements on poetry to permit the latest version.


updated-dependencies:

  • dependency-name: poetry dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

Update excon requirement from ~> 0.75, < 0.97 to ~> 0.75, < 0.98 in /omnibus (#6403)

Updates the requirements on excon to permit the latest version.


updated-dependencies:

  • dependency-name: excon dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jeff Widman jeff@jeffwidman.com

Bump activesupport from 6.1.4.4 to 6.1.7 in /updater

Bumps activesupport from 6.1.4.4 to 6.1.7.


updated-dependencies:

  • dependency-name: activesupport dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Use latest Python patch releases for builds

Follow-up to #6375: this activates those latest patch releases during runtime.

Created at 2 months ago

Do not convert the markdown PR description to HTML for bitbucket

I traced the change back to the upgrade of the dependabot-omnibus package from 0.212.0 to 0.214.0.

There I found this little change, which is fine of course and should stay.

Created at 2 months ago

Bump to Ruby 3.1.3

Saw this warning in the logs, which reminded me it's time to bump ruby to 3.1.3:

warning: parser/current is loading parser/ruby31, which recognizes 3.1.3-compliant syntax, but you are running 3.1.2.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.

Also bumped bundler to 2.3.26 to match what comes with Ruby by default.

Co-authored-by: David Rodríguez deivid.rodriguez@riseup.net

Fix lints

Various lints flagged by Rubocop.

Instruct commonmarker not to format to HTML for bitbucket

Created at 2 months ago


Verify Dart SHA256 hashes

In addition to downloading the Dart SDK, also download and verify SHA256 hashes.

Dart includes both the hash value and the downloaded file name in the hash file. To avoid having to parse the hash file, the script moves to the /tmp/ directory to verify the hash.
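The verification step that commit message describes, as an added example that is not the project's own Dockerfile script: it reproduces the pattern of running the checker from the directory that holds the download, so the filename embedded in the vendor hash file resolves without the script parsing the hash file, and it exercises the two failure modes a practitioner cares about (a tampered archive, and the check accidentally run from the wrong directory). The archive, its contents and the hash file are constructed in a temporary directory; the name dartsdk-fake.zip is a placeholder, not a real Dart SDK artifact.

```shell
#!/bin/sh
# Added example (not the dependabot-core build script): verify a downloaded
# archive against a vendor hash file of the form "<sha256>  <filename>" by
# running the checker from the directory that contains the archive, so the
# filename inside the hash file resolves without parsing the hash file.

# Pick whichever SHA-256 checker is installed (coreutils sha256sum, or
# Perl's shasum, which accepts the same "-c" hash-file format).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# verify_in_dir DIR HASHFILE
# Runs the checker from DIR so the filename embedded in HASHFILE is looked up
# relative to DIR. Returns 0 on match, non-zero on mismatch or missing file.
verify_in_dir() {
    dir="$1"
    hashfile="$2"
    ( cd "$dir" && $(sha256_tool) -c "$hashfile" >/dev/null 2>&1 )
}

# Builds a constructed scenario in a temp dir: a fake "SDK archive" and a
# hash file in the vendor format "<hex>  dartsdk-fake.zip". Prints the dir.
make_fixture() {
    work=$(mktemp -d)
    printf 'constructed sdk payload\n' > "$work/dartsdk-fake.zip"
    ( cd "$work" && $(sha256_tool) dartsdk-fake.zip > dartsdk-fake.zip.sha256sum )
    echo "$work"
}

# Returns 0 when the untouched archive verifies from its own directory.
check_good_archive() {
    work=$(make_fixture)
    verify_in_dir "$work" "$work/dartsdk-fake.zip.sha256sum"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Returns 0 when a tampered archive is rejected (verification must fail).
check_tampered_archive() {
    work=$(make_fixture)
    printf 'tampered\n' >> "$work/dartsdk-fake.zip"
    if verify_in_dir "$work" "$work/dartsdk-fake.zip.sha256sum"; then
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
    return 0
}

# Returns 0 when the same check run from an unrelated directory fails,
# which is exactly why the build script changes directory before verifying:
# the checker looks for the embedded filename relative to the cwd.
check_wrong_dir_fails() {
    work=$(make_fixture)
    other=$(mktemp -d)
    if verify_in_dir "$other" "$work/dartsdk-fake.zip.sha256sum"; then
        rm -rf "$work" "$other"
        return 1
    fi
    rm -rf "$work" "$other"
    return 0
}
```

The checker's exit status is the only signal the script needs: a build step that does `cd /tmp && sha256sum -c <hashfile> || exit 1` fails closed on both a corrupted download and a hash file pointing at a filename that is not present in the working directory.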

Bump the Dart SDK version

Bump phpstan/phpstan from 1.9.2 to 1.9.4 in /composer/helpers/v1

Bumps phpstan/phpstan from 1.9.2 to 1.9.4.


updated-dependencies:

  • dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump phpstan/phpstan from 1.9.2 to 1.9.4 in /composer/helpers/v2

Bumps phpstan/phpstan from 1.9.2 to 1.9.4.


updated-dependencies:

  • dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump eslint from 8.29.0 to 8.30.0 in /npm_and_yarn/helpers

Bumps eslint from 8.29.0 to 8.30.0.


updated-dependencies:

  • dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Remove superfluous v customization in test fixture

Historical context: In https://github.com/dependabot/dependabot-core/commit/77406d5d220ce7c61c7d68d1bacb8b8fadf59277, support was added for version numbers that included a "v" prefix. At the time, the only packagist test fixture was this single file: https://github.com/dependabot/dependabot-core/tree/77406d5d220ce7c61c7d68d1bacb8b8fadf59277/spec/fixtures/php. So to test this, Grey added a customization to force a "v" prefix on a version.

However, we now have a whole folder of packagist responses: https://github.com/dependabot/dependabot-core/tree/dc6584174b027b7313e1ccc92adae209417c8910/composer/spec/fixtures/packagist_responses

And several of those include "v" prefixes:

  • https://github.com/dependabot/dependabot-core/blob/dc6584174b027b7313e1ccc92adae209417c8910/composer/spec/fixtures/packagist_responses/symfony--polyfill-mbstring.json#L875
  • https://raw.githubusercontent.com/dependabot/dependabot-core/dc6584174b027b7313e1ccc92adae209417c8910/composer/spec/fixtures/packagist_responses/illuminate--console.json

And I confirmed that we do run tests against some of those: https://github.com/dependabot/dependabot-core/blob/dc6584174b027b7313e1ccc92adae209417c8910/composer/spec/dependabot/composer/file_updater_spec.rb#L94

So we no longer need this customization.

And tracking down these customizations has been a royal pain while working on https://github.com/dependabot/dependabot-core/issues/3010.

While retaining it is semi-harmless, explicitly removing this provides a git blame trail because in a future PR I'll be removing this generic packagist_response.json file completely in favor of using the explicit packagist response files.

Update monolog/monolog fixture to latest packagist response

For a few upcoming PRs, it'll be helpful if the monolog/monolog packagist fixture is current to match what's actually returned by https://repo.packagist.org/p/monolog/monolog.json.

Initially I updated all the other fixtures as well, but the illuminate/* fixtures ballooned to 43+ MB... and then when I switched them to the v2 metadata endpoint (https://github.com/dependabot/dependabot-core/issues/3010) they shrank back down... no point in adding that much cruft to our git history when I'm going to almost immediately drop it.

But the monolog/monolog change is necessary because I'll be updating all the tests that point at the generic packagist_response.json to point at this fixture... and since it already has a newer version than is in packagist_response.json, might as well first ensure the fixture is fully-up-to-date.

Stop using handcrafted fixture for packagist responses

As part of working on https://github.com/dependabot/dependabot-core/issues/3010, I need to update the test fixtures to match what the Packagist v2 metadata API returns.

However, we have a custom packagist_response.json fixture which cloned the response for monolog/monolog and then applied a couple of handcrafted customizations... So when updating the fixture, I needed to re-copy the upstream monolog/monolog, then apply the customizations. However, the upstream API now minifies the resulting output, which makes correctly applying customizations a little more risky.

In https://github.com/dependabot/dependabot-core/pull/6332 / https://github.com/dependabot/dependabot-core/commit/2d20ff2e0424c2810be4ad583182c07d942d2280 I removed one of the customizations, so the only one left was having a pre-release version. However, we already have an existing fixture in the doctrine--dbal.json file that has several pre-release versions. So by flipping those tests using pre-releases to use that fixture, we could actually drop the packagist_response.json file entirely.

Going forward, we can use off-the-shelf fixture responses directly from Packagist, which will be much easier to maintain.

So this PR does the following:

  1. Makes the packagist_url / packagist_response param handling consistent in all three files that called out to packagist_response.json.
  2. Flips them all from using packagist_response.json to instead using the off-the-shelf fixtures in the packagist_responses directory. We already have a monolog--monolog.json fixture (which I just updated in https://github.com/dependabot/dependabot-core/pull/6334), so I didn't need a replacement fixture.
  3. Deletes the old custom packagist.json fixture that is no longer used.
  4. Flips the tests for pre-release versions to use the doctrine--dbal.json fixture.
  5. Minor refactorings on a couple of tests to make them more readable/internally consistent.

This should greatly increase our confidence for https://github.com/dependabot/dependabot-core/issues/3010 that our tests are matching what we're actually receiving from Packagist.

Bump friendsofphp/php-cs-fixer in /composer/helpers/v2

Bumps friendsofphp/php-cs-fixer from 3.13.0 to 3.13.1.


updated-dependencies:

  • dependency-name: friendsofphp/php-cs-fixer dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Clarify composer v1 PEAR unit test

It took me a while to understand this unit test, because this package is actually present on packagist: https://repo.packagist.org/p/pear-pear.horde.org/horde_date.json

However, from the associated composer.json fixture plus the existing fixture, it's clear that this test is checking what happens when a PEAR dependency is not present on packagist.

So remove the fixture from the packagist_responses directory which is supposed to match what Packagist actually returns and hardcode the response for this single unit test to avoid confusion of future devs thinking they need to update it to match the actual packagist response.

This will make the https://github.com/dependabot/dependabot-core/pull/6315 a bit more straightforward because composer v1 doesn't know about the v2 metadata API so I will need to hardcode both v1 and v2 metadata responses (which return different HTTP status codes).

PEAR is mostly dead it seems, but it doesn't hurt to leave it around in case any old composer v1 projects still have PEAR deps listed... and this will all be gone soon enough once we remove support for composer v1:

  • https://github.com/dependabot/dependabot-core/issues/6298

Allow optional single and double quotes in yaml versions/tags

Generate compare path and fetch commits for Azure in metadata

Support pulling changelog and related files from Azure based repos

Added tests

Add CommitFinder tests for Azure added in #6321

Migrate to packagist's v2 metadata API

As explained in https://github.com/dependabot/dependabot-core/issues/3010:

Packagist supports a new metadata format (introduced for composer 2 as composer 1 does not know how to use it) for better performance and reduced bandwidth. The composer team plans to deprecate the v1 metadata format and disable it on packagist.org in the future ... The new endpoint is at https://repo.packagist.org/p2/ instead of https://repo.packagist.org/p/

The differences between the v1 and v2 metadata formats are documented in https://github.com/composer/composer/blob/master/UPGRADE-2.0.md#for-composer-repository-implementors. Here are the main highlights:

  • metadata are minified (this can be detected based on the "minified": "composer/2.0" top-level key in the file) to reduce the file size thanks to the fact that most releases don't change most of the metadata fields compared to the previous release. This will probably impact dependabot as it will need to un-minify the metadata
  • only metadata for the package itself are in the file, not other packages providing the same name (should not be an issue for dependabot if it cares about the versions for the package name it loads)
  • dev versions (corresponding to git branches rather than tags) are in a separate file (most projects don't allow dev versions of their dependencies and so don't need the metadata for git branches. Splitting them allowed a better caching as releases happen less often than pushes to branches)
  • absence of a package is now always represented by a 404 response rather than sometimes returning a 200 response with an empty list in the packages key.

So I did the following steps:

  1. Update the two places we call this endpoint to hit /p2/ rather than /p/
  2. Update the code that parses those URL responses to handle the change from returning a hash of version listings to an array of version listings.
  3. Research the minification impact--it turned out to not affect us because we were already searching for the newest source URL link, which is the one that doesn't get minified away.
  4. Update the content of the packagist response test fixtures to match what's returned by the new endpoint. This was by far the most time consuming part as we had some test fixtures that tried to do double-duty in various ways, so I cleaned those up on a few separate PRs, which made the updates in this PR much more straightforward.
  5. Decide how to handle the move of dev versions (aka branches rather than tags) to an outside channel. Since these are tied to a branch rather than a tag, it doesn't really make sense to support these, as currently I'm not aware of a way to know "this branch updates to this other branch". (At least not for composer, GitHub actions obviously is different.) Additionally, pre-release version suffixes such as BETA1 or -RC1 are still returned on the main channel, so anyone who really wants pre-release versions that are upgradeable can still use those.
  6. Investigate if any tests needed updating that were looking for a 200 response and a missing package now that Packagist guarantees they'll return a 404 for missing packages. The only tests affected were a couple that check if Packagist returns an empty array, and I'd rather keep those for defensive coding purposes, as they may occur in the future if Packagist ever has bugs.

Fix https://github.com/dependabot/dependabot-core/issues/3010

Bump debug from 1.7.0 to 1.7.1 in /updater

Bumps debug from 1.7.0 to 1.7.1.


updated-dependencies:

  • dependency-name: debug dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Bump minimatch from 3.0.4 to 3.1.2 in /npm_and_yarn/helpers

Bumps minimatch from 3.0.4 to 3.1.2.


updated-dependencies:

  • dependency-name: minimatch dependency-type: indirect ...

Signed-off-by: dependabot[bot] support@github.com

Mention "metadata" in --pull-request description

I was helping a friend repro a bug, and he was using the dry-run script... when we initially grep'd for "metadata", we didn't find this --pull-request option, so adding it here for easier grep'ability.

Bump rubocop-performance from 1.15.1 to 1.15.2 in /updater

Bumps rubocop-performance from 1.15.1 to 1.15.2.


updated-dependencies:

  • dependency-name: rubocop-performance dependency-type: direct:development update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Created at 2 months ago
