Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v0.155.2 #3979

Merged
merged 2 commits into from
Jun 23, 2021
Merged

v0.155.2 #3979

merged 2 commits into from
Jun 23, 2021

Conversation

feelepxyz
Copy link
Contributor

@feelepxyz feelepxyz commented Jun 23, 2021

v0.155.2, 23 June 2021

  • Create changelog from merge commits #3642
  • Terraform: always clone repository contents #3978
  • build(deps): bump pip-tools from 6.1.0 to 6.2.0 in /python/helpers #3974
  • Hex: Adds support for sub-projects without the need for umbrella applications (@gjsduarte) #3944

@feelepxyz feelepxyz requested a review from a team as a code owner June 23, 2021 17:00
@feelepxyz
Copy link
Contributor Author

Unrelated flaky bundler specs, going to yank these out from bundler 1 as they are also covered in native helper specs now

CHANGELOG.md Outdated Show resolved Hide resolved
@feelepxyz feelepxyz merged commit 63c8ac7 into main Jun 23, 2021
@feelepxyz feelepxyz deleted the v0.155.2-release-notes branch June 23, 2021 17:22
feelepxyz added a commit that referenced this pull request Jun 23, 2021
Merged too quickly #3979
Makes sense to bump minor for the terraform cloning change.
milind009 added a commit to GiriB/dependabot-core that referenced this pull request Oct 6, 2021
* Raise on ruby 2.7 deprecation warnings

Break tests if we introduce any ruby 2.7 deprecation warnings.

* Fix ruby 2.7 deprecations

* Add `--no-install-recommends` to all `apt-get install` in Dockerfile

This option will prevent not needed package being installed, make the
image smaller.

* Double quote variables in shellscript

This will help prevent globbing and word splitting. Most of them are
already quoted, just few of them are missed.

* v0.154.1

* Double quote variables in Dockerfile's shellscript, cc dependabot#3917

* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.2 to 2.6.3.
- [Release notes](https://github.com/npm/arborist/releases)
- [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
- [Commits](npm/arborist@v2.6.2...v2.6.3)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bundler: attempt to isolate flaky test

Seeing a bunch of CI failures from this force updater spec:
`NoMethodError with message: undefined method `name' for "Gemfile":String`

Ref: https://github.com/dependabot/dependabot-core/pull/3923/checks?check_run_id=2842564846

I haven't managed to reproduce this locally yet.

* Add more failing specs

* Fix ruby 2.7 deprecations in python

* Add more flaky test candidates

* Github actions: Handle no latest version found

When no latest version can be found return nil to prevent the update
checker from comparing the version with the current version:

```
ArgumentError: comparison of String with Dependabot::GithubActions::Version failed
```

* Strip auth headers from VCR cassettes

* Fix spec

* Remove nil guard

* Fix cops

* Terraform: Handle 401 registry responses

Raise a `PrivateSourceAuthenticationFailure` with the provided hostname
if the registry responds with a `401`.

* v0.154.2

* Terraform: handle dependencies without a namespace

Default providers without a namespace to `hashicorp`.

* chore: add lint job to check shell scripts

* fix shellcheck errors in shellcheck linter script

* chore: break out files to each line

* chore: use sudo to install apt packages

* chore: allow passing args to shellscript. e.g ./bin/lint -f diff

* chore: fix SC2006

```plaintext
In ./hex/helpers/build line 18:
case `uname` in
     ^-----^ SC2006: Use $(...) notation instead of legacy backticked `...`.

Did you mean:
case $(uname) in
```

https://github.com/koalaman/shellcheck/wiki/SC2006

* chore: fix SC2086 in docker-dev-shell

```plaintext
In ./bin/docker-dev-shell line 61:
echo $RUNNING
     ^------^ SC2086: Double quote to prevent globbing and word splitting.
```

https://github.com/koalaman/shellcheck/wiki/SC2086

* chore: fix SC2006

```plaintext
In ./bin/docker-dev-shell line 14:
OPTS=`getopt -o hr --long help,rebuild -n 'parse-options' -- "$@"`
^--^ SC2034: OPTS appears unused. Verify use (or export if used externally).
     ^-- SC2006: Use $(...) notation instead of legacy backticked `...`.
```

https://github.com/koalaman/shellcheck/wiki/SC2006

* chore: ignore existing shellcheck issues

* chore: add ecosystem specific script files to linter list

* chore: remove unnecessary headers

* rake rubocop:sort

* enable Style/* and autofix

* enable Lint/* and autoformat

* final rubocop warnings

* Replace wget with curl for minimized dependency

Use single tool for the same purpose, simplify the tool dependency, and
also make the Docker image a little bit more smaller.

* Fetches upload-pack using git if http fails

* test: pin constraint to ensure deterministic test results

* test: update declared constraints in expectation

* test: tweak assertion to match new constraint

* test: update fixture constraint to ensure resolution falls within a deterministic range

* chore: install shellcheck in the dev container

* Updates existing error handling tests to mock capture3 call

* Adds tests for fallback where HTTP fails but git ls-remote succeeds

* fix url in test

* Reformats lines to accomodate line-length lint finding

* Streamlines git ls-remote fallback logic to remove unused response values

* Updates github pull request tests to mock-fail git ls-remote fallback

* Updates metadata commits finder tests to mock-fail git ls-remote fallback

* Updates git commit checker tests to mock-fail git ls-remote fallback

* Returns basename and relative path in CodeCommit file fetcher

Previously, the `name` and `path` attributes were both the absolute
path for all files retrieved from CodeCommit sources. This caused
problems in `fetch_file_from_host`, which joins the `directory`
from the config with the `filename`. When `filename` is the absolute
path, this essentially duplicated the directory in the result, e.g.
`directory/directory/relative path`.

This change returns the basename and relative path instead, matching
the implemenation for azure devops, and allowing the join in `fetch_file_from_host`
to return `directory/relative path`

* build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps [eslint](https://github.com/eslint/eslint) from 7.28.0 to 7.29.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.28.0...v7.29.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): update commonmarker requirement from >= 0.20.1, < 0.22.0 to >= 0.20.1, < 0.23.0

Updates the requirements on [commonmarker](https://github.com/gjtorikian/commonmarker) to permit the latest version.
- [Release notes](https://github.com/gjtorikian/commonmarker/releases)
- [Commits](gjtorikian/commonmarker@v0.20.1...v0.21.2)

---
updated-dependencies:
- dependency-name: commonmarker
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.89...0.12.90)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Clarify support policies in README and Issue template

We tend to get a lot of questions here about the Dependabot service that
we operate at GitHub. Many of those questions are much easier to resolve
when going through Support, as they have much better tooling and
processes to follow up on those sorts of questions.

This attempts to clarify that in the README and issue template.

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.89...0.12.90)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Terraform: handle unreachable private module proxy

Raise a `PrivateSourceAuthenticationFailure` when a private module proxy
can't be reached.

* Terraform: handle missing source

Silently ignore failing source requests to not block PR creation.
Returning nil here will cause the PR creator to not include any
changelogs/release notes.

* v0.154.3

* expected credentials

* bin/ci-test

* Add version_filter module to common, remove from ecosystem update_checker

* Check if the version is a Gem::Version, not the advisory

* Run rubocop

* Run rubocop

* Move include up in class hierarchy

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Make filter_vulnerable_versions stateless

* Rubocop

* Remove VersionFilters include

Co-authored-by: Jurre <jurre@github.com>

* Reorder #lowest_security_fix_version filters

* Rubocop

* ci-test: shellcheck yourself

before you shellwreck yourself

* docker-dev-shell: do not rename gemspec

* devcontainer: do not rename gemspec

* Add fetch_lowest_security_fix_version and test

* Working security advisory test

* Add lowest_resolvable_security_fix_version

* Update LatestVersionFinder tests to use new fixture tags

* Update test suite, add lowest_security_fix_version tests

* Rubocop

* temp commit

* Initialize :security_advsiories as an empty array, remove pending test

* Add latest_version_checker to UpdateChecker, add tests for security advisories

* Use stateless filter_vulnerable_versions

* Add missing assignment

* Clarifying external contribution guidelines

See dependabot#3943

* Move `#filter_vulnerable_version` to come before `#filter_ignored_version`

* Terraform: handle nested module sources

Relax the regex that matches module sources to include nested modules.

* v0.154.4

* Create changelog from merge commits

* Add link to pr

* Check out branch before committing changes

* Update bin/bump-version.rb

* Swap version filters

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Terraform: install modules when updating lockfile

Terraform requires modules to be installed with `terraform init` when
updating the lockfile. Opted to only run `terraform init` if the call to
`terraform providers lock` bails out and retry.

We could opt to always run `terraform init` if there are any modules
defined but would mean parsing the dependency files and checking if any
of the dependencies are modules as we only have access to the current
dependency, which in this case is provider.

* Update test to reflect dependency version after update

* v0.154.5

* Add test for indirect dependencies to `#lowest_resolvable_security_fix`

* v0.155.0

* GemspecSanitizer replace interpolated strings

The previous impl only replaced the components of the interpolated
string that looked like versions.

When this is called with a `replacement_version` read from
`Gemfile.lock`, the replacement value based on the interpolated string.

* nuget: RepositoryFinder might not find PackageBaseAddress

* nuget: handle RepositoryDetails without BaseAddress

* autoformat fixture

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.0.4 to 27.0.5.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v27.0.4...v27.0.5)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump pip-tools from 6.1.0 to 6.2.0 in /python/helpers

Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md)
- [Commits](jazzband/pip-tools@6.1.0...6.2.0)

---
updated-dependencies:
- dependency-name: pip-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Terraform: fix module updates with a lockfile

This is the other side of dependabot#3968

This fixes module updates when there's a lockfile present. Modules are
not included in the lockfile so adding a guard to only attempt lockfile
updates for providers.

Fixed some test setup to match what the parsed files would look like.

* v0.155.1

* feature: Add support for Hex sub-projects

* clean: Refactor tests to use new pattern

* Terraform: clone repository contents for update

Terraform projects can include local path modules that are currently not
fetched in the file fetching step so any lockfile update will fail
because these files are missing.

The easiest fix seemed to be to always start cloning terraform projects
as this is what we want to end up doing for all ecosystems.

The file fetcher will still hit the gh api when getting the reo contents
but this would require changes in common so keen to make that change
separately as it currently works.

* Stop double writing dependecy files

* v0.155.2

* Update CHANGELOG.md

* Bump minor for change to cloning

Merged too quickly dependabot#3979
Makes sense to bump minor for the terraform cloning change.

* Exclude release note merges in changelog

Exclude release note merges in generated changelog.

For example: dependabot#3977

* build(deps-dev): update rubocop requirement from ~> 1.16.0 to ~> 1.17.0

Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.16.0...v1.17.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

* Enable new cops

* Fix cops

* Terraform: Configure git for `terraform init` and capture errors

When attempting to `terraform init` when there are private module
sources present, currently we raise a `HelperSubprocessFailed`.

Terraform will attempt to use any git credentials that are configured,
so passing these along should help in some cases when Dependabot is
configured to access these, and when it isn't we should raise a
PrivateSourceAuthenticationFailure to communicate more clearly that we
cannot reach a certain source.

It's a little unfortunate that we even need to do this, because this
happens when we attempt to update a lockfile, and these don't support
modules. However, `terraform providers lock` will still complain about
modules needing to be installed, and this should do a better job of
that.

* v0.156.1

* Terraform: Prevent `terraform init` from initializing backends

* remove `strip_terminal_colors`

as its not needed anymore

* pin azurerm versions in test fixtures

prevents new versions from breaking the tests

* prefer Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES

* poetry_files_parser ignore paths

* poetry ignore url dependencies too

* linter

* outdated test

* v0.156.2

* build(deps-dev): bump prettier in /npm_and_yarn/helpers

Bumps [prettier](https://github.com/prettier/prettier) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump poetry from 1.1.6 to 1.1.7 in /python/helpers

Bumps [poetry](https://github.com/python-poetry/poetry) from 1.1.6 to 1.1.7.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/1.1.7/CHANGELOG.md)
- [Commits](python-poetry/poetry@1.1.6...1.1.7)

---
updated-dependencies:
- dependency-name: poetry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump pip from 21.1.2 to 21.1.3 in /python/helpers

Bumps [pip](https://github.com/pypa/pip) from 21.1.2 to 21.1.3.
- [Release notes](https://github.com/pypa/pip/releases)
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@21.1.2...21.1.3)

---
updated-dependencies:
- dependency-name: pip
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* PR Updater: Handle required status checks

As per [the docs][docs] when branch protection rules are enabled, force
pushing to them is disabled.

This handles errors when this happens and raises a `BranchProtected`
error, which will allow us to handle this gracefully and inform the user
of this.

[docs]: https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-rules

* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.3 to 2.6.4.
- [Release notes](https://github.com/npm/arborist/releases)
- [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
- [Commits](npm/arborist@v2.6.3...v2.6.4)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.0.5 to 27.0.6.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v27.0.5...v27.0.6)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): update rubocop requirement from ~> 1.17.0 to ~> 1.18.0

Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add support for fetching extensions.xml files

These files contain dependency coordinates for Maven extensions that
want to receive the Maven afterSessionStart event. The file is always
located in the .mvn folder in the project root and is optional.

See also
  - https://maven.apache.org/guides/mini/guide-using-extensions.html
  - https://maven.apache.org/examples/maven-3-lifecycle-extensions.html

* Add support for extensions.xml to parser

extensions.xml files can only contain an extensions block specifying one
or more extension dependency. The extension nodes only have groupId,
artifactId and version.

* Add update support for extension.xml files

Adjusts the maven file_updater to also process extensions.xml files.
Methods and variables that are now used for either file type have been
renamed accordingly.

* Fix rubocop violations

* Use `if` instead `unless nil`

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Simplify using `fetch_file_if_present`

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Simplify updated files check

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Make sure code works even if `.mvn` directory is missing

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Always require a pom.xml file

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Remove empty line

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Remove empty line

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Fix linter error

Co-authored-by: mo khan <mo@mokhan.ca>

* Fix linter error

* v0.156.3

* Fix spec stubs

* add Unauthorized exception to azure.rb

* add tests for azure client

* v0.156.4

* fix trailing whitespace

* fix trailing whitespace

* test: place upper bound on version constraint

* Gomod: Handle unrecognized import path error

When referencing a go proxy that 404s, we see this error. Previously
this would not be handled, but it should result in a
DependencyFileNotResolvable error, so users have a sense of what's
wrong.

* test: reproduce a defect with relative paths using poetry

* test: ensure both the pyproject and lock file are updated

* fix(poetry): copy all project files when generating lockfile hash

* style: fix linter errors

* build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps [eslint](https://github.com/eslint/eslint) from 7.29.0 to 7.30.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.29.0...v7.30.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* add response 200 context block for #create_commit test

* add 403 test for Azure.create_commit

* add test for fetch_commit

* fix trailing whitespace

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.90...0.12.92)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.90...0.12.92)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* v0.156.5

* syntax error

Co-authored-by: Philip Harrison <philip@mailharrison.com>
Co-authored-by: Peter Dave Hello <hsu@peterdavehello.org>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mo khan <mo@mokhan.ca>
Co-authored-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
Co-authored-by: Loren Gordon <lorengordon@users.noreply.github.com>
Co-authored-by: Jurre Stender <jurrestender@gmail.com>
Co-authored-by: Jurre <jurre@github.com>
Co-authored-by: Nish Sinha <nishnha@github.com>
Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>
Co-authored-by: Guilherme Duarte <gjsduarte@gmail.com>
Co-authored-by: Heine Furubotten <hfurubotten@users.noreply.github.com>
Co-authored-by: Benedikt Ritter <beneritter@gmail.com>
Co-authored-by: wolf-cola <86134169+wolf-cola@users.noreply.github.com>
Co-authored-by: wolf-cola <wolf.cola.official@protonmail.com>
AlekhyaYalla pushed a commit to GiriB/dependabot-core that referenced this pull request Nov 9, 2021
* Raise on ruby 2.7 deprecation warnings

Break tests if we introduce any ruby 2.7 deprecation warnings.

* Fix ruby 2.7 deprecations

* Add `--no-install-recommends` to all `apt-get install` in Dockerfile

This option will prevent not needed package being installed, make the
image smaller.

* Double quote variables in shellscript

This will help prevent globbing and word splitting. Most of them are
already quoted, just few of them are missed.

* v0.154.1

* Double quote variables in Dockerfile's shellscript, cc dependabot#3917

* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.2 to 2.6.3.
- [Release notes](https://github.com/npm/arborist/releases)
- [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
- [Commits](npm/arborist@v2.6.2...v2.6.3)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bundler: attempt to isolate flaky test

Seeing a bunch of CI failures from this force updater spec:
`NoMethodError with message: undefined method `name' for "Gemfile":String`

Ref: https://github.com/dependabot/dependabot-core/pull/3923/checks?check_run_id=2842564846

I haven't managed to reproduce this locally yet.

* Add more failing specs

* Fix ruby 2.7 deprecations in python

* Add more flaky test candidates

* Github actions: Handle no latest version found

When no latest version can be found return nil to prevent the update
checker from comparing the version with the current version:

```
ArgumentError: comparison of String with Dependabot::GithubActions::Version failed
```

* Strip auth headers from VCR cassettes

* Fix spec

* Remove nil guard

* Fix cops

* Terraform: Handle 401 registry responses

Raise a `PrivateSourceAuthenticationFailure` with the provided hostname
if the registry responds with a `401`.

* v0.154.2

* Terraform: handle dependencies without a namespace

Default providers without a namespace to `hashicorp`.

* chore: add lint job to check shell scripts

* fix shellcheck errors in shellcheck linter script

* chore: break out files to each line

* chore: use sudo to install apt packages

* chore: allow passing args to shellscript. e.g ./bin/lint -f diff

* chore: fix SC2006

```plaintext
In ./hex/helpers/build line 18:
case `uname` in
     ^-----^ SC2006: Use $(...) notation instead of legacy backticked `...`.

Did you mean:
case $(uname) in
```

https://github.com/koalaman/shellcheck/wiki/SC2006

* chore: fix SC2086 in docker-dev-shell

```plaintext
In ./bin/docker-dev-shell line 61:
echo $RUNNING
     ^------^ SC2086: Double quote to prevent globbing and word splitting.
```

https://github.com/koalaman/shellcheck/wiki/SC2086

* chore: fix SC2006

```plaintext
In ./bin/docker-dev-shell line 14:
OPTS=`getopt -o hr --long help,rebuild -n 'parse-options' -- "$@"`
^--^ SC2034: OPTS appears unused. Verify use (or export if used externally).
     ^-- SC2006: Use $(...) notation instead of legacy backticked `...`.
```

https://github.com/koalaman/shellcheck/wiki/SC2006

* chore: ignore existing shellcheck issues

* chore: add ecosystem specific script files to linter list

* chore: remove unnecessary headers

* rake rubocop:sort

* enable Style/* and autofix

* enable Lint/* and autoformat

* final rubocop warnings

* Replace wget with curl for minimized dependency

Use single tool for the same purpose, simplify the tool dependency, and
also make the Docker image a little bit more smaller.

* Fetches upload-pack using git if http fails

* test: pin constraint to ensure deterministic test results

* test: update declared constraints in expectation

* test: tweak assertion to match new constraint

* test: update fixture constraint to ensure resolution falls within a deterministic range

* chore: install shellcheck in the dev container

* Updates existing error handling tests to mock capture3 call

* Adds tests for fallback where HTTP fails but git ls-remote succeeds

* fix url in test

* Reformats lines to accomodate line-length lint finding

* Streamlines git ls-remote fallback logic to remove unused response values

* Updates github pull request tests to mock-fail git ls-remote fallback

* Updates metadata commits finder tests to mock-fail git ls-remote fallback

* Updates git commit checker tests to mock-fail git ls-remote fallback

* Returns basename and relative path in CodeCommit file fetcher

Previously, the `name` and `path` attributes were both the absolute
path for all files retrieved from CodeCommit sources. This caused
problems in `fetch_file_from_host`, which joins the `directory`
from the config with the `filename`. When `filename` is the absolute
path, this essentially duplicated the directory in the result, e.g.
`directory/directory/relative path`.

This change returns the basename and relative path instead, matching
the implemenation for azure devops, and allowing the join in `fetch_file_from_host`
to return `directory/relative path`

* build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps [eslint](https://github.com/eslint/eslint) from 7.28.0 to 7.29.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.28.0...v7.29.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): update commonmarker requirement from >= 0.20.1, < 0.22.0 to >= 0.20.1, < 0.23.0

Updates the requirements on [commonmarker](https://github.com/gjtorikian/commonmarker) to permit the latest version.
- [Release notes](https://github.com/gjtorikian/commonmarker/releases)
- [Commits](gjtorikian/commonmarker@v0.20.1...v0.21.2)

---
updated-dependencies:
- dependency-name: commonmarker
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.89...0.12.90)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Clarify support policies in README and Issue template

We tend to get a lot of questions here about the Dependabot service that
we operate at GitHub. Many of those questions are much easier to resolve
when going through Support, as they have much better tooling and
processes to follow up on those sorts of questions.

This attempts to clarify that in the README and issue template.

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.89 to 0.12.90.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.89...0.12.90)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Terraform: handle unreachable private module proxy

Raise a `PrivateSourceAuthenticationFailure` when a private module proxy
can't be reached.

* Terraform: handle missing source

Silently ignore failing source requests to not block PR creation.
Returning nil here will cause the PR creator to not include any
changelogs/release notes.

* v0.154.3

* expected credentials

* bin/ci-test

* Add version_filter module to common, remove from ecosystem update_checker

* Check if the version is a Gem::Version, not the advisory

* Run rubocop

* Run rubocop

* Move include up in class hierarchy

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Make filter_vulnerable_versions stateless

* Rubocop

* Remove VersionFilters include

Co-authored-by: Jurre <jurre@github.com>

* Reorder #lowest_security_fix_version filters

* Rubocop

* ci-test: shellcheck yourself

before you shellwreck yourself

* docker-dev-shell: do not rename gemspec

* devcontainer: do not rename gemspec

* Add fetch_lowest_security_fix_version and test

* Working security advisory test

* Add lowest_resolvable_security_fix_version

* Update LatestVersionFinder tests to use new fixture tags

* Update test suite, add lowest_security_fix_version tests

* Rubocop

* temp commit

* Initialize :security_advsiories as an empty array, remove pending test

* Add latest_version_checker to UpdateChecker, add tests for security advisories

* Use stateless filter_vulnerable_versions

* Add missing assignment

* Clarifying external contribution guidelines

See dependabot#3943

* Move `#filter_vulnerable_version` to come before `#filter_ignored_version`

* Terraform: handle nested module sources

Relax the regex that matches module sources to include nested modules.

* v0.154.4

* Create changelog from merge commits

* Add link to pr

* Check out branch before committing changes

* Update bin/bump-version.rb

* Swap version filters

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Terraform: install modules when updating lockfile

Terraform requires modules to be installed with `terraform init` when
updating the lockfile. Opted to only run `terraform init` if the call to
`terraform providers lock` bails out and retry.

We could opt to always run `terraform init` if there are any modules
defined but would mean parsing the dependency files and checking if any
of the dependencies are modules as we only have access to the current
dependency, which in this case is provider.

* Update test to reflect dependency version after update

* v0.154.5

* Add test for indirect dependencies to `#lowest_resolvable_security_fix`

* v0.155.0

* GemspecSanitizer replace interpolated strings

The previous impl only replaced the components of the interpolated
string that looked like versions.

When this is called with a `replacement_version` read from
`Gemfile.lock`, the replacement value based on the interpolated string.

* nuget: RepositoryFinder might not find PackageBaseAddress

* nuget: handle RepositoryDetails without BaseAddress

* autoformat fixture

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.0.4 to 27.0.5.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v27.0.4...v27.0.5)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump pip-tools from 6.1.0 to 6.2.0 in /python/helpers

Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md)
- [Commits](jazzband/pip-tools@6.1.0...6.2.0)

---
updated-dependencies:
- dependency-name: pip-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Terraform: fix module updates with a lockfile

This is the other side of dependabot#3968

This fixes module updates when there's a lockfile present. Modules are
not included in the lockfile so adding a guard to only attempt lockfile
updates for providers.

Fixed some test setup to match what the parsed files would look like.

* v0.155.1

* feature: Add support for Hex sub-projects

* clean: Refactor tests to use new pattern

* Terraform: clone repository contents for update

Terraform projects can include local path modules that are currently not
fetched in the file fetching step so any lockfile update will fail
because these files are missing.

The easiest fix seemed to be to always start cloning terraform projects
as this is what we want to end up doing for all ecosystems.

The file fetcher will still hit the gh api when getting the reo contents
but this would require changes in common so keen to make that change
separately as it currently works.

* Stop double writing dependecy files

* v0.155.2

* Update CHANGELOG.md

* Bump minor for change to cloning

Merged too quickly dependabot#3979
Makes sense to bump minor for the terraform cloning change.

* Exclude release note merges in changelog

Exclude release note merges in generated changelog.

For example: dependabot#3977

* build(deps-dev): update rubocop requirement from ~> 1.16.0 to ~> 1.17.0

Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.16.0...v1.17.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

* Enable new cops

* Fix cops

* Terraform: Configure git for `terraform init` and capture errors

When attempting to `terraform init` when there are private module
sources present, currently we raise a `HelperSubprocessFailed`.

Terraform will attempt to use any git credentials that are configured,
so passing these along should help in some cases when Dependabot is
configured to access these, and when it isn't we should raise a
PrivateSourceAuthenticationFailure to communicate more clearly that we
cannot reach a certain source.

It's a little unfortunate that we even need to do this, because this
happens when we attempt to update a lockfile, and these don't support
modules. However, `terraform providers lock` will still complain about
modules needing to be installed, and this should do a better job of
that.

* v0.156.1

* Terraform: Prevent `terraform init` from initializing backends

* remove `strip_terminal_colors`

as its not needed anymore

* pin azurerm versions in test fixtures

prevents new versions from breaking the tests

* prefer Dependabot::Python::FileParser::PoetryFilesParser::POETRY_DEPENDENCY_TYPES

* poetry_files_parser ignore paths

* poetry ignore url dependencies too

* linter

* outdated test

* v0.156.2

* build(deps-dev): bump prettier in /npm_and_yarn/helpers

Bumps [prettier](https://github.com/prettier/prettier) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump poetry from 1.1.6 to 1.1.7 in /python/helpers

Bumps [poetry](https://github.com/python-poetry/poetry) from 1.1.6 to 1.1.7.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/1.1.7/CHANGELOG.md)
- [Commits](python-poetry/poetry@1.1.6...1.1.7)

---
updated-dependencies:
- dependency-name: poetry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump pip from 21.1.2 to 21.1.3 in /python/helpers

Bumps [pip](https://github.com/pypa/pip) from 21.1.2 to 21.1.3.
- [Release notes](https://github.com/pypa/pip/releases)
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@21.1.2...21.1.3)

---
updated-dependencies:
- dependency-name: pip
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* PR Updater: Handle required status checks

As per [the docs][docs] when branch protection rules are enabled, force
pushing to them is disabled.

This handles errors when this happens and raises a `BranchProtected`
error, which will allow us to handle this gracefully and inform the user
of this.

[docs]: https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-rules

* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.3 to 2.6.4.
- [Release notes](https://github.com/npm/arborist/releases)
- [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
- [Commits](npm/arborist@v2.6.3...v2.6.4)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.0.5 to 27.0.6.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
- [Commits](jestjs/jest@v27.0.5...v27.0.6)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): update rubocop requirement from ~> 1.17.0 to ~> 1.18.0

Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add support for fetching extensions.xml files

These files contain dependency coordinates for Maven extensions that
want to receive the Maven afterSessionStart event. The file is always
located in the .mvn folder in the project root and is optional.

See also
  - https://maven.apache.org/guides/mini/guide-using-extensions.html
  - https://maven.apache.org/examples/maven-3-lifecycle-extensions.html

* Add support for extensions.xml to parser

extensions.xml files can only contain an extensions block specifying one
or more extension dependency. The extension nodes only have groupId,
artifactId and version.

* Add update support for extension.xml files

Adjusts the maven file_updater to also process extensions.xml files.
Methods and variables that are now used for either file type have been
renamed accordingly.

* Fix rubocop violations

* Use `if` instead `unless nil`

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Simplify using `fetch_file_if_present`

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Simplify updated files check

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Make sure code works even if `.mvn` directory is missing

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Always require a pom.xml file

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Remove empty line

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Remove empty line

Co-authored-by: Philip Harrison <philip@mailharrison.com>

* Fix linter error

Co-authored-by: mo khan <mo@mokhan.ca>

* Fix linter error

* v0.156.3

* Fix spec stubs

* add Unauthorized exception to azure.rb

* add tests for azure client

* v0.156.4

* fix trailing whitespace

* fix trailing whitespace

* test: place upper bound on version constraint

* Gomod: Handle unrecognized import path error

When referencing a go proxy that 404s, we see this error. Previously
this would not be handled, but it should result in a
DependencyFileNotResolvable error, so users have a sense of what's
wrong.

* test: reproduce a defect with relative paths using poetry

* test: ensure both the pyproject and lock file are updated

* fix(poetry): copy all project files when generating lockfile hash

* style: fix linter errors

* build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps [eslint](https://github.com/eslint/eslint) from 7.29.0 to 7.30.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.29.0...v7.30.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* add response 200 context block for #create_commit test

* add 403 test for Azure.create_commit

* add test for fetch_commit

* fix trailing whitespace

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.90...0.12.92)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.90 to 0.12.92.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.90...0.12.92)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* v0.156.5

* syntax error

Co-authored-by: Philip Harrison <philip@mailharrison.com>
Co-authored-by: Peter Dave Hello <hsu@peterdavehello.org>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: mo khan <mo@mokhan.ca>
Co-authored-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com>
Co-authored-by: Loren Gordon <lorengordon@users.noreply.github.com>
Co-authored-by: Jurre Stender <jurrestender@gmail.com>
Co-authored-by: Jurre <jurre@github.com>
Co-authored-by: Nish Sinha <nishnha@github.com>
Co-authored-by: Mike McDonald <2575327+asciimike@users.noreply.github.com>
Co-authored-by: Guilherme Duarte <gjsduarte@gmail.com>
Co-authored-by: Heine Furubotten <hfurubotten@users.noreply.github.com>
Co-authored-by: Benedikt Ritter <beneritter@gmail.com>
Co-authored-by: wolf-cola <86134169+wolf-cola@users.noreply.github.com>
Co-authored-by: wolf-cola <wolf.cola.official@protonmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant