Releases: dependabot/dependabot-core
Releases · dependabot/dependabot-core
Release list
v0.386.0
What's Changed
- Capture offending gem details on bundler registry metadata errors by @kbukum1 in #15512
- Bundler: apply empty-checksum metadata patch to the v2 helper by @kbukum1 in #15513
- [Update graph] Ensure bystander txt files are removed before parsing for Python by @brrygrdn in #15508
- Handle global.json with no SDK version in dotnet_sdk parser by @brettfo in #15510
- Type the cargo ecosystem and remove it from the T.untyped burndown by @JamieMagee in #15492
- Type the conda ecosystem and remove it from the T.untyped burndown by @JamieMagee in #15493
- Type the docker ecosystem and remove it from the T.untyped burndown by @JamieMagee in #15495
- Use shared git-tag cooldown in terraform by @robaiken in #15472
- Retry corepack once on signature metadata error by @thavaahariharangit with @Copilot in #15466
- Type the deno, elm, devcontainers, bazel, and helm ecosystems by @JamieMagee in #15527
- Add word-separator and lowercase formatting for branch name by @AbhishekBhaskar in #15478
- Fix Docker cooldown not respected for multi-arch images missing Last-Modified by @robaiken with @Copilot in #15486
- Reduce redundant git-source probes during npm metadata resolution by @thavaahariharangit with @Copilot in #15480
- Type the maven ecosystem and remove it from the T.untyped burndown by @JamieMagee in #15531
- Add branch name config template format support with validation by @AbhishekBhaskar in #15535
- fix(gradle): prefer local gradlew for lockfile updates by @thavaahariharangit in #15546
- helm: support versioning-strategy (range-preserving updates) by @casey-robertson-paypal in #15218
- Bump gradle from 9.4.1-jdk21-ubi to 9.6.1-jdk21-ubi in /gradle by @dependabot[bot] in #15498
- [Update graph] Add support for requirements.txt 'layering' instead of compressing to a single file by @brrygrdn in #15521
- Allow periods in Helm values file names for Docker ecosystem by @telnet23 in #15557
- Match existing group PRs covering a subset of job directories by @IanButterworth in #15548
- Bump library/golang from 1.26.1-bookworm to 1.26.5-bookworm in /go_modules by @dependabot[bot] in #15562
- Fix npm security updates for transitive dependencies in workspace monorepos by @Swampen in #15514
- Add helm to the smoke-test matrix by @casey-robertson-paypal in #15554
- v0.386.0 by @dependabot-core-action-automation[bot] in #15564
New Contributors
Full Changelog: v0.385.0...v0.386.0
v0.385.0
What's Changed
- Support package-scoped NuGet release notes by @Cjewett in #15211
- Filter null entries from job directories by @brettfo in #15457
- devcontainers: preserve major-only Feature pins when precision-matching tags are absent by @thavaahariharangit with @Copilot in #15445
- Type opaque hashes in common with T.anything by @JamieMagee in #15458
- Type the options passthrough in base classes with T.anything by @JamieMagee in #15459
- Apply git-tag cooldown across ecosystems by @robaiken in #15369
- Type requirement helpers in the update-checker base class by @JamieMagee in #15461
- Select group update handler for multi-ecosystem NuGet jobs by @brettfo in #15460
- Type error-detail payloads across common and the updater by @JamieMagee in #15462
- Type package release details with T.anything by @JamieMagee in #15463
- Type message builder commit options and vulnerabilities-fixed by @JamieMagee in #15465
- Fix multiple --default-index args when multiple replaces-base credentials exist by @thavaahariharangit with @Copilot in #15481
- Fetch
gradle.propertiesand making available lock file generation with in dependabot by @thavaahariharangit with @Copilot in #15467 - Detect cargo registries across hierarchical .cargo/config.toml files by @brettfo in #15474
- fix(bundler): only re-vendor platform gems for updated dependencies by @jurre in #15451
- Fix Sorbet runtime signature violations by @JamieMagee in #15476
- Use shared git-tag cooldown in python by @robaiken in #15470
- Fix multiline HTML version parsing for Python/UV private registries by @thavaahariharangit with @Copilot in #15469
- v0.385.0 by @dependabot-core-action-automation[bot] in #15502
New Contributors
Full Changelog: v0.384.0...v0.385.0
v0.384.0
What's Changed
- Bazel: Fix prerelease filtering with same-release-line scoping by @v-HaripriyaC in #15332
- Respect cooldown for Docker digest updates and suppress multi-arch no-ops by @robaiken in #15354
- Bypass npmrc min-release-age for transitive npm security updates by @robaiken in #15386
- Ratchet the Sorbet T.untyped burndown by @JamieMagee in #15399
- feat(docker): implement single-platform image detection and optimize manifest fetching logic by @jpinz in #15390
- Fix private registry config not found error not being raised issue in npm_and_yarn by @AbhishekBhaskar in #15394
- don't fail if nuget cred is missing url by @brettfo in #15378
- Type commit_message_options with a value object by @JamieMagee in #15400
- Type the Dependabot config file parser by @JamieMagee in #15401
- Fix Terraform registry replacement typing and credential semantics by @thavaahariharangit with @Copilot in #15406
- fix: avoid path collisions for SHA-pinned GitHub Actions by @markhallen in #14806
- Nix: skip flake inputs pinned to a bare commit SHA by @JamieMagee in #15412
- Type the vulnerability version-range renderer by @JamieMagee in #15402
- Add JobCommand enum and Command property to NuGet Job model by @brettfo in #15277
- Upgrade Ruby to 4.0.5 by @Bo98 in #14830
- Bump updater-core image to RubyGems/Bundler 4.0.13 by @JamieMagee in #15256
- Fix issue with
PrivateRegistryConfigNotFounderror incorrectly firing when scope is configured by @AbhishekBhaskar in #15416 - Fake MSBuild SolutionDir during NuGet discovery (#13756) by @brettfo in #15392
- NuGet: Filter all editable files not present prior to discovery by @brettfo in #15358
- Support Central Package Versions updates in XmlFileWriter by @brettfo in #15409
- [Update Graph] Report empty manifests as present but empty instead of omitting them by @brrygrdn in #15427
- Fix vcpkg empty PRs for up-to-date baselines by @JamieMagee in #15420
- Nix: update NixOS channel tarball inputs by @JamieMagee in #15413
- fix(opentofu): accept terraform_registry credentials for OCI registry tags by @thavaahariharangit in #15422
- Commit changes to workspace member TOML files by @crabbit-git in #15142
- Fix COREPACK_NPM_REGISTRY trailing slash causing pnpm HTTP 404 on private registries by @thavaahariharangit with @Copilot in #15444
- Map additional NuGet feed errors to private_source_bad_response by @brettfo in #15426
- Support
versionandsecurityNuGet job commands by @brettfo in #15430 - Show the vcpkg release tag instead of master in PR titles by @JamieMagee in #15433
- Register MSBuild before running the job so early NuGet errors are reported by @brettfo in #15431
- Add a baseline to vcpkg projects missing one by @JamieMagee in #15432
- Fix file updater failed to update for all support files sentry error by @AbhishekBhaskar in #15421
- Skip disabled Maven repositories by @adoroszlai in #15443
- v0.384.0 by @dependabot-core-action-automation[bot] in #15438
New Contributors
- @crabbit-git made their first contribution in #15142
- @adoroszlai made their first contribution in #15443
Full Changelog: v0.383.0...v0.384.0
v0.383.0
What's Changed
- Bump bundled npm from 11.8.0 to 11.17.0 by @kbukum1 in #15335
- Fix composer specs failure due to
block-insecurefeature by @AbhishekBhaskar in #15334 - Add blocked_versions.ignored metric for Security-blocked update checks by @kbukum1 in #15333
- Preserve original bundler checksum on Bundler 4.0.11+ lockfile updates by @lucasmazza in #15249
- Generate
.npmrcfrom scope property when lockfile inference fails by @AbhishekBhaskar in #15264 - Revert disabling block insecure flag in composer by @AbhishekBhaskar in #15339
- Fix no method error during fetching credentials properties by @AbhishekBhaskar in #15340
- Use only uv.lock for uv dependency graphing by @Nishnha in #15217
- Add transitive blocked-version enforcement to updater by @robaiken in #15295
- fix(npm_and_yarn): strip trailing slash from registry URL in Corepack env vars by @ajha-cs in #15324
- Fix pre-commit cooldown bypass and incorrect PR metadata issues with grouped updates by @AbhishekBhaskar in #15346
- Surface blocking parent dependency in npm fix-unavailable message by @thavaahariharangit in #15337
- Skip Gradle cooldown metadata fetch when cooldown is not configured by @yeikel in #15136
- Bundler: surface invalid registry gem metadata as a private source error by @kbukum1 in #15351
- Set default max branch name length to 100 characters by @kbukum1 in #15282
- set temporary token for cargo auth that the proxy will then replace by @brettfo in #15298
- Reject updates for private registries without proper dependabot configuration by @AbhishekBhaskar in #15347
- gradle: bump updater image to 9.4.1 by @thavaahariharangit in #15356
- Bundler: tolerate empty registry checksum metadata in v4 helper by @kbukum1 in #15359
- Preserve custom gradle-wrapper.properties values during wrapper updates by @kbukum1 in #15336
- fix(pre-commit, github-actions): use tag creation date for cooldown instead of commit date by @robaiken in #15350
- Update Sorbet toolchain and regenerate gem RBIs by @JamieMagee in #15304
- Enable six zero-offense Sorbet guardrail cops by @JamieMagee in #15305
- Replace to_hash with to_h and enable ImplicitConversionMethod by @JamieMagee in #15306
- Enforce method signatures via Sorbet/EnforceSignatures by @JamieMagee in #15307
- Image content validation for manifest lists for container image updates by @jpinz in #15352
- Type Version and Requirement internals across ecosystems by @JamieMagee in #15379
- Type RequirementsUpdater base and gradle/maven/sbt with DependencyRequirement by @JamieMagee in #15380
- Type standalone RequirementsUpdaters with DependencyRequirement by @JamieMagee in #15381
- Drop Python 3.9 support by @kbukum1 in #15391
- Stub docker manifest request in helm update_checker spec by @JamieMagee in #15398
- Parse DependencyGroup rules into typed readers by @JamieMagee in #15395
- Type provider_metadata as integer-keyed by @JamieMagee in #15396
- Fix Swift native requirement parser when there are additional arguments in
.package()by @kkebo in #15311 - v0.383.0 by @dependabot-core-action-automation[bot] in #15365
New Contributors
- @lucasmazza made their first contribution in #15249
- @ajha-cs made their first contribution in #15324
- @kkebo made their first contribution in #15311
Full Changelog: v0.382.0...v0.383.0
v0.382.0
What's Changed
- Add support for
scopeproperty innpm_registrycredentials by @AbhishekBhaskar in #15219 - uv: Remove dead add_auth_env_vars code and add credential matching diagnostics by @kbukum1 in #15209
- Fix npm registry credential leak to sibling paths on the same host by @Copilot in #15248
- Fix pnpm lockfileVersion 9.0 parsing error with optional chaining by @markhallen in #13959
- Parse remaining Job collections into typed structs by @JamieMagee in #15262
- Add a typed Hash subclass for requirement entries by @JamieMagee in #15263
- Fix Gradle wrapper jar encoding by @kbukum1 in #15235
- fix(maven): handle
.targetupdates in file updater by @thavaahariharangit in #15270 - Default all Cargo crates to increase-if-necessary by @JamieMagee in #14306
- Improve handling of Python failures when insecure-external-code-execution: deny is set, Tidier summary output by @brrygrdn in #15269
- Type updated_requirements as DependencyRequirement across all ecosystems by @JamieMagee in #15272
- Remove T.untyped from four common files by @JamieMagee in #15278
- Type create_dependency_file with keyword arguments by @JamieMagee in #15279
- Remove T.untyped from three updater files by @JamieMagee in #15281
- fix(npm_and_yarn): prefer replaces-base registry over lockfile source for metadata fetches by @thavaahariharangit in #15273
- Type DependencyFile#to_h and Notice#to_hash serialization hashes by @JamieMagee in #15283
- Type parse_dep_string return in bundler and npm_and_yarn by @JamieMagee in #15284
- Type registry_parser, git_pin_replacer, and drop stale pnpm entry by @JamieMagee in #15286
- Type python requirement_parser and pip_compile_files by @JamieMagee in #15287
- Type parse_dep_string return in cargo and pub by @JamieMagee in #15288
- Remove stale ForbidTUntyped entries for eight update checkers by @JamieMagee in #15297
- Type Prism AST node parameters in bundler finders by @JamieMagee in #15299
- Introduce typed GitTagDetails for GitCommitChecker local-tag shape by @JamieMagee in #15300
- Type requirements parameters as DependencyRequirement in gradle and cargo by @JamieMagee in #15302
- Type go_modules requirement parsing and version comparison by @JamieMagee in #15303
- Clarify npm security update failure messages by @thavaahariharangit in #15294
- Bump the regclient group across 1 directory with 2 updates by @dependabot[bot] in #14769
- Fix CHECKSUMS header being stripped when removing bundler 4.0.x entry (#15193) by @jmgarnier in #15229
- Bump bundled Deno to 2.8.3 for lockfile v5 support by @markhallen in #15319
- Add Deno workspace support by @markhallen in #15322
- Bump golang.org/x/mod from 0.33.0 to 0.37.0 in /go_modules/helpers by @dependabot[bot] in #15314
- v0.382.0 by @dependabot-core-action-automation[bot] in #15317
New Contributors
- @jmgarnier made their first contribution in #15229
Full Changelog: v0.381.0...v0.382.0
v0.381.0
What's Changed
- Disable
npmMinimalAgeGatefor Yarn Berry security updates by @yeikel in #15191 - Add Bundler 4 support by @JamieMagee in #15180
- Bump org.apache.maven.plugins:maven-dependency-plugin from 3.10.0 to 3.11.0 in /maven/lib/dependabot/maven by @dependabot[bot] in #15190
- Add GONOPROXY/GONOSUMDB env vars to go_modules FileParser by @Nishnha in #15159
- fix(go_modules): include advisory pseudo-version boundaries for security fix resolution by @thavaahariharangit in #15213
- Retry Gradle metadata fetch on EOF by @thavaahariharangit in #15204
- Handle npm registry EOFError in latest version finder by @thavaahariharangit in #15205
- fix(python): honor
.pip-tools.tomlunsafe-package in pip-compile updates by @thavaahariharangit in #15202 - Swift: add missing rescue-path test for trailing slash in normalize_name by @Copilot in #15220
- Fix TypeError: String does not have #dig method in PipenvRunner by @Copilot in #14821
- fix(go_modules): run strict go mod tidy and surface real errors by @kbukum1 in #15094
- Gate YARN_NPM_MINIMAL_AGE_GATE on Yarn 4.10+ by @yeikel in #15226
- opentofu: handle OCI source type in MetadataFinder by @diofeher in #14990
- Respect cooldown rules when generating Poetry lockfiles by @thavaahariharangit in #15232
- Fix nuget exception on call to single() by @sebasgomez238 in #15233
- Fix Maven property update previous version metadata by @kbukum1 in #15224
- Detect ICU package error indicating EOL SDK by @brettfo in #15234
- Fix docker_compose parser crash on YAML symbols in lock files by @kbukum1 in #15036
- Handle Berry lockfiles without explicit Yarn config by @Copilot in #14820
- Fix behavioral gap in prerelease detection found with Python and generalized to common by @v-HaripriyaC in #15179
- Fix incorrect cooldown filtering for sha pinned dependencies in pre-commit by @AbhishekBhaskar in #15225
- Harden Helm helper CLI argument handling and fix
helm searchflag ordering by @Copilot in #15247 - Add an experimental GitHub Action summary for graph jobs by @brrygrdn in #15223
- Add RBI shims for API client wrappers, remove ~110 T.unsafe calls by @JamieMagee in #14615
- Bump library/rust from 1.94.0-bookworm to 1.95.0-bookworm in /cargo by @dependabot[bot] in #15188
- Replace Job's untyped hashes with T::ImmutableStruct by @JamieMagee in #14616
- Fix Gradle/Maven prerelease detection gaps by @v-HaripriyaC in #15222
- Fix OCI Helm chart metadata finder to strip oci:// prefix by @Copilot in #13634
- Fix workflow summary experiment name by @brrygrdn in #15250
- Validate dependency versions in GlobalJsonDiscovery by @brettfo in #15255
- Enable two Sorbet cops, ignore bazel/nix specs by @JamieMagee in #15257
- Enable Sorbet/ForbidTUntyped with a todo backlog by @JamieMagee in #15258
- v0.381.0 by @dependabot-core-action-automation[bot] in #15246
Full Changelog: v0.380.0...v0.381.0
v0.380.0
What's Changed
- bundler: avoid adding Bundler checksum for lockfiles using 4.0.0-4.0.10 by @thavaahariharangit in #15164
- Remove beta ecosystem flag handling for Deno by @markhallen in #15173
- [bun] Add lockfile generator for bun by @brrygrdn in #14882
- Pass
--config.minimumReleaseAge=0forpnpmsecurity updates to bypass pnpm-workspace.yaml by @yeikel in #15170 - build(deps): bump terraform to 1.15.3 by @HorizonNet in #15055
- Change cron schedule from Thursday to Monday by @robaiken in #15181
- Add specific error for missing .NET SDK in discovery by @brettfo in #15168
- Throw UnparseableFileException when slnx parsing fails by @brettfo in #15167
- v0.380.0 by @dependabot-core-action-automation[bot] in #15192
Full Changelog: v0.379.0...v0.380.0
v0.379.0
What's Changed
- Fix duplicate updated dependencies in multi-directory group refresh by @markhallen in #15098
- Recategorise lockfile generation errors as known types by @brrygrdn in #15084
- [Graph Job] Do not treat
Dependabot::UnexpectedExternalCodeas a hard failure by @brrygrdn in #15075 - [Graph] Fix handling of multiple version resolution by @brrygrdn in #15099
- Bun: Upgrade to Node JS 24 by @yeikel in #14964
- Add API integration to fetch blocked versions at job construction by @kbukum1 in #14917
- Fix go modules error in package details fetcher due to subpath issue by @AbhishekBhaskar in #15096
- add common pattern for directory specification by @brettfo in #15108
- raise generic error without path information by @brettfo in #15088
- Add HasNoWarnNU1701 merge logic in project discovery by @brettfo in #15090
- NuGet: Auto-patch NuGet.Config to allow insecure HTTP feeds by @brettfo in #15092
- NuGet: Filter out submodule paths during discovery by @brettfo in #15093
- Implement a "dealias_packages" flag for npm file parsing by @brrygrdn in #15070
- fix(docker_compose): support folded scalar and docker.io-prefixed image values by @thavaahariharangit in #15100
- Suppress Docker digest-only updates when tag version is unchanged by @markhallen in #15103
- generate and submit dependency graphs by @brettfo in #14956
- Revert "Add API integration to fetch blocked versions at job construction" by @robaiken in #15120
- change test for file path to account for empty string by @brettfo in #15109
- NuGet: Add circular dependency detection to MSBuildHelper.ThrowOnError by @brettfo in #15116
- Catch FatalProtocolException from source repository initialization by @brettfo in #15117
- NuGet: Remove redundant GetPackageGraphForDependencies and use discovery DependencyGraph by @brettfo in #15122
- Add API integration to fetch blocked versions at job updates by @kbukum1 in #15123
- Fix yarn berry security updates resolving to latest instead of target version by @kbukum1 in #15091
- Fix misleading Terraform registry error when TLS certificate verification fails by @yeikel in #15131
- Fix cooldown ignored in additional_dependencies issue by @AbhishekBhaskar in #15124
- Remove beta ecosystems feature flag for sbt by @AbhishekBhaskar in #15151
- NuGet: Fix binding redirect XML parse error to report unparseable file by @brettfo in #15147
- fix(npm_and_yarn): handle engines OR constraints and split caret-expanded bounds by @thavaahariharangit in #15144
- Pass
--min-release-age=0for npm security updates to bypass.npmrcby @yeikel in #15139 - Add deno lockfile support by @sbs44 in #15153
- NuGet: Fix version range double-wrapping in temp project creation by @brettfo in #15152
- Check ProjectAssetsFile exists before reading by @brettfo in #15160
- fix: use configured github source when checking GitHub Actions pre-release status by @yeikel in #15004
- ERR_PNPM_INVALID_DEPENDENCY_NAME handler in PnpmLockfileUpdater by @Copilot in #15165
- Read npm min-release-age from .npmrc and apply as cooldown by @yeikel in #15132
- v0.379.0 by @dependabot-core-action-automation[bot] in #15162
Special Thanks
Big thanks to @yeikel for driving the min-release-age support for the JavaScript ecosystems!
Full Changelog: v0.378.0...v0.379.0
v0.378.0
What's Changed
- fix(opentofu): strip v prefix in cooldown version comparison by @diofeher in #15044
- Use POM last-modified as Gradle plugin release date fallback by @thavaahariharangit in #15006
- Add blocked versions support to updater job by @kbukum1 in #14915
- Add blocked versions support to dry-run script by @kbukum1 in #14916
- Strip surrounding quotes from go.env values before writing by @yeikel in #15060
- Require dependabot-deno in updater setup by @markhallen in #15064
- fix(docker): use manifests endpoint for manifest-list digests by @devantler in #14691
- Fix NuGet lock file tracking when no lock file exists by @brettfo in #15030
- chore: Remove group_membership_enforcement experiment flag by @markhallen in #14861
- redo recursive directory matching with logging by @brettfo in #15072
- (fix) Handle Poetry group metadata without dependencies table by @julia-thorn in #14689
- Fix cooldown breaking Docker updates when registry API calls fail by @Copilot in #14149
- Upgrade Python versions and deprecate Python 3.9 by @kbukum1 in #15058
- Remove NuGet.Core package dependency by @brettfo in #15037
- NuGet: Add FindRootDirectory experiment to resolve root entry points by @brettfo in #15021
- Sync uv Dockerfile Python versions with python ecosystem by @kbukum1 in #15087
- Detect NoWarn NU1701 in SDK project discovery and warn during report by @brettfo in #15052
- handle errant whitespace in global.json by @brettfo in #15086
- fix(github_actions): align SHA updates with cooldown-filtered latest version by @thavaahariharangit in #15078
- v0.378.0 by @dependabot-core-action-automation[bot] in #15095
New Contributors
- @devantler made their first contribution in #14691
- @julia-thorn made their first contribution in #14689
Full Changelog: v0.377.0...v0.378.0
v0.377.0
What's Changed
- Implement sbt metadata finder by @AbhishekBhaskar in #15011
- Bump NuGet.Client to release/7.6.x and pin dotnet-core to v10.0.8 by @JamieMagee in #14995
- feat(opentofu): resolve locals references in module version constraints by @diofeher in #15009
- simplify line indent detection by @brettfo in #14980
- Fix flaky test: use unique git.store path to avoid parallel race condition by @brettfo in #14944
- Update OpenTelemetry packages to 1.15.3 by @brettfo in #15029
- Add SBT ecosystem to CI, Docker images, and runtime registration by @kbukum1 in #15012
- v0.377.0 by @dependabot-core-action-automation[bot] in #15033
Full Changelog: v0.376.0...v0.377.0