WIP: Add Pub/Dart support #3438
Conversation
|
Can I help testing or something? |
|
@rolandgeider the PR is currently in an early state where not all required parts are implemented yet. Due to this, I am only working with unit tests.
Everything is now finished, underlying implementations might change based on feedback.
MetadaFinder is implemented 💪 Would be happy to have any help I can get once the implementation is finished 😍 |
|
@JohannSchramm I like how clean your implementation is 😍 What I am currently strugeling is to decide what the ultimately best implementation for Pub support is... I see multiple options we could take and every would have some downsides:
I had huge a discussion on the Flutter/Dart Discord with @jonasf on what might be the best approach and he strongly suggested to used Would be happy to collaborate on this here. |
This isn't just a @IchordeDionysos, @JohannSchramm, if you have ideas for tweaks we should make to |
That's the case for most package managers, if those packages are transitive dependencies and not pulled in as top-level, dependabot will always just update them, for top-level dependencies we raise an error in most scenario's and attempt to explain why we could not perform the update. |
| headers: { | ||
| accept: "application/vnd.pub.v2+json", | ||
| "X-Pub-Environment": "dependabot" | ||
| # TODO: Condier adding X-Pub-Headers (https://github.com/dart-lang/pub/blob/master/doc/repository-spec-v2.md) |
|
@Stargator thanks for commenting on the PR. |
The requirements are not changed as they do not add any value for updating the files. So we remove the change if they are changed as otherwise the script would fail even if there are changes we can make.
This reverts commit e54f984.
|
Thanks for all your great input 😍 @JohannSchramm @jonasfj @jurre @Stargator @mattt It helped a lot and I finally got a first end-to-end test up and running 💪 There are a few things still missing, but overall I think it would now be super helpful to have some more real-world tests with various projects :)
Under the hood, the integration uses the Dart/Pub CLI ( For an example usage see the README: Or look at the this workflow file: |
|
Hey, awesome PR and so much looking forward to using this :D I am using this as suggested inside a github action (dependabot-pub-runner) Failing action: https://github.com/hpi-studyu/studyu/runs/2731183166?check_suite_focus=true Sorry if it would've been more appropriate to open a Issue on dependabot-pub-runner. |
|
@nstrelow no, it's fine here I think :) If you could quickly retry if it works now that would be awesome! |
|
@IchordeDionysos Thanks a lot. Sadly I have a mono repo with multiple packages. Some dependencies are defined using Is there a way to support this (and just skip those packages). Or support mono repos in general? Failing action: https://github.com/hpi-studyu/studyu/runs/2738644494?check_suite_focus=true |
|
FYI, I tried this on my flutter project and am getting a ParserError, probably because of the analytics message? Here is the failed run: https://github.com/wger-project/flutter/runs/2889222807?check_suite_focus=true |
|
Getting the same error as @rolandgeider (changed my mono repo to use pub.dev hosted to make it work this far). https://github.com/hpi-studyu/studyu/runs/3059975772?check_suite_focus=true EDIT: Adding flutter config --no-analytics or --analytics doesn't remove the message somehow. |
|
Hi is there any updates after months? This is very helpful. Thanks! |
|
Hi @fzyzcjy, yep! 😄 The Dependabot team is not currently able to take on the maintainer role for new ecosystems, as we outlined in our readme. That said, we are working with the Dart team on adding Pub support to Dependabot! 🎉 The way this will be implemented will look different from how Dependabot currently interfaces with other ecosystems. Our goal is to de-duplicate the version-update and security-update logic from Dependabot and have that logic be maintained in the package managers themselves. That way, we can onboard new ecosystems without the additional burden of maintaining versioning and update logic in Dependabot! While this is currently a work in progress and we don't have a definite timeline, we are aiming to land this sometime in the first quarter of next year. I hope this answers the questions around Pub/Dart support in Dependabot. |
This PR adds support for Dart's package manager pub.
Various examples for Dart projects can be found here: https://github.com/IchordeDionysos/pub_examples
Help in form of PRs to simpleclub-extended:project/pub-dart are welcome 😍 .
Fixes #2166
Status of the PR
All required parts are already implemented, I am currently working on properly adding all boilerplate used for the project setup and CI/CD. 🚀
The implementation is in parts still a bit rough and I want to improve this. For that, I am already in contact with the Dart team to find better solutions or to get the current implementation officially supported and finalized.
I'll try to get instructions ready on how we can properly end-to-end test the Dependabot pub implementation and how we can use it until it finally gets merged into the Dependabot repo.
The following parts are already implemented and unit tested:
Can use the pub-semver project from Dart here: https://github.com/dart-lang/pub_semver
Implemented a requirement updater already in the official Add method to update a version constraint dart-lang/pub_semver#56 package that we can use for the
requirements_updater.Opened an issue with the Dart team if we can use the official code to generate lock files somehow, see Question: Using this project for automated pubspec.lock file updates dart-lang/pub#2947.
Opened an issue with the Dart team to expose the package repo URLs for this: Expose package repository URL via API dart-lang/pub-dev#4696
P.S. I am aware that currently, the PR will not land in the official repo. I just wanted to make the work more visible to potential contributors and the dependabot team.