stefangr
Events

Terraform 1.3.0

Merge branch 'main' into terraform-1.3.0

Merge pull request #5782 from dependabot/terraform-1.3.0

Terraform 1.3.0

Only shortcut search when non-vuln version of advisory dep is found

There can be other deps marked as vulnerable that aren't the advisory dep (locking parents) and we can't be sure that a non-vulnerable version of those deps doesn't still have a vulnerable version of the advisory dep as a child.

Merge pull request #5796 from dependabot/mctofu/vuln-shortcut

[npm] Only shortcut search when non-vuln version of advisory dep is found

Created at 1 week ago
This bundle used to work without the symfony serializer being installed and enabled
Executing script cache:clear [OK]

That fixes the issue indeed. Thanks.

Created at 1 week ago
This bundle used to work without the symfony serializer being installed and enabled

With version 4.10 I receive this error:

Executing script cache:clear [KO]
 [KO]
Script cache:clear returned with error code 1
!!  
!!  In CheckExceptionOnInvalidReferenceBehaviorPass.php line 86:
!!                                                                                 
!!    The service "nelmio_api_doc.model_describers.object" has a dependency on a   
!!    non-existent service "serializer.mapping.class_metadata_factory".            
!!                                                                 
Created at 1 week ago

Wiring up dev support and fixing json files

Merge branch 'main' into nuget_dev_bugfix

updating unit tests

Merge branch 'nuget_dev_bugfix' of github.com:pangaeatech/dependabot-core into nuget_dev_bugfix

build(deps): bump NPM from 8.18.0 to 8.19.2

Merge branch 'main' into build/npm-8.19.2

Merge branch 'main' into build/npm-8.19.2

Merge pull request #5754 from THETCR/build/npm-8.19.2

build(deps): bump NPM from 8.18.0 to 8.19.2

Explain why a dependency was removed in the PR

Include newline between removed & updated dependency

Merge pull request #5770 from dependabot/mctofu/removed_pr_message

Improve PR message for removed dependencies

Update poetry requirement in /python/helpers

Updates the requirements on poetry to permit the latest version.


updated-dependencies:

  • dependency-name: poetry dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5746 from dependabot/dependabot/pip/python/helpers/poetry-gte-1.1.15-and-lt-1.3.0

Update poetry requirement from <=1.2.0,>=1.1.15 to >=1.1.15,<1.3.0 in /python/helpers

Bump @npmcli/arborist from 5.6.1 to 5.6.2 in /npm_and_yarn/helpers

Bumps @npmcli/arborist from 5.6.1 to 5.6.2.


updated-dependencies:

  • dependency-name: "@npmcli/arborist" dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5747 from dependabot/dependabot/npm_and_yarn/npm_and_yarn/helpers/npmcli/arborist-5.6.2

Bump @npmcli/arborist from 5.6.1 to 5.6.2 in /npm_and_yarn/helpers

Bump commonmarker from 0.23.5 to 0.23.6 in /updater

Bumps commonmarker from 0.23.5 to 0.23.6.


updated-dependencies:

  • dependency-name: commonmarker dependency-type: indirect ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5773 from dependabot/dependabot/bundler/updater/commonmarker-0.23.6

Bump commonmarker from 0.23.5 to 0.23.6 in /updater

Merge branch 'dependabot:main' into nuget_dev_bugfix

Merge pull request #4774 from pangaeatech/nuget_dev_bugfix

Fixing issue with nuget devDependency support

Add yarn berry file parser test case

Created at 1 week ago

Adds #transitive_multidependency_intro

Checks for a mix of top_level? and !top_level? dependencies to determine whether a PR updates a transitive dependency.

Might be enough to just check for !top_level?

Add newline after intro message

Fix rubocop complexity errors

Avoid transitive_multidependency_intro if any dependencies are removed

Test transitive_multidependency_intro message

Undo moving dependency = dependencies.first

Factor out updating_top_level_and_transitive_dependencies?

Removes rubocop:disable CyclomaticComplexity

Merge branch 'main' into nishnha/transitive-pr-message

sanitize links and mentions for gitlab as well

fix gitlab spec

Merge pull request #3437 from andrcuns/sanitize-gitlab

Sanitize mentions for merge requests in Gitlab

Support increase-if-necessary versioning strategy in python

Merge pull request #5605 from dependabot/deivid-rodriguez/pip-increase-if-necessary

Support increase-if-necessary versioning strategy in python

Allow updating Java images with "update releases"

As per https://www.oracle.com/java/technologies/javase/versioning-naming.html, an underscore is used for "update release" segments.

Co-authored-by: Rodrigo Petter rodrigo-daniel@defensoria.rs.gov.br

Merge pull request #5734 from dependabot/deivid-rodriguez/docker-issues

Allow updating Java images with "update releases"

Fix multiple Python requirements separated by whitespace

Standard Python does not support this, but Poetry does, so when they appear on Poetry dependency files, they make dependabot crash.

Merge pull request #5735 from dependabot/deivid-rodriguez/odd-poetry-reqs

Fix multiple Python requirements separated by whitespace

Log the versions when installing Flutter

Revert spurious whitespace

Created at 1 week ago

Remove prefix in function name constants (#4043)

The constants in the Symplify\PhpConfigPrinter\ValueObject\FunctionName class should not be prefixed, as they will be used to create php config files and symfony will throw an exception if the generated config files have the prefixed namespace.

Fixes #3976

[Feature][ClassNamespaceGuardRule] Add configurable rule for guarding of allowed namespaces for classes (#4042)

  • [Feature][ClassNamespaceGuardRule] Add configurable rule for guarding of allowed namespaces for classes

  • [Feature][ClassNamespaceGuardRule] Allow namespace pattern in guarded subject

  • Extract ClassLikeNameMatcher and cover it with tests
  • Extract ClassLikeNameFinder and cover it with tests
  • [Feature][ClassExtendingExclusiveNamespaceRule] Simplify conditions, rename rule

  • [Feature][ClassExtendingExclusiveNamespaceRule] Fix too long file path, limit phpstan/phpstan to 1.5.*

  • [Feature][ClassExtendingExclusiveNamespaceRule] Revert composer.json changes, fix tests

Co-authored-by: Jiří Bok jiri.bok@protonmail.com

Post phpstan cleanup (#4046)

  • fix static

  • remove RuleRequiresNodeConnectingVisitorInterface

Bump to PHPStan 1.6 (#4047)

[PHPStanRules] Use dynamic way to fetch rule from container (#4048)

[PHPStanRules] Make use of more parent rule test case directly (#4049)

[ECS] Fix autoloading collision from non direct run

prepare release

open 10.3-dev

[PHPStanRules] Add NoPublicPropertyByTypeRule (#4051)

Co-authored-by: GitHub Action action@github.com

[PHPStanRules] Skip NoNestedFuncCallRule on closure compares (#4052)

note (#4054)

[PHPStanRules] Deprecate single-rule mini sets, merge them to static rules set (#4055)

Try Rector dev with Scope refresh (#4056)

[PHPStanRules] Improve rules (#4057)

[PHPStanRules] Make use of Rule directly (#4058)

  • [PHPStanRules] Make ValidNetteInjectRule use directly Rule interface

  • [PHPStanRule] Make PreferredAttributeOverAnnotationRule work with Rule interface

  • remove unused ClassReflectionResolver

  • [PHPStanRules] Make RequireAttributeNameRule use directly Rule

  • [PHPStanRules] make RequireConstantInAttributeArgumentRule use of Rule

  • bump PHPStan to 1.6.8

  • [ci-review] Rector Rectify

Co-authored-by: GitHub Action action@github.com

Bump downgrade of packages from PHP 7.1 to 7.2 (#4059)

Bump to php-cs-fixer 3.8 (#4060)

  • bump to php-cs-fixer 3.8

  • cut waiting

  • trigger CI

move autoloader class to position PHPStan can understand

static fixes

Created at 2 weeks ago

Watch the new updater/Gemfile

Now that we've merged updater into core, we should also have Dependabot watch its Gemfile.

Merge pull request #5697 from dependabot/make-dependabot-watch-updater-gemfile

Watch the new updater/Gemfile

Rename .php_cs -> .php-cs-fixer.dist.php

Fix deprecation warning by renaming the config file:

  15.95 > php-cs-fixer fix --diff --verbose '--dry-run'
  16.10 You are running PHP CS Fixer v2, which is not maintained anymore. Please update to v3.
  16.10 You may find an UPGRADE guide at https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v3.3.0/UPGRADE-v3.md .
  16.10 If you need help while solving warnings, ask at https://gitter.im/PHP-CS-Fixer, we will help you!
  16.10
  16.10 PHP CS Fixer 2.19.3 Testament by Fabien Potencier and Dariusz Ruminski
  16.10 Runtime: PHP 7.4.30
  16.10 Loaded config default from "/opt/composer/v1/.php_cs".
  16.14 ......
  16.26 Legend: ?-unknown, I-invalid file syntax (file ignored), S-skipped (cached or empty file), .-no changes, F-fixed, E-error
  16.26
  16.26 Checked all files in 0.134 seconds, 14.000 MB memory used
  16.26
  16.26 Detected deprecations in use:
  16.26 - Configuration file `.php_cs` is deprecated, rename to `.php-cs-fixer.php`.

From https://github.com/dependabot/dependabot-core/actions/runs/3040792095/jobs/4897247001#step:6:6736

The warning suggests renaming to php-cs-fixer.php. However, looking at https://github.com/keradus/PHP-CS-Fixer/blob/master/UPGRADE-v3.md I see that is the recommended file name for the local development config file. The distributed one should be .php-cs-fixer.dist.php, so I used that instead. More details on the distinction between the two types of files here: https://github.com/FriendsOfPHP/PHP-CS-Fixer/pull/5607

Merge pull request #5691 from jeffwidman/rename-php_cs-to-php-cs-fixer.php

Rename .php_cs -> .php-cs-fixer.dist.php

Fix typo

Merge pull request #5705 from HonkingGoose/fix-typo

Fix typo

Fix typo

Merge pull request #5696 from dependabot/fix-typo-nativate

Fix typo

Rename phpstan.neon -> phpstan.dist.neon

Per https://phpstan.org/config-reference#config-file:

The usual practice is to have phpstan.neon.dist or phpstan.dist.neon under version control, and allow the user to override certain settings in their environment (on their own computer or on a continuous integration server) by creating phpstan.neon that’s present in .gitignore file.

I picked phpstan.dist.neon for consistency with .php-cs-fixer.dist.php config (#5691).

I didn't add the file to .gitignore because I actually want to know if there starts being a new file under that name and see it in git...

Merge pull request #5692 from jeffwidman/rename-phpstan.neon-phpstan.dist.neon

Rename phpstan.neon -> phpstan.dist.neon

Bump rubocop from 1.33.0 to 1.36.0 in /updater

Bumps rubocop from 1.33.0 to 1.36.0.


updated-dependencies:

  • dependency-name: rubocop dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5702 from dependabot/dependabot/bundler/updater/rubocop-1.36.0

Bump rubocop from 1.33.0 to 1.36.0 in /updater

Bump rubocop-performance from 1.14.3 to 1.15.0 in /updater

Bumps rubocop-performance from 1.14.3 to 1.15.0.


updated-dependencies:

  • dependency-name: rubocop-performance dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5703 from dependabot/dependabot/bundler/updater/rubocop-performance-1.15.0

Bump rubocop-performance from 1.14.3 to 1.15.0 in /updater

forks can't run this workflow, it needs write access

Merge branch 'main' into fix-branch-on-forks

Merge pull request #5709 from jakecoffman/fix-branch-on-forks

disable branch release workflow for forks

Revert "disable branch release workflow for forks"

Merge pull request #5711 from dependabot/revert-5709-fix-branch-on-forks

Revert "disable branch release workflow for forks"

Fix PHP-CS-Fixer deprecation warnings

Fix the following warnings:

15.95 > php-cs-fixer fix --diff --verbose '--dry-run'
16.10 You are running PHP CS Fixer v2, which is not maintained anymore. Please update to v3.
16.10 You may find an UPGRADE guide at https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v3.3.0/UPGRADE-v3.md .
16.10 If you need help while solving warnings, ask at https://gitter.im/PHP-CS-Fixer, we will help you!
16.10
16.10 PHP CS Fixer 2.19.3 Testament by Fabien Potencier and Dariusz Ruminski
16.10 Runtime: PHP 7.4.30
16.10 Loaded config default from "/opt/composer/v1/.php_cs".
16.14 ......
16.26 Legend: ?-unknown, I-invalid file syntax (file ignored), S-skipped (cached or empty file), .-no changes, F-fixed, E-error
16.26
16.26 Checked all files in 0.134 seconds, 14.000 MB memory used
16.26
16.26 Detected deprecations in use:
16.26 - Option "ensure_fully_multiline" for rule "method_argument_space" is deprecated and will be removed in version 3.0. Use option "on_multiline" instead.
16.26 - Option "use_yoda_style" for rule "is_null" is deprecated and will be removed in version 3.0. Use "yoda_style" fixer instead.
16.26 - PhpCsFixer\Config::create is deprecated since 2.17 and will be removed in 3.0, use the constructor instead.
16.26 - Rule "no_multiline_whitespace_before_semicolons" is deprecated. Use "multiline_whitespace_before_semicolons" instead.

Originally I tried bumping php-cs-fixer to v3 as suggested. But in https://github.com/dependabot/dependabot-core/pull/5694 I realized that was impossible given that composer/composer v1 depended on composer/semver ^v1 but php-cs-fixer v3 requires composer/semver v3...

So for now just fix some old deprecation warnings and move on.

At least I got what I really wanted from this, which was to learn how Composer works.

Created at 2 weeks ago
Add composer fields to silence PHPStan

@jeffwidman With a fresh checkout of this branch and a composer install to install the dependencies from the current composer.lock file, the result of a composer update --lock is as I expected.

v1/composer.lock

  • Only the content-hash is changed

v2/composer.lock

  • The content-hash is changed
  • A support section is added to some of the dependencies (when run with the composer v2 executable)

In the vendor/composer directory composer keeps a file (installed.json) that contains the actual versions of the installed dependencies. If you have updated dependencies in a different branch, then that is in the installed.json. If you perform a composer install, the installed.json file is updated to the situation from the composer.lock.

My guess is that you did not perform a composer install before executing the composer update --lock while the installed.json from the vendor directory was updated in one of the other composer related branches.

Created at 2 weeks ago
Add composer fields to silence PHPStan

@jeffwidman Use composer update --lock to only update the lockfile, but not the libraries.

See: https://getcomposer.org/doc/03-cli.md#update-u

Created at 3 weeks ago

allow deploying fork PRs before merging

use cherry-pick since merging main errors

It errors with: "fatal: refusing to merge unrelated histories"

Handle removed dependencies in existing PRs

Reword comment & fix typo

Merge pull request #5682 from dependabot/jeffwidman-patch-2

Reword comment & fix typo

Fix typo: spwans -> spawns

Merge pull request #5681 from dependabot/fix-typo

Fix typo: spwans -> spawns

Update rubocop-performance requirement from ~> 1.14.2 to ~> 1.15.0

Updates the requirements on rubocop-performance to permit the latest version.


updated-dependencies:

  • dependency-name: rubocop-performance dependency-type: direct:development ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5680 from dependabot/dependabot/bundler/common/rubocop-performance-tw-1.15.0

Update rubocop-performance requirement from ~> 1.14.2 to ~> 1.15.0 in /common

build(deps): bump terraform from 1.2.8 to 1.2.9

Merge pull request #5675 from HorizonNet/update-terraform-version

build(deps): bump terraform from 1.2.8 to 1.2.9

Update file size to 500 kilobytes

Merge pull request #5596 from stulle123/update-file-size

Increase the max file size of parsed *.txt files to 500 kilobytes. The limit exists to prevent ingesting documentation files etc that are massive.

However, the previous limit of 200 KB was too small... Especially in large projects, pip-tools-compiled requirement.txt files can get pretty big.

python/helpers/build: fix a pip warning related to pipfile installation

The pipfile package doesn't have published wheels, so pip has to build it from source. By default, it tries to do that in the current environment, but it lacks the wheel package, so pip falls back to the legacy setup.py install method, which generates a build warning. The --use-pep517 option lets pip do the build in an isolated environment, automatically downloading the necessary dependencies.

Merge pull request #5587 from SpecLad/use-pep517

python/helpers/build: fix a pip warning related to pipfile installation

Bump eslint from 8.22.0 to 8.23.1 in /npm_and_yarn/helpers

Bumps eslint from 8.22.0 to 8.23.1.


updated-dependencies:

  • dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5679 from dependabot/dependabot/npm_and_yarn/npm_and_yarn/helpers/eslint-8.23.1

Bump eslint from 8.22.0 to 8.23.1 in /npm_and_yarn/helpers

make it clear which PR this was generated for

Merge branch 'main' into jakecoffman/fork-docker-images

Merge pull request #5668 from dependabot/jakecoffman/fork-docker-images

deploy from a fork using a workflow

Created at 3 weeks ago

Propagate author details when initializing PullRequestUpdater for Azure.

Merge pull request #5613 from dependabot/revert-5542-nishnha/npm-helpful-errors

Revert "Add more helpful error messaging when a vulnerable dependency cannot be upgraded"

To prevent dependabot-core from failing when the incorrect release tag is created for a release, add a rescue statement

Merge branch 'fix-pip-faiure-rate' of https://github.com/dependabot/dependabot-core into fix-pip-faiure-rate

fixing Style/RedundantReturn: Redundant return detected

Removing extra whitespaces at the beginning of the file

fixing Layout/EmptyLinesAroundExceptionHandlingKeywords

Merge branch 'main' into fix-pip-faiure-rate

Fixed regex to validate correct python version release tag

Merge branch 'fix-pip-faiure-rate' of https://github.com/dependabot/dependabot-core into fix-pip-faiure-rate

Merge branch 'main' into fix-pip-faiure-rate

Added test case to validate two dashes release version

Merge branch 'fix-pip-faiure-rate' of https://github.com/dependabot/dependabot-core into fix-pip-faiure-rate

Fixed error add empty line after guard clause

branch naming for removed dependencies

Use "--removed" as the branch suffix for removed deps

Co-Authored-By: Landon Grindheim landongrindheim@github.com

Merge branch 'main' into azure_pullrequestupdater_author

Reorder native helper build scripts to be more efficient

Right now if I'm working on Pub native helpers and I rebuild the image, I need to reinstall all native helpers for all other ecosystems. This change avoids some unnecessary build scripts, depending on the ecosystem.

Use a single layer for building each ecosystem

Merge pull request #5624 from dependabot/deivid-rodriguez/speedup-developing-native-helpers

Speedup rebuilding native helper changes

Created at 3 weeks ago

build(deps): bump terraform from 1.2.3 to 1.2.8

Dependabot Ltd -> GitHub Inc

Dependabot was acquired back in 2019 and is now a part of GitHub.

See also: https://github.com/dependabot/dependabot-core/pull/4463

Merge pull request #5592 from dependabot/jeffwidman-patch-1

Dependabot Ltd -> GitHub Inc

Convert issue templates to issue forms

Fix typo

Use emojis in issue names

Merge pull request #5600 from HonkingGoose/chore/use-forms

Convert issue templates to issue forms

Use correct label for tech debt form

Merge pull request #5602 from HonkingGoose/patch-1

Use correct label for tech debt form

Add an explanation when the vulnerability auditor fix is unavailable instead of raising

Add tests for vulnerability auditor explanation

Undo lockfile error message changes

conflicting_dependencies also returns vulnerablilty_audit

Improve removed dependency error messaging

Co-authored-by: David Rodríguez deivid.rodriguez@riseup.net

Check fix_available key instead of its value

explain_fix_unavailable returns explanation string instead of fix_unavailable object

Rubocop method length

Merge previously private updater code into core

This adds a new component to dependabot-core that is only used and useful to GitHub internally, it's part of how we run Dependabot in our internal systems. By merging this into the main codebase we hope to be able to simplify both it and how core works going forward, and it will open up some simplifications in our deployment and development processes.

This code is not useful to anyone outside of GitHub, other than maybe informative in how to run dependabot-core in a service setting. It's also explicitly not a goal for this code to be useful or reusable outside of its current context.

One thing that is useful to outside contributors, is that this change also includes a set of smoke tests that run against both the core ecosystems and the updater. This will give us higher confidence when reviewing + merging PRs.

The code in this PR was contributed to by many people, and it has a rich history available in an internal repository. Since those commits were made in a private context, we've squashed all of them in a single commit and omitted any non GitHub-owned email-addresses.

Co-authored-by: Barry Gordon 896971+brrygrdn@users.noreply.github.com
Co-authored-by: David McIntosh 804610+mctofu@users.noreply.github.com
Co-authored-by: Grey Baker greysteil@github.com
Co-authored-by: Harry Marr hmarr@github.com
Co-authored-by: Jake Coffman jakecoffman@github.com
Co-authored-by: Jason Rudolph jasonrudolph@github.com
Co-authored-by: Jeff Widman jeffwidman@github.com
Co-authored-by: Jurre Stender jurre@github.com
Co-authored-by: Landon Grindheim landongrindheim@github.com
Co-authored-by: Lane Seppala lseppala@github.com
Co-authored-by: Mattt mattt@github.com
Co-authored-by: Nickolas Means nmeans@github.com
Co-authored-by: Nish Sinha nishnha@github.com
Co-authored-by: Pete Wagner 1559510+thepwagner@users.noreply.github.com
Co-authored-by: Philip Harrison feelepxyz@github.com
Co-authored-by: mo khan xlgmokha@github.com

Merge pull request #5608 from dependabot/jurre/the-big-merge

Merge previously private updater code into core

Merge pull request #5542 from dependabot/nishnha/npm-helpful-errors

Add more helpful error messaging when a vulnerable dependency cannot be upgraded

Created at 1 month ago

[terraform] Cache client-side timeouts when a remote host is unreachable

Bump docker_registry2 to fix #3989

The latest version of docker_registry2 has the fix for #3989.

Allow diverged-commit pinned Actions to be updated

The established wisdom for versioning actions is to sync major version tags to the most recent corresponding release/tag (e.g. v2 == v2.2.3). However, there doesn't seem to be any recommendations for versioning via commit SHA.

This commit makes the assumption that we should look up the version of diverged commits and make the update based on the version rather than the commit. Until now, we've been bailing when commits have diverged (aka no longer exist as part of a branch's lineage).

Use the latest tag when commits have diverged

Use commits/tags consistently

I'm a little torn on this, but it's been pitched to me that we should upgrade to a commit if a user has pinned their Action to a commit already. My hesitation has to do with a lack of transparency between the version/tag to which the commit belongs. However, that transparency is always lacking when pinning to a commit.

build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps eslint from 8.21.0 to 8.22.0.


updated-dependencies:

  • dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Update Dockerfile updater to also update Kubernetes YAML.

Remove duplicate files.

Address comments.

Address comments.

Retry if --resolver is not an available arg

Use the python version as the key to indicate backwards compatibility mode.

Simplify commit-updating logic

This reflects what had been updated in #fetch_latest_version_for_git_dependency. I had added some redundant logic which made some incorrect assumptions.

Co-authored-by: David McIntosh 804610+mctofu@users.noreply.github.com

PR feedback changes

invert logic of the version check

Merge branch 'main' into brrygrdn/cache-timeouts-for-terraform

Use a more precise version match

temporary fix for broken setuptools

Revert "temporary fix for broken setuptools"

This reverts commit 67f5e248b4fc72129cdeaedb699adbf3dc7a1144.

Merge branch 'main' into pavera/fix-5405

Created at 1 month ago

Python private package fix

Strip protocol when matching authed url

Merge branch 'dependabot:main' into python-auth-fix

Run shellcheck on all native helper build scripts

It was not being run for Bundler and Composer due to having a slightly different structure.

[Bitbucket] Add default reviewers to pull request

Fix rubocop issues

Remove debug gem from Bundler 1 native helpers Gemfile

It was causing several dependency conflicts that caused specs to fail to even start.

Make failures in Bundler 1 native helper specs actually fail CI

This is a fun one.

Consider the following script

#!/bin/bash

set -e

true

if [[ "$SUITE_NAME" == "bundler1" ]]; then
  cd helpers/v1 \
    && false \
    && cd -
fi

if [[ "$SUITE_NAME" == "bundler2" ]]; then
  cd helpers/v2 \
    && false \
    && cd -
fi

Believe it or not, this is what you get when you run it

$ SUITE_NAME=bundler1 ./script/ci-test-dummy; echo $?
=> 0

$ SUITE_NAME=bundler2 ./script/ci-test-dummy; echo $?
=> 1

You can read more about this here: http://mywiki.wooledge.org/BashFAQ/105, but the conclusion is that set -e is brittle.

Yet I think adding || exit 1 to all commands is painful.

As an alternative, I added a full if-else construct that works as expected, with a note on top. I'm not fully sold on this solution, but it's simple and it also lets the script default to Bundler 2 when run without SUITE_NAME set, which seems handy.
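To make the difference concrete, here is an added example (not part of the commit above or of the dependabot-core repository) that runs two constructed stand-in scripts in a child bash: the && chain from the script above, where set -e never fires for the failing bundler1 step, and the if/else form with one simple command per step, where the first failing step aborts the run. `exit_status_of`, `BRITTLE` and `ROBUST` are names assumed for this example, and `false` stands in for a failing spec run.

```shell
#!/bin/bash
# Added example: reproduce the set -e pitfall described in the commit message.
# Both scripts are constructed stand-ins for script/ci-test; `false` plays the
# role of the failing native-helper spec run.

# Brittle form: `false` sits in the middle of an && list, where set -e is
# ignored, and the if body's non-zero status inherits that exemption, so a
# failing bundler1 suite still lets the script exit 0. bundler2 only reports
# failure because its failing list happens to be the last command in the file.
BRITTLE='
set -e
if [ "$SUITE_NAME" = "bundler1" ]; then
  true && false && true
fi
if [ "$SUITE_NAME" = "bundler2" ]; then
  true && false && true
fi
'

# Robust form: one if/else chain, each step a simple command on its own line,
# so the first failure terminates the script with that step's status. Anything
# other than bundler1 falls through to the bundler2 branch, as in the fix.
ROBUST='
set -e
if [ "$SUITE_NAME" = "bundler1" ]; then
  true
  false   # a failing spec run now aborts the script with status 1
  true
else
  true    # constructed bundler2 steps all succeed
  true
fi
'

# Run a script in a fresh bash with SUITE_NAME set and print its exit status.
# The `|| rc=$?` keeps a failing child from killing this shell when it runs
# under set -e itself.
exit_status_of() {
  local script="$1" suite="$2" rc=0
  SUITE_NAME="$suite" bash -c "$script" || rc=$?
  echo "$rc"
}

# Demo when run directly; expected lines:
#   brittle bundler1 -> 0   (failure silently swallowed)
#   robust  bundler1 -> 1
#   brittle bundler2 -> 1
#   robust  bundler2 -> 0
for suite in bundler1 bundler2; do
  printf 'brittle %s -> %s\n' "$suite" "$(exit_status_of "$BRITTLE" "$suite")"
  printf 'robust  %s -> %s\n' "$suite" "$(exit_status_of "$ROBUST" "$suite")"
done
```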

Merge pull request #5517 from dependabot/deivid-rodriguez/ci-red-iif-changes-break-tests

Make failures in Bundler 1 native helper specs actually fail CI

Adding a TODO and more detailed comment about python 3.6 support

Merge pull request #5526 from stefangr/bitbucket-add-default-reviewers-to-pull-request

[Bitbucket] Add default reviewers to pull request

Merge pull request #5527 from dependabot/pavera/add-python36-todo

Adds a TODO and more detailed comment about python 3.6 support

Merge pull request #5452 from andrcuns/python-auth-fix

Python private registry authentication fix

Share omnibus gems with all projects to reduce install time

build(deps): bump @dependabot/yarn-lib in /npm_and_yarn/helpers

Bumps @dependabot/yarn-lib from 1.21.1 to 1.22.19.


updated-dependencies:

  • dependency-name: "@dependabot/yarn-lib" dependency-type: direct:production update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5519 from dependabot/deivid-rodriguez/run-shellcheck-on-all-native-helper-build-scripts

Run shellcheck on all native helper build scripts

Restore ability to run tools without invoking bundler exec

common no longer needs special casing

Undo all changes to root Dockerfile as they aren't needed

Merge pull request #5531 from dependabot/dependabot/npm_and_yarn/npm_and_yarn/helpers/dependabot/yarn-lib-1.22.19

build(deps): bump @dependabot/yarn-lib from 1.21.1 to 1.22.19 in /npm_and_yarn/helpers

Created at 1 month ago
delete branch
stefangr delete branch bitbucket-add-default-reviewers-to-pull-request
Created at 1 month ago

Fix rubocop issues

Created at 1 month ago

Stabilize vcr cassettes

missing cassettes

Merge pull request #5508 from dependabot/mctofu/cassette-fixes

Pin MessageBuilder cassette names

Adding a monkey patch to prevent gemspec.rz fetch

v0.206.0

Merge pull request #5511 from dependabot/v0.206.0-release-notes

v0.206.0

Debug reasons why npm audit can't succeed

Rename happy result to :viable for consistency

Merge pull request #5512 from dependabot/mctofu/npm-audit-debug

Log reasons why npm audit can't succeed

Merge pull request #5510 from dependabot/pavera/bundler-gemspec-patch

Monkey patch bundler EndpointSpecification

v0.207.0

Merge pull request #5514 from dependabot/v0.207.0-release-notes

v0.207.0

Remove ENV no longer necessary

Thankfully we moved away from Debian-packaged Ruby, so we no longer need this.

Merge pull request #5515 from dependabot/deivid-rodriguez/debian-leftover

Remove ENV no longer necessary

Cleanup Ruby sources after installing Ruby

To make the image thinner.

Merge pull request #5522 from dependabot/deivid-rodriguez/cleanup-ruby-sources

Cleanup Ruby sources after installing Ruby

Optional options arg for FileFetcher

Originally introduced by @brendandburns in https://github.com/dependabot/dependabot-core/pull/5348.

This allows our FileFetcher to accept an optional options hash, that we can use for feature-flagging, like we do in the FileUpdater/UpdateChecker etc.

This does not make use of the functionality yet, but it will enable us to start passing the argument in our internal systems.

No tests are added or changed, because right now the behavior is not altered, as long as the existing tests keep working, we're good!

Merge pull request #5524 from dependabot/jurre-brendandburns/file-fetcher-options

Optional options arg for FileFetcher

Created at 1 month ago
pull request opened
[Bitbucket] Add default reviewers to pull request

If any users are defined as default reviewer for the repository, they are added as reviewer to the pull request.

Created at 1 month ago
delete branch
stefangr delete branch bitbucket-add-default-to-pull-request-reviewers
Created at 1 month ago
create branch
stefangr create branch bitbucket-add-default-reviewers-to-pull-request
Created at 1 month ago
create branch
stefangr create branch bitbucket-add-default-to-pull-request-reviewers
Created at 1 month ago

build(deps): update octokit requirement from ~> 4.6 to >= 4.6, < 6.0

Updates the requirements on octokit to permit the latest version.


updated-dependencies:

  • dependency-name: octokit dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

Refactor with top-down traversal

Include top-level ancestors in response

Handle case in which vuln dep is not in tree

Remove unused import

Suppress detached head advice during git clone

I noticed the following logs during the docker build:

0.906 You are in 'detached HEAD' state. You can look around, make experimental
0.906 changes and commit them, and you can discard any commits you make in this
0.906 state without impacting any branches by switching back to a branch.
0.906
0.906 If you want to create a new branch to retain commits you create, you may
0.906 do so (now or later) by using -c with the switch command. Example:
0.906
0.906   git switch -c <new-branch-name>
0.906
0.906 Or undo this operation with:
0.906
0.906   git switch -
0.906
0.906 Turn off this advice by setting config variable advice.detachedHead to false

Passing the config this way sets it only for this command (we don't want to set it globally).

Details: https://stackoverflow.com/a/72588008/770425

Bitbucket does not support HTML in pull request message

Merge pull request #5481 from stefangr/bitbucket-does-not-support-html-in-pull-request

Bitbucket does not support HTML in pull request message

Merge pull request #5476 from jeffwidman/suppress-detached-head-advice

Suppress "detached head" advice during git clone

Skip installing docs when installing Ruby

I noticed that our Ruby installs included generating docs, which takes ~30 seconds: https://github.com/dependabot/dependabot-core/runs/7646741836?check_suite_focus=true#step:3:5996

But we don't need docs in our docker images; humans can always look them up online.

So skip installing docs and cut 30s off our CI times.

Thanks to @deivid-rodriguez for the tip on how to pass the arg through ruby-install to the underlying ruby.

Fix #5475

Migrate from actions/setup-ruby to ruby/setup-ruby

The actions/setup-ruby action was deprecated in favor of ruby/setup-ruby.

So this switches to that.

Reading the docs for ruby/setup-ruby, all the examples include the following params:

with:
  ruby-version: '3.0' # Not needed with a .ruby-version file
  bundler-cache: true # runs 'bundle install' and caches installed gems automatically

However, the ruby-version looked like it needed to be specified for actions/setup-ruby as well, and it wasn't, so maybe there's a default that suffices?

And I suspect the bundler-cache arg is only relevant for repeated calls to ruby/bundler within a single CI run... whereas we only call this action once for the following ruby call:

gem install rake && rake gems:release

So I doubt that caching adds value. Happy to be proved wrong if someone more familiar with Ruby knows more.

Merge pull request #5482 from jeffwidman/skip-installing-ruby-docs

Skip installing docs when installing Ruby

Adding a test and support for traversing multiple sequential wildcards

a little style cleanup

Merge pull request #5484 from dependabot/pavera/add-multi-level-wildcards

Add support for multi-level wildcard paths in composer

Remove unnecessary line

Update test case to ensure top-level ancestors are populated

Edit test scenario description

Add a .ruby-version file

We're starting to pin the desired ruby version in multiple places:

  • Rubocop
  • the new ruby/setup-ruby action that we're adding in https://github.com/dependabot/dependabot-core/pull/5433

We used to not ship the .ruby-version file, with the thought that this is a library... but this file isn't included in the gemfile spec, so we're not tying the hands of our users. This merely sets the default version of Ruby that we're using for development. We will keep this in sync with the version of Ruby installed in the Dockerfile, so it'll target the version of Ruby we use in production at GitHub. But since it's not included in the gem, others are free to use a different Ruby version.

Copy the .ruby-version file into the CI container.

Bump to go 1.19

Announcement: https://go.dev/blog/go1.19

Full release notes: https://go.dev/doc/go1.19

I read through both, and nothing looks relevant for us, other than picking up possible bug fixes / perf improvements. Potentially we could leverage the new "soft hint" to the garbage collector, but I'm not aware that we run out of memory in our containers.

Created at 1 month ago
delete branch
stefangr delete branch bitbucket-does-not-support-html-in-pull-request
Created at 2 months ago
Bitbucket does not support HTML in pull request message

@jeffwidman This is what I found in the documentation: https://support.atlassian.com/bitbucket-cloud/docs/markup-comments/

So basically only markdown (with some bitbucket specifics).

Created at 2 months ago
pull request opened
Bitbucket does not support HTML in pull request message
Created at 2 months ago
create branch
stefangr create branch bitbucket-does-not-support-html-in-pull-request
Created at 2 months ago

use a "shim" to fix inability to rewrite git commands to use HTTPS URLs

update shim to not rewrite file protocol

fix error message regexes changed due to the switch to git cli

update url

build(deps): bump json-schema in /npm_and_yarn/helpers

Bumps json-schema from 0.2.3 to 0.4.0.


updated-dependencies:

  • dependency-name: json-schema dependency-type: indirect ...

Signed-off-by: dependabot[bot] support@github.com

build(deps): bump minimist from 1.2.5 to 1.2.6 in /npm_and_yarn/helpers

Bumps minimist from 1.2.5 to 1.2.6.


updated-dependencies:

  • dependency-name: minimist dependency-type: indirect ...

Signed-off-by: dependabot[bot] support@github.com

build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps eslint from 8.19.0 to 8.21.0.


updated-dependencies:

  • dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

build(deps): bump cython from 0.29.30 to 0.29.32 in /python/helpers

Bumps cython from 0.29.30 to 0.29.32.


updated-dependencies:

  • dependency-name: cython dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Remove unnecessarily hardcoded versions

There are only two versions of Bundler installed (1.17.3, and 2.3.x), and RubyGems chooses the highest version by default. So there's no need to explicitly pin the version when we want to use Bundler 2.3.x.

Remove NOTE not totally accurate

This note makes total sense for helpers/v1/build, because there we explicitly pass BUNDLER_VERSION=1.17.3 to bundle install, which generates a Gemfile.lock using that version, which indeed forces RubyGems into choosing Bundler 1.17.3 instead of the highest version installed.

Here, however, we would get the same behaviour of 2.3.18 being chosen, with or without a Gemfile.lock using that, because it's the highest version.

Keep Bundler version at a single place

When shelling out to native helpers, we don't need to know the exact version, we just need to know the major version to figure out the path to the native helpers' run.rb script and everything else. Proper activation of bundler can be done inside the run.rb script without needing the full version either.

build(deps): bump flake8 from 5.0.1 to 5.0.3 in /python/helpers

Bumps flake8 from 5.0.1 to 5.0.3.


updated-dependencies:

  • dependency-name: flake8 dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

Allow Actions to be fetched from non-GitHub source

I don't think we realized that we lacked the ability to fetch Actions from non-GitHub.com sources. With this change, we're now able to fetch Actions from GitHub Enterprise Server instances.

Merge branch 'main' into jakecoffman/git-shim

Update ruby gems using the --no-document flag

The --no-document flag skips installing documentation, so it is faster.

This was originally proposed by @deivid-rodriguez as part of https://github.com/dependabot/dependabot-core/pull/5035, but was lost when https://github.com/dependabot/dependabot-core/pull/5048 reverted the version bump.

So this adds back only the --no-document flag, but doesn't touch the version.

v0.203.0

Merge pull request #5472 from dependabot/v0.203.0-release-notes

v0.203.0

Merge pull request #5332 from dependabot/jakecoffman/git-shim

use a "shim" to fix inability to rewrite git commands to use HTTPS URLs

v0.204.0

Merge pull request #5473 from dependabot/v0.204.0-release-notes

v0.204.0

Created at 2 months ago

fix(terraform): correctly keep platform hashes when multiple providers are installed

Signed-off-by: Markus Maga markus@maga.se

build(deps): update faraday requirement from = 1.10.0 to = 2.3.0

Updates the requirements on faraday to permit the latest version.


updated-dependencies:

  • dependency-name: faraday dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

fix: set correct url for terraform module version download

According to the docs (https://www.terraform.io/internals/module-registry-protocol) the correct download url for a terraform module registry is /v1/modules/:namespace/:name/:system/:version/download. The source is returned in the X-Terraform-Get header and not the body. Also, since there is no body, the return code is 204 and not 200.

feat: move get_proxied_source to terraform helper class in order to be reused in registry download

feat: handle relative url returned from terraform registry module download

test: update terraform metadata_finder_spec with correct return url

fix: use . and not :: for terraform helper function call

ci: fix syntax errors in ci test for terraform

fix: regex to support Gitlab subgroups

[Nuget] Cache client-side timeouts when a remote host is unreachable

[gomod] Cache client-side timeouts when a remote host is unreachable

[cargo] Cache client-side timeouts when a remote host is unreachable

[elm] Cache client-side timeouts when a remote host is unreachable

[gradle] Cache client-side timeouts when a remote host is unreachable

[hex] Cache client-side timeouts when a remote host is unreachable

[pub] Cache client-side timeouts when a remote host is unreachable

[Cargo] Correctly handle unused subdependencies of path dependencies

Merge pull request #5399 from dependabot/brrygrdn/cache-timeouts-for-nuget

[Nuget] Cache client-side timeouts when a remote host is unreachable

Merge pull request #5414 from dependabot/brrygrdn/cargo-fix-optional-path-deps

[Cargo] Correctly handle unused subdependencies of path dependencies

v0.201.1

Created at 2 months ago

Add support for Python 3.10.5 & 3.9.13

build(deps): bump nock from 13.2.7 to 13.2.8 in /npm_and_yarn/helpers

Bumps nock from 13.2.7 to 13.2.8.


updated-dependencies:

  • dependency-name: nock dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

build(deps): update pip-tools requirement in /python/helpers

Updates the requirements on pip-tools to permit the latest version.


updated-dependencies:

  • dependency-name: pip-tools dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

build(deps-dev): update rubocop requirement from ~> 1.30.1 to ~> 1.31.2

Updates the requirements on rubocop to permit the latest version.


updated-dependencies:

  • dependency-name: rubocop dependency-type: direct:development ...

Signed-off-by: dependabot[bot] support@github.com

build(deps): update gitlab requirement from = 4.18.0 to = 4.19.0

Updates the requirements on gitlab to permit the latest version.


updated-dependencies:

  • dependency-name: gitlab dependency-type: direct:production ...

Signed-off-by: dependabot[bot] support@github.com

Install Ruby with ruby-install

build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps eslint from 8.18.0 to 8.19.0.


updated-dependencies:

  • dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Move RegistryClient from maven to common

Merge pull request #5343 from dependabot/dependabot/npm_and_yarn/npm_and_yarn/helpers/eslint-8.19.0

build(deps-dev): bump eslint from 8.18.0 to 8.19.0 in /npm_and_yarn/helpers

Merge pull request #5336 from dependabot/dependabot/npm_and_yarn/npm_and_yarn/helpers/nock-13.2.8

build(deps): bump nock from 13.2.7 to 13.2.8 in /npm_and_yarn/helpers

Install bison system dependency

Co-authored-by: Jurre jurre@github.com

Merge pull request #5355 from dependabot/dependabot/bundler/common/gitlab-eq-4.19.0

build(deps): update gitlab requirement from = 4.18.0 to = 4.19.0 in /common

build(deps): bump poetry from 1.1.13 to 1.1.14 in /python/helpers

Bumps poetry from 1.1.13 to 1.1.14.


updated-dependencies:

  • dependency-name: poetry dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

build(deps-dev): bump friendsofphp/php-cs-fixer in /composer/helpers/v2

Bumps friendsofphp/php-cs-fixer from 3.8.0 to 3.9.2.


updated-dependencies:

  • dependency-name: friendsofphp/php-cs-fixer dependency-type: direct:development update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

Merge pull request #5354 from dependabot/dependabot/pip/python/helpers/poetry-1.1.14

build(deps): bump poetry from 1.1.13 to 1.1.14 in /python/helpers

Merge pull request #5350 from dependabot/dependabot/bundler/common/rubocop-tw-1.31.2

build(deps-dev): update rubocop requirement from ~> 1.30.1 to ~> 1.31.2 in /common

Merge pull request #5337 from dependabot/dependabot/pip/python/helpers/pip-tools-gte-6.4.0-and-lt-6.8.1

build(deps): update pip-tools requirement from <=6.6.2,>=6.4.0 to >=6.4.0,<6.8.1 in /python/helpers

Merge pull request #5357 from dependabot/dependabot/composer/composer/helpers/v2/friendsofphp/php-cs-fixer-3.9.2

build(deps-dev): bump friendsofphp/php-cs-fixer from 3.8.0 to 3.9.2 in /composer/helpers/v2

Merge pull request #5333 from ulgens/python3_10_5

Add support for Python 3.10.5 & 3.9.13

v0.196.3

Created at 2 months ago

build(deps): bump cython from 0.29.28 to 0.29.30 in /python/helpers

Bumps cython from 0.29.28 to 0.29.30.


updated-dependencies:

  • dependency-name: cython dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

build(deps-dev): update debase-ruby_core_source requirement from = 0.10.14 to = 0.10.16

Updates the requirements on debase-ruby_core_source to permit the latest version.


updated-dependencies:

  • dependency-name: debase-ruby_core_source dependency-type: direct:development ...

Signed-off-by: dependabot[bot] support@github.com

Basic attempt to update the parent to unlock a transitive dependency update

hack in a check that we can get to a non-vulnerable version

enable auditing npm dependencies for specific advisories

Parse passed advisories to build nock response

Add VulnerabilityAuditor

Expose #vulnerable_version_strings

Start integrating vulnerability auditor into update checker

Update helper to return desired format

  • We now call Arborist.audit() twice: once as pre-flight, once with fix: true

Remove unused try/catch

Assign unique id to advisories to prevent deduplication

Update for helper response and log helper errors

Require VulnerabilityAuditor

Don't json parse object

Specify force:true in constructor for major version updates to work

Co-Authored-By: Nish Sinha nishnha@github.com

Seems to work for npm6 lockfiles

Remove LockedSubdependencyVersionResolver experiment

Response is expected to use strings instead of keys

Wire vulnerability_audit response to updated dependencies

Created at 2 months ago