Open
Labels: enhancement (New feature or request)
Description
Problem
Evergreen currently detects 14 package ecosystems, but Dependabot supports 30+. Users with repos using ecosystems we don't detect won't get dependabot configuration suggestions for those ecosystems.
Proposal
Add detection support for the remaining Dependabot-supported ecosystems. Most are straightforward - just adding entries to the package_managers dict in dependabot_file.py.
Easy additions (file-based detection)
| Ecosystem | YAML value | Manifest files |
|---|---|---|
| Bazel | `bazel` | `MODULE.bazel`, `WORKSPACE`, `WORKSPACE.bazel` |
| Bun | `bun` | `bun.lock` |
| Conda | `conda` | `environment.yml`, `conda.yaml` |
| Docker Compose | `docker-compose` | `docker-compose.yml`, `compose.yaml` |
| .NET SDK | `dotnet-sdk` | `global.json` |
| Elm | `elm` | `elm.json` |
| Git submodule | `gitsubmodule` | `.gitmodules` |
| Julia | `julia` | `Project.toml` |
| pre-commit | `pre-commit` | `.pre-commit-config.yaml` |
| Pub (Dart) | `pub` | `pubspec.yaml` |
| Rust toolchain | `rust-toolchain` | `rust-toolchain.toml` |
| Swift | `swift` | `Package.swift` |
| uv | `uv` | `uv.lock` |
| vcpkg | `vcpkg` | `vcpkg.json` |
Medium complexity (directory scanning or special handling)
| Ecosystem | YAML value | Notes |
|---|---|---|
| Helm | `helm` | Needs directory scanning for `Chart.yaml` (similar to terraform) |
| OpenTofu | `opentofu` | Shares `.tf` files with terraform - need to determine how to distinguish or handle overlap |
Already covered under existing ecosystems
These use the same YAML values and are already detected by evergreen:
- pipenv / poetry / uv → detected via `pip` (we already check `Pipfile`, `poetry.lock`, `pyproject.toml`)
- pnpm / yarn → detected via `npm` (we already check `yarn.lock`, `package-lock.json`)
Implementation notes
- Each file-based ecosystem requires ~2 lines in `dependabot_file.py` (add to `package_managers_found` dict and `package_managers` dict)
- Add each new ecosystem to `SUPPORTED_PACKAGE_ECOSYSTEMS` in `env.py`
- Add tests in `test_dependabot_file.py`
- Update `README.md` `EXEMPT_ECOSYSTEMS` docs (which is already missing `gradle` and `devcontainers`)
- Could be done incrementally (a few ecosystems per PR) or all at once
Additional context
Discovered while working on #489. The current ecosystem list was established in May 2024 and hasn't been expanded since.
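
An added illustration of the detection described in this issue, not code from the issue or from evergreen: it maps the manifest files in the "easy additions" table to their YAML values, scans every directory for `Chart.yaml` as proposed for Helm, and renders the matching `dependabot.yml` entries. The names `ROOT_MANIFESTS`, `SCANNED_MANIFESTS`, `detect_ecosystems` and `render_updates` are hypothetical, and it assumes file-based ecosystems are matched only at the repository root; the unresolved OpenTofu/terraform overlap is left out.

```python
from pathlib import PurePosixPath

# Manifest files per ecosystem, copied from the issue's "easy additions" table.
ROOT_MANIFESTS = {
    "bazel": ["MODULE.bazel", "WORKSPACE", "WORKSPACE.bazel"],
    "bun": ["bun.lock"],
    "conda": ["environment.yml", "conda.yaml"],
    "docker-compose": ["docker-compose.yml", "compose.yaml"],
    "dotnet-sdk": ["global.json"],
    "elm": ["elm.json"],
    "gitsubmodule": [".gitmodules"],
    "julia": ["Project.toml"],
    "pre-commit": [".pre-commit-config.yaml"],
    "pub": ["pubspec.yaml"],
    "rust-toolchain": ["rust-toolchain.toml"],
    "swift": ["Package.swift"],
    "uv": ["uv.lock"],
    "vcpkg": ["vcpkg.json"],
}
# Ecosystems the issue says need directory scanning: match the name at any depth.
SCANNED_MANIFESTS = {"helm": "Chart.yaml"}

def detect_ecosystems(paths):
    """Return {ecosystem: sorted directories} for repo-relative file paths."""
    found = {}
    for raw in paths:
        p = PurePosixPath(raw)
        directory = "/" if str(p.parent) == "." else "/" + str(p.parent)
        for eco, names in ROOT_MANIFESTS.items():
            # Assumption: file-based ecosystems only count at the repository root.
            if directory == "/" and p.name in names:
                found.setdefault(eco, set()).add("/")
        for eco, name in SCANNED_MANIFESTS.items():
            if p.name == name:
                found.setdefault(eco, set()).add(directory)
    return {eco: sorted(dirs) for eco, dirs in sorted(found.items())}

def render_updates(found, interval="weekly"):
    """Render dependabot.yml with one update entry per ecosystem and directory."""
    lines = ["version: 2", "updates:"]
    for eco, dirs in found.items():
        for d in dirs:
            lines += [f'  - package-ecosystem: "{eco}"', f'    directory: "{d}"',
                      "    schedule:", f'      interval: "{interval}"']
    return "\n".join(lines) + "\n"

# Constructed sample file listing (not from a real repository).
SAMPLE = ["bun.lock", "README.md", ".gitmodules", "vendor/tool/elm.json",
          "charts/api/Chart.yaml", "charts/web/Chart.yaml"]
if __name__ == "__main__":
    print(render_updates(detect_ecosystems(SAMPLE)))
```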