Releases: dependabot/dependabot-core
v0.238.0
What's Changed
- Update error message matching by @pavera in #8408
- yarn:update add a handled error for missing tags by @pavera in #8389
- Contribute changes to NuGet updater from Azure team by @brettfo in #8179
- Strictly type `GitMetadataFetcher` by @JamieMagee in #8441
- Strictly type `Dependabot::Dependency` by @JamieMagee in #8418
- Bump `nuget` files type strictness by @JamieMagee in #8468
- Sanitize `.yanrc.yml` when missing environment variables prevent yarn from running by @deivid-rodriguez in #8446
- Remove unused licensed gem and artifacts by @deivid-rodriguez in #8466
- Capture dependencies groups with inline comments in pyproject files by @dsuleimenov in #8423
- build(deps): bump pNPM to 8.11.0 by @yeikel in #8471
- Bump the dev-dependencies group in /npm_and_yarn/helpers with 2 updates by @dependabot in #8438
- Bump the npm-dependencies group in /npm_and_yarn/helpers with 2 updates by @dependabot in #8336
- Fix pipenv upgrades when star requirement is used by @deivid-rodriguez in #8452
- Bump cython from 3.0.4 to 3.0.5 in /python/helpers by @dependabot in #8337
- fix #8414 follow poetry source constraint by @lucemia in #8422
- Handle 403 Forbidden errors from PNPM by @deivid-rodriguez in #8447
- Bump poetry from 1.6.1 to 1.7.1 in /python/helpers by @dependabot in #8437
- Fix type issues detected in GitHub Actions ecosystem by @deivid-rodriguez in #8472
- Bump pipenv from 2023.8.28 to 2023.11.15 in /python/helpers by @dependabot in #8087
- fix individual PRs being created that should be in the group by @jakecoffman in #8264
- Bump the dev-dependencies group in /composer/helpers/v2 with 2 updates by @dependabot in #8462
- Bump the dev-dependencies group in /composer/helpers/v1 with 1 update by @dependabot in #8459
- Fix encoding changes when truncating PR descriptions by @mburumaxwell in #8077
- fix grouped update PRs are missing current -> updated version message by @jakecoffman in #8478
- Bump opentelemetry-sdk from 1.3.0 to 1.3.1 in /updater by @dependabot in #8342
- Bump the dev-dependencies group in /updater with 1 update by @dependabot in #8340
- Use a pipenv fork for now to fix tomlkit issues in pipenv by @deivid-rodriguez in #8477
- Bump sorbet-runtime from 0.5.11094 to 0.5.11142 in /updater by @dependabot in #8461
- Ignore repo access issues while parsing actions dependencies by @deivid-rodriguez in #8454
- Fix missing codecommit require by @deivid-rodriguez in #8479
- Handle 401 Unauthorized errors from PNPM by @deivid-rodriguez in #8476
- Bump type strictness by @JamieMagee in #8482
- Refactor error handling by @deivid-rodriguez in #8486
- Enforce LF line endings on checkout by @JamieMagee in #8487
- Raise user error when Yarn is misconfigured by @deivid-rodriguez in #8326
- Fix NPM yanked package detection by @deivid-rodriguez in #8489
- Fix private registry authentication for NPM 8 or higher by @deivid-rodriguez in #8453
- add support for refreshing a grouped security update by @jakecoffman in #8497
- Honor NuGet.config sources and search all build files for properties by @brettfo in #8498
- port Docker updater improvements from Azure DevOps by @brettfo in #8192
- Teach Dependabot how to present multi-directory PRs by @Nishnha in #8494
- fix regression in json gem by using an older version by @jakecoffman in #8509
- Choose closest Nuget.Config by @ryanbrandenburg in #8501
- Update contribution information by @carogalvin in #8507
- fix NuGet smoke test by properly locating `Directory.Packages.props` by @brettfo in #8511
- clean up smoke.yml by @jakecoffman in #8525
- Fix issue with parsing docker images with a tag in the _. format by @jpinz in #8500
- require correct FileFetcher by @jakecoffman in #8527
- Skip Maven snapshots repositories from versions checking by @slawekjaranowski in #8514
- don't attempt to update a package if no versions could be found by @brettfo in #8502
- Include the directory name in multi-directory PR summaries by @Nishnha in #8528
- Create feature flag for Grouped security updates by @ryanbrandenburg in #8529
- fix group update creation failure when a dependency is ignored by @jakecoffman in #8535
- properly resolve nuget search query when the api is versioned by @brettfo in #8534
- only run suites that have changes by @jakecoffman in #8536
- Skip Maven snapshots repositories from versions checking - fix 2 by @slawekjaranowski in #8542
- Bump golang from 1.21.4-bookworm to 1.21.5-bookworm in /go_modules by @TomSellers in #8548
- Use upstream pipenv again by @deivid-rodriguez in #8547
- Don't escape dependency names in tarball URLs since it doesn't always work by @deivid-rodriguez in #8546
- dynamically discover smoke tests by @jakecoffman in #8551
- improvements to querying nuget apis for versions by @brettfo in #8538
- Prioritize detection of sha suffixed tags over date tags by @mctofu in #8553
- Fix docker updates for tags with a v prefix by @mctofu in #8561
- v0.238.0 by @dependabot-core-action-automation in #8448
New Contributors
- @dsuleimenov made their first contribution in #8423
- @ryanbrandenburg made their first contribution in #8501
- @jpinz made their first contribution in #8500
- @slawekjaranowski made their first contribution in #8514
- @TomSellers made their first contribution in #8548
Full Changelog: v0.237.0...v0.238.0
v0.237.0
What's Changed
- Pass user info to Sentry by @deivid-rodriguez in #8188
- Bump the dev-dependencies group in /updater with 1 update by @dependabot in #8282
- Bump psych from 5.1.0 to 5.1.1.1 in /updater by @dependabot in #8236
- Detect Python version from pip-compile generated files by @deivid-rodriguez in #8280
- Bump the pnpm-dependencies group in /npm_and_yarn/helpers with 1 update by @dependabot in #8268
- Bump the npm-dependencies group in /npm_and_yarn/helpers with 2 updates by @dependabot in #8255
- Bump @babel/traverse from 7.23.0 to 7.23.2 in /npm_and_yarn/helpers by @dependabot in #8235
- Handle null dependencies in package.json by @deivid-rodriguez in #8212
- Set Python to always clone by @deivid-rodriguez in #8266
- Add types to git workspace by @JamieMagee in #8285
- Add sigs for errors by @JamieMagee in #8097
- Explicitly add `# typed: false` for bin files by @JamieMagee in #8287
- Bump the dev-dependencies group in /composer/helpers/v2 with 2 updates by @dependabot in #8294
- Bump the dev-dependencies group in /updater with 1 update by @dependabot in #8291
- Bump the dev-dependencies group in /npm_and_yarn/helpers with 1 update by @dependabot in #8290
- Bump the dev-dependencies group in /composer/helpers/v1 with 1 update by @dependabot in #8256
- Revert python always clone registration by @deivid-rodriguez in #8288
- Fixes for v234 release bugs by @LakSenanayaka in #8218
- Bump cython from 3.0.3 to 3.0.4 in /python/helpers by @dependabot in #8252
- Bump pip from 23.2.1 to 23.3.1 in /python/helpers by @dependabot in #8251
- Enable always clone for Python (take 2) by @deivid-rodriguez in #8301
- Some more types for `common` by @JamieMagee in #8304
- Type `LinkAndMentionSanitizer` by @JamieMagee in #8298
- Sorbet types for `source` by @JamieMagee in #8272
- Type `SharedHelpers` by @JamieMagee in #8302
- Bump composer/composer from 2.5.8 to 2.6.5 in /composer/helpers/v2 by @dependabot in #8159
- Fix tests broken by racc release by @deivid-rodriguez in #8313
- Raise expected errors when unsupported PNPM versions are used by @deivid-rodriguez in #8147
- Fix illformed requirement error on "workspace:" dependencies by @deivid-rodriguez in #8099
- Fix error when parsing version of some PNPM lockfiles by @deivid-rodriguez in #8315
- Bump excon from 0.102.0 to 0.104.0 in /updater by @dependabot in #8292
- Bump faraday from 2.7.10 to 2.7.11 in /updater by @dependabot in #8059
- Replace `pipenv lock` with `pipenv upgrade` by @deivid-rodriguez in #8312
- Type `SharedHelpers` more thoroughly by @JamieMagee in #8310
- Properly aggregate `pipenv upgrade` errors in Sentry by @deivid-rodriguez in #8323
- Bump composer/composer from 1.10.26 to 1.10.27 in /composer/helpers/v1 by @dependabot in #8114
- build(deps): bump pNPM to 8.10.2 by @yeikel in #8289
- Add types for `setup.rb` by @JamieMagee in #8317
- Redact SCP-style git URIs in Sentry by @deivid-rodriguez in #8306
- Catch more 404 PNPM fetch errors and raise them as user errors by @deivid-rodriguez in #8324
- Simplify group updates by dep type test to fix CI by @deivid-rodriguez in #8344
- Fix broken composer CI by @deivid-rodriguez in #8345
- Bump the dev-dependencies group in /composer/helpers/v2 with 2 updates by @dependabot in #8343
- Add types for `ExceptionSanitizer` by @JamieMagee in #8314
- Fix common CI by @deivid-rodriguez in #8347
- Fix more test failures by @deivid-rodriguez in #8361
- add Dependabot config for Docker at /go_modules by @jakecoffman in #8373
- Bump golang from 1.21.3-bookworm to 1.21.4-bookworm in /go_modules by @dependabot in #8374
- Teach Updater to Invoke fetch files Based on Multi-Dir by @honeyankit in #8309
- Types for `FileFetchers::Base` by @JamieMagee in #8327
- Remove feature flag gating dependency removal by @mctofu in #8359
- Fix incorrect casing in some Dependabot PR titles by @deivid-rodriguez in #8355
- handle updating manifests across multiple directories by @jakecoffman in #8331
- Fix one more `and_call_original`-related flaky spec by @deivid-rodriguez in #8392
- Fix more Sorbet + `and_call_original` issues by @deivid-rodriguez in #8394
- Enforce `# typed: true` where possible by @JamieMagee in #8385
- Strictly type `file` by @JamieMagee in #8384
- fix broken updates due to incorrect directory filtering by @jakecoffman in #8405
- Building python is fast now by @deivid-rodriguez in #8407
- Strictly type `UpdateConfig` by @JamieMagee in #8403
- Strictly type `DependencyGroup` by @JamieMagee in #8404
- Fix PNPM issues with private registries by @deivid-rodriguez in #8330
- Support updating Package.swift files without a lockfile by @deivid-rodriguez in #8352
- Bump Bundler to 2.4.22 by @deivid-rodriguez in #8224
- Refactor composer error handling and better handle potential errors by @deivid-rodriguez in #8305
- Raise user errors about being unable to reach private git PNPM dependencies by @deivid-rodriguez in #8332
- build(deps): bump Yarn to 3.7.0 by @yeikel in #8399
- build(deps): bump pNPM to 8.10.5 by @yeikel in #8370
- Respect poetry explicit source by @lucemia in #8371
- Update README.md by @sungam3r in #8387
- Strongly type `PullRequestCreator::Message` by @JamieMagee in #8410
- Strongly type `SimpleInstrumentor` by @JamieMagee in #8421
- Strongly type `VersionFilters` by @JamieMagee in #8409
- Clone submodules in CI workflows by @deivid-rodriguez in #8429
- Clone submodules when building images manually by @deivid-rodriguez in #8430
- Fix windows servercore Docker updates by @deivid-rodriguez in #8442
- Fix the new alpine image versions for docker by @honeyankit in #8432
- Bundler native helpers should not run in a frozen context by @deivid-rodriguez in #8419
- Properly capture and re-raise PublicSourceTimedOut errors in Bundler by @deivid-rodriguez in #8420
- v0.237.0 by @dependabot-core-action-automation in #8316
New Contributors
- @LakSenanayaka made their first contribution in https://github....
v0.236.0
What's Changed
- check types in the updater too by @jakecoffman in #8238
- Type `ArtifactUpdater` and `VendorUpdater` by @JamieMagee in #8215
- fix markdown header formatting by @brettfo in #8194
- Ignore specs when running Sorbet by @JamieMagee in #8240
- add types to the ApiClient by @jakecoffman in #8239
- Removed unignore command feature flag by @honeyankit in #8241
- add types to service by @jakecoffman in #8246
- report extra information if a repo can't be found by @brettfo in #8191
- Correct handling of `updater` directory in sorbet by @JamieMagee in #8247
- Clarify docker logs about ignoring a normally expected update candidate by @deivid-rodriguez in #8262
- Add OpenTelemetry SDK by @JamieMagee in #8210
- Fix poetry regression by @deivid-rodriguez in #8263
- stop processing if updated_deps is empty by @brettfo in #8193
- add types to some of the Dependabot::Config classes by @jakecoffman in #8261
- Recurse submodules when cloning npm and yarn repos by @deivid-rodriguez in #6718
- Unlock related Gemfile dependencies, but not everything that changed by @deivid-rodriguez in #8267
- Add subdirectory value while preparing pyproject.toml if subdirectory key exists by @VictoryKon in #8067
- Avoid incorrectly downgrading top level deps by @deivid-rodriguez in #8279
- Bump sorbet-runtime from 0.5.11026 to 0.5.11094 in /updater by @dependabot in #8281
- temporary fix for flaky test by @jakecoffman in #8284
- Sorbet types for `logger` and `commit_signer` by @JamieMagee in #8269
- Update autogenerated RBIs by @JamieMagee in #8271
- v0.236.0 by @dependabot-core-action-automation in #8276
New Contributors
- @brettfo made their first contribution in #8194
- @VictoryKon made their first contribution in #8067
Full Changelog: v0.235.0...v0.236.0
v0.235.0
What's Changed
- Improve detection of unsupported cargo toolchains by @deivid-rodriguez in #8181
- build(deps): bump PNpm from 8.8.0 to 8.9.0 by @yeikel in #8175
- Expose a new directory_not_found user error by @deivid-rodriguez in #8174
- Refactor shelling out in Python by @deivid-rodriguez in #8167
- Fix false positive auth redaction by @deivid-rodriguez in #8185
- remove unused code by @jakecoffman in #8171
- Fix multiple pip compile errors by @deivid-rodriguez in #8189
- Fix poetry multiple requirement replacement in pyproject.toml by @deivid-rodriguez in #8190
- Improve running updater tests by @deivid-rodriguez in #8206
- build(deps): bump PNpm from 8.9.0 to 8.9.2 by @yeikel in #8202
- build(deps): bump yarn to 3.6.4 by @yeikel in #8151
- Mark `.rbi` as `linguist-generated` by @JamieMagee in #8209
- Fix version comments after quoted strings by @kurtmckee in #8127
- Get better info on an unknown error by @deivid-rodriguez in #8211
- Raise user errors on invalid poetry manifest by @deivid-rodriguez in #8207
- Fix sentry redaction issues by @deivid-rodriguez in #8219
- Avoid trying to parse poetry.lock if pyproject.toml is invalid for Poetry by @deivid-rodriguez in #8223
- Ignore dependencies from remote constraint files by @deivid-rodriguez in #8222
- Go: pull from the official Docker image so that Dependabot bumps it by @jakecoffman in #8225
- Make composer CI pass consistently by @deivid-rodriguez in #8226
- Ensure Grouped Security Updates are rebased correctly by @jurre in #8204
- Raise user error when not finding path dependencies in Python by @deivid-rodriguez in #8172
- Support Python requirements with preceding "v" by @deivid-rodriguez in #8229
- Add types to `FileUpdaters::Base` by @JamieMagee in #8214
- v0.235.0 by @dependabot-core-action-automation in #8231
New Contributors
- @kurtmckee made their first contribution in #8127
Full Changelog: v0.234.0...v0.235.0
v0.234.0
What's Changed
- build(deps): bump PNpm from 8.7.6 to 8.8.0 by @yeikel in #8101
- fix refreshing a grouped PR causes dependency duplication by @jakecoffman in #8150
- Bump the dev-dependencies group in /npm_and_yarn/helpers with 2 updates by @dependabot in #8157
- Bump the dev-dependencies group in /composer/helpers/v2 with 2 updates by @dependabot in #8158
- Bump the dev-dependencies group in /composer/helpers/v1 with 1 update by @dependabot in #8155
- Bump cython from 3.0.2 to 3.0.3 in /python/helpers by @dependabot in #8153
- Suppress for `Layout/MultilineMethodCallIndentation` offense by @ydah in #8134
- Bump the dev-dependencies group in /updater with 1 update by @dependabot in #8163
- Bump the aws-sdk group in /updater with 2 updates by @dependabot in #8109
- Remove the leading v from Docker versions by @Nishnha in #8165
- grouped security updates by @jakecoffman in #8128
- Small `dry-run.rb` improvement to also handle file fetching errors by @deivid-rodriguez in #8173
- include more info in grouped security update group name by @jakecoffman in #8178
- build(deps): bump Terraform from 1.5.6 to 1.6.1 by @yeikel in #7985
- Ignore file dependencies when parsing requirement files by @deivid-rodriguez in #8170
- v0.234.0 by @dependabot-core-action-automation in #8180
Full Changelog: v0.233.0...v0.234.0
v0.233.0
What's Changed
- Bump the dev-dependencies group in /updater with 2 updates by @dependabot in #8009
- Bump friendsofphp/php-cs-fixer from 3.23.0 to 3.26.1 in /composer/helpers/v2 by @dependabot in #7996
- Bump the npm-dependencies group in /npm_and_yarn/helpers with 2 updates by @dependabot in #7999
- Bump phpstan/phpstan from 1.10.30 to 1.10.34 in /composer/helpers/v2 by @dependabot in #8035
- Add sig to dependency injection containers by @JamieMagee in #8032
- Add types to clients by @JamieMagee in #8038
- fix: call 'split' on string-type object, not on version-type object by @fredrikaverpil in #8037
- Bump RUBY_VERSIONS to include 3.1.4 and 3.2.2 by @kjeldahl in #8041
- Bump phpstan/phpstan from 1.10.32 to 1.10.34 in /composer/helpers/v1 by @dependabot in #8036
- Upload spoom coverage report data by @JamieMagee in #8046
- Generate and upload spoom coverage report on main by @JamieMagee in #8047
- fix go1.21 not a toolchain by @jakecoffman in #8044
- build(deps): bump go from 1.21.0 to 1.21.1 by @yeikel in #7986
- Update Sorbet from `0.5.11011` to `0.5.11026` by @JamieMagee in #8064
- raise if the reference already exists by @jakecoffman in #8043
- 💅 Use defaults instead of comments for documentation by @landongrindheim in #8069
- Bump actions/checkout from 3 to 4 by @dependabot in #7997
- Track unknown errors by @Nishnha in #7534
- Bump pipenv from 2022.4.8 to 2023.8.28 in /python/helpers by @dependabot in #7922
- Removed logging of commands from Subprocess failure by @honeyankit in #8082
- Use new blessed method for installing NodeJS by @deivid-rodriguez in #8093
- Respect style of each action when mixed styles are used by @deivid-rodriguez in #8068
- fix comment typo by @mburumaxwell in #8076
- Fix Swift 5.9 package manifest analyze error by @soumyamahunt in #8073
- Dockerfile - Add infrequently layers earlier by @tvalenta in #8031
- Fix warnings when running tests in common by @deivid-rodriguez in #8100
- Fix some github actions version comments not getting updated by @deivid-rodriguez in #8098
- build(deps): bump PNpm from 8.6.12 to 8.7.6 by @yeikel in #7899
- Add `sig`s for `utils` by @JamieMagee in #8096
- Properly infer `.npmrc` for PNPM by @deivid-rodriguez in #8094
- Fix CI by @deivid-rodriguez in #8105
- Improve running specs by @deivid-rodriguez in #8092
- Remove another git warning during specs by @deivid-rodriguez in #8113
- fix dependency duplication across multiple groups by @jakecoffman in #8106
- fix semver segments errors due to invalid Versions by @jakecoffman in #8124
- Add sigs for some `version.rb` by @JamieMagee in #8049
- Remove grouped updates feature flags by @jurre in #8123
- Raise unsupported Python version error as an expected error by @deivid-rodriguez in #8104
- Fix a typo by @ydah in #8133
- Fix some flaky test failures by @deivid-rodriguez in #8140
- Catch up test lockfile with parser 3.2.2.4 release by @deivid-rodriguez in #8142
- Parallelize tests on all ecosystems, except for Pub by @deivid-rodriguez in #8139
- fix completely ignored dependencies querying for updates by @jakecoffman in #8143
- Added record update job error api back to capture unknown errors by @honeyankit in #8144
- v0.233.0 by @dependabot-core-action-automation in #8034
New Contributors
- @fredrikaverpil made their first contribution in #8037
- @kjeldahl made their first contribution in #8041
- @soumyamahunt made their first contribution in #8073
- @ydah made their first contribution in #8133
Full Changelog: v0.232.0...v0.233.0
v0.232.0
What's Changed
- Autobump to `typed: true` using `spoom` by @JamieMagee in #8021
- fix helpful error message to have PR number by @jakecoffman in #8024
- Actions: skip unsupported uses strings by @jakecoffman in #8026
- fix docker-dev-shell on ARM by @jakecoffman in #8029
- Add back the Docker::Version.correct? method by @Nishnha in #8030
Full Changelog: v0.231.0...v0.232.0
v0.231.0
What's Changed
- Ensure Docker versions are valid Dependabot::Versions by @Nishnha in #7984
- Use `rstrip` to trim trailing newlines by @JamieMagee in #7991
- Set `Layout/DotPosition` to `leading` by @JamieMagee in #7789
- Add `.git-blame-ignore-revs-file` and ignore style change by @JamieMagee in #7992
- Bump the dev-dependencies group in /npm_and_yarn/helpers with 3 updates by @dependabot in #8000
- Add sorbet dependencies by @JamieMagee in #8007
- Update semver by @jurre in #8005
- Make sorbet and tapioca optional by @JamieMagee in #8014
- Initialize sorbet by @JamieMagee in #8012
- Add `typed: false` sigil by @JamieMagee in #8015
- Add `rubocop-sorbet` by @JamieMagee in #8016
- Add sorbet workflow by @JamieMagee in #8017
- raise exceptions when PR creation fails by @jakecoffman in #8013
- Add Sorbet VSCode extension by @JamieMagee in #8018
- v0.231.0 by @dependabot-core-action-automation in #8019
Full Changelog: v0.230.0...v0.231.0
v0.230.0
What's Changed
- Bump the aws-sdk group in /updater with 1 update by @dependabot in #7852
- Use `python3`/`pip3` so we don't have to have `python`/`pip` symlinks by @jeffwidman in #7927
- Bump cython from 3.0.0 to 3.0.2 in /python/helpers by @dependabot in #7905
- Use pre-compiled Python from official Docker image by @jeffwidman in #7934
- build(deps): bump Yarn to 3.6.3 by @yeikel in #7908
- build(deps): bump npm from 9.5.1 to 9.6.5 by @yeikel in #7811
- Bump excon from 0.100.0 to 0.102.0 in /updater by @dependabot in #7904
- Move copying the other pythons to the end of the Dockerfile by @jeffwidman in #7941
- Python helper removes bytecode files by @tvalenta in #7944
- Stop installing apt packages for compiling Python by @jeffwidman in #7943
- Make building the default python concurrent rather than sequential by @jeffwidman in #7949
- Bump RUBY_VERSIONS to include 3.0.6 by @jade-aronson in #7948
- Replace `gzip` with `zstd` for speed + size benefits by @jeffwidman in #7950
- Gradle: fix comparison of the prefix version range by @jakecoffman in #7975
- Bump tibdex/github-app-token from 1.8.0 to 1.8.2 by @dependabot in #7957
- go: fix ambiguous import when using a module without a dot by @vincentbernat in #7979
- Maven: fix classifier being part of the dependency name by @jakecoffman in #7980
- v0.230.0 by @dependabot-core-action-automation in #7982
New Contributors
- @jade-aronson made their first contribution in #7948
- @vincentbernat made their first contribution in #7979
Full Changelog: v0.229.0...v0.230.0
v0.229.0
What's Changed
- Target latest Python versions - 3.11.5, 3.10.13, 3.9.18, 3.8.18 by @phillipuniverse in #7914
- Bump phpstan/phpstan from 1.10.30 to 1.10.32 in /composer/helpers/v1 by @dependabot in #7901
- build(deps): bump terraform from 1.5.5 to 1.5.6 by @yeikel in #7892
- fix: duplicate response body before mutating it by @yeikel in #7926
- v0.229.0 by @dependabot-core-action-automation in #7929
Full Changelog: v0.228.0...v0.229.0