v0.155.2 #3979
Merged
v0.155.2 #3979
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Unrelated flaky bundler specs, going to yank these out from bundler 1 as they are also covered in native helper specs now |
feelepxyz
commented
Jun 23, 2021
feelepxyz
added a commit
that referenced
this pull request
Jun 23, 2021
Merged too quickly #3979 Makes sense to bump minor for the terraform cloning change.
milind009
added a commit
to GiriB/dependabot-core
that referenced
this pull request
Oct 6, 2021
* Raise on ruby 2.7 deprecation warnings Break tests if we introduce any ruby 2.7 deprecation warnings. * Fix ruby 2.7 deprecations * Add `--no-install-recommends` to all `apt-get install` in Dockerfile This option will prevent not needed package being installed, make the image smaller. * Double quote variables in shellscript This will help prevent globbing and word splitting. Most of them are already quoted, just few of them are missed. * v0.154.1 * Double quote variables in Dockerfile's shellscript, cc dependabot#3917 * build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.2 to 2.6.3. - [Release notes](https://github.com/npm/arborist/releases) - [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md) - [Commits](npm/arborist@v2.6.2...v2.6.3) --- updated-dependencies: - dependency-name: "@npmcli/arborist" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Bundler: attempt to isolate flaky test Seeing a bunch of CI failures from this force updater spec: `NoMethodError with message: undefined method `name' for "Gemfile":String` Ref: https://github.com/dependabot/dependabot-core/pull/3923/checks?check_run_id=2842564846 I haven't managed to reproduce this locally yet. * Add more failing specs * Fix ruby 2.7 deprecations in python * Add more flaky test candidates * Github actions: Handle no latest version found When no latest version can be found return nil to prevent the update checker from comparing the version with the current version: ``` ArgumentError: comparison of String with Dependabot::GithubActions::Version failed ``` * Strip auth headers from VCR cassettes * Fix spec * Remove nil guard * Fix cops * Terraform: Handle 401 registry responses Raise a `PrivateSourceAuthenticationFailure` with the provided hostname if the registry responds with a `401`. * v0.154.2 * Terraform: handle dependencies without a namespace Default providers without a namespace to `hashicorp`. * chore: add lint job to check shell scripts * fix shellcheck errors in shellcheck linter script * chore: break out files to each line * chore: use sudo to install apt packages * chore: allow passing args to shellscript. e.g ./bin/lint -f diff * chore: fix SC2006 ```plaintext In ./hex/helpers/build line 18: case `uname` in ^-----^ SC2006: Use $(...) notation instead of legacy backticked `...`. Did you mean: case $(uname) in ``` https://github.com/koalaman/shellcheck/wiki/SC2006 * chore: fix SC2086 in docker-dev-shell ```plaintext In ./bin/docker-dev-shell line 61: echo $RUNNING ^------^ SC2086: Double quote to prevent globbing and word splitting. ``` https://github.com/koalaman/shellcheck/wiki/SC2086 * chore: fix SC2006 ```plaintext In ./bin/docker-dev-shell line 14: OPTS=`getopt -o hr --long help,rebuild -n 'parse-options' -- "$@"` ^--^ SC2034: OPTS appears unused. Verify use (or export if used externally). ^-- SC2006: Use $(...) notation instead of legacy backticked `...`. ``` https://github.com/koalaman/shellcheck/wiki/SC2006 * chore: ignore existing shellcheck issues * chore: add ecosystem specific script files to linter list * chore: remove unnecessary headers * rake rubocop:sort * enable Style/* and autofix * enable Lint/* and autoformat * final rubocop warnings * Replace wget with curl for minimized dependency Use single tool for the same purpose, simplify the tool dependency, and also make the Docker image a little bit more smaller. * Fetches upload-pack using git if http fails * test: pin constraint to ensure deterministic test results * test: update declared constraints in expectation * test: tweak assertion to match new constraint * test: update fixture constraint to ensure resolution falls within a deterministic range * chore: install shellcheck in the dev container * Updates existing error handling tests to mock capture3 call * Adds tests for fallback where HTTP fails but git ls-remote succeeds * fix url in test * Reformats lines to accomodate line-length lint finding * Streamlines git ls-remote fallback logic to remove unused response values * Updates github pull request tests to mock-fail git ls-remote fallback * Updates metadata commits finder tests to mock-fail git ls-remote fallback * Updates git commit checker tests to mock-fail git ls-remote fallback * Returns basename and relative path in CodeCommit file fetcher Previously, the `name` and `path` attributes were both the absolute path for all files retrieved from CodeCommit sources. This caused problems in `fetch_file_from_host`, which joins the `directory` from the config with the `filename`. When `filename` is the absolute path, this essentially duplicated the directory in the result, e.g. `directory/directory/relative path`. This change returns the basename and relative path instead, matching the implemenation for azure devops, and allowing the join in `fetch_file_from_host` to return `directory/relative path` * build(deps-dev): bump eslint in /npm_and_yarn/helpers Bumps [eslint](https://github.com/eslint/eslint) from 7.28.0 to 7.29.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md) - [Commits](eslint/eslint@v7.28.0...v7.29.0) --- updated-dependencies: - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): update commonmarker requirement from >= 0.20.1, < 0.22.0 to >= 0.20.1, < 0.23.0 Updates the requirements on [commonmarker](https://github.com/gjtorikian/commonmarker) to permit the latest version. - [Release notes](https://github.com/gjtorikian/commonmarker/releases) - [Commits](gjtorikian/commonmarker@v0.20.1...v0.21.2) --- updated-dependencies: - dependency-name: commonmarker dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.89...0.12.90) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Clarify support policies in README and Issue template We tend to get a lot of questions here about the Dependabot service that we operate at GitHub. Many of those questions are much easier to resolve when going through Support, as they have much better tooling and processes to follow up on those sorts of questions. This attempts to clarify that in the README and issue template. * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.89...0.12.90) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Terraform: handle unreachable private module proxy Raise a `PrivateSourceAuthenticationFailure` when a private module proxy can't be reached. * Terraform: handle missing source Silently ignore failing source requests to not block PR creation. Returning nil here will cause the PR creator to not include any changelogs/release notes. * v0.154.3 * expected credentials * bin/ci-test * Add version_filter module to common, remove from ecosystem update_checker * Check if the version is a Gem::Version, not the advisory * Run rubocop * Run rubocop * Move include up in class hierarchy Co-authored-by: Philip Harrison <philip@mailharrison.com> * Make filter_vulnerable_versions stateless * Rubocop * Remove VersionFilters include Co-authored-by: Jurre <jurre@github.com> * Reorder #lowest_security_fix_version filters * Rubocop * ci-test: shellcheck yourself before you shellwreck yourself * docker-dev-shell: do not rename gemspec * devcontainer: do not rename gemspec * Add fetch_lowest_security_fix_version and test * Working security advisory test * Add lowest_resolvable_security_fix_version * Update LatestVersionFinder tests to use new fixture tags * Update test suite, add lowest_security_fix_version tests * Rubocop * temp commit * Initialize :security_advsiories as an empty array, remove pending test * Add latest_version_checker to UpdateChecker, add tests for security advisories * Use stateless filter_vulnerable_versions * Add missing assignment * Clarifying external contribution guidelines See dependabot#3943 * Move `#filter_vulnerable_version` to come before `#filter_ignored_version` * Terraform: handle nested module sources Relax the regex that matches module sources to include nested modules. * v0.154.4 * Create changelog from merge commits * Add link to pr * Check out branch before committing changes * Update bin/bump-version.rb * Swap version filters Co-authored-by: Philip Harrison <philip@mailharrison.com> * Terraform: install modules when updating lockfile Terraform requires modules to be installed with `terraform init` when updating the lockfile. Opted to only run `terraform init` if the call to `terraform providers lock` bails out and retry. We could opt to always run `terraform init` if there are any modules defined but would mean parsing the dependency files and checking if any of the dependencies are modules as we only have access to the current dependency, which in this case is provider. * Update test to reflect dependency version after update * v0.154.5 * Add test for indirect dependencies to `#lowest_resolvable_security_fix` * v0.155.0 * GemspecSanitizer replace interpolated strings The previous impl only replaced the components of the interpolated string that looked like versions. When this is called with a `replacement_version` read from `Gemfile.lock`, the replacement value based on the interpolated string. * nuget: RepositoryFinder might not find PackageBaseAddress * nuget: handle RepositoryDetails without BaseAddress * autoformat fixture * build(deps-dev): bump jest in /npm_and_yarn/helpers Bumps [jest](https://github.com/facebook/jest) from 27.0.4 to 27.0.5. - [Release notes](https://github.com/facebook/jest/releases) - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md) - [Commits](jestjs/jest@v27.0.4...v27.0.5) --- updated-dependencies: - dependency-name: jest dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump pip-tools from 6.1.0 to 6.2.0 in /python/helpers Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.1.0 to 6.2.0. - [Release notes](https://github.com/jazzband/pip-tools/releases) - [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md) - [Commits](jazzband/pip-tools@6.1.0...6.2.0) --- updated-dependencies: - dependency-name: pip-tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Terraform: fix module updates with a lockfile This is the other side of dependabot#3968 This fixes module updates when there's a lockfile present. Modules are not included in the lockfile so adding a guard to only attempt lockfile updates for providers. Fixed some test setup to match what the parsed files would look like. * v0.155.1 * feature: Add support for Hex sub-projects * clean: Refactor tests to use new pattern * Terraform: clone repository contents for update Terraform projects can include local path modules that are currently not fetched in the file fetching step so any lockfile update will fail because these files are missing. The easiest fix seemed to be to always start cloning terraform projects as this is what we want to end up doing for all ecosystems. The file fetcher will still hit the gh api when getting the reo contents but this would require changes in common so keen to make that change separately as it currently works. * Stop double writing dependecy files * v0.155.2 * Update CHANGELOG.md * Bump minor for change to cloning Merged too quickly dependabot#3979 Makes sense to bump minor for the terraform cloning change. * Exclude release note merges in changelog Exclude release note merges in generated changelog. For example: dependabot#3977 * build(deps-dev): update rubocop requirement from ~> 1.16.0 to ~> 1.17.0 Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version. - [Release notes](https://github.com/rubocop/rubocop/releases) - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md) - [Commits](rubocop/rubocop@v1.16.0...v1.17.0) --- updated-dependencies: - dependency-name: rubocop dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> * Enable new cops * Fix cops * Terraform: Configure git for `terraform init` and capture errors When attempting to `terraform init` when there are private module sources present, currently we raise a `HelperSubprocessFailed`. Terraform will attempt to use any git credentials that are configured, so passing these along should help in some cases when Dependabot is configured to access these, and when it isn't we should raise a PrivateSourceAuthenticationFailure to communicate more clearly that we cannot reach a certain source. It's a little unfortunate that we even need to do this, because this happens when we attempt to update a lockfile, and these don't support modules. However, `terraform providers lock` will still complain about modules needing to be installed, and this should do a better job of that. * v0.156.1 * Terraform: Prevent `terraform init` from initializing backends * remove `strip_terminal_colors` as its not needed anymore * pin azurerm versions in test fixtures prevents new versions from breaking the tests * prefer Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES * poetry_files_parser ignore paths * poetry ignore url dependencies too * linter * outdated test * v0.156.2 * build(deps-dev): bump prettier in /npm_and_yarn/helpers Bumps [prettier](https://github.com/prettier/prettier) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](prettier/prettier@2.3.1...2.3.2) --- updated-dependencies: - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump poetry from 1.1.6 to 1.1.7 in /python/helpers Bumps [poetry](https://github.com/python-poetry/poetry) from 1.1.6 to 1.1.7. - [Release notes](https://github.com/python-poetry/poetry/releases) - [Changelog](https://github.com/python-poetry/poetry/blob/1.1.7/CHANGELOG.md) - [Commits](python-poetry/poetry@1.1.6...1.1.7) --- updated-dependencies: - dependency-name: poetry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump pip from 21.1.2 to 21.1.3 in /python/helpers Bumps [pip](https://github.com/pypa/pip) from 21.1.2 to 21.1.3. - [Release notes](https://github.com/pypa/pip/releases) - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](pypa/pip@21.1.2...21.1.3) --- updated-dependencies: - dependency-name: pip dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * PR Updater: Handle required status checks As per [the docs][docs] when branch protection rules are enabled, force pushing to them is disabled. This handles errors when this happens and raises a `BranchProtected` error, which will allow us to handle this gracefully and inform the user of this. [docs]: https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-rules * build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.3 to 2.6.4. - [Release notes](https://github.com/npm/arborist/releases) - [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md) - [Commits](npm/arborist@v2.6.3...v2.6.4) --- updated-dependencies: - dependency-name: "@npmcli/arborist" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps-dev): bump jest in /npm_and_yarn/helpers Bumps [jest](https://github.com/facebook/jest) from 27.0.5 to 27.0.6. - [Release notes](https://github.com/facebook/jest/releases) - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md) - [Commits](jestjs/jest@v27.0.5...v27.0.6) --- updated-dependencies: - dependency-name: jest dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps-dev): update rubocop requirement from ~> 1.17.0 to ~> 1.18.0 Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version. - [Release notes](https://github.com/rubocop/rubocop/releases) - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md) - [Commits](rubocop/rubocop@v1.17.0...v1.18.0) --- updated-dependencies: - dependency-name: rubocop dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> * Add support for fetching extensions.xml files These files contain dependency coordinates for Maven extensions that want to receive the Maven afterSessionStart event. The file is always located in the .mvn folder in the project root and is optional. See also - https://maven.apache.org/guides/mini/guide-using-extensions.html - https://maven.apache.org/examples/maven-3-lifecycle-extensions.html * Add support for extensions.xml to parser extensions.xml files can only contain an extensions block specifying one or more extension dependency. The extension nodes only have groupId, artifactId and version. * Add update support for extension.xml files Adjusts the maven file_updater to also process extensions.xml files. Methods and variables that are now used for either file type have been renamed accordingly. * Fix rubocop violations * Use `if` instead `unless nil` Co-authored-by: Philip Harrison <philip@mailharrison.com> * Simplify using `fetch_file_if_present` Co-authored-by: Philip Harrison <philip@mailharrison.com> * Simplify updated files check Co-authored-by: Philip Harrison <philip@mailharrison.com> * Make sure code works even if `.mvn` directory is missing Co-authored-by: Philip Harrison <philip@mailharrison.com> * Always require a pom.xml file Co-authored-by: Philip Harrison <philip@mailharrison.com> * Remove empty line Co-authored-by: Philip Harrison <philip@mailharrison.com> * Remove empty line Co-authored-by: Philip Harrison <philip@mailharrison.com> * Fix linter error Co-authored-by: mo khan <mo@mokhan.ca> * Fix linter error * v0.156.3 * Fix spec stubs * add Unauthorized exception to azure.rb * add tests for azure client * v0.156.4 * fix trailing whitespace * fix trailing whitespace * test: place upper bound on version constraint * Gomod: Handle unrecognized import path error When referencing a go proxy that 404s, we see this error. Previously this would not be handled, but it should result in a DependencyFileNotResolvable error, so users have a sense of what's wrong. * test: reproduce a defect with relative paths using poetry * test: ensure both the pyproject and lock file are updated * fix(poetry): copy all project files when generating lockfile hash * style: fix linter errors * build(deps-dev): bump eslint in /npm_and_yarn/helpers Bumps [eslint](https://github.com/eslint/eslint) from 7.29.0 to 7.30.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md) - [Commits](eslint/eslint@v7.29.0...v7.30.0) --- updated-dependencies: - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * add response 200 context block for #create_commit test * add 403 test for Azure.create_commit * add test for fetch_commit * fix trailing whitespace * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.90...0.12.92) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.90...0.12.92) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * v0.156.5 * syntax error Co-authored-by: Philip Harrison <philip@mailharrison.com> Co-authored-by: Peter Dave Hello <hsu@peterdavehello.org> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mo khan <mo@mokhan.ca> Co-authored-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> Co-authored-by: Loren Gordon <lorengordon@users.noreply.github.com> Co-authored-by: Jurre Stender <jurrestender@gmail.com> Co-authored-by: Jurre <jurre@github.com> Co-authored-by: Nish Sinha <nishnha@github.com> Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com> Co-authored-by: Guilherme Duarte <gjsduarte@gmail.com> Co-authored-by: Heine Furubotten <hfurubotten@users.noreply.github.com> Co-authored-by: Benedikt Ritter <beneritter@gmail.com> Co-authored-by: wolf-cola <86134169+wolf-cola@users.noreply.github.com> Co-authored-by: wolf-cola <wolf.cola.official@protonmail.com>
AlekhyaYalla
pushed a commit
to GiriB/dependabot-core
that referenced
this pull request
Nov 9, 2021
* Raise on ruby 2.7 deprecation warnings Break tests if we introduce any ruby 2.7 deprecation warnings. * Fix ruby 2.7 deprecations * Add `--no-install-recommends` to all `apt-get install` in Dockerfile This option will prevent not needed package being installed, make the image smaller. * Double quote variables in shellscript This will help prevent globbing and word splitting. Most of them are already quoted, just few of them are missed. * v0.154.1 * Double quote variables in Dockerfile's shellscript, cc dependabot#3917 * build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.2 to 2.6.3. - [Release notes](https://github.com/npm/arborist/releases) - [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md) - [Commits](npm/arborist@v2.6.2...v2.6.3) --- updated-dependencies: - dependency-name: "@npmcli/arborist" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Bundler: attempt to isolate flaky test Seeing a bunch of CI failures from this force updater spec: `NoMethodError with message: undefined method `name' for "Gemfile":String` Ref: https://github.com/dependabot/dependabot-core/pull/3923/checks?check_run_id=2842564846 I haven't managed to reproduce this locally yet. * Add more failing specs * Fix ruby 2.7 deprecations in python * Add more flaky test candidates * Github actions: Handle no latest version found When no latest version can be found return nil to prevent the update checker from comparing the version with the current version: ``` ArgumentError: comparison of String with Dependabot::GithubActions::Version failed ``` * Strip auth headers from VCR cassettes * Fix spec * Remove nil guard * Fix cops * Terraform: Handle 401 registry responses Raise a `PrivateSourceAuthenticationFailure` with the provided hostname if the registry responds with a `401`. * v0.154.2 * Terraform: handle dependencies without a namespace Default providers without a namespace to `hashicorp`. * chore: add lint job to check shell scripts * fix shellcheck errors in shellcheck linter script * chore: break out files to each line * chore: use sudo to install apt packages * chore: allow passing args to shellscript. e.g ./bin/lint -f diff * chore: fix SC2006 ```plaintext In ./hex/helpers/build line 18: case `uname` in ^-----^ SC2006: Use $(...) notation instead of legacy backticked `...`. Did you mean: case $(uname) in ``` https://github.com/koalaman/shellcheck/wiki/SC2006 * chore: fix SC2086 in docker-dev-shell ```plaintext In ./bin/docker-dev-shell line 61: echo $RUNNING ^------^ SC2086: Double quote to prevent globbing and word splitting. ``` https://github.com/koalaman/shellcheck/wiki/SC2086 * chore: fix SC2006 ```plaintext In ./bin/docker-dev-shell line 14: OPTS=`getopt -o hr --long help,rebuild -n 'parse-options' -- "$@"` ^--^ SC2034: OPTS appears unused. Verify use (or export if used externally). ^-- SC2006: Use $(...) notation instead of legacy backticked `...`. ``` https://github.com/koalaman/shellcheck/wiki/SC2006 * chore: ignore existing shellcheck issues * chore: add ecosystem specific script files to linter list * chore: remove unnecessary headers * rake rubocop:sort * enable Style/* and autofix * enable Lint/* and autoformat * final rubocop warnings * Replace wget with curl for minimized dependency Use single tool for the same purpose, simplify the tool dependency, and also make the Docker image a little bit more smaller. * Fetches upload-pack using git if http fails * test: pin constraint to ensure deterministic test results * test: update declared constraints in expectation * test: tweak assertion to match new constraint * test: update fixture constraint to ensure resolution falls within a deterministic range * chore: install shellcheck in the dev container * Updates existing error handling tests to mock capture3 call * Adds tests for fallback where HTTP fails but git ls-remote succeeds * fix url in test * Reformats lines to accomodate line-length lint finding * Streamlines git ls-remote fallback logic to remove unused response values * Updates github pull request tests to mock-fail git ls-remote fallback * Updates metadata commits finder tests to mock-fail git ls-remote fallback * Updates git commit checker tests to mock-fail git ls-remote fallback * Returns basename and relative path in CodeCommit file fetcher Previously, the `name` and `path` attributes were both the absolute path for all files retrieved from CodeCommit sources. This caused problems in `fetch_file_from_host`, which joins the `directory` from the config with the `filename`. When `filename` is the absolute path, this essentially duplicated the directory in the result, e.g. `directory/directory/relative path`. This change returns the basename and relative path instead, matching the implemenation for azure devops, and allowing the join in `fetch_file_from_host` to return `directory/relative path` * build(deps-dev): bump eslint in /npm_and_yarn/helpers Bumps [eslint](https://github.com/eslint/eslint) from 7.28.0 to 7.29.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md) - [Commits](eslint/eslint@v7.28.0...v7.29.0) --- updated-dependencies: - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): update commonmarker requirement from >= 0.20.1, < 0.22.0 to >= 0.20.1, < 0.23.0 Updates the requirements on [commonmarker](https://github.com/gjtorikian/commonmarker) to permit the latest version. - [Release notes](https://github.com/gjtorikian/commonmarker/releases) - [Commits](gjtorikian/commonmarker@v0.20.1...v0.21.2) --- updated-dependencies: - dependency-name: commonmarker dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.89...0.12.90) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Clarify support policies in README and Issue template We tend to get a lot of questions here about the Dependabot service that we operate at GitHub. Many of those questions are much easier to resolve when going through Support, as they have much better tooling and processes to follow up on those sorts of questions. This attempts to clarify that in the README and issue template. * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.89...0.12.90) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Terraform: handle unreachable private module proxy Raise a `PrivateSourceAuthenticationFailure` when a private module proxy can't be reached. * Terraform: handle missing source Silently ignore failing source requests to not block PR creation. Returning nil here will cause the PR creator to not include any changelogs/release notes. * v0.154.3 * expected credentials * bin/ci-test * Add version_filter module to common, remove from ecosystem update_checker * Check if the version is a Gem::Version, not the advisory * Run rubocop * Run rubocop * Move include up in class hierarchy Co-authored-by: Philip Harrison <philip@mailharrison.com> * Make filter_vulnerable_versions stateless * Rubocop * Remove VersionFilters include Co-authored-by: Jurre <jurre@github.com> * Reorder #lowest_security_fix_version filters * Rubocop * ci-test: shellcheck yourself before you shellwreck yourself * docker-dev-shell: do not rename gemspec * devcontainer: do not rename gemspec * Add fetch_lowest_security_fix_version and test * Working security advisory test * Add lowest_resolvable_security_fix_version * Update LatestVersionFinder tests to use new fixture tags * Update test suite, add lowest_security_fix_version tests * Rubocop * temp commit * Initialize :security_advsiories as an empty array, remove pending test * Add latest_version_checker to UpdateChecker, add tests for security advisories * Use stateless filter_vulnerable_versions * Add missing assignment * Clarifying external contribution guidelines See dependabot#3943 * Move `#filter_vulnerable_version` to come before `#filter_ignored_version` * Terraform: handle nested module sources Relax the regex that matches module sources to include nested modules. * v0.154.4 * Create changelog from merge commits * Add link to pr * Check out branch before committing changes * Update bin/bump-version.rb * Swap version filters Co-authored-by: Philip Harrison <philip@mailharrison.com> * Terraform: install modules when updating lockfile Terraform requires modules to be installed with `terraform init` when updating the lockfile. Opted to only run `terraform init` if the call to `terraform providers lock` bails out and retry. We could opt to always run `terraform init` if there are any modules defined but would mean parsing the dependency files and checking if any of the dependencies are modules as we only have access to the current dependency, which in this case is provider. * Update test to reflect dependency version after update * v0.154.5 * Add test for indirect dependencies to `#lowest_resolvable_security_fix` * v0.155.0 * GemspecSanitizer replace interpolated strings The previous impl only replaced the components of the interpolated string that looked like versions. When this is called with a `replacement_version` read from `Gemfile.lock`, the replacement value based on the interpolated string. * nuget: RepositoryFinder might not find PackageBaseAddress * nuget: handle RepositoryDetails without BaseAddress * autoformat fixture * build(deps-dev): bump jest in /npm_and_yarn/helpers Bumps [jest](https://github.com/facebook/jest) from 27.0.4 to 27.0.5. - [Release notes](https://github.com/facebook/jest/releases) - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md) - [Commits](jestjs/jest@v27.0.4...v27.0.5) --- updated-dependencies: - dependency-name: jest dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump pip-tools from 6.1.0 to 6.2.0 in /python/helpers Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.1.0 to 6.2.0. - [Release notes](https://github.com/jazzband/pip-tools/releases) - [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md) - [Commits](jazzband/pip-tools@6.1.0...6.2.0) --- updated-dependencies: - dependency-name: pip-tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Terraform: fix module updates with a lockfile This is the other side of dependabot#3968 This fixes module updates when there's a lockfile present. Modules are not included in the lockfile so adding a guard to only attempt lockfile updates for providers. Fixed some test setup to match what the parsed files would look like. * v0.155.1 * feature: Add support for Hex sub-projects * clean: Refactor tests to use new pattern * Terraform: clone repository contents for update Terraform projects can include local path modules that are currently not fetched in the file fetching step so any lockfile update will fail because these files are missing. The easiest fix seemed to be to always start cloning terraform projects as this is what we want to end up doing for all ecosystems. The file fetcher will still hit the gh api when getting the reo contents but this would require changes in common so keen to make that change separately as it currently works. * Stop double writing dependecy files * v0.155.2 * Update CHANGELOG.md * Bump minor for change to cloning Merged too quickly dependabot#3979 Makes sense to bump minor for the terraform cloning change. * Exclude release note merges in changelog Exclude release note merges in generated changelog. For example: dependabot#3977 * build(deps-dev): update rubocop requirement from ~> 1.16.0 to ~> 1.17.0 Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version. - [Release notes](https://github.com/rubocop/rubocop/releases) - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md) - [Commits](rubocop/rubocop@v1.16.0...v1.17.0) --- updated-dependencies: - dependency-name: rubocop dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> * Enable new cops * Fix cops * Terraform: Configure git for `terraform init` and capture errors When attempting to `terraform init` when there are private module sources present, currently we raise a `HelperSubprocessFailed`. Terraform will attempt to use any git credentials that are configured, so passing these along should help in some cases when Dependabot is configured to access these, and when it isn't we should raise a PrivateSourceAuthenticationFailure to communicate more clearly that we cannot reach a certain source. It's a little unfortunate that we even need to do this, because this happens when we attempt to update a lockfile, and these don't support modules. However, `terraform providers lock` will still complain about modules needing to be installed, and this should do a better job of that. * v0.156.1 * Terraform: Prevent `terraform init` from initializing backends * remove `strip_terminal_colors` as its not needed anymore * pin azurerm versions in test fixtures prevents new versions from breaking the tests * prefer Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES * poetry_files_parser ignore paths * poetry ignore url dependencies too * linter * outdated test * v0.156.2 * build(deps-dev): bump prettier in /npm_and_yarn/helpers Bumps [prettier](https://github.com/prettier/prettier) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](prettier/prettier@2.3.1...2.3.2) --- updated-dependencies: - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump poetry from 1.1.6 to 1.1.7 in /python/helpers Bumps [poetry](https://github.com/python-poetry/poetry) from 1.1.6 to 1.1.7. - [Release notes](https://github.com/python-poetry/poetry/releases) - [Changelog](https://github.com/python-poetry/poetry/blob/1.1.7/CHANGELOG.md) - [Commits](python-poetry/poetry@1.1.6...1.1.7) --- updated-dependencies: - dependency-name: poetry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump pip from 21.1.2 to 21.1.3 in /python/helpers Bumps [pip](https://github.com/pypa/pip) from 21.1.2 to 21.1.3. - [Release notes](https://github.com/pypa/pip/releases) - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](pypa/pip@21.1.2...21.1.3) --- updated-dependencies: - dependency-name: pip dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * PR Updater: Handle required status checks As per [the docs][docs] when branch protection rules are enabled, force pushing to them is disabled. This handles errors when this happens and raises a `BranchProtected` error, which will allow us to handle this gracefully and inform the user of this. [docs]: https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-rules * build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.3 to 2.6.4. - [Release notes](https://github.com/npm/arborist/releases) - [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md) - [Commits](npm/arborist@v2.6.3...v2.6.4) --- updated-dependencies: - dependency-name: "@npmcli/arborist" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps-dev): bump jest in /npm_and_yarn/helpers Bumps [jest](https://github.com/facebook/jest) from 27.0.5 to 27.0.6. - [Release notes](https://github.com/facebook/jest/releases) - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md) - [Commits](jestjs/jest@v27.0.5...v27.0.6) --- updated-dependencies: - dependency-name: jest dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps-dev): update rubocop requirement from ~> 1.17.0 to ~> 1.18.0 Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version. - [Release notes](https://github.com/rubocop/rubocop/releases) - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md) - [Commits](rubocop/rubocop@v1.17.0...v1.18.0) --- updated-dependencies: - dependency-name: rubocop dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> * Add support for fetching extensions.xml files These files contain dependency coordinates for Maven extensions that want to receive the Maven afterSessionStart event. The file is always located in the .mvn folder in the project root and is optional. See also - https://maven.apache.org/guides/mini/guide-using-extensions.html - https://maven.apache.org/examples/maven-3-lifecycle-extensions.html * Add support for extensions.xml to parser extensions.xml files can only contain an extensions block specifying one or more extension dependency. The extension nodes only have groupId, artifactId and version. * Add update support for extension.xml files Adjusts the maven file_updater to also process extensions.xml files. Methods and variables that are now used for either file type have been renamed accordingly. * Fix rubocop violations * Use `if` instead `unless nil` Co-authored-by: Philip Harrison <philip@mailharrison.com> * Simplify using `fetch_file_if_present` Co-authored-by: Philip Harrison <philip@mailharrison.com> * Simplify updated files check Co-authored-by: Philip Harrison <philip@mailharrison.com> * Make sure code works even if `.mvn` directory is missing Co-authored-by: Philip Harrison <philip@mailharrison.com> * Always require a pom.xml file Co-authored-by: Philip Harrison <philip@mailharrison.com> * Remove empty line Co-authored-by: Philip Harrison <philip@mailharrison.com> * Remove empty line Co-authored-by: Philip Harrison <philip@mailharrison.com> * Fix linter error Co-authored-by: mo khan <mo@mokhan.ca> * Fix linter error * v0.156.3 * Fix spec stubs * add Unauthorized exception to azure.rb * add tests for azure client * v0.156.4 * fix trailing whitespace * fix trailing whitespace * test: place upper bound on version constraint * Gomod: Handle unrecognized import path error When referencing a go proxy that 404s, we see this error. Previously this would not be handled, but it should result in a DependencyFileNotResolvable error, so users have a sense of what's wrong. * test: reproduce a defect with relative paths using poetry * test: ensure both the pyproject and lock file are updated * fix(poetry): copy all project files when generating lockfile hash * style: fix linter errors * build(deps-dev): bump eslint in /npm_and_yarn/helpers Bumps [eslint](https://github.com/eslint/eslint) from 7.29.0 to 7.30.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md) - [Commits](eslint/eslint@v7.29.0...v7.30.0) --- updated-dependencies: - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * add response 200 context block for #create_commit test * add 403 test for Azure.create_commit * add test for fetch_commit * fix trailing whitespace * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.90...0.12.92) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1 Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Commits](phpstan/phpstan@0.12.90...0.12.92) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * v0.156.5 * syntax error Co-authored-by: Philip Harrison <philip@mailharrison.com> Co-authored-by: Peter Dave Hello <hsu@peterdavehello.org> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mo khan <mo@mokhan.ca> Co-authored-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> Co-authored-by: Loren Gordon <lorengordon@users.noreply.github.com> Co-authored-by: Jurre Stender <jurrestender@gmail.com> Co-authored-by: Jurre <jurre@github.com> Co-authored-by: Nish Sinha <nishnha@github.com> Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com> Co-authored-by: Guilherme Duarte <gjsduarte@gmail.com> Co-authored-by: Heine Furubotten <hfurubotten@users.noreply.github.com> Co-authored-by: Benedikt Ritter <beneritter@gmail.com> Co-authored-by: wolf-cola <86134169+wolf-cola@users.noreply.github.com> Co-authored-by: wolf-cola <wolf.cola.official@protonmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
v0.155.2, 23 June 2021