Skip to content

Releases: dependabot/dependabot-core

v0.386.0

Choose a tag to compare

@robaiken robaiken released this 13 Jul 16:30
e9c2e95

What's Changed

  • Capture offending gem details on bundler registry metadata errors by @kbukum1 in #15512
  • Bundler: apply empty-checksum metadata patch to the v2 helper by @kbukum1 in #15513
  • [Update graph] Ensure bystander txt files are removed before parsing for Python by @brrygrdn in #15508
  • Handle global.json with no SDK version in dotnet_sdk parser by @brettfo in #15510
  • Type the cargo ecosystem and remove it from the T.untyped burndown by @JamieMagee in #15492
  • Type the conda ecosystem and remove it from the T.untyped burndown by @JamieMagee in #15493
  • Type the docker ecosystem and remove it from the T.untyped burndown by @JamieMagee in #15495
  • Use shared git-tag cooldown in terraform by @robaiken in #15472
  • Retry corepack once on signature metadata error by @thavaahariharangit with @Copilot in #15466
  • Type the deno, elm, devcontainers, bazel, and helm ecosystems by @JamieMagee in #15527
  • Add word-separator and lowercase formatting for branch name by @AbhishekBhaskar in #15478
  • Fix Docker cooldown not respected for multi-arch images missing Last-Modified by @robaiken with @Copilot in #15486
  • Reduce redundant git-source probes during npm metadata resolution by @thavaahariharangit with @Copilot in #15480
  • Type the maven ecosystem and remove it from the T.untyped burndown by @JamieMagee in #15531
  • Add branch name config template format support with validation by @AbhishekBhaskar in #15535
  • fix(gradle): prefer local gradlew for lockfile updates by @thavaahariharangit in #15546
  • helm: support versioning-strategy (range-preserving updates) by @casey-robertson-paypal in #15218
  • Bump gradle from 9.4.1-jdk21-ubi to 9.6.1-jdk21-ubi in /gradle by @dependabot[bot] in #15498
  • [Update graph] Add support for requirements.txt 'layering' instead of compressing to a single file by @brrygrdn in #15521
  • Allow periods in Helm values file names for Docker ecosystem by @telnet23 in #15557
  • Match existing group PRs covering a subset of job directories by @IanButterworth in #15548
  • Bump library/golang from 1.26.1-bookworm to 1.26.5-bookworm in /go_modules by @dependabot[bot] in #15562
  • Fix npm security updates for transitive dependencies in workspace monorepos by @Swampen in #15514
  • Add helm to the smoke-test matrix by @casey-robertson-paypal in #15554
  • v0.386.0 by @dependabot-core-action-automation[bot] in #15564

New Contributors

Full Changelog: v0.385.0...v0.386.0

v0.385.0

Choose a tag to compare

@thavaahariharangit thavaahariharangit released this 06 Jul 18:31
00e8493

What's Changed

  • Support package-scoped NuGet release notes by @Cjewett in #15211
  • Filter null entries from job directories by @brettfo in #15457
  • devcontainers: preserve major-only Feature pins when precision-matching tags are absent by @thavaahariharangit with @Copilot in #15445
  • Type opaque hashes in common with T.anything by @JamieMagee in #15458
  • Type the options passthrough in base classes with T.anything by @JamieMagee in #15459
  • Apply git-tag cooldown across ecosystems by @robaiken in #15369
  • Type requirement helpers in the update-checker base class by @JamieMagee in #15461
  • Select group update handler for multi-ecosystem NuGet jobs by @brettfo in #15460
  • Type error-detail payloads across common and the updater by @JamieMagee in #15462
  • Type package release details with T.anything by @JamieMagee in #15463
  • Type message builder commit options and vulnerabilities-fixed by @JamieMagee in #15465
  • Fix multiple --default-index args when multiple replaces-base credentials exist by @thavaahariharangit with @Copilot in #15481
  • Fetch gradle.properties and making available lock file generation with in dependabot by @thavaahariharangit with @Copilot in #15467
  • Detect cargo registries across hierarchical .cargo/config.toml files by @brettfo in #15474
  • fix(bundler): only re-vendor platform gems for updated dependencies by @jurre in #15451
  • Fix Sorbet runtime signature violations by @JamieMagee in #15476
  • Use shared git-tag cooldown in python by @robaiken in #15470
  • Fix multiline HTML version parsing for Python/UV private registries by @thavaahariharangit with @Copilot in #15469
  • v0.385.0 by @dependabot-core-action-automation[bot] in #15502

New Contributors

Full Changelog: v0.384.0...v0.385.0

v0.384.0

Choose a tag to compare

@sachin-sandhu sachin-sandhu released this 30 Jun 16:05
434965e

What's Changed

New Contributors

Full Changelog: v0.383.0...v0.384.0

v0.383.0

Choose a tag to compare

@v-HaripriyaC v-HaripriyaC released this 24 Jun 02:35
5b941ee

What's Changed

  • Bump bundled npm from 11.8.0 to 11.17.0 by @kbukum1 in #15335
  • Fix composer specs failure due to block-insecure feature by @AbhishekBhaskar in #15334
  • Add blocked_versions.ignored metric for Security-blocked update checks by @kbukum1 in #15333
  • Preserve original bundler checksum on Bundler 4.0.11+ lockfile updates by @lucasmazza in #15249
  • Generate .npmrc from scope property when lockfile inference fails by @AbhishekBhaskar in #15264
  • Revert disabling block insecure flag in composer by @AbhishekBhaskar in #15339
  • Fix no method error during fetching credentials properties by @AbhishekBhaskar in #15340
  • Use only uv.lock for uv dependency graphing by @Nishnha in #15217
  • Add transitive blocked-version enforcement to updater by @robaiken in #15295
  • fix(npm_and_yarn): strip trailing slash from registry URL in Corepack env vars by @ajha-cs in #15324
  • Fix pre-commit cooldown bypass and incorrect PR metadata issues with grouped updates by @AbhishekBhaskar in #15346
  • Surface blocking parent dependency in npm fix-unavailable message by @thavaahariharangit in #15337
  • Skip Gradle cooldown metadata fetch when cooldown is not configured by @yeikel in #15136
  • Bundler: surface invalid registry gem metadata as a private source error by @kbukum1 in #15351
  • Set default max branch name length to 100 characters by @kbukum1 in #15282
  • set temporary token for cargo auth that the proxy will then replace by @brettfo in #15298
  • Reject updates for private registries without proper dependabot configuration by @AbhishekBhaskar in #15347
  • gradle: bump updater image to 9.4.1 by @thavaahariharangit in #15356
  • Bundler: tolerate empty registry checksum metadata in v4 helper by @kbukum1 in #15359
  • Preserve custom gradle-wrapper.properties values during wrapper updates by @kbukum1 in #15336
  • fix(pre-commit, github-actions): use tag creation date for cooldown instead of commit date by @robaiken in #15350
  • Update Sorbet toolchain and regenerate gem RBIs by @JamieMagee in #15304
  • Enable six zero-offense Sorbet guardrail cops by @JamieMagee in #15305
  • Replace to_hash with to_h and enable ImplicitConversionMethod by @JamieMagee in #15306
  • Enforce method signatures via Sorbet/EnforceSignatures by @JamieMagee in #15307
  • Image content validation for manifest lists for container image updates by @jpinz in #15352
  • Type Version and Requirement internals across ecosystems by @JamieMagee in #15379
  • Type RequirementsUpdater base and gradle/maven/sbt with DependencyRequirement by @JamieMagee in #15380
  • Type standalone RequirementsUpdaters with DependencyRequirement by @JamieMagee in #15381
  • Drop Python 3.9 support by @kbukum1 in #15391
  • Stub docker manifest request in helm update_checker spec by @JamieMagee in #15398
  • Parse DependencyGroup rules into typed readers by @JamieMagee in #15395
  • Type provider_metadata as integer-keyed by @JamieMagee in #15396
  • Fix Swift native requirement parser when there are additional arguments in .package() by @kkebo in #15311
  • v0.383.0 by @dependabot-core-action-automation[bot] in #15365

New Contributors

Full Changelog: v0.382.0...v0.383.0

v0.382.0

Choose a tag to compare

@AbhishekBhaskar AbhishekBhaskar released this 15 Jun 22:12
6b62d68

What's Changed

New Contributors

Full Changelog: v0.381.0...v0.382.0

v0.381.0

Choose a tag to compare

@kbukum1 kbukum1 released this 09 Jun 18:01
ed54286

What's Changed

  • Disable npmMinimalAgeGate for Yarn Berry security updates by @yeikel in #15191
  • Add Bundler 4 support by @JamieMagee in #15180
  • Bump org.apache.maven.plugins:maven-dependency-plugin from 3.10.0 to 3.11.0 in /maven/lib/dependabot/maven by @dependabot[bot] in #15190
  • Add GONOPROXY/GONOSUMDB env vars to go_modules FileParser by @Nishnha in #15159
  • fix(go_modules): include advisory pseudo-version boundaries for security fix resolution by @thavaahariharangit in #15213
  • Retry Gradle metadata fetch on EOF by @thavaahariharangit in #15204
  • Handle npm registry EOFError in latest version finder by @thavaahariharangit in #15205
  • fix(python): honor .pip-tools.toml unsafe-package in pip-compile updates by @thavaahariharangit in #15202
  • Swift: add missing rescue-path test for trailing slash in normalize_name by @Copilot in #15220
  • Fix TypeError: String does not have #dig method in PipenvRunner by @Copilot in #14821
  • fix(go_modules): run strict go mod tidy and surface real errors by @kbukum1 in #15094
  • Gate YARN_NPM_MINIMAL_AGE_GATE on Yarn 4.10+ by @yeikel in #15226
  • opentofu: handle OCI source type in MetadataFinder by @diofeher in #14990
  • Respect cooldown rules when generating Poetry lockfiles by @thavaahariharangit in #15232
  • Fix nuget exception on call to single() by @sebasgomez238 in #15233
  • Fix Maven property update previous version metadata by @kbukum1 in #15224
  • Detect ICU package error indicating EOL SDK by @brettfo in #15234
  • Fix docker_compose parser crash on YAML symbols in lock files by @kbukum1 in #15036
  • Handle Berry lockfiles without explicit Yarn config by @Copilot in #14820
  • Fix behavioral gap in prerelease detection found with Python and generalized to common by @v-HaripriyaC in #15179
  • Fix incorrect cooldown filtering for sha pinned dependencies in pre-commit by @AbhishekBhaskar in #15225
  • Harden Helm helper CLI argument handling and fix helm search flag ordering by @Copilot in #15247
  • Add an experimental GitHub Action summary for graph jobs by @brrygrdn in #15223
  • Add RBI shims for API client wrappers, remove ~110 T.unsafe calls by @JamieMagee in #14615
  • Bump library/rust from 1.94.0-bookworm to 1.95.0-bookworm in /cargo by @dependabot[bot] in #15188
  • Replace Job's untyped hashes with T::ImmutableStruct by @JamieMagee in #14616
  • Fix Gradle/Maven prerelease detection gaps by @v-HaripriyaC in #15222
  • Fix OCI Helm chart metadata finder to strip oci:// prefix by @Copilot in #13634
  • Fix workflow summary experiment name by @brrygrdn in #15250
  • Validate dependency versions in GlobalJsonDiscovery by @brettfo in #15255
  • Enable two Sorbet cops, ignore bazel/nix specs by @JamieMagee in #15257
  • Enable Sorbet/ForbidTUntyped with a todo backlog by @JamieMagee in #15258
  • v0.381.0 by @dependabot-core-action-automation[bot] in #15246

Full Changelog: v0.380.0...v0.381.0

v0.380.0

Choose a tag to compare

@markhallen markhallen released this 01 Jun 10:31
2609d37

What's Changed

  • bundler: avoid adding Bundler checksum for lockfiles using 4.0.0-4.0.10 by @thavaahariharangit in #15164
  • Remove beta ecosystem flag handling for Deno by @markhallen in #15173
  • [bun] Add lockfile generator for bun by @brrygrdn in #14882
  • Pass --config.minimumReleaseAge=0 for pnpm security updates to bypass pnpm-workspace.yaml by @yeikel in #15170
  • build(deps): bump terraform to 1.15.3 by @HorizonNet in #15055
  • Change cron schedule from Thursday to Monday by @robaiken in #15181
  • Add specific error for missing .NET SDK in discovery by @brettfo in #15168
  • Throw UnparseableFileException when slnx parsing fails by @brettfo in #15167
  • v0.380.0 by @dependabot-core-action-automation[bot] in #15192

Full Changelog: v0.379.0...v0.380.0

v0.379.0

Choose a tag to compare

@robaiken robaiken released this 28 May 17:11
7253b58

What's Changed

  • Fix duplicate updated dependencies in multi-directory group refresh by @markhallen in #15098
  • Recategorise lockfile generation errors as known types by @brrygrdn in #15084
  • [Graph Job] Do not treat Dependabot::UnexpectedExternalCode as a hard failure by @brrygrdn in #15075
  • [Graph] Fix handling of multiple version resolution by @brrygrdn in #15099
  • Bun: Upgrade to Node JS 24 by @yeikel in #14964
  • Add API integration to fetch blocked versions at job construction by @kbukum1 in #14917
  • Fix go modules error in package details fetcher due to subpath issue by @AbhishekBhaskar in #15096
  • add common pattern for directory specification by @brettfo in #15108
  • raise generic error without path information by @brettfo in #15088
  • Add HasNoWarnNU1701 merge logic in project discovery by @brettfo in #15090
  • NuGet: Auto-patch NuGet.Config to allow insecure HTTP feeds by @brettfo in #15092
  • NuGet: Filter out submodule paths during discovery by @brettfo in #15093
  • Implement a "dealias_packages" flag for npm file parsing by @brrygrdn in #15070
  • fix(docker_compose): support folded scalar and docker.io-prefixed image values by @thavaahariharangit in #15100
  • Suppress Docker digest-only updates when tag version is unchanged by @markhallen in #15103
  • generate and submit dependency graphs by @brettfo in #14956
  • Revert "Add API integration to fetch blocked versions at job construction" by @robaiken in #15120
  • change test for file path to account for empty string by @brettfo in #15109
  • NuGet: Add circular dependency detection to MSBuildHelper.ThrowOnError by @brettfo in #15116
  • Catch FatalProtocolException from source repository initialization by @brettfo in #15117
  • NuGet: Remove redundant GetPackageGraphForDependencies and use discovery DependencyGraph by @brettfo in #15122
  • Add API integration to fetch blocked versions at job updates by @kbukum1 in #15123
  • Fix yarn berry security updates resolving to latest instead of target version by @kbukum1 in #15091
  • Fix misleading Terraform registry error when TLS certificate verification fails by @yeikel in #15131
  • Fix cooldown ignored in additional_dependencies issue by @AbhishekBhaskar in #15124
  • Remove beta ecosystems feature flag for sbt by @AbhishekBhaskar in #15151
  • NuGet: Fix binding redirect XML parse error to report unparseable file by @brettfo in #15147
  • fix(npm_and_yarn): handle engines OR constraints and split caret-expanded bounds by @thavaahariharangit in #15144
  • Pass --min-release-age=0 for npm security updates to bypass .npmrc by @yeikel in #15139
  • Add deno lockfile support by @sbs44 in #15153
  • NuGet: Fix version range double-wrapping in temp project creation by @brettfo in #15152
  • Check ProjectAssetsFile exists before reading by @brettfo in #15160
  • fix: use configured github source when checking GitHub Actions pre-release status by @yeikel in #15004
  • ERR_PNPM_INVALID_DEPENDENCY_NAME handler in PnpmLockfileUpdater by @Copilot in #15165
  • Read npm min-release-age from .npmrc and apply as cooldown by @yeikel in #15132
  • v0.379.0 by @dependabot-core-action-automation[bot] in #15162

Special Thanks

Big thanks to @yeikel for driving the min-release-age support for the JavaScript ecosystems!

Full Changelog: v0.378.0...v0.379.0

v0.378.0

Choose a tag to compare

@thavaahariharangit thavaahariharangit released this 21 May 08:48
3f68e11

What's Changed

  • fix(opentofu): strip v prefix in cooldown version comparison by @diofeher in #15044
  • Use POM last-modified as Gradle plugin release date fallback by @thavaahariharangit in #15006
  • Add blocked versions support to updater job by @kbukum1 in #14915
  • Add blocked versions support to dry-run script by @kbukum1 in #14916
  • Strip surrounding quotes from go.env values before writing by @yeikel in #15060
  • Require dependabot-deno in updater setup by @markhallen in #15064
  • fix(docker): use manifests endpoint for manifest-list digests by @devantler in #14691
  • Fix NuGet lock file tracking when no lock file exists by @brettfo in #15030
  • chore: Remove group_membership_enforcement experiment flag by @markhallen in #14861
  • redo recursive directory matching with logging by @brettfo in #15072
  • (fix) Handle Poetry group metadata without dependencies table by @julia-thorn in #14689
  • Fix cooldown breaking Docker updates when registry API calls fail by @Copilot in #14149
  • Upgrade Python versions and deprecate Python 3.9 by @kbukum1 in #15058
  • Remove NuGet.Core package dependency by @brettfo in #15037
  • NuGet: Add FindRootDirectory experiment to resolve root entry points by @brettfo in #15021
  • Sync uv Dockerfile Python versions with python ecosystem by @kbukum1 in #15087
  • Detect NoWarn NU1701 in SDK project discovery and warn during report by @brettfo in #15052
  • handle errant whitespace in global.json by @brettfo in #15086
  • fix(github_actions): align SHA updates with cooldown-filtered latest version by @thavaahariharangit in #15078
  • v0.378.0 by @dependabot-core-action-automation[bot] in #15095

New Contributors

Full Changelog: v0.377.0...v0.378.0

v0.377.0

Choose a tag to compare

@kbukum1 kbukum1 released this 15 May 22:07
a79d531

What's Changed

  • Implement sbt metadata finder by @AbhishekBhaskar in #15011
  • Bump NuGet.Client to release/7.6.x and pin dotnet-core to v10.0.8 by @JamieMagee in #14995
  • feat(opentofu): resolve locals references in module version constraints by @diofeher in #15009
  • simplify line indent detection by @brettfo in #14980
  • Fix flaky test: use unique git.store path to avoid parallel race condition by @brettfo in #14944
  • Update OpenTelemetry packages to 1.15.3 by @brettfo in #15029
  • Add SBT ecosystem to CI, Docker images, and runtime registration by @kbukum1 in #15012
  • v0.377.0 by @dependabot-core-action-automation[bot] in #15033

Full Changelog: v0.376.0...v0.377.0