v0.213.0 #6002

Merged
merged 2 commits into from Oct 31, 2022

Conversation

pavera
Contributor

@pavera pavera commented Oct 31, 2022

v0.213.0, 31 October 2022

  • prevent failing to create a PR due to metadata gathering errors #5980
  • Bump Node.js in bug report description field (@HonkingGoose) #5984
  • Allow file fetchers to opt into loading git submodules #5982
  • Centralize pyenv install logic #5985
  • prevent trying to get a commit that can't exist #5981
  • Remove Current User From List of Default Reviewer (@Kimor-hello) #5968
  • Bump @npmcli/arborist from 5.6.2 to 6.0.0 in /npm_and_yarn/helpers #5955
  • Update rubocop requirement from ~> 1.36.0 to ~> 1.37.1 in /common #5959
  • Regenerate updater/Gemfile.lock #5858
  • Keep updater lockfile in sync with subgem changes #5972
  • Add Dependency Review workflow #5973
  • Yarn Berry: Fully update cache and include .pnp.cjs in PR #5964
  • Actually consider development dependencies (v2) #5971
  • Actually consider development dependencies #5969
  • Fix crashes on Python libraries using multiple manifests #5965
  • Fix rubocop redundant freeze warnings #5468
  • Don't repeat dependency names in PR title #5915
  • fix race and updating local mounted repositories #5937
  • Initial work on standard Python support #5661
  • Only call pip compile once (@jerbob92) #5905
  • Bump rubocop from 1.36.0 to 1.37.1 in /updater #5960
  • Bump licensed from 3.7.4 to 3.7.5 in /updater #5957
  • Update octokit requirement from >= 4.6, < 6.0 to >= 4.6, < 7.0 in /common #5954
  • Make dry-run script twice as fast #5950
  • Bump collection from 1.16.0 to 1.17.0 in /pub/helpers #5898
  • Bump eslint from 8.25.0 to 8.26.0 in /npm_and_yarn/helpers #5953
  • Update pip requirement from <22.2.3,>=21.3.1 to >=21.3.1,<22.4.0 in /python/helpers #5893
  • build(deps): bump terraform from 1.3.2 to 1.3.3 (@HorizonNet) #5952
  • No public url call when public registry is disabled #5948
  • fix calling npm.org when there's no npmrc with replaces-base #5928
  • Never change version precision of actions chosen by users #5891
  • Bump nokogiri from 1.13.8 to 1.13.9 in /updater #5936
  • Fix crash when updating git dependencies #5934
  • Fix error when parsing Gitlab changelogs #5929
  • Fix crash when updating Python libraries with multiple manifest types #5932
  • Fix updating to tags with a branch with same name #5918
  • Batch some PRs updating dependencies #5942
  • Maven: fix forgetting repositories seen in earlier POMs #5931
  • Yarn Berry: Fixes subdependency security updates #5930
  • Bump phpstan/phpstan from 1.8.8 to 1.8.10 in /composer/helpers/v1 #5910
  • Bump friendsofphp/php-cs-fixer from 3.11.0 to 3.12.0 in /composer/helpers/v2 #5895
  • Install composer in a way that does not use COPY --from #5904
  • Fall back to PR title if original PR head commit is missing #5913
  • Maven: implement parent snapshot lookup #5924
  • Fixed disabledPackageSources for nuget.org #5874
  • maven: implement replaces-base to avoid calling central #5908
  • Fix commitlint message style detection #5744
  • Fixing PR failures if pypi.org unavailable #5876
  • Fix dependabot incorrectly downgrading docker versions #5886
  • fix version_finder not preferring private registry #5907
  • Remove CI hack much less needed now #5906
  • add Maven credential metadata to the URLs it searches for POM files #5884
  • Revert lockfile-only changes #5901
  • Detect dependencies in Gradle included builds (@gabrielfeo) #5028
  • Make script/dependabot --help actually work #5881
  • Fix lockfile-only versioning strategy not creating some updates that are expected #5581
  • Fix Maven inability to overwrite repository urls by ID #5878
  • Revert "Bump activesupport from 6.1.4.4 to 7.0.4 in /updater" #5882
  • Bump activesupport from 6.1.4.4 to 7.0.4 in /updater #5704
  • [npm] Flag indirect transitive updates to be ignored by the FileUpdater #5873
  • [npm] Randomize advisory id to avoid cache collisions across tests #5875
  • maven: stop querying repositories once one returns a result #5872
  • Yarn Berry: Ensure registry config is respected #5863
  • raise when a path dependency is absolute #5869
  • Update .dockerignore #5585
  • Bump phpstan/phpstan from 1.8.6 to 1.8.8 in /composer/helpers/v2 #5860
  • Make quotes around Yarn private registry sources optional #5844
  • Fix typos #5859
  • swap history file from byebug to new debug gem #5855
  • [npm] fix to preserve all_versions metadata from the lockfile #5846
  • handle path="" correctly in Cargo.toml #5866
  • allow interactive debugging in the CLI #5763
  • Update faraday requirement from = 2.5.2 to = 2.6.0 in /common #5851
  • Add support for Python 3.10.7 and 3.[7-9].14 (@Kurt-von-Laven) #5769
  • build(deps): bump terraform from 1.3.0 to 1.3.2 (@HorizonNet) #5857
  • Update pip-tools requirement from <6.8.1,>=6.4.0 to >=6.4.0,<6.9.1 in /python/helpers #5850
  • Bump http from 4.4.1 to 5.1.0 in /updater #5701
  • Bump jest from 28.1.3 to 29.1.2 in /npm_and_yarn/helpers #5821
  • Bump semver from 7.3.7 to 7.3.8 in /npm_and_yarn/helpers #5848
  • Bump licensed from 3.7.3 to 3.7.4 in /updater #5849
  • feat: Add support for workspace.dependencies in cargo 1.64.0+ (@poliorcetics) #5794
  • Update debug requirement from ~> 1.0.0 to ~> 1.6.2 in /updater #5853
  • Bump eslint from 8.24.0 to 8.25.0 in /npm_and_yarn/helpers #5852
  • Bump phpstan/phpstan from 1.8.6 to 1.8.8 in /composer/helpers/v1 #5854
  • Fix typo #5847
  • Bump Ruby to 3.1 #5447
  • [npm] Consider all installed versions when checking if a dependency is still vulnerable #5801
  • use configured global registry for library lookup #5840
  • allow updating at a commit, for testing #5843
  • Fix Dependabot removes double backslashes in maven plugin configurations (@mallowlabs) #5835
  • Stop disabling new poetry installer #5838
  • Bump Rubygems to 3.3.22 #5823
  • Yarn Berry: Private registry support #5831
  • Consider all dependency versions in Job.vulnerable? #5837
  • Yarn Berry: Ensure multiple requirements are parsed correctly #5839
  • Add support for helm files. (@brendandburns) #5738
  • Update v1/composer.lock using composer1 update #5717
  • Decouple Bundler versions #5513
  • Upgrade Bundler to 2.3.22 #5509
  • Add support for Python 3.10.6 (@Kurt-von-Laven) #5780
  • Yarn Berry: Prevent sub-package dependencies being added to root workspace #5829
  • [npm] Preserve requirement source when updating transitive dep parents #5816
  • [npm] Allow updates with both top level and sub dependencies #5822
  • Yarn Berry: Run commands in update-lockfile mode #5827
  • Update parallel_tests requirement from ~> 3.12.0 to ~> 3.13.0 in /common #5791
  • [npm] Reject audits which don't have a fix we can apply #5815
  • Update all versions of the same private module in single terraform file (@szemek) #5786
  • Ensure always_clone is enabled for yarn_berry during file_fetching #5817
  • Bump phpstan/phpstan from 1.8.5 to 1.8.6 in /composer/helpers/v2 #5792
  • Bump phpstan/phpstan from 1.8.5 to 1.8.6 in /composer/helpers/v1 #5793
  • Bump eslint from 8.23.1 to 8.24.0 in /npm_and_yarn/helpers #5790
  • add dependabot CLI dev container #5813
  • smoke test npm removed dependencies #5808
  • Set custom CA file path for yarn berry #5783
  • [npm] fix failure to attempt parent update if unfixed transitive update is available #5799
  • Fix syntax error in Actions workflow file #5805
  • Update smoke test to download CLI from dependabot/cli repo #5803
  • Fix typo in README (promted -> prompted) (@szemek) #5802
  • remove :npm_transitive_security_updates flag #5788
  • [Gradle] Handle plugin version variables without string interpolation (@Flexicon) #5381
  • [npm] Only shortcut search when non-vuln version of advisory dep is found #5796
  • Terraform 1.3.0 #5782
  • Skip cron run of CodeQL in forks #5784
  • [npm] Only return a chain if a node matches a vulnerable version #5785
  • bundler: optimize gemfile parsing (@skipkayhil) #4059
  • Initial yarn berry support #5660
  • Fixing issue with nuget devDependency support (@mwaddell) #4774
  • Bump commonmarker from 0.23.5 to 0.23.6 in /updater #5773
  • Bump @npmcli/arborist from 5.6.1 to 5.6.2 in /npm_and_yarn/helpers #5747
  • Update poetry requirement from <=1.2.0,>=1.1.15 to >=1.1.15,<1.3.0 in /python/helpers #5746
  • Improve PR message for removed dependencies #5770
  • build(deps): bump NPM from 8.18.0 to 8.19.2 (@THETCR) #5754
  • prevent forks from trying and failing to deploy to GHCR #5768
  • Sanitize metadata links on all platforms #5739
  • Fixes for transitive dependency vulnerabilities without a top level dependency update #5762
  • Experiments not Experiment #5760
  • More descriptive PR message when multiple dependencies are fixed in a security update #5595
  • Add new interface to register experiments #5755
  • [pub] Log the Dart / Flutter SDK version selected (@sigurdm) #5748
  • Run CI and smoke tests on stacked PRs #5752
  • Fix multiple Python requirements separated by whitespace #5735
  • Allow updating Java images with "update releases" #5734
  • Support bump_versions_if_necessary versioning strategy in python #5605
  • Sanitize mentions for merge requests in Gitlab (@andrcuns) #3437
  • add a date tag to the docker image when merged #5736
  • Make script/debug a simple wrapper over the CLI #5733
  • Use "latest" for ESLint ecmaVersion #5715
  • Fix URIs logged by dry-run #5732
  • Bump webmock from 3.17.1 to 3.18.1 in /updater #5700
  • Add composer fields to silence PHPStan #5716
  • Add max length option to BranchNamer (@TomNaessens) #5338
  • Bump jason from 1.3.0 to 1.4.0 in /hex/helpers #5699
  • Fix fetching bug for requirements.in files (@stulle123) #5580
  • Relax the composer pin to make it less confusing #5714
  • Fix PHP-CS-Fixer deprecation warnings #5713
  • Revert "disable branch release workflow for forks" #5711
  • disable branch release workflow for forks #5709
  • Bump rubocop-performance from 1.14.3 to 1.15.0 in /updater #5703
  • Bump rubocop from 1.33.0 to 1.36.0 in /updater #5702
  • Rename phpstan.neon -> phpstan.dist.neon #5692
  • Fix typo #5696
  • Fix typo (@HonkingGoose) #5705
  • Rename .php_cs -> .php-cs-fixer.dist.php #5691
  • Watch the new updater/Gemfile #5697
  • Handle removed dependencies in existing PRs #5673
  • Bump friendsofphp/php-cs-fixer from 3.9.3 to 3.11.0 in /composer/helpers/v2 #5689
  • build(deps-dev): bump phpstan/phpstan from 1.7.15 to 1.8.5 in /composer/helpers/v1 #5651
  • build(deps-dev): bump phpstan/phpstan from 1.8.1 to 1.8.5 in /composer/helpers/v2 #5652
  • Update debase-ruby_core_source requirement from = 0.10.16 to = 0.10.17 in /common #5677
  • fix Poetry not using system git #5688
  • build(deps): bump @npmcli/arborist from 5.6.0 to 5.6.1 in /npm_and_yarn/helpers #5629
  • Increase docker registry client timeout #5674
  • deploy from a fork using a workflow #5668
  • Bump eslint from 8.22.0 to 8.23.1 in /npm_and_yarn/helpers #5679
  • python/helpers/build: fix a pip warning related to pipfile installation (@SpecLad) #5587
  • Update file size to 500 kilobytes (@stulle123) #5596
  • build(deps): bump terraform from 1.2.8 to 1.2.9 (@HorizonNet) #5675
  • Update rubocop-performance requirement from ~> 1.14.2 to ~> 1.15.0 in /common #5680
  • Fix typo: spwans -> spawns #5681
  • Reword comment & fix typo #5682
  • Test #conficting_dependencies with a locking parent dependabot fixture #5672
  • Include removed dependency flag when creating a pull request #5671
  • Cleanup updater specs output #5666
  • [npm] Add additional logging to VulnerabilityAuditor #5662
  • fix smoke tests from forks by using public sources #5665
  • Speed up dealing with non-reachable git repos #5658
  • Fix incomplete clean up of odd python requirements #5647
  • Run rspec with --profile flag by default in Python #5607
  • Propagate author details when initializing PullRequestUpdater for Azure. (@JManou) #5604
  • Fix updater specs on M1 #5657
  • fix tagged push overwriting previous tags #5649
  • Add more helpful error messaging when a vulnerable dependency cannot be upgraded #5645
  • deploy commits made after approval #5650
  • To prevent dependabot-core from failing when the incorrect release tag is created for a release, adding a rescue statement #5615
  • Adding code tags around any nwo#number text string #5646
  • move devcontainer to allow debugging updater with the default devcontainer #5648
  • Revert "Add more helpful error messaging when a vulnerable dependency cannot be upgraded" #5613

@pavera pavera requested a review from a team as a code owner October 31, 2022 14:10
@jakecoffman
Member

Interesting failure in the smoke tests:

#31 [26/29] RUN bundle config set --local path 'vendor' && bundle config set --local frozen 'true' && bundle config set --local without 'development' && bundle install
#31 sha256:f2a048e425f3fa235583e54321a4fbed735f3dde45c5c0cd8b4caec0ebc5cf97
#31 1.088 You are trying to install in deployment mode after changing
#31 1.088 your Gemfile. Run `bundle install` elsewhere and add the
#31 1.088 updated Gemfile.lock to version control.
#31 1.088 
#31 1.088 If this is a development machine, remove the
#31 1.088 /home/dependabot/dependabot-updater/Gemfile freeze
#31 1.088 by running `bundle config unset frozen`.
#31 1.088 
#31 1.088 The gemspecs for path gems changed
#31 ERROR: executor failed running [/bin/bash -o pipefail -c bundle config set --local path 'vendor' && bundle config set --local frozen 'true' && bundle config set --local without 'development' && bundle install]: exit code: 16

@pavera
Contributor Author

pavera commented Oct 31, 2022

All attempts to build the updater appear to fail the same way (CI, push images, and smoke). Looking into it

Member

@jakecoffman jakecoffman left a comment

I wonder if we could use $RUBYLIB to avoid having to update the lockfile? But I think the issue will be that we have dependencies in each ecosystem's gemspec which might make that not work.

@pavera pavera merged commit 986408e into main Oct 31, 2022
@pavera pavera deleted the v0.213.0-release-notes branch October 31, 2022 16:21