Commit
Merge main from dependabot/dependabot-core (#277)
* Update CHANGELOG.md
* v0.148.8
* Check version is correct before filtering ignored

  This is yet another patch to handle edge-cases around filtering ignored versions where the dependency is a git dependency and the version has been initialised as a sha and therefore can't be used to filter ignored versions.
* npm: handle latest version requirement

  Handle `latest` version requirements which are valid in npm:

  ```
  "dependencies": {
    "etag" : "latest"
  }
  ```
* fix: remove duplicate method definition
* test: check if version constraint is fixed
* fix: use nil version for pessimistic constraints
* test: detect resolved version from the lockfile
* fix: parse version from terraform lock file
* refactor: collapse methods
* style: fix linter errors
* style: collapse lines
* test: add spec to parse provider metadata from a custom registry
* fix: remove check for public hostname
* style: remove unused let
* test: fetch providers versions from a custom registry
* fix: remove restriction to use registry.terraform.io
* test: fetch module versions from a custom registry
* style: fix linter errors
* fix: remove restriction to use registry.terraform.io
* refactor: make registry.terraform.io the default
* refactor: forward credentials to the registry client
* fix: inject Authorization header
* test: remove test that has been replaced
* build(deps-dev): bump jest in /npm_and_yarn/helpers

  Bumps [jest](https://github.com/facebook/jest) from 26.6.3 to 27.0.1.
  - [Release notes](https://github.com/facebook/jest/releases)
  - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
  - [Commits](jestjs/jest@v26.6.3...v27.0.1)

  Signed-off-by: dependabot[bot] <support@github.com>
* Terraform: Do not set dependency.version for version ranges

  When a dependency specifies a version range, we do not want to set the dependency object's version, as we cannot reliably determine it. Instead, we need to rely on the _requirement_.

  For example, `~> 2.0` is not a valid _version_, so when parsing it, we should set the `version` attribute to nil. This was already handled for terraform modules, but not for providers.
* v0.148.9
* Composer: fix git clone error in lockfile updater

  Fix error matching for `GitDependenciesNotReachable` in the lockfile updater. We're still seeing the error I tried to fix in the version resolver: dependabot#3779

  It looks like we need to match the same error in the lockfile updater as it might raise for a dependency we're not trying to update.

  Sharing the constant doesn't feel ideal. It would be better to extract the error handling to something we can share between the lockfile updater and version resolver, but wanted to get this fix in to improve our error rate.
* Yarn: use .yarnrc file if present

  Fixes a bug when trying to force yarn to use `registry.npmjs.org` instead of `registry.yarnpkg.com`.

  Previously, if a .yarnrc file was present with registry `registry "https://registry.npmjs.org"` it would be ignored during updates, as we run yarn programmatically and didn't instruct it to use the config file.

  I've also tested a dry-run without a `.yarnrc` file present.
* v0.148.10
* v0.149.0
* Bundler: Update bundler to 2.2.18

  https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#2218-may-25-2021
* Bundler: Fix ruby version patch for 2.2.18

  Bundler 2.2.18 no longer loads all specs from remote sources when building the source requirements. This is where we used to hook in to patch up any required ruby version before building the source requirements.

  This changes the patch to prepend this behavior to the `source_requirements` method.
* v0.149.1
* Tests: avoid squatted repositories

  A few repositories we expect not to exist on npm have been squatted.

  Where possible this updates those tests to use a namespace that we own, and for one fixture where we explicitly tested against an unscoped package, those tests have been removed, as we do not expect behavior to differ between scoped and unscoped packages.
* gomod: UpdateChecker - handle invalid module path error on update
* Bump eslint from 7.26.0 to 7.27.0 in /npm_and_yarn/helpers

  Bumps [eslint](https://github.com/eslint/eslint) from 7.26.0 to 7.27.0.
  - [Release notes](https://github.com/eslint/eslint/releases)
  - [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
  - [Commits](eslint/eslint@v7.26.0...v7.27.0)

  Signed-off-by: dependabot[bot] <support@github.com>
* v0.149.2
* bump elixir version from 1.10.4 -> 1.11.4
* Bump to latest ruby versions

  This includes:
  - 2.5.9
  - 2.6.7
  - 2.7.3
  - 3.0.1
* poetry: support pyproject.toml indentation
* Tests: Rename non-existent go package name to domain we own

  To prevent name squatting
* Bundler: handle gemspec req ruby version ranges

  Handle `required_ruby_version` ranges in gemspecs: `required_ruby_version = ">= 2.2, < 4.0"` and `required_ruby_version = Gem::Requirement.new(">= 2.1.8", "< 4.0.0")`

  This would previously raise a `Gem::Requirement::BadRequirementError`.

  Note: The `Bundler::Requirement` class splits requirements by `,`. I've done an audit of other uses of `Gem::Requirement`, but these seem ok as we control the range we create, so we shouldn't run into similar bugs there.
* v0.149.3
* test: ensure terraform HTTP API service discovery is performed
* fix: perform service discovery

  https://www.terraform.io/docs/internals/remote-service-discovery.html#discovery-process
* chore: update vcr fixtures to include service discovery requests
* fix: perform service discovery for provider API
* fix: use service discovery to find metadata
* style: fix linter errors
* chore: remove unused code
* refactor: delegate to instance method instead of variable
* test: add service discovery to fixtures
* test: stub service discovery lookup
* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

  Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.0 to 2.6.1.
  - [Release notes](https://github.com/npm/arborist/releases)
  - [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
  - [Commits](npm/arborist@v2.6.0...v2.6.1)

  ---
  updated-dependencies:
  - dependency-name: "@npmcli/arborist"
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump jest in /npm_and_yarn/helpers

  Bumps [jest](https://github.com/facebook/jest) from 27.0.1 to 27.0.3.
  - [Release notes](https://github.com/facebook/jest/releases)
  - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
  - [Commits](jestjs/jest@v27.0.1...v27.0.3)

  ---
  updated-dependencies:
  - dependency-name: jest
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Bump composer/composer from 2.0.12 to 2.0.14 in /composer/helpers/v2

  Bumps [composer/composer](https://github.com/composer/composer) from 2.0.12 to 2.0.14.
  - [Release notes](https://github.com/composer/composer/releases)
  - [Changelog](https://github.com/composer/composer/blob/master/CHANGELOG.md)
  - [Commits](composer/composer@2.0.12...2.0.14)

  Signed-off-by: dependabot[bot] <support@github.com>
* refactor: extract method to build url
* refactor: raise a DependabotError instead of RuntimeError
* Update terraform/lib/dependabot/terraform/registry_client.rb

  Co-authored-by: Pete Wagner <1559510+thepwagner@users.noreply.github.com>
* fix: expand absolute urls in service discovery
* test: relative and missing service urls
* fix: raise error for unsupported schemes
* refactor: replace usages of RuntimeError with DependabotError
* test: collapse subject and before blocks
* test: metadata endpoint is not found
* test: follow redirect to metadata endpoint
* test: reproduce bug that occurs when updating a module
* fix: update regex to match on optional hostname declaration
* style: fix linter errors
* test: remove non-essential elements from fixture
* fix: match provider source addresses with optional hostname
* style: fix linter errors
* Bundler tests: Use git sources for organizations that we own

  Bundler git dependencies have the possibility to execute code during the installation phase. To ensure this does not happen in our test suite, this updates any tests that pull in a git dependency to reference an organization/account that we own.

  This has the added benefit of protecting us against those repositories being renamed, moved or deleted.
* Update terraform/lib/dependabot/terraform/file_updater.rb

  Co-authored-by: Jurre <jurre@github.com>
* v0.149.4
* refactor: raise PrivateSourceAuthenticationFailure instead of DependabotError
* chore(deps-dev): update rubocop requirement from ~> 1.15.0 to ~> 1.16.0

  Updates the requirements on [rubocop](https://github.com/rubocop/rubocop) to permit the latest version.
  - [Release notes](https://github.com/rubocop/rubocop/releases)
  - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
  - [Commits](rubocop/rubocop@v1.15.0...v1.16.0)

  ---
  updated-dependencies:
  - dependency-name: rubocop
    dependency-type: direct:development
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump composer/composer in /composer/helpers/v2

  Bumps [composer/composer](https://github.com/composer/composer) from 2.0.13 to 2.0.14.
  - [Release notes](https://github.com/composer/composer/releases)
  - [Changelog](https://github.com/composer/composer/blob/master/CHANGELOG.md)
  - [Commits](composer/composer@2.0.13...2.0.14)

  ---
  updated-dependencies:
  - dependency-name: composer/composer
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Enable automerge on dependabot pull requests

  Enable automerge on dependabot pull requests if the PR. This won't actually merge the PR; it will still require an approval from a team member.
* Update .github/workflows/dependabot-automerge.yml
* Update .github/workflows/dependabot-automerge.yml
* Update dependabot-automerge.yml
* Update dependabot-automerge.yml
* Update dependabot-automerge.yml
* Update dependabot-automerge.yml
* Update dependabot-automerge.yml
* Update dependabot-automerge.yml
* Update dependabot-automerge.yml
* Update dependabot-automerge.yml
* build(deps): bump detect-indent in /npm_and_yarn/helpers

  Bumps [detect-indent](https://github.com/sindresorhus/detect-indent) from 6.0.0 to 6.1.0.
  - [Release notes](https://github.com/sindresorhus/detect-indent/releases)
  - [Commits](sindresorhus/detect-indent@v6.0.0...v6.1.0)

  ---
  updated-dependencies:
  - dependency-name: detect-indent
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Hex tests: Use git dependencies of repositories we own

  To prevent these repositories from being squatted or from otherwise changing under our feet in unexpected ways, prefer using repositories that we own as git dependencies in our tests.
* v0.149.5
* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

  Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.6.1 to 2.6.2.
  - [Release notes](https://github.com/npm/arborist/releases)
  - [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
  - [Commits](npm/arborist@v2.6.1...v2.6.2)

  ---
  updated-dependencies:
  - dependency-name: "@npmcli/arborist"
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump dependabot/fetch-metadata from 1.0.2 to 1.0.3

  Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 1.0.2 to 1.0.3.
  - [Release notes](https://github.com/dependabot/fetch-metadata/releases)
  - [Commits](dependabot/fetch-metadata@v1.0.2...v1.0.3)

  ---
  updated-dependencies:
  - dependency-name: dependabot/fetch-metadata
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Install Terraform in docker shell

  Co-authored-by: mo khan <xlgmokha@github.com>
* Ignore .terraform and .terraform.lock.hcl

  Co-authored-by: mo khan <xlgmokha@github.com>
* Add file selectors for lockfiles

  Co-authored-by: mo khan <xlgmokha@github.com>
* Create lockfile fixture

  Co-authored-by: mo khan <xlgmokha@github.com>
* Update all lockfile dependencies with `terraform init -upgrade`

  Co-authored-by: mo khan <xlgmokha@github.com>
* Create test for lockfile update
* Update lockfile dependencies one at a time using `terraform providers lock`
* Fix FileUpdater test
* Create versions.tf, remove versioning from main.tf
* Pin lockfile version and constraint, add provider dependency
* Add expected lockfile for hashicorp/random
* Parse provider source strings
* Update lockfiles when provider dependencies are updated
* Add lockfile to the fetched_files array in FileFetcher
* Add lockfile to updated_dependency_files array in FileUpdater
* Add codepath for source type 'lockfile' in FileUpdater
* Add tests for versions.tf dependency updates with and without a lockfile
* fix: support github urls that are not pinned

  e.g.

  ```json
  {
    "name": "foo",
    "version": "0.0.0",
    "dependencies": {
      "express": "expressjs/express",
      "mocha": "mochajs/mocha#4727d357ea",
      "module": "user/repo#feature\/branch"
    }
  }
  ```

  * https://docs.npmjs.com/cli/v7/configuring-npm/package-json#github-urls
* Update hashicorp/aws to a valid version in file_parser_spec test
* Run shell commands with escaped arguments

  Co-authored-by: Philip Harrison <philip@mailharrison.com>
* Inline expected values for lockfile tests
* Fix FileUpdater test version and name issues
* Update FileFetcher#lock_file and FileSelector#lock_file to use FileSelector#lock_file?
* Add UpdateChecker#lockfile_dependency?
* Add test for lockfile parsing to FileParser
* Pass filename to update_lockfile_declaration
* Modify FileParser#build_lockfile_dependency to update context in place
* Fix line endings for version.tf test
* Patch invalid registry source FileParser test
* Update FileSelector#terragrunt_file? to use the lock_file? method

  Co-authored-by: Jurre <jurre@github.com>
* Modify registry_source_details_from
* Do not include lockfile in directory when updating a lockfile dependency
* Update tests to new provider version, reflect prefer_lockfile_source
* Ensure the lockfile version changes

  Co-authored-by: Jurre Stender <jurre@github.com>
* Check lockfile exists before adding to updated_files, fix short-circuit bug

  Co-authored-by: Jurre Stender <jurre@github.com>
* Merge get(endpoint:) function from main
* Update tests to reflect latest version
* Rubocop linting
* build(deps-dev): bump prettier in /npm_and_yarn/helpers

  Bumps [prettier](https://github.com/prettier/prettier) from 2.3.0 to 2.3.1.
  - [Release notes](https://github.com/prettier/prettier/releases)
  - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
  - [Commits](prettier/prettier@2.3.0...2.3.1)

  ---
  updated-dependencies:
  - dependency-name: prettier
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps-dev): bump eslint in /npm_and_yarn/helpers

  Bumps [eslint](https://github.com/eslint/eslint) from 7.27.0 to 7.28.0.
  - [Release notes](https://github.com/eslint/eslint/releases)
  - [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
  - [Commits](eslint/eslint@v7.27.0...v7.28.0)

  ---
  updated-dependencies:
  - dependency-name: eslint
    dependency-type: direct:development
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* build(deps): bump composer/composer in /composer/helpers/v2

  Bumps [composer/composer](https://github.com/composer/composer) from 2.0.14 to 2.1.1.
  - [Release notes](https://github.com/composer/composer/releases)
  - [Changelog](https://github.com/composer/composer/blob/master/CHANGELOG.md)
  - [Commits](composer/composer@2.0.14...2.1.1)

  ---
  updated-dependencies:
  - dependency-name: composer/composer
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Delete automerge until PR state issue is fixed
* build(deps-dev): bump jest in /npm_and_yarn/helpers

  Bumps [jest](https://github.com/facebook/jest) from 27.0.3 to 27.0.4.
  - [Release notes](https://github.com/facebook/jest/releases)
  - [Changelog](https://github.com/facebook/jest/blob/master/CHANGELOG.md)
  - [Commits](jestjs/jest@v27.0.3...v27.0.4)

  ---
  updated-dependencies:
  - dependency-name: jest
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Fix error message matches
* v0.150.0
* Fix nuget spec
* build(deps-dev): bump friendsofphp/php-cs-fixer in /composer/helpers/v2

  Bumps [friendsofphp/php-cs-fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer) from 2.19.0 to 3.0.0.
  - [Release notes](https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases)
  - [Changelog](https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/3.0/CHANGELOG.md)
  - [Commits](PHP-CS-Fixer/PHP-CS-Fixer@v2.19.0...v3.0.0)

  ---
  updated-dependencies:
  - dependency-name: friendsofphp/php-cs-fixer
    dependency-type: direct:development
    update-type: version-update:semver-major
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Rename config file
* Pin erlang to OTP 23 until we can resolve OTP 24 warning issues
* test: pin assertions to the latest HEAD commit
* Remove copy_dir_to_temp_directory, use SharedHelpers inline
* Revert dependabot/FileUpdaters/base changes, reimplement in terraform/FileUpdater
* Revert changes to registry_source_details_from

  There is a separate function to get provider source details. This commit removes checks for provider sources from the registry source details function.
* v0.151.0
* Memoize update_lockfile_declaration method by dependency
* Rubocop
* v0.151.1
* build(deps): bump composer/composer in /composer/helpers/v2

  Bumps [composer/composer](https://github.com/composer/composer) from 2.1.1 to 2.1.2.
  - [Release notes](https://github.com/composer/composer/releases)
  - [Changelog](https://github.com/composer/composer/blob/master/CHANGELOG.md)
  - [Commits](composer/composer@2.1.1...2.1.2)

  ---
  updated-dependencies:
  - dependency-name: composer/composer
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Add retry for Azure client POST
* Use double quotes to avoid extra backslashes for escaping.
* Remove lockfile_dependency? from UpdateChecker
* Revert consul/aws invalid module test
* Revert splitting case statement
* Remove dependency argument from update_lockfile_declaration
* Remove checks for lockfile in updated_dependency_files
* Remove lockfile_changed? method
* Remove memoization for update_lockfile_declaration
* Move lock_file.empty? check to update_lockfile_declaration method
* build(deps): bump pipenv from 2018.11.26 to 2021.5.29 in /python/helpers

  Bumps [pipenv](https://github.com/pypa/pipenv) from 2018.11.26 to 2021.5.29.
  - [Release notes](https://github.com/pypa/pipenv/releases)
  - [Changelog](https://github.com/pypa/pipenv/blob/master/CHANGELOG.rst)
  - [Commits](pypa/pipenv@v2018.11.26...v2021.5.29)

  ---
  updated-dependencies:
  - dependency-name: pipenv
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* Replace FileSelector#lock_file select with find

  Co-authored-by: Philip Harrison <feelepxyz@github.com>
* Refactor FileFetcher#lock_file

  Co-authored-by: Philip Harrison <feelepxyz@github.com>
* Remove RegistryClient#get

  Co-authored-by: Philip Harrison <feelepxyz@github.com>
* Invert updated_content guard

  Co-authored-by: Philip Harrison <philip@mailharrison.com>
* Add a test to check updated_dependency_files doesn't return a lockfile if it doesn't change

  Co-authored-by: Philip Harrison <feelepxyz@github.com>
* Rubocop, remove commented out code
* Drop python 2.x support and fix pipenv 2021.5.29 tests

  Python 2 has been unsupported for a year and a half now, pip 21 no longer supports it, and we see pretty small usage numbers at GitHub. Maintaining support for it has become increasingly harder, and this pipenv upgrade made it even more cumbersome.

  It's been a good ride, python 2. See ya!
* Pin Terraform version
* Upgrade pip to 21.1.2 and pip-tools to 6.1.0

  https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md#610-2021-04-14
  https://pip.pypa.io/en/stable/news/#v21-1-2
* Add lockfile as an array to file_fetcher
* Add lockfile test to FileFetcher
* v0.152.0
* Add instruction to checkout new branch
* DependencyFileNotParseable error with useful message for old terraform provider syntax
* Check if old provider syntax using is_a? instead of respond_to?
* Add test case for hcl1 provider syntax
* Terraform: patch up tests

  These tests pull in the latest version of `hashicorp/aws`, which just updated.

  We should look into replacing this to use a provider that we own, so that we don't end up having to keep up with whatever aws is releasing.
* Tests: Allow profiling tests with stackprof when tagged

  This adds the ability to tag a spec with `:profile`:

  ```ruby
  it "profiles with rspec", :profile do
    # ..
  end
  ```

  And will then generate a stackprof dump in the `tmp` directory. This is useful when debugging performance issues.
* Modify fixture name
* v0.152.1

Co-authored-by: Philip Harrison <philip@mailharrison.com>
Co-authored-by: Jurre Stender <jurrestender@gmail.com>
Co-authored-by: Jurre <jurre@github.com>
Co-authored-by: mo khan <mo@mokhan.ca>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David McIntosh <804610+mctofu@users.noreply.github.com>
Co-authored-by: Philip Ross <philipr@synopsys.com>
Co-authored-by: Edgar Tinajero <24572406+cetinajero@users.noreply.github.com>
Co-authored-by: Pete Wagner <1559510+thepwagner@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Nish Sinha <nishnha@github.com>
Co-authored-by: mo khan <xlgmokha@github.com>
Co-authored-by: Alekhya Yalla <alekhyayalla@microsoft.com>
Co-authored-by: Philip Harrison <feelepxyz@github.com>