From 2f66afb08609a12ecafbf06392724dcdc9b76dd0 Mon Sep 17 00:00:00 2001 From: Sarita Iyer Date: Fri, 2 Apr 2021 14:54:00 -0400 Subject: [PATCH 01/12] Adding help page for switch to Github-native Dependabot --- .../supply-chain-security/index.md | 1 + ...endabot-com-to-github-native-dependabot.md | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md diff --git a/content/code-security/supply-chain-security/index.md b/content/code-security/supply-chain-security/index.md index 3204a8868414..9c3b5dfea8eb 100644 --- a/content/code-security/supply-chain-security/index.md +++ b/content/code-security/supply-chain-security/index.md @@ -20,6 +20,7 @@ topics: {% link_in_list /exploring-the-dependencies-of-a-repository %} {% topic_link_in_list /keeping-your-dependencies-updated-automatically %} {% link_in_list /about-dependabot-version-updates %} + {% link_in_list /switching-from-dependabot-com-to-github-native-dependabot %} {% link_in_list /enabling-and-disabling-version-updates %} {% link_in_list /listing-dependencies-configured-for-version-updates %} {% link_in_list /managing-pull-requests-for-dependency-updates %} diff --git a/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md b/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md new file mode 100644 index 000000000000..1d050fffe2dc --- /dev/null +++ b/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md 
@@ -0,0 +1,38 @@ +--- +title: Switching from Dependabot.com to Github-native Dependabot +intro: 'You can quickly upgrade to Github-native Dependabot by merging a pull request, and your packages will keep being updated.' +versions: + free-pro-team: '*' +topics: + - repositories +--- + +### About the switch from Dependabot Preview to GitHub-native {% data variables.product.prodname_dependabot %} + +The majority of Dependabot Preview features have now been built directly into GitHub, so you can use {% data variables.product.prodname_dependabot %} alongside all the other functionality in GitHub without having to go to a separate application. By migrating to GitHub-native {% data variables.product.prodname_dependabot %} and shutting down Dependabot Preview, we can also focus on bringing lots of exciting new features to {% data variables.product.prodname_dependabot %}, including more ecosystem updates, improved notifications, and {% data variables.product.prodname_dependabot %} support for {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_ghe_managed %}. + +### Shutdown timeline for Dependabot.com and Dependabot Preview + +**The Dependabot Preview app and Dependabot.com will shut down on July 7th, 2021**. Any open PRs from the dependabot-preview bot will remain open, but the bot itself will no longer work on your GitHub accounts and organizations. You’ll need to upgrade to GitHub-native {% data variables.product.prodname_dependabot %} by that time to keep using {% data variables.product.prodname_dependabot %} functionality. + +As of April 7, 2021, the Dependabot Preview app and Dependabot.com will no longer accept new customers. 
+ +### Differences between Dependabot Preview and GitHub-native {% data variables.product.prodname_dependabot %} + +While most Dependabot Preview features were built into GitHub-native {% data variables.product.prodname_dependabot %}, several aren't available: +- **Live updates:** We hope to bring these back in the future. For now, you can run GitHub {% data variables.product.prodname_dependabot %} daily to catch new packages within one day of release. +- **PHP environment variable and Elixir organization registries:** These features have not been added due to low usage in Dependabot Preview, but we are investigating if there are other solutions. For now, you can use {% data variables.product.prodname_actions %} to fetch dependencies from these registries. +- **Auto-merge:** Auto-merge will not be supported for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but we’re concerned about auto-merge being used to quickly propagate a malicious package across millions of developers. For those of you who have vetted your dependencies, or are only using internal dependencies, you can install third party auto-merge apps, or set up {% data variables.product.prodname_actions %} to merge. We recommend always verifying your dependencies before merging them. + +In GitHub-native {% data variables.product.prodname_dependabot %}, all configuration of version updates is done via the configuration file. This file is very similar to the Dependabot Preview configuration file, but we’ve made a few changes and improvements that will be automatically included in the upgrade pull request. You can see the update logs that used to be on the Dependabot.com dashboard by going to your repository’s **Insights** page, clicking the **Dependency graph** tab on the left, and then clicking **{% data variables.product.prodname_dependabot %}**. 
+ +For more information about version updates with GitHub-native Dependabot, see "[About Dependabot version updates](/code-security/supply-chain-security/about-dependabot-version-updates)." + +### Upgrading to GitHub-native {% data variables.product.prodname_dependabot %} + +Upgrading from Dependabot Preview to GitHub-native {% data variables.product.prodname_dependabot %} requires only one step: enabling version updates. + +To enable {% data variables.product.prodname_dependabot %} version updates, merge the pull request in your repository called *Upgrade to GitHub-native Dependabot by July 7th*. This pull request includes the updated configuration file needed for Github-native {% data variables.product.prodname_dependabot %}. + +If you have any questions or need help migrating, you can view or open issues in [dependabot/dependabot-core/issues](https://github.com/dependabot/dependabot-core/issues). + From 6fe4f14e3b26ca8f6f364311332b9036fb313e0b Mon Sep 17 00:00:00 2001 From: Sarita Iyer Date: Fri, 2 Apr 2021 15:08:04 -0400 Subject: [PATCH 02/12] updated intro to include more information --- ...switching-from-dependabot-com-to-github-native-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md b/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md index 1d050fffe2dc..ae4318961003 100644 --- a/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md +++ b/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md 
@@ -1,6 +1,6 @@ --- title: Switching from Dependabot.com to Github-native Dependabot -intro: 'You can quickly upgrade to Github-native Dependabot by merging a pull request, and your packages will keep being updated.' +intro: 'Dependabot.com and Dependabot Preview are being shut down on July 7th, 2021. You can easily upgrade to Github-native Dependabot by merging a pull request, and your packages will keep being updated.' versions: free-pro-team: '*' topics: From 3655e0bd9cb7a0da3175f317e7e516117d0550cd Mon Sep 17 00:00:00 2001 From: Sarita Iyer Date: Fri, 2 Apr 2021 16:22:41 -0400 Subject: [PATCH 03/12] added frontmatter regarding title to fix failing test --- .../switching-from-dependabot-com-to-github-native-dependabot.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md b/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md index ae4318961003..f2ce6f09fb81 100644 --- a/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md +++ b/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md @@ -1,6 +1,7 @@ --- title: Switching from Dependabot.com to Github-native Dependabot intro: 'Dependabot.com and Dependabot Preview are being shut down on July 7th, 2021. You can easily upgrade to Github-native Dependabot by merging a pull request, and your packages will keep being updated.' +allowTitleToDifferFromFilename: true versions: free-pro-team: '*' topics: From 99df60bea17703ac680e60838cb7ef7f3a0ffa76 Mon Sep 17 00:00:00 2001 
From: Sarita Iyer Date: Fri, 2 Apr 2021 16:38:31 -0400 Subject: [PATCH 04/12] reconciled filename to url --- ... switching-from-dependabotcom-to-github-native-dependabot.md} | 1 - 1 file changed, 1 deletion(-) rename content/code-security/supply-chain-security/{switching-from-dependabot-com-to-github-native-dependabot.md => switching-from-dependabotcom-to-github-native-dependabot.md} (99%) diff --git a/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md b/content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md similarity index 99% rename from content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md rename to content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md index f2ce6f09fb81..ae4318961003 100644 --- a/content/code-security/supply-chain-security/switching-from-dependabot-com-to-github-native-dependabot.md +++ b/content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md @@ -1,7 +1,6 @@ --- title: Switching from Dependabot.com to Github-native Dependabot intro: 'Dependabot.com and Dependabot Preview are being shut down on July 7th, 2021. You can easily upgrade to Github-native Dependabot by merging a pull request, and your packages will keep being updated.' -allowTitleToDifferFromFilename: true versions: free-pro-team: '*' topics: From bfc80e23884cb407230cade18d05fd6417273b56 Mon Sep 17 00:00:00 2001 From: Sarita Iyer Date: Fri, 2 Apr 2021 16:51:59 -0400 Subject: [PATCH 05/12] fixed wrong url --- content/code-security/supply-chain-security/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/supply-chain-security/index.md b/content/code-security/supply-chain-security/index.md index 9c3b5dfea8eb..7aee7ea21d09 100644 --- a/content/code-security/supply-chain-security/index.md 
+++ b/content/code-security/supply-chain-security/index.md @@ -20,7 +20,7 @@ topics: {% link_in_list /exploring-the-dependencies-of-a-repository %} {% topic_link_in_list /keeping-your-dependencies-updated-automatically %} {% link_in_list /about-dependabot-version-updates %} - {% link_in_list /switching-from-dependabot-com-to-github-native-dependabot %} + {% link_in_list /switching-from-dependabotcom-to-github-native-dependabot %} {% link_in_list /enabling-and-disabling-version-updates %} {% link_in_list /listing-dependencies-configured-for-version-updates %} {% link_in_list /managing-pull-requests-for-dependency-updates %} From f1833ddfab7a7f27204f6abb2448e702bc888bbf Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Fri, 2 Apr 2021 17:03:24 -0400 Subject: [PATCH 06/12] adding suggestion from PR --- .../switching-from-dependabotcom-to-github-native-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md b/content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md index ae4318961003..b09d71d8d437 100644 --- a/content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md +++ b/content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md @@ -1,6 +1,6 @@ --- title: Switching from Dependabot.com to Github-native Dependabot -intro: 'Dependabot.com and Dependabot Preview are being shut down on July 7th, 2021. You can easily upgrade to Github-native Dependabot by merging a pull request, and your packages will keep being updated.' +intro: 'Dependabot.com and Dependabot Preview are being shut down on July 7th, 2021. You can easily upgrade to Github-native Dependabot by merging a pull request, and your dependencies will keep being updated.' versions: free-pro-team: '*' topics: 
From a9c218002e4c9091fa269a4cea62928bb2bd7fa8 Mon Sep 17 00:00:00 2001 From: Sarita Iyer Date: Mon, 5 Apr 2021 12:18:43 -0400 Subject: [PATCH 07/12] Incorporating review suggestions --- .../supply-chain-security/index.md | 2 +- ...pendabotcom-to-github-native-dependabot.md | 38 ---------------- ...pendabotcom-to-github-native-dependabot.md | 43 +++++++++++++++++++ 3 files changed, 44 insertions(+), 39 deletions(-) delete mode 100644 content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md create mode 100644 content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md diff --git a/content/code-security/supply-chain-security/index.md b/content/code-security/supply-chain-security/index.md index 7aee7ea21d09..e5358daad07a 100644 --- a/content/code-security/supply-chain-security/index.md +++ b/content/code-security/supply-chain-security/index.md @@ -20,7 +20,7 @@ topics: {% link_in_list /exploring-the-dependencies-of-a-repository %} {% topic_link_in_list /keeping-your-dependencies-updated-automatically %} {% link_in_list /about-dependabot-version-updates %} - {% link_in_list /switching-from-dependabotcom-to-github-native-dependabot %} + {% link_in_list /upgrading-from-dependabotcom-to-github-native-dependabot %} {% link_in_list /enabling-and-disabling-version-updates %} {% link_in_list /listing-dependencies-configured-for-version-updates %} {% link_in_list /managing-pull-requests-for-dependency-updates %} diff --git a/content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md b/content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md deleted file mode 100644 index b09d71d8d437..000000000000 --- a/content/code-security/supply-chain-security/switching-from-dependabotcom-to-github-native-dependabot.md +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: Switching from Dependabot.com to Github-native Dependabot -intro: 'Dependabot.com and Dependabot Preview are being shut down on July 7th, 2021. You can easily upgrade to Github-native Dependabot by merging a pull request, and your dependencies will keep being updated.' -versions: - free-pro-team: '*' -topics: - - repositories ---- - -### About the switch from Dependabot Preview to GitHub-native {% data variables.product.prodname_dependabot %} - -The majority of Dependabot Preview features have now been built directly into GitHub, so you can use {% data variables.product.prodname_dependabot %} alongside all the other functionality in GitHub without having to go to a separate application. By migrating to GitHub-native {% data variables.product.prodname_dependabot %} and shutting down Dependabot Preview, we can also focus on bringing lots of exciting new features to {% data variables.product.prodname_dependabot %}, including more ecosystem updates, improved notifications, and {% data variables.product.prodname_dependabot %} support for {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_ghe_managed %}. - -### Shutdown timeline for Dependabot.com and Dependabot Preview - -**The Dependabot Preview app and Dependabot.com will shut down on July 7th, 2021**. Any open PRs from the dependabot-preview bot will remain open, but the bot itself will no longer work on your GitHub accounts and organizations. You’ll need to upgrade to GitHub-native {% data variables.product.prodname_dependabot %} by that time to keep using {% data variables.product.prodname_dependabot %} functionality. - -As of April 7, 2021, the Dependabot Preview app and Dependabot.com will no longer accept new customers. 
- -### Differences between Dependabot Preview and GitHub-native {% data variables.product.prodname_dependabot %} - -While most Dependabot Preview features were built into GitHub-native {% data variables.product.prodname_dependabot %}, several aren't available: -- **Live updates:** We hope to bring these back in the future. For now, you can run GitHub {% data variables.product.prodname_dependabot %} daily to catch new packages within one day of release. -- **PHP environment variable and Elixir organization registries:** These features have not been added due to low usage in Dependabot Preview, but we are investigating if there are other solutions. For now, you can use {% data variables.product.prodname_actions %} to fetch dependencies from these registries. -- **Auto-merge:** Auto-merge will not be supported for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but we’re concerned about auto-merge being used to quickly propagate a malicious package across millions of developers. For those of you who have vetted your dependencies, or are only using internal dependencies, you can install third party auto-merge apps, or set up {% data variables.product.prodname_actions %} to merge. We recommend always verifying your dependencies before merging them. - -In GitHub-native {% data variables.product.prodname_dependabot %}, all configuration of version updates is done via the configuration file. This file is very similar to the Dependabot Preview configuration file, but we’ve made a few changes and improvements that will be automatically included in the upgrade pull request. You can see the update logs that used to be on the Dependabot.com dashboard by going to your repository’s **Insights** page, clicking the **Dependency graph** tab on the left, and then clicking **{% data variables.product.prodname_dependabot %}**. 
- -For more information about version updates with GitHub-native Dependabot, see "[About Dependabot version updates](/code-security/supply-chain-security/about-dependabot-version-updates)." - -### Upgrading to GitHub-native {% data variables.product.prodname_dependabot %} - -Upgrading from Dependabot Preview to GitHub-native {% data variables.product.prodname_dependabot %} requires only one step: enabling version updates. - -To enable {% data variables.product.prodname_dependabot %} version updates, merge the pull request in your repository called *Upgrade to GitHub-native Dependabot by July 7th*. This pull request includes the updated configuration file needed for Github-native {% data variables.product.prodname_dependabot %}. - -If you have any questions or need help migrating, you can view or open issues in [dependabot/dependabot-core/issues](https://github.com/dependabot/dependabot-core/issues). - diff --git a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md new file mode 100644 index 000000000000..87d225babcd5 --- /dev/null +++ b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md 
@@ -0,0 +1,43 @@ +--- +title: Upgrading from Dependabot.com to GitHub-native Dependabot +intro: 'Dependabot.com and Dependabot Preview will shut down on July 7th, 2021. You can upgrade to GitHub-native Dependabot by merging a pull request that will allow your dependencies to keep being updated. +versions: + free-pro-team: '*' +topics: + - repositories +--- + +### About upgrading from Dependabot Preview to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} + +The majority of Dependabot Preview features have now been built directly into {% data variables.product.prodname_dotcom %}, so you can use {% data variables.product.prodname_dependabot %} alongside all the other functionality in {% data variables.product.prodname_dotcom %} without having to go to a separate application. By migrating to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} and shutting down Dependabot Preview, we can also focus on bringing lots of exciting new features to {% data variables.product.prodname_dependabot %}, including more ecosystem updates, improved notifications, and {% data variables.product.prodname_dependabot %} support for {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_ghe_managed %}. + +### Shutdown timeline for Dependabot.com and Dependabot Preview + +**The Dependabot Preview app and Dependabot.com will shut down on July 7th, 2021**. Any open pull requests from the Dependabot Preview bot will remain open, but the bot itself will no longer work on your {% data variables.product.prodname_dotcom %} accounts and organizations. You’ll need to upgrade to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} by July 7th to keep using {% data variables.product.prodname_dependabot %} functionality. 
+ +Beginning April 7, 2021, the Dependabot Preview app and Dependabot.com will no longer accept new customers. + +### Differences between Dependabot Preview and {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} + +While we built most of the Dependabot Preview features into {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, a few remain unavailable: +- **Live updates:** We hope to bring these back in the future. For now, you can run {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_dependabot %} daily to catch new packages within one day of release. +- **PHP environment variable and Elixir organization registries:** These features have not been added due to low usage in Dependabot Preview, but we are investigating if there are other solutions. For now, you can use {% data variables.product.prodname_actions %} to fetch dependencies from these registries. +- **Auto-merge:** Auto-merge will not be supported for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but we’re concerned about auto-merge being used to quickly propagate a malicious package across millions of developers. For those of you who have vetted your dependencies, or are only using internal dependencies, you can install third party auto-merge apps, or set up {% data variables.product.prodname_actions %} to merge. We recommend always verifying your dependencies before merging them. + +In {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, you can configure all version updates using the configuration file. This file is similar to the Dependabot Preview configuration file with a few changes and improvements that will be automatically included in your upgrade pull request. 
+ +To see update logs for {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} that were previously on the Dependabot.com dashboard: +1. Navigate to your repository’s **Insights** page. +2. Click **Dependency graph** to the left. +3. Click **{% data variables.product.prodname_dependabot %}**. + +For more information about version updates with {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, see "[About Dependabot version updates](/code-security/supply-chain-security/about-dependabot-version-updates)." + +### Upgrading to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} + +Upgrading from Dependabot Preview to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} requires only one step: enabling version updates by merging a pull request. + +To enable {% data variables.product.prodname_dependabot %} version updates, merge the pull request you will find in your repository called *Upgrade to GitHub-native Dependabot by July 7th*. This pull request includes the updated configuration file needed for {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}. + +If you have any questions or need help migrating, you can view or open issues in the [Dependabot repository](https://github.com/dependabot/dependabot-core/issues). + From c79ef79d1c3bfbacf3c0e3146a9c68f46be5bf53 Mon Sep 17 00:00:00 2001 From: Sarita Iyer Date: Mon, 5 Apr 2021 13:30:25 -0400 Subject: [PATCH 08/12] Fixing PR name and intro error --- ...pgrading-from-dependabotcom-to-github-native-dependabot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md index 87d225babcd5..c4cc66a71201 100644 --- a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md +++ b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md @@ -1,6 +1,6 @@ --- title: Upgrading from Dependabot.com to GitHub-native Dependabot -intro: 'Dependabot.com and Dependabot Preview will shut down on July 7th, 2021. You can upgrade to GitHub-native Dependabot by merging a pull request that will allow your dependencies to keep being updated. +intro: 'Dependabot.com and Dependabot Preview will shut down on July 7th, 2021. You can upgrade to GitHub-native Dependabot by merging a pull request that will allow your dependencies to keep being updated.' versions: free-pro-team: '*' topics: 
@@ -37,7 +37,7 @@ For more information about version updates with {% data variables.product.prodna Upgrading from Dependabot Preview to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} requires only one step: enabling version updates by merging a pull request. -To enable {% data variables.product.prodname_dependabot %} version updates, merge the pull request you will find in your repository called *Upgrade to GitHub-native Dependabot by July 7th*. This pull request includes the updated configuration file needed for {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}. +To enable {% data variables.product.prodname_dependabot %} version updates, merge the pull request you will find in your repository called *Upgrade to GitHub-native Dependabot*. This pull request includes the updated configuration file needed for {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}. If you have any questions or need help migrating, you can view or open issues in the [Dependabot repository](https://github.com/dependabot/dependabot-core/issues). From 3cd22b3cd1ce0a0dc015b339373b4c6ff230367d Mon Sep 17 00:00:00 2001 From: Sarita Iyer Date: Mon, 5 Apr 2021 13:51:03 -0400 Subject: [PATCH 09/12] Fixed procedure --- ...ading-from-dependabotcom-to-github-native-dependabot.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md index c4cc66a71201..b2d44c801709 100644 --- a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md +++ b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md 
@@ -27,9 +27,10 @@ While we built most of the Dependabot Preview features into {% data variables.pr In {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, you can configure all version updates using the configuration file. This file is similar to the Dependabot Preview configuration file with a few changes and improvements that will be automatically included in your upgrade pull request. To see update logs for {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} that were previously on the Dependabot.com dashboard: -1. Navigate to your repository’s **Insights** page. -2. Click **Dependency graph** to the left. -3. Click **{% data variables.product.prodname_dependabot %}**. + + 1. Navigate to your repository’s **Insights** page. + 2. Click **Dependency graph** to the left. + 3. Click **{% data variables.product.prodname_dependabot %}**. For more information about version updates with {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, see "[About Dependabot version updates](/code-security/supply-chain-security/about-dependabot-version-updates)." From 0406fb749653bb5dedff0de093570f40bec6ba44 Mon Sep 17 00:00:00 2001 From: Sarita Iyer Date: Mon, 5 Apr 2021 16:26:17 -0400 Subject: [PATCH 10/12] Added links to issues on public roadmap --- ...pgrading-from-dependabotcom-to-github-native-dependabot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md index b2d44c801709..2e5e0e19c06e 100644 --- a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md 
+++ b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md 
@@ -9,7 +9,7 @@ topics: ### About upgrading from Dependabot Preview to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} -The majority of Dependabot Preview features have now been built directly into {% data variables.product.prodname_dotcom %}, so you can use {% data variables.product.prodname_dependabot %} alongside all the other functionality in {% data variables.product.prodname_dotcom %} without having to go to a separate application. By migrating to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} and shutting down Dependabot Preview, we can also focus on bringing lots of exciting new features to {% data variables.product.prodname_dependabot %}, including more ecosystem updates, improved notifications, and {% data variables.product.prodname_dependabot %} support for {% data variables.product.prodname_ghe_server %} and {% data variables.product.prodname_ghe_managed %}. +The majority of Dependabot Preview features have now been built directly into {% data variables.product.prodname_dotcom %}, so you can use {% data variables.product.prodname_dependabot %} alongside all the other functionality in {% data variables.product.prodname_dotcom %} without having to go to a separate application. By migrating to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} and shutting down Dependabot Preview, we can also focus on bringing lots of exciting new features to {% data variables.product.prodname_dependabot %}, including more [ecosystem updates](https://github.com/github/roadmap/issues/150), [improved notifications](https://github.com/github/roadmap/issues/133), and {% data variables.product.prodname_dependabot %} support for [{% data variables.product.prodname_ghe_server %}](https://github.com/github/roadmap/issues/86) and [{% data variables.product.prodname_ghe_managed %}](https://github.com/github/roadmap/issues/135). 
### Shutdown timeline for Dependabot.com and Dependabot Preview 
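Review bot: the four links added in this hunk (ecosystem updates, improved notifications, GHES and GHAE support) point at github/roadmap issues, which are status trackers rather than documentation, so once each item ships or is withdrawn the sentence "bringing lots of exciting new features" will link to stale or closed issues. Suggest linking the docs or changelog entry for each feature where one exists, or leaving the list unlinked as before, and in either case adding a reminder to revisit these links when the roadmap items close.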
@@ -24,7 +24,7 @@ While we built most of the Dependabot Preview features into {% data variables.pr - **PHP environment variable and Elixir organization registries:** These features have not been added due to low usage in Dependabot Preview, but we are investigating if there are other solutions. For now, you can use {% data variables.product.prodname_actions %} to fetch dependencies from these registries. - **Auto-merge:** Auto-merge will not be supported for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but we’re concerned about auto-merge being used to quickly propagate a malicious package across millions of developers. For those of you who have vetted your dependencies, or are only using internal dependencies, you can install third party auto-merge apps, or set up {% data variables.product.prodname_actions %} to merge. We recommend always verifying your dependencies before merging them. -In {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, you can configure all version updates using the configuration file. This file is similar to the Dependabot Preview configuration file with a few changes and improvements that will be automatically included in your upgrade pull request. +In {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, you can configure all version updates using the configuration file. This file is similar to the Dependabot Preview configuration file with a few changes and improvements that will be automatically included in your upgrade pull request. For more information about the upgrade pull request, see "[Upgrading to GitHub-native Dependabot](/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot#upgrading-to-github-native-dependabot)". 
To see update logs for {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} that were previously on the Dependabot.com dashboard: From 6557a305038743babfd93fdb324298d2139b71e9 Mon Sep 17 00:00:00 2001 From: Mike McDonald Date: Thu, 22 Apr 2021 09:20:00 -0600 Subject: [PATCH 11/12] Removing references to shutdown, will add back in when announcing the shutdown --- ...pendabotcom-to-github-native-dependabot.md | 22 ++++++------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md index 2e5e0e19c06e..0a31158358cf 100644 --- a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md +++ b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md @@ -1,6 +1,6 @@ --- title: Upgrading from Dependabot.com to GitHub-native Dependabot -intro: 'Dependabot.com and Dependabot Preview will shut down on July 7th, 2021. You can upgrade to GitHub-native Dependabot by merging a pull request that will allow your dependencies to keep being updated.' +intro: 'You can upgrade to GitHub-native Dependabot by merging a pull request that will allow your dependencies to continue being updated.' versions: free-pro-team: '*' topics: 
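Review bot: the "For more information about the upgrade pull request" sentence added at the end of the @@ -24,7 +24,7 @@ hunk links the article's own "Upgrading to GitHub-native Dependabot" section by full path (/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot#upgrading-to-github-native-dependabot), which breaks on the next rename of this page and duplicates a section that appears further down the same file; a bare fragment `#upgrading-to-github-native-dependabot` would survive a rename. Also confirm the anchor resolves, since the target heading is built from Liquid variables (`{% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}`) and the rendered slug must match the hard-coded fragment.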
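Review bot: in the @@ -1,6 +1,6 @@ intro hunk, dropping the July 7th date matches the commit message, but the surviving sentence "merging a pull request that will allow your dependencies to continue being updated" still implies updates will stop without saying why or when, which is exactly the information the commit removes. Suggest a neutral intro such as "You can upgrade to GitHub-native Dependabot by merging a pull request. Your dependencies continue to be updated." and reintroduce the deadline together with the shutdown announcement.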
@@ -9,20 +9,14 @@ topics: ### About upgrading from Dependabot Preview to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} -The majority of Dependabot Preview features have now been built directly into {% data variables.product.prodname_dotcom %}, so you can use {% data variables.product.prodname_dependabot %} alongside all the other functionality in {% data variables.product.prodname_dotcom %} without having to go to a separate application. By migrating to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} and shutting down Dependabot Preview, we can also focus on bringing lots of exciting new features to {% data variables.product.prodname_dependabot %}, including more [ecosystem updates](https://github.com/github/roadmap/issues/150), [improved notifications](https://github.com/github/roadmap/issues/133), and {% data variables.product.prodname_dependabot %} support for [{% data variables.product.prodname_ghe_server %}](https://github.com/github/roadmap/issues/86) and [{% data variables.product.prodname_ghe_managed %}](https://github.com/github/roadmap/issues/135). - -### Shutdown timeline for Dependabot.com and Dependabot Preview - -**The Dependabot Preview app and Dependabot.com will shut down on July 7th, 2021**. Any open pull requests from the Dependabot Preview bot will remain open, but the bot itself will no longer work on your {% data variables.product.prodname_dotcom %} accounts and organizations. You’ll need to upgrade to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} by July 7th to keep using {% data variables.product.prodname_dependabot %} functionality. - -Beginning April 7, 2021, the Dependabot Preview app and Dependabot.com will no longer accept new customers. 
+Dependabot Preview has been built directly into {% data variables.product.prodname_dotcom %}, so you can use {% data variables.product.prodname_dependabot %} alongside all the other functionality in {% data variables.product.prodname_dotcom %} without having to install and use a separate application. By migrating to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, we can also focus on bringing lots of exciting new features to {% data variables.product.prodname_dependabot %}, including more [ecosystem updates](https://github.com/github/roadmap/issues/150), [improved notifications](https://github.com/github/roadmap/issues/133), and {% data variables.product.prodname_dependabot %} support for [{% data variables.product.prodname_ghe_server %}](https://github.com/github/roadmap/issues/86) and [{% data variables.product.prodname_ghe_managed %}](https://github.com/github/roadmap/issues/135). ### Differences between Dependabot Preview and {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} -While we built most of the Dependabot Preview features into {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, a few remain unavailable: +While most of the Dependabot Preview features exist in {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, a few remain unavailable: - **Live updates:** We hope to bring these back in the future. For now, you can run {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_dependabot %} daily to catch new packages within one day of release. -- **PHP environment variable and Elixir organization registries:** These features have not been added due to low usage in Dependabot Preview, but we are investigating if there are other solutions. 
For now, you can use {% data variables.product.prodname_actions %} to fetch dependencies from these registries. -- **Auto-merge:** Auto-merge will not be supported for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but we’re concerned about auto-merge being used to quickly propagate a malicious package across millions of developers. For those of you who have vetted your dependencies, or are only using internal dependencies, you can install third party auto-merge apps, or set up {% data variables.product.prodname_actions %} to merge. We recommend always verifying your dependencies before merging them. +- **PHP environment variable registries:** For now, you can use {% data variables.product.prodname_actions %} to fetch dependencies from these registries. +- **Auto-merge:** We always recommend verifying your dependencies before merging them; therefore, auto-merge will not be supported for the foreseeable future. For those of you who have vetted your dependencies, or are only using internal dependencies, we recommend adding third-party auto-merge apps, or setting up GitHub Actions to merge.. In {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, you can configure all version updates using the configuration file. This file is similar to the Dependabot Preview configuration file with a few changes and improvements that will be automatically included in your upgrade pull request. For more information about the upgrade pull request, see "[Upgrading to GitHub-native Dependabot](/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot#upgrading-to-github-native-dependabot)". 
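Review bot: the new opening sentence in this hunk says "Dependabot Preview has been built directly into {% data variables.product.prodname_dotcom %}" without the previous "The majority of" qualifier, yet the Differences section immediately below still states that "a few remain unavailable"; keep the qualifier ("Most Dependabot Preview features have been built directly into ...") so the two paragraphs agree. Three further points in the same hunk: the rewritten Auto-merge bullet drops the stated reason, that auto-merge can "quickly propagate a malicious package across millions of developers", and that rationale is the security-relevant fact readers need in order to judge whether a third-party auto-merge app is acceptable for them, so keep it alongside the recommendation to verify dependencies; the Elixir organization registries entry is removed from the unavailable list with nothing in the diff indicating the feature now exists, so confirm that before narrowing the bullet to PHP only; and "setting up GitHub Actions to merge.." hard-codes the product name where the PHP bullet uses `{% data variables.product.prodname_actions %}`, and ends with a doubled period.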
@@ -36,9 +30,7 @@ For more information about version updates with {% data variables.product.prodna ### Upgrading to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} -Upgrading from Dependabot Preview to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} requires only one step: enabling version updates by merging a pull request. - -To enable {% data variables.product.prodname_dependabot %} version updates, merge the pull request you will find in your repository called *Upgrade to GitHub-native Dependabot*. This pull request includes the updated configuration file needed for {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}. +Upgrading from Dependabot Preview to {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %} requires only one step: merge the *Upgrade to GitHub-native Dependabot* pull request in your repository. This pull request includes the updated configuration file needed for {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}. -If you have any questions or need help migrating, you can view or open issues in the [Dependabot repository](https://github.com/dependabot/dependabot-core/issues). +If you have any questions or need help migrating, you can view or open issues in the [dependabot/dependabot-core](https://github.com/dependabot/dependabot-core/issues) repository. From 147b1c3c2bf0cbfa0f7217004291f3c9b8ee7445 Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Thu, 22 Apr 2021 11:34:07 -0400 Subject: [PATCH 12/12] Removed extra period --- .../upgrading-from-dependabotcom-to-github-native-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
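Review bot: the collapsed instruction in the @@ -36,9 +30,7 @@ hunk tells readers to merge the *Upgrade to GitHub-native Dependabot* pull request but no longer says anything about checking it first, and this PR rewrites the repository's Dependabot configuration file (the Differences section describes it as having "a few changes and improvements"). Suggest adding one sentence asking readers to review the configuration changes in the PR before merging, and naming the account that opens the PR so readers can confirm its author rather than merging any PR that happens to carry that title. The reworded link text "[dependabot/dependabot-core](...) repository" is clearer than "Dependabot repository"; no concerns there.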
diff --git a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md index 0a31158358cf..d37315dfd389 100644 --- a/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md +++ b/content/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot.md 
@@ -16,7 +16,7 @@ Dependabot Preview has been built directly into {% data variables.product.prodna While most of the Dependabot Preview features exist in {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, a few remain unavailable: - **Live updates:** We hope to bring these back in the future. For now, you can run {% data variables.product.prodname_dotcom %} {% data variables.product.prodname_dependabot %} daily to catch new packages within one day of release. - **PHP environment variable registries:** For now, you can use {% data variables.product.prodname_actions %} to fetch dependencies from these registries. -- **Auto-merge:** We always recommend verifying your dependencies before merging them; therefore, auto-merge will not be supported for the foreseeable future. For those of you who have vetted your dependencies, or are only using internal dependencies, we recommend adding third-party auto-merge apps, or setting up GitHub Actions to merge.. +- **Auto-merge:** We always recommend verifying your dependencies before merging them; therefore, auto-merge will not be supported for the foreseeable future. For those of you who have vetted your dependencies, or are only using internal dependencies, we recommend adding third-party auto-merge apps, or setting up GitHub Actions to merge. In {% data variables.product.prodname_dotcom %}-native {% data variables.product.prodname_dependabot %}, you can configure all version updates using the configuration file. This file is similar to the Dependabot Preview configuration file with a few changes and improvements that will be automatically included in your upgrade pull request. For more information about the upgrade pull request, see "[Upgrading to GitHub-native Dependabot](/code-security/supply-chain-security/upgrading-from-dependabotcom-to-github-native-dependabot#upgrading-to-github-native-dependabot)".
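Review bot: the only change in this hunk is the removed doubled period after "setting up GitHub Actions to merge", which is correct. While touching this line, replace the hard-coded "GitHub Actions" in the Auto-merge bullet with `{% data variables.product.prodname_actions %}`, which the PHP environment variable registries bullet two lines above already uses, so both bullets render the product name consistently.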