
cli's Issues

Credential issues when using custom source provider for bitbucket server

I made changes to dependabot-core to support the bitbucket server source.

Everything is working fine. I started using the cli to verify certain things a few days back, and everything was working fine even without specifying the credentials, for example:

input:
    job:
      package-manager: maven
      allowed-updates:
        - update-type: all
      existing-pull-requests:
        - - dependency-name: com.arangodb:arangodb-java-driver
            dependency-version: 7.1.0
      source:
        provider: bitbucket_server
        repo: proj/test-repo
        directory: /
        commit: 0103c642c39289b0e0bece5494a485e5d859d5c8
      ignore-conditions:
        - dependency-name: com.arangodb:arangodb-java-driver
          version-requirement: "7.0.0"
    credentials:
      - type: maven_repository
        url: https://xxxx.jfrog.io/xxxx/libs-release-local
        username: $JFROG_USERNAME
        password: $JFROG_PASSWORD
      - type: maven_repository
        url: https://xxxx.jfrog.io/xxxx/libs-snapshot-local
        username: $JFROG_USERNAME
        password: $JFROG_PASSWORD

But all of a sudden it stopped working. Now I get the following error:

    cli | 2023/08/03 05:52:23 Inserting $LOCAL_GITHUB_ACCESS_TOKEN into credentials
    cli | 2023/08/03 05:52:23 Adding missing credentials-metadata into job definition
    cli | 2023/08/03 05:52:23 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:64a9250977fc206582758ae46861428e144abf6daf74448bd2b195706bc301a0
    cli | 2023/08/03 05:52:23 using image ghcr.io/dependabot/dependabot-updater-maven at sha256:ba5ede6cfda51f3b2c06875644bf990d461c42e4204266066f8ea119b4fa370b
  proxy | 2023/08/03 05:52:24 proxy starting, commit: 7a5d8c20c9a94f571abb6857bf47b26103757412
  proxy | 2023/08/03 05:52:24 initializing metrics client: No address passed and autodetection from environment failed
  proxy | 2023/08/03 05:52:24 Listening (:1080)
updater | Updating certificates in /etc/ssl/certs...
updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
updater | 1 added, 0 removed; done.
updater | Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | 2023/08/03 05:52:26 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2023/08/03 05:52:27 INFO Starting job processing
  proxy | 2023/08/03 05:52:27 [002] GET https://example.com:443/rest/api/1.0/projects/proj/repos/test-repo/raw/pom.xml?at=0103c642c39289b0e0bece5494a485e5d859d5c8
  proxy | 2023/08/03 05:52:28 [002] 401 https://example.com:443/rest/api/1.0/projects/proj/repos/test-repo/raw/pom.xml?at=0103c642c39289b0e0bece5494a485e5d859d5c8
updater | 2023/08/03 05:52:28 ERROR Error during file fetching; aborting
updater | 2023/08/03 05:52:28 ERROR Dependabot::Clients::BitbucketServer::Unauthorized
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/common/lib/dependabot/clients/bitbucket_server.rb:261:in `get'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/common/lib/dependabot/clients/bitbucket_server.rb:73:in `fetch_file_contents'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/common/lib/dependabot/file_fetchers/base.rb:550:in `_fetch_file_content_fully_specified'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/common/lib/dependabot/file_fetchers/base.rb:525:in `_fetch_file_content'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/common/lib/dependabot/file_fetchers/base.rb:163:in `fetch_file_from_host'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/maven/lib/dependabot/maven/file_fetcher.rb:33:in `pom'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/maven/lib/dependabot/maven/file_fetcher.rb:25:in `fetch_files'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/common/lib/dependabot/file_fetchers/base.rb:77:in `files'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/dependabot-updater/lib/dependabot/file_fetcher_command.rb:67:in `dependency_files'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/dependabot-updater/lib/dependabot/file_fetcher_command.rb:30:in `perform_job'
updater | 2023/08/03 05:52:28 ERROR /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:52:in `run'
updater | 2023/08/03 05:52:28 ERROR bin/fetch_files.rb:23:in `<main>'
  proxy | 2023/08/03 05:52:28 [003] POST http://host.docker.internal:53131/update_jobs/cli/record_update_job_error
    cli | 2023/08/03 05:52:28 type was unexpected: expected create_pull_request got record_update_job_error
  proxy | 2023/08/03 05:52:28 [003] 200 http://host.docker.internal:53131/update_jobs/cli/record_update_job_error
  proxy | 2023/08/03 05:52:28 [004] PATCH http://host.docker.internal:53131/update_jobs/cli/mark_as_processed
    cli | 2023/08/03 05:52:28 missing expectation
  proxy | 2023/08/03 05:52:28 [004] 200 http://host.docker.internal:53131/update_jobs/cli/mark_as_processed
updater | 2023/08/03 05:52:28 INFO Finished job processing
updater | 2023/08/03 05:52:28 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------+
updater | |    Errors     |
updater | +---------------+
updater | | unknown_error |
updater | +---------------+
  proxy | 2023/08/03 05:52:29 0/1 calls cached (0%)

I tried several combinations of setting credentials for the type git_source, but it is not helping, for example:

input:
    job:
      package-manager: maven
      allowed-updates:
        - update-type: all
      existing-pull-requests:
        - - dependency-name: com.arangodb:arangodb-java-driver
            dependency-version: 7.1.0
      source:
        provider: bitbucket_server
        repo: proj/test-repo
        directory: /
        commit: 0103c642c39289b0e0bece5494a485e5d859d5c8
      ignore-conditions:
        - dependency-name: com.arangodb:arangodb-java-driver
          version-requirement: "7.0.0"
    credentials:
      - type: git_source
        host: example.com
        token: $BITBUCKET_TOKEN
      - type: maven_repository
        url: https://xxxx.jfrog.io/xxxx/libs-release-local
        username: $JFROG_USERNAME
        password: $JFROG_PASSWORD
      - type: maven_repository
        url: https://xxxx.jfrog.io/xxxx/libs-snapshot-local
        username: $JFROG_USERNAME
        password: $JFROG_PASSWORD

I think the proxy is not passing credentials as bearer tokens.

Is the code for ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest publicly available?

failed to update deps from auth failures results in failed build in javascript

Command used:

/opt/dependabot update -f job.yaml --local ./ -o dependabot-results.yaml

Config used:

job:
    package-manager: npm_and_yarn
    allowed-updates:
      - update-type: all
    source:
        provider: github
        repo: local/scan
        directory: /
credentials:
  - type: npm_registry
    registry: https://nexus.redacted.org/npm-all/
    username: redacted
    password: redacted

Logs:

08:54:39  dependabot:   CLI: /opt/dependabot update -f job.yaml --local ./ -o ${_RESULTS}
08:54:39  [Pipeline] sh
08:54:39  + /opt/dependabot update -f job.yaml --local ./ -o dependabot-results.yaml
08:54:39      cli | 2024/01/22 15:47:04 Inserting $LOCAL_GITHUB_ACCESS_TOKEN into credentials
08:54:39      cli | 2024/01/22 15:47:04 pulling image: ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest
08:54:41      cli | 2024/01/22 15:47:06 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:0407f9d3061fe12170111e36b0298d0beac847c5accdd221f17d3d1c28364ddf
08:54:41      cli | 2024/01/22 15:47:06 pulling image: ghcr.io/dependabot/dependabot-updater-npm
08:54:53      cli | 2024/01/22 15:47:18 using image ghcr.io/dependabot/dependabot-updater-npm at sha256:c8c84c8e7323311347af43e92cdfb990bbbcf17560bf5b87f4a955751dba9f50
08:55:05    proxy | 2024/01/22 15:47:29 proxy starting, commit: ce669fe3098a0bddfad98850916eaecfa799dfde
08:55:05    proxy | 2024/01/22 15:47:29 initializing metrics client: No address passed and autodetection from environment failed
08:55:05    proxy | 2024/01/22 15:47:29 Listening (:1080)
08:55:15  updater | Reinitialized existing Git repository in /home/dependabot/dependabot-updater/repo/.git/
08:55:27  updater | 🔍  Finding changed files since git revision c8abcc439.
08:55:35  updater | 🎯  Found 1973 changed files.
08:55:35  updater | ✍️  Fixing up codeql/.codeqlmanifest.json.
08:55:35  updater | ✍️  Fixing up codeql/LICENSE.md.
...
08:56:10  updater | ✍️  Fixing up codeql/qlpacks/codeql/javascript-queries/0.8.6/.codeql/libraries/codeql/dataflow/0.1.6/CHANGELOG.md.
...
08:56:15  updater | /home/dependabot/dependabot-updater/repo/node_modules/prettier/index.js:7348
08:56:15  updater |           throw error;
08:56:15  updater |           ^
08:56:15  updater | 
08:56:15  updater | SyntaxError: All collection items must start at the same column (5:5)
08:56:15  updater |    3 | jobs:
08:56:15  updater |    4 |   echo-body:
08:56:15  updater | >  5 |     runs-on: ubuntu-latest
08:56:15  updater |      |     ^^^^^^^^^^^^^^^^^^^^^^
08:56:15  updater | >  6 |     steps:
08:56:15  updater |      | ^^^^^^^^^^
08:56:15  updater | >  7 |     -  env:
08:56:15  updater |      | ^^^^^^^^^^
08:56:15  updater | >  8 |         BODY: ${{ github.event.issue.body }}
08:56:15  updater |      | ^^^^^^^^^^
08:56:15  updater | >  9 |       run: |
08:56:15  updater |      | ^^^^^^^^^^
08:56:15  updater | > 10 |         echo '${{ env.BODY }}'
08:56:15  updater |      | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
08:56:15  updater |     at n (/home/dependabot/dependabot-updater/repo/node_modules/prettier/parser-yaml.js:1:1125)
08:56:15  updater |     at Object.lr [as parse] (/home/dependabot/dependabot-updater/repo/node_modules/prettier/parser-yaml.js:150:3774)
08:56:15  updater |     at Object.parse (/home/dependabot/dependabot-updater/repo/node_modules/prettier/index.js:7334:23)
08:56:15  updater |     at coreFormat (/home/dependabot/dependabot-updater/repo/node_modules/prettier/index.js:8645:18)
08:56:15  updater |     at formatWithCursor2 (/home/dependabot/dependabot-updater/repo/node_modules/prettier/index.js:8837:18)
08:56:15  updater |     at /home/dependabot/dependabot-updater/repo/node_modules/prettier/index.js:37229:12
08:56:15  updater |     at Object.format (/home/dependabot/dependabot-updater/repo/node_modules/prettier/index.js:37243:12)
08:56:15  updater |     at _default (/home/dependabot/dependabot-updater/repo/node_modules/pretty-quick/dist/processFiles.js:42:29)
08:56:15  updater |     at _default (/home/dependabot/dependabot-updater/repo/node_modules/pretty-quick/dist/index.js:60:29)
08:56:15  updater |     at Object.<anonymous> (/home/dependabot/dependabot-updater/repo/node_modules/pretty-quick/bin/pretty-quick.js:17:27) {
08:56:15  updater |   loc: {
08:56:15  updater |     start: { offset: 42, line: 5, column: 5 },
08:56:15  updater |     end: { offset: 176, line: 10, column: 31 }
08:56:15  updater |   },
08:56:15  updater |   codeFrame: '   3 | jobs:\n' +
08:56:15  updater |     '   4 |   echo-body:\n' +
08:56:15  updater |     '>  5 |     runs-on: ubuntu-latest\n' +
08:56:15  updater |     '     |     ^^^^^^^^^^^^^^^^^^^^^^\n' +
08:56:15  updater |     '>  6 |     steps:\n' +
08:56:15  updater |     '     | ^^^^^^^^^^\n' +
08:56:15  updater |     '>  7 |     -  env:\n' +
08:56:15  updater |     '     | ^^^^^^^^^^\n' +
08:56:15  updater |     '>  8 |         BODY: ${{ github.event.issue.body }}\n' +
08:56:15  updater |     '     | ^^^^^^^^^^\n' +
08:56:15  updater |     '>  9 |       run: |\n' +
08:56:15  updater |     '     | ^^^^^^^^^^\n' +
08:56:15  updater |     "> 10 |         echo '${{ env.BODY }}'\n" +
08:56:15  updater |     '     | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^'
08:56:15  updater | }
08:56:15  updater | 
08:56:15  updater | Node.js v18.19.0
08:56:15  updater | husky - pre-commit hook exited with code 1 (error)
08:56:15  updater | Updating certificates in /etc/ssl/certs...
08:56:16  updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
08:56:16  updater | 1 added, 0 removed; done.
08:56:16  updater | Running hooks in /etc/ca-certificates/update.d...
08:56:16  updater | done.
08:56:16  updater | 2024/01/22 15:48:41 INFO Raven 3.1.2 configured not to capture errors: DSN not set
08:56:17  updater | 2024/01/22 15:48:42 INFO Starting job processing
08:56:17  updater | 2024/01/22 15:48:42 INFO Finished job processing
08:56:18  updater | 2024/01/22 15:48:43 INFO Raven 3.1.2 configured not to capture errors: DSN not set
08:56:18  updater | 2024/01/22 15:48:43 INFO Starting job processing
08:56:19    proxy | 2024/01/22 15:48:44 [001] POST http://host.docker.internal:8088/update_jobs/cli/update_dependency_list
08:56:19  {"data":{"dependencies":[{"name":"@angular/animations","requirements":[{"file":"package.json","groups":["dependencies"],"requirement":"^16.2.11","source":{"type":"registry","url":"https://nexus.redacted.com/repository/npm-all"}}],"version":"16.2.11"},{"name":"@angular/common","requirements":[{"file":"package.json","groups":["dependencies"],"requirement":"^16.2.11","source":{"type":"registry","url":"https://nexus.redacted.com/repository/npm-all"}}],"version":"16.2.11"}...
08:56:19    proxy | 2024/01/22 15:48:44 [001] 200 http://host.docker.internal:8088/update_jobs/cli/update_dependency_list
08:56:19    proxy | 2024/01/22 15:48:44 [002] POST http://host.docker.internal:8088/update_jobs/cli/increment_metric
08:56:19  {"data":{"metric":"updater.started","tags":{"operation":"update_all_versions"}},"type":"increment_metric"}
08:56:19    proxy | 2024/01/22 15:48:44 [002] 200 http://host.docker.internal:8088/update_jobs/cli/increment_metric
08:56:19  updater | 2024/01/22 15:48:44 INFO Starting update job for local/scan
08:56:19  updater | 2024/01/22 15:48:44 INFO Checking all dependencies for version updates...
08:56:19  updater | 2024/01/22 15:48:44 INFO Checking if @angular/animations 16.2.11 needs updating
08:56:19    proxy | 2024/01/22 15:48:44 [004] GET https://nexus.redacted.com:443/repository/npm-all/@angular%2Fanimations
08:56:19    proxy | 2024/01/22 15:48:44 [004] * authenticating npm registry request (host: nexus.redacted.com, token auth)
08:56:20    proxy | 2024/01/22 15:48:45 [004] 401 https://nexus.redacted.com:443/repository/npm-all/@angular%2Fanimations
08:56:20    proxy | 2024/01/22 15:48:45 [005] POST http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
08:56:20  {"data":{"error-type":"private_source_authentication_failure","error-details":{"source":"https://nexus.redacted.com/repository/npm-all/"}},"type":"record_update_job_error"}
08:56:20    proxy | 2024/01/22 15:48:45 [005] 200 http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
08:56:20  updater | 2024/01/22 15:48:45 INFO Handled error whilst updating @angular/animations: private_source_authentication_failure {:source=>"https://nexus.redacted.com/repository/npm-all/"}
08:56:20  updater | 2024/01/22 15:48:45 INFO Checking if @angular/common 16.2.11 needs updating
08:56:20    proxy | 2024/01/22 15:48:45 [007] GET https://nexus.redacted.com:443/repository/npm-all/@angular%2Fcommon
08:56:20    proxy | 2024/01/22 15:48:45 [007] * authenticating npm registry request (host: nexus.redacted.com, token auth)
08:56:21    proxy | 2024/01/22 15:48:46 [007] 401 https://nexus.redacted.com:443/repository/npm-all/@angular%2Fcommon
08:56:21    proxy | 2024/01/22 15:48:46 [008] POST http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
08:56:21  {"data":{"error-type":"private_source_authentication_failure","error-details":{"source":"https://nexus.redacted.com/repository/npm-all/"}},"type":"record_update_job_error"}
08:56:21    proxy | 2024/01/22 15:48:46 [008] 200 http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
08:56:21  updater | 2024/01/22 15:48:46 INFO Handled error whilst updating @angular/common: private_source_authentication_failure {:source=>"https://nexus.redacted.com/repository/npm-all/"}
08:56:21  updater | 2024/01/22 15:48:46 INFO Checking if @angular/compiler 16.2.11 needs updating
08:56:21    proxy | 2024/01/22 15:48:46 [010] GET https://nexus.redacted.com:443/repository/npm-all/@angular%2Fcompiler
08:56:21    proxy | 2024/01/22 15:48:46 [010] * authenticating npm registry request (host: nexus.redacted.com, token auth)
08:56:21    proxy | 2024/01/22 15:48:46 [010] 401 https://nexus.redacted.com:443/repository/npm-all/@angular%2Fcompiler
08:56:21    proxy | 2024/01/22 15:48:47 [011] POST http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
08:56:21  {"data":{"error-type":"private_source_authentication_failure","error-details":{"source":"https://nexus.redacted.com/repository/npm-all/"}},"type":"record_update_job_error"}
08:56:21    proxy | 2024/01/22 15:48:47 [011] 200 http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
...
09:03:10  updater | 2024/01/22 15:55:35 INFO Finished job processing
09:03:10  updater | 2024/01/22 15:55:35 INFO Results:
09:03:10  updater | Dependabot encountered '1119' error(s) during execution, please check the logs for more details.
09:03:10  updater | +-----------------------------------------------------------------------------------------------------------------------+
09:03:10  updater | |                                             Dependencies failed to update                                             |
09:03:10  updater | +-------------------------------------------------------------------------------+---------------------------------------+
09:03:10  updater | | @angular/animations                                                           | private_source_authentication_failure |
09:03:10  updater | | @angular/common                                                               | private_source_authentication_failure |
09:03:10  updater | | @angular/compiler                                                             | private_source_authentication_failure |
09:03:10  updater | | @angular/core                                                                 | private_source_authentication_failure |
09:03:10  updater | | @angular/forms                                                                | private_source_authentication_failure |
...
09:03:10  updater | | y18n                                                                          | private_source_authentication_failure |
09:03:10  updater | | yauzl                                                                         | private_source_authentication_failure |
09:03:10  updater | | yn                                                                            | private_source_authentication_failure |
09:03:10  updater | +-------------------------------------------------------------------------------+---------------------------------------+
09:03:12    proxy | 2024/01/22 15:55:37 0/1119 calls cached (0%)
09:03:13      cli | 2024/01/22 15:55:38 updater failure: updater exited with code 1
09:03:13  [Pipeline] }
09:03:13  [Pipeline] // withDockerRegistry
09:03:13  [Pipeline] }
09:03:13  [Pipeline] // withEnv
09:03:13  [Pipeline] }
09:03:13  [Pipeline] // script
09:03:13  [Pipeline] }
09:03:13  [Pipeline] // container
09:03:13  [Pipeline] echo
...
09:03:14  [Pipeline] // podTemplate
09:03:14  [Pipeline] End of Pipeline
09:03:14  ERROR: Stopping pipeline
09:03:14  [Bitbucket] Notifying pull request build result
09:03:15  [Bitbucket] Build result notified
09:03:15  Finished: FAILURE

I did notice from the logs that the url passed in the yaml is different from the one in the logs, by having "repository" at the top level.

See also #230 as potentially related.

Provide a `dependabot new-ecosystem` command

We're recently trying to be more agile at providing support for new ecosystems in dependabot-core, and I thought it would be nice for people to be able to bootstrap a new ecosystem more easily and get all the boilerplate code needed to implement a new one by running a command.

And I thought maybe that could be added to the CLI.

One potential problem is that it would couple the CLI with the particular structure of the dependabot-core repo, which is not ideal.

Opening this issue to hear thoughts & opinions about this!

Feature request: use config from dependabot.yml

Use case: my dependabot.yml config isn't doing quite what I expected, so I'd love to be able to run that locally against my local branch to test out the effect of different config options.

I suspect that the job.yaml file can do everything that you can do in dependabot.yml, however the two are different. This prevents you from using this CLI to build your dependabot.yml file. If we could support fetching config from dependabot.yml, then you'd be able to use the same file both locally and on github.

To illustrate this, I'm imagining running the following command:

dependabot update <ecosystem> dummy/repo --local . --config .github/dependabot.yml

Even better if it could pick up that file automatically, but I realise this might be challenging from a backwards compatibility perspective.

Note that I don't have a good understanding of the differences of the capabilities of job.yaml vs dependabot.yml, so this suggestion might essentially be impossible.

Note also that this is related to, but not the same as: #59. Would also potentially satisfy dependabot/dependabot-core#4605.

Support podman as an alternative for docker

Problem

Some companies restrict usage of Docker Desktop for macOS and Windows because it is not free (reference). In such cases companies use alternatives such as podman, one of the most popular container engines after docker. dependabot requires docker to be installed, which makes it impossible for podman users to use dependabot.

Solution

Add support for podman to enable its users to use dependabot.

dependabot update command fails for private repo

I've installed the dependabot CLI and run dependabot update -f job.yml based on the provided example.
However, the job fails with unknown_error.

Job Spec

The job.yml, based on the provided example:

job:
  package-manager: npm_and_yarn
  allowed-updates:
    - update-type: all
  source:
    provider: github
    repo: <my-org>/<my-private-repo>
    directory: /

credentials:
  - type: npm_registry
    registry: https://npm.pkg.github.com
    token: $LOCAL_GITHUB_ACCESS_TOKEN

Result Output

This is the output of LOCAL_GITHUB_ACCESS_TOKEN=<my_local_gh_access_token> dependabot update -f job.yml (org and repo have been masked):

    cli | 2023/05/23 04:48:12 Inserting $LOCAL_GITHUB_ACCESS_TOKEN into credentials
    cli | 2023/05/23 04:48:12 Adding missing credentials-metadata into job definition
    cli | 2023/05/23 04:48:12 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:3810d68f41de0398ed2280c5e27f7ae4fd6a9495cddf18535e0058a1ab628201
    cli | 2023/05/23 04:48:12 using image ghcr.io/dependabot/dependabot-updater-npm at sha256:a660ae0c85f126e2ec5cf127b64ebc4ae0cbfd6f525555569eb91cfecaac9b25
  proxy | 2023/05/23 04:48:13 proxy starting, commit: 1a083db3c26dfa9c07829145a6949d6e525c7ab1
  proxy | 2023/05/23 04:48:13 initializing metrics client: No address passed and autodetection from environment failed
  proxy | 2023/05/23 04:48:13 Listening (:1080)
updater | Updating certificates in /etc/ssl/certs...
updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
updater | 1 added, 0 removed; done.
updater | Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | 2023/05/23 04:48:15 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2023/05/23 04:48:16 INFO Starting job processing
  proxy | 2023/05/23 04:48:16 [002] GET https://github.com:443/<my-org>/<my-private-repo>/info/refs?service=git-upload-pack
  proxy | 2023/05/23 04:48:16 [002] * authenticating git server request (host: github.com)
  proxy | 2023/05/23 04:48:16 [002] 200 https://github.com:443/<my-org>/<my-private-repo>/info/refs?service=git-upload-pack
  proxy | 2023/05/23 04:48:16 [004] POST https://github.com:443/<my-org>/<my-private-repo>/git-upload-pack
  proxy | 2023/05/23 04:48:16 [004] * authenticating git server request (host: github.com)
  proxy | 2023/05/23 04:48:16 [004] 200 https://github.com:443/<my-org>/<my-private-repo>/git-upload-pack
  proxy | 2023/05/23 04:48:16 [006] POST https://github.com:443/<my-org>/<my-private-repo>/git-upload-pack
  proxy | 2023/05/23 04:48:16 [006] * authenticating git server request (host: github.com)
  proxy | 2023/05/23 04:48:17 [006] 200 https://github.com:443/<my-org>/<my-private-repo>/git-upload-pack
  proxy | 2023/05/23 04:48:17 [007] POST http://host.docker.internal:53194/update_jobs/cli/record_package_manager_version
{"data":{"ecosystem":"npm","package-managers":{"yarn":"3.5.1"}},"type":"record_package_manager_version"}
  proxy | 2023/05/23 04:48:17 [007] 200 http://host.docker.internal:53194/update_jobs/cli/record_package_manager_version
updater | 2023/05/23 04:48:17 INFO Finished job processing
updater | 2023/05/23 04:48:18 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2023/05/23 04:48:18 INFO Starting job processing
updater | 2023/05/23 04:48:18 ERROR undefined method `length' for nil:NilClass
updater | 
updater |           sort_by { |cred| cred["registry"].length }.
updater |                                            ^^^^^^^
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:297:in `block in url_for_relevant_cred'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:297:in `each'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:297:in `sort_by'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:297:in `url_for_relevant_cred'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:283:in `registry_source_for'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:236:in `source_for'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:119:in `build_dependency'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:71:in `block (3 levels) in manifest_dependencies'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:67:in `each'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:67:in `block (2 levels) in manifest_dependencies'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:65:in `each'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:65:in `block in manifest_dependencies'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:59:in `each'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:59:in `manifest_dependencies'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb:37:in `parse'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/dependabot-updater/lib/dependabot/dependency_snapshot.rb:97:in `parse_files!'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/dependabot-updater/lib/dependabot/dependency_snapshot.rb:91:in `initialize'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/dependabot-updater/lib/dependabot/dependency_snapshot.rb:21:in `new'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/dependabot-updater/lib/dependabot/dependency_snapshot.rb:21:in `create_from_job_definition'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:16:in `perform_job'
updater | 2023/05/23 04:48:18 ERROR /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:52:in `run'
updater | 2023/05/23 04:48:18 ERROR bin/update_files.rb:23:in `<main>'
  proxy | 2023/05/23 04:48:18 [008] POST http://host.docker.internal:53194/update_jobs/cli/record_update_job_error
{"data":{"error-type":"unknown_error","error-details":null},"type":"record_update_job_error"}
  proxy | 2023/05/23 04:48:18 [008] 200 http://host.docker.internal:53194/update_jobs/cli/record_update_job_error
  proxy | 2023/05/23 04:48:18 [009] PATCH http://host.docker.internal:53194/update_jobs/cli/mark_as_processed
{"data":{"base-commit-sha":"ce90be394d6c90e19cdc5237e60ff738152c14cd"},"type":"mark_as_processed"}
updater | 2023/05/23 04:48:18 INFO Finished job processing
  proxy | 2023/05/23 04:48:18 [009] 200 http://host.docker.internal:53194/update_jobs/cli/mark_as_processed
updater | 2023/05/23 04:48:18 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------+
updater | |    Errors     |
updater | +---------------+
updater | | unknown_error |
updater | +---------------+
  proxy | 2023/05/23 04:48:19 0/3 calls cached (0%)

Docker data

docker version:

Client:
 Cloud integration: v1.0.31
 Version:           20.10.23
 API version:       1.41
 Go version:        go1.18.10
 Git commit:        7155243
 Built:             Thu Jan 19 17:35:19 2023
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Desktop 4.17.0 (99724)
 Engine:
  Version:          20.10.23
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.10
  Git commit:       6051f14
  Built:            Thu Jan 19 17:32:04 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.18
  GitCommit:        2456e983eb9e37e47538f59ea18f2043c9a73640
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Can you please help me understand the issue?

v1.46.1 failing with updater failure

This is potentially related to #229

From another project:

13:45:39    proxy | 2024/01/09 20:38:49 0/1119 calls cached (0%)
13:45:40      cli | 2024/01/09 20:38:50 updater failure: updater exited with code 1

From our test project reported in 229:

12:24:04  updater | Dependabot encountered '3' error(s) during execution, please check the logs for more details.
12:24:04  updater | +-----------------------------------------------------+
12:24:04  updater | |            Dependencies failed to update            |
12:24:04  updater | +-------------------------------------+---------------+
12:24:04  updater | | javax.servlet:javax.servlet-api     | unknown_error |
12:24:04  updater | | org.apache.logging.log4j:log4j-core | unknown_error |
12:24:04  updater | | org.apache.commons:commons-text     | unknown_error |
12:24:04  updater | +-------------------------------------+---------------+
12:24:07    proxy | 2024/01/09 19:17:18 0/0 calls cached (0%)
12:24:08      cli | 2024/01/09 19:17:19 updater failure: updater exited with code 1

v1.46.0 failing on ERROR key not found: "password"

Log based on v1.46.1 which is also failing but for an additional reason I'll report shortly.

12:24:04  updater | 2024/01/09 19:17:15 INFO Checking if javax.servlet:javax.servlet-api 4.0.1 needs updating
12:24:04    proxy | 2024/01/09 19:17:15 [003] POST http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
12:24:04  {"data":{"error-type":"unknown_error","error-details":null},"type":"record_update_job_error"}
12:24:04    proxy | 2024/01/09 19:17:15 [003] 200 http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
12:24:04  updater | 2024/01/09 19:17:15 ERROR Error processing javax.servlet:javax.servlet-api (KeyError)
12:24:04  updater | 2024/01/09 19:17:15 ERROR key not found: "password"
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/utils/auth_headers_finder.rb:24:in `fetch'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/utils/auth_headers_finder.rb:24:in `auth_headers'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker/version_finder.rb:291:in `auth_headers'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker/version_finder.rb:224:in `block in credentials_repository_details'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker/version_finder.rb:221:in `map'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker/version_finder.rb:221:in `credentials_repository_details'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker/version_finder.rb:193:in `repositories'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker/version_finder.rb:59:in `versions'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker/version_finder.rb:33:in `latest_version_details'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker.rb:107:in `latest_version_details'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker.rb:16:in `latest_version'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:177:in `all_versions_ignored?'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:80:in `check_and_create_pull_request'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:60:in `check_and_create_pr_with_error_handling'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:35:in `block in perform'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:35:in `each'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:35:in `perform'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:64:in `run'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:43:in `perform_job'
12:24:04  updater | 2024/01/09 19:17:15 ERROR /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:53:in `run'
12:24:04  updater | 2024/01/09 19:17:15 ERROR bin/update_files.rb:24:in `<main>'

Help: no update possible npm

Sorry to open another issue, but now, after being able to integrate with GitHub Enterprise and a private npm registry, I have the following problem, and this time I can't figure out through the code what might be happening.

updater | 2023/07/21 12:30:30 INFO Checking all dependencies for version updates...
updater | 2023/07/21 12:30:30 INFO Checking if stylelint 14.16.1 needs updating
updater | 2023/07/21 12:30:46 INFO Latest version is 
updater | 2023/07/21 12:31:02 INFO Requirements to unlock update_not_possible
updater | 2023/07/21 12:31:18 INFO Requirements update strategy bump_versions
updater | 2023/07/21 12:31:18 INFO No update possible for stylelint 14.16.1

For every dependency of the package.json the log message never has the latest version info, and for every dependency these are the log messages that I receive.
Any ideas of what might be happening?

Also, another question: all my dependencies are locked. Can I configure the cli to only update minors, for example? Or ignore majors in this case?

[Question] Error during file fetching; aborting: Failed to open TCP connection

I'm trying to use the dependabot cli but it is failing with a network error:

$ dependabot update maven apache/camel
0 apache
1 camel
    cli | 2024/01/03 15:20:03 Adding missing credentials-metadata into job definition
    cli | 2024/01/03 15:20:03 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:2f6d77226d2436c80cbdcd059307e2f60116e51cc9998710d75fea5c0c5b6560
    cli | 2024/01/03 15:20:03 using image ghcr.io/dependabot/dependabot-updater-maven at sha256:5b87ce52168ff255ff1d8084bb5a644a4f1a63fec85a2e06df23302c19a87c05
  proxy | 2024/01/03 15:20:05 proxy starting, commit: 02a8910b917eff32ef3fe812e35a131d6286bc20
  proxy | 2024/01/03 15:20:05 initializing metrics client: No address passed and autodetection from environment failed
  proxy | 2024/01/03 15:20:05 GitHubAPIHandler has no app access tokens
  proxy | 2024/01/03 15:20:05 Listening (:1080)
updater | Updating certificates in /etc/ssl/certs...
updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
updater | 1 added, 0 removed; done.
updater | Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | 2024/01/03 15:20:07 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2024/01/03 15:20:09 INFO Starting job processing
updater | 2024/01/03 15:20:09 ERROR Error during file fetching; aborting: Failed to open TCP connection to 172.20.0.2:1080 (No route to host - connect(2) for "172.20.0.2" port 1080)
updater | 2024/01/03 15:20:09 ERROR Failed to open TCP connection to 172.20.0.2:1080 (No route to host - connect(2) for "172.20.0.2" port 1080)
updater | 2024/01/03 15:20:09 ERROR /usr/local/lib/ruby/3.1.0/net/http.rb:1018:in `initialize'
updater | 2024/01/03 15:20:09 ERROR /usr/local/lib/ruby/3.1.0/net/http.rb:1018:in `open'
updater | 2024/01/03 15:20:09 ERROR /usr/local/lib/ruby/3.1.0/net/http.rb:1018:in `block in connect'
updater | 2024/01/03 15:20:09 ERROR /usr/local/lib/ruby/3.1.0/timeout.rb:107:in `block in timeout'
updater | 2024/01/03 15:20:09 ERROR /usr/local/lib/ruby/3.1.0/timeout.rb:117:in `timeout'
updater | 2024/01/03 15:20:09 ERROR /usr/local/lib/ruby/3.1.0/net/http.rb:1016:in `connect'
updater | 2024/01/03 15:20:09 ERROR /usr/local/lib/ruby/3.1.0/net/http.rb:995:in `do_start'
updater | 2024/01/03 15:20:09 ERROR /usr/local/lib/ruby/3.1.0/net/http.rb:984:in `start'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-net_http-3.0.2/lib/faraday/adapter/net_http.rb:112:in `request_with_wrapped_block'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-net_http-3.0.2/lib/faraday/adapter/net_http.rb:102:in `perform_request'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-net_http-3.0.2/lib/faraday/adapter/net_http.rb:66:in `block in call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-2.7.11/lib/faraday/adapter.rb:45:in `connection'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-net_http-3.0.2/lib/faraday/adapter/net_http.rb:65:in `call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-2.7.11/lib/faraday/middleware.rb:17:in `call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-2.7.11/lib/faraday/middleware.rb:17:in `call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/octokit-6.1.1/lib/octokit/middleware/follow_redirects.rb:73:in `perform_with_redirection'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/octokit-6.1.1/lib/octokit/middleware/follow_redirects.rb:61:in `call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-retry-2.2.0/lib/faraday/retry/middleware.rb:153:in `call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-2.7.11/lib/faraday/rack_builder.rb:153:in `build_response'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-2.7.11/lib/faraday/connection.rb:444:in `run_request'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/faraday-2.7.11/lib/faraday/connection.rb:200:in `get'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sawyer-0.9.2/lib/sawyer/agent.rb:99:in `call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/octokit-6.1.1/lib/octokit/connection.rb:156:in `request'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/octokit-6.1.1/lib/octokit/connection.rb:19:in `get'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/octokit-6.1.1/lib/octokit/client/repositories.rb:27:in `repository'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/common/lib/dependabot/clients/github_with_retries.rb:121:in `public_send'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/common/lib/dependabot/clients/github_with_retries.rb:121:in `method_missing'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/common/lib/dependabot/clients/github_with_retries.rb:78:in `fetch_default_branch'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/common/lib/dependabot/file_fetchers/base.rb:289:in `default_branch_for_repo'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/common/lib/dependabot/file_fetchers/base.rb:121:in `commit'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/lib/dependabot/file_fetcher_command.rb:26:in `perform_job'
updater | 2024/01/03 15:20:09 ERROR /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:53:in `run'
updater | 2024/01/03 15:20:09 ERROR bin/fetch_files.rb:24:in `<main>'
updater | 2024/01/03 15:20:26 ERROR failed to connect: No route to host - connect(2) for "172.20.0.2" port 1080
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/http-5.1.1/lib/http/timeout/null.rb:21:in `initialize'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/http-5.1.1/lib/http/timeout/null.rb:21:in `open'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/http-5.1.1/lib/http/timeout/null.rb:21:in `connect'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/http-5.1.1/lib/http/connection.rb:42:in `initialize'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/http-5.1.1/lib/http/client.rb:70:in `new'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/http-5.1.1/lib/http/client.rb:70:in `perform'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/http-5.1.1/lib/http/client.rb:31:in `request'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/http-5.1.1/lib/http/chainable.rb:27:in `post'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/lib/dependabot/api_client.rb:117:in `record_update_job_error'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/lib/dependabot/service.rb:64:in `record_update_job_error'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11142/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/lib/dependabot/file_fetcher_command.rb:208:in `record_error'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/lib/dependabot/file_fetcher_command.rb:192:in `handle_file_fetcher_error'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/lib/dependabot/file_fetcher_command.rb:45:in `rescue in perform_job'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/lib/dependabot/file_fetcher_command.rb:23:in `perform_job'
updater | 2024/01/03 15:20:26 ERROR /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:53:in `run'
updater | 2024/01/03 15:20:26 ERROR bin/fetch_files.rb:24:in `<main>'
updater | 2024/01/03 15:20:51 INFO Results:
updater | Dependabot encountered '2' error(s) during execution, please check the logs for more details.
updater | +--------------------+
updater | |       Errors       |
updater | +--------------------+
updater | | file_fetcher_error |
updater | | unknown_error      |
updater | +--------------------+
  proxy | 2024/01/03 15:20:51 0/0 calls cached (0%)

Any ideas what could be going wrong and how to investigate it?

Discrepancies in cli vs GitHub Actions

Discrepancies between Dependabot running in GitHub Actions and running dependabot/cli have been a pain point in integrating Dependabot consistently for scanning our projects.

For example, dependabot/cli uses a job.yaml that differs from the format of .github/dependabot.yml

This is a feature request to make the formats of these yaml configs match, and any other ways we could get the scans to be more similar.

Feature request: Run updates locally

I'd like to have an easy command to run updates locally, such that the local files are updated as if all resulting dependabot PRs were merged.

This might look like

dependabot local-update github_actions .

resulting in

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 233d7dd..36d9200 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,7 +8,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: cachix/install-nix-action@v26
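
Review bot: the updated line `- uses: actions/checkout@v4` still references a moving tag, so a later re-tag of `v4` changes what the workflow runs without any further diff; if the goal of a local update is a reproducible result, the same applies to the unchanged `cachix/install-nix-action@v26` context line. Pinning each `uses:` to the full commit SHA, with the version kept as a trailing comment, gives a reference that only changes through an explicit diff like this one.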

It's currently possible to do that, but it requires some extra machinery that I'd rather avoid, see this script.

How to use output.yaml to create PR?

I ran the following command and got a output.yaml.

dependabot update pip dummy --local . -o output.yaml

output.yaml contains some type: create_pull_request, so I want to use it to create PRs on AWS CodeCommit.

Is there any way to use this output file to create PRs?

Thank you.

job.yaml and gradle support

We are using this as a job.yaml to pass to dependabot/cli:

job:
    package-manager: gradle
    allowed-updates:
      - update-type: all
    source:
        provider: github
        repo: local/scan
        directory: /
credentials:
  - type: maven_repository
    url: nexus.redacted.com/maven-central
    username: redacted
    password: redacted

We see this error about missing the pom.xml:

ERROR Error during file fetching; aborting: /pom.xml not found

Am I doing something wrong with the config? Can I get it to look for the build.gradle instead?
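
A pre-flight check for a job.yaml like the one above, written for this page and not part of dependabot/cli: it reports missing credential keys before the updater runs, which is the shape behind the `key not found: "password"` KeyError reported in the v1.46.0 issue earlier on this page (the Maven `auth_headers_finder` fetches `password` from each `maven_repository` credential). The required-key table is an assumption for this example (the `git` entry mirrors the Go job.yaml on this page), and `redact()` produces a copy that is safe to paste into an issue; the sample documents are constructed to match the gradle job.yaml above.

```python
"""Pre-flight checks for a dependabot/cli job.yaml (added example, not cli code).

Required keys per credential type are assumptions for this example: the
maven_repository entry follows the KeyError stack trace on this page (the
updater's auth_headers_finder fetches "password"); the "git" entry mirrors the
Go job.yaml on this page. Other types are reported as unchecked, not guessed.
"""
from typing import Any

REQUIRED_KEYS: dict[str, tuple[str, ...]] = {
    "maven_repository": ("url", "username", "password"),  # from the KeyError trace
    "git": ("url", "username", "password"),               # as used in the Go post (assumed)
}
SECRET_KEYS = ("password", "token")


def validate_job(doc: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means the document passed."""
    findings: list[str] = []
    job = doc.get("job")
    if not isinstance(job, dict):
        return ["job: missing or not a mapping"]
    if not job.get("package-manager"):
        findings.append("job.package-manager: missing")
    source = job.get("source")
    if not isinstance(source, dict):
        findings.append("job.source: missing or not a mapping")
    else:
        for key in ("provider", "repo", "directory"):
            if not source.get(key):
                findings.append(f"job.source.{key}: missing")
    creds = doc.get("credentials", [])
    if not isinstance(creds, list):
        return findings + ["credentials: must be a list"]
    for i, cred in enumerate(creds):
        if not isinstance(cred, dict) or not cred.get("type"):
            findings.append(f"credentials[{i}]: missing 'type'")
            continue
        ctype = cred["type"]
        if ctype not in REQUIRED_KEYS:
            findings.append(f"credentials[{i}]: type {ctype!r} not covered by this checker")
            continue
        for key in REQUIRED_KEYS[ctype]:
            # A missing or empty value is what later surfaces as `key not found: "password"`.
            if cred.get(key) in (None, ""):
                findings.append(f"credentials[{i}] ({ctype}): missing {key!r}")
    return findings


def redact(doc: dict[str, Any]) -> dict[str, Any]:
    """Copy of the document that is safe to print or attach to an issue: secrets become '***'."""
    def scrub(node: Any, parent_key: str = "") -> Any:
        if isinstance(node, dict):
            return {k: scrub(v, k) for k, v in node.items()}
        if isinstance(node, list):
            return [scrub(v, parent_key) for v in node]
        if parent_key in SECRET_KEYS and isinstance(node, str) and node:
            return "***"
        return node
    return scrub(doc)


# Constructed document, equivalent to yaml.safe_load() of the gradle job.yaml above.
GRADLE_JOB: dict[str, Any] = {
    "job": {
        "package-manager": "gradle",
        "allowed-updates": [{"update-type": "all"}],
        "source": {"provider": "github", "repo": "local/scan", "directory": "/"},
    },
    "credentials": [
        {"type": "maven_repository", "url": "nexus.redacted.com/maven-central",
         "username": "redacted", "password": "redacted"},
    ],
}

# Same job with the password dropped: the shape that produces the KeyError on this page.
GRADLE_JOB_NO_PASSWORD: dict[str, Any] = {
    "job": GRADLE_JOB["job"],
    "credentials": [{"type": "maven_repository",
                     "url": "nexus.redacted.com/maven-central", "username": "redacted"}],
}

if __name__ == "__main__":
    for name, doc in (("complete", GRADLE_JOB), ("no password", GRADLE_JOB_NO_PASSWORD)):
        print(name, "->", validate_job(doc) or "ok")
        print(redact(doc))
```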

Creating Pull Request for Bitbucket Cloud

Currently, CLI only generates the output file, but does not create a pull request. Also, there is documentation on how to use the output file.
What is the plan of adding support for actually creating PR?

replace base64 values in tests with a hash of the content

In the Yarn Berry test we have binaries added to the PRs for the first time since it vendors by default.

This means we have huge base64 values in the tests. We should replace those with a hash of the content so the files aren't huge and then add a custom diff compare function.
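
One way to do the replacement and the custom comparison described above, as an added example that is not dependabot/cli's own code: large base64 leaves in a parsed fixture are swapped for a `sha256:` marker of the decoded bytes, and the comparison accepts a marker wherever the actual output carries base64 with that digest. The fixture shape (`updated-dependency-files` entries with `content` and `content_encoding`) and the sample binary are constructed for this example.

```python
"""Shrink dependabot cli test fixtures by replacing large base64 blobs with a
content hash, plus the matching comparison (added example, not cli code).

Assumed fixture shape: a create_pull_request record carries files under
"updated-dependency-files" with "content" and "content_encoding"; the sample
below is constructed for this example.
"""
import base64
import binascii
import copy
import hashlib
from typing import Any

HASH_PREFIX = "sha256:"
THRESHOLD = 256  # base64 strings at least this long are replaced; shorter ones stay readable


def is_base64(value: str) -> bool:
    """Strict check (alphabet, padding, length) so ordinary text is left alone."""
    if len(value) % 4 != 0:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def hash_base64(value: str) -> str:
    """Digest of the decoded bytes, so the marker is stable across re-encodings."""
    return HASH_PREFIX + hashlib.sha256(base64.b64decode(value, validate=True)).hexdigest()


def shrink_fixture(node: Any, threshold: int = THRESHOLD) -> Any:
    """Walk a parsed fixture and replace qualifying base64 leaves with their hash marker."""
    if isinstance(node, dict):
        return {k: shrink_fixture(v, threshold) for k, v in node.items()}
    if isinstance(node, list):
        return [shrink_fixture(v, threshold) for v in node]
    if isinstance(node, str) and len(node) >= threshold and is_base64(node):
        return hash_base64(node)
    return node


def fixtures_match(expected: Any, actual: Any) -> bool:
    """Custom compare: a hash marker matches any base64 value with that digest;
    everything else must be structurally equal."""
    if isinstance(expected, str) and expected.startswith(HASH_PREFIX):
        return isinstance(actual, str) and is_base64(actual) and hash_base64(actual) == expected
    if isinstance(expected, dict):
        return (isinstance(actual, dict) and expected.keys() == actual.keys()
                and all(fixtures_match(expected[k], actual[k]) for k in expected))
    if isinstance(expected, list):
        return (isinstance(actual, list) and len(expected) == len(actual)
                and all(fixtures_match(e, a) for e, a in zip(expected, actual)))
    return expected == actual


# Constructed stand-in for a vendored Yarn release binary and the output record carrying it.
SAMPLE_BLOB = bytes(range(256)) * 4
SAMPLE_OUTPUT: dict[str, Any] = {
    "type": "create_pull_request",
    "expect": {"data": {
        "updated-dependency-files": [
            {"name": ".yarn/releases/yarn-3.6.0.cjs", "directory": "/",
             "content_encoding": "base64",
             "content": base64.b64encode(SAMPLE_BLOB).decode("ascii")},
            {"name": "package.json", "directory": "/", "content_encoding": "utf-8",
             "content": '{"name": "demo"}\n'},
        ],
    }},
}


def demo() -> tuple[bool, bool, bool]:
    """Returns (binary was hashed, real output matches the shrunk fixture, tampered output does not)."""
    shrunk = shrink_fixture(SAMPLE_OUTPUT)
    files = shrunk["expect"]["data"]["updated-dependency-files"]
    hashed = files[0]["content"].startswith(HASH_PREFIX) and files[1]["content"].startswith("{")
    # Flip the last byte of the binary: same length, same encoding, different digest.
    tampered = copy.deepcopy(SAMPLE_OUTPUT)
    tampered["expect"]["data"]["updated-dependency-files"][0]["content"] = (
        base64.b64encode(SAMPLE_BLOB[:-1] + b"\x00").decode("ascii"))
    return hashed, fixtures_match(shrunk, SAMPLE_OUTPUT), fixtures_match(shrunk, tampered)


if __name__ == "__main__":
    print(demo())
```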

Error resolving private repository for Go using git

We have a Go repo we are attempting to scan with dependabot/cli, but it fails with:

 updater | 2024/02/15 21:44:00 INFO Handled error whilst updating golang.org/x/sys: dependency_file_not_resolvable {:message=>"go: bitbucket.redacted.com/scm/iums/[email protected]: reading bitbucket.redacted.com/scm/iums/user-session-service-go-proto-client.git/go.mod at revision v1.15.0: git ls-remote -q origin in /home/dependabot/go/pkg/mod/cache/vcs/6cf72754ff80bde10b25a250e064293bf43b37f4cbb34cede67f8ca5083e5255: exit status 128:\n\tfatal: unable to look up bitbucket.redacted.com (port 9418) (Temporary failure in name resolution)"}

Since this only seems to be happening on dependencies referencing a private repository, I've attempted to fix this with configuring auth in my job.yaml:

job:
    package-manager: go_modules
    allowed-updates:
      - update-type: all
    source:
        provider: github
        repo: local/scan
        directory: /
credentials:
  - type: git
    url: https://bitbucket.redacted.com/scm/
    username: redacted
    password: redacted

But the error remains unchanged and doesn't mention authenticating.

For go using a git dependency, does my job.yaml look right?
How can I resolve this DNS lookup?

The host should be reachable, as the repo this project is cloned from is hosted on the same bitbucket as the module we import. Also, we have other private registries for other languages which dependabot/cli has accessed.

change the build-from-source instructions

In our README we suggest doing go install github.com/dependabot/cli/cmd/dependabot@latest which is nice and convenient.

However, Go doesn't inject VCS info when built this way, so when you run dependabot --version it outputs dependabot version 0.0.0-dev and that's not very informative.

I'm wondering if we should change our build-from-source instructions to be:

git clone https://github.com/dependabot/cli.git
cd cli
go install github.com/dependabot/cli/cmd/dependabot

Or is there another option?

Related:

Connection timeout when contacting host.docker.internal

Full logs:

โฏ steam-run ~/download/dependabot-v1.39.0-linux-amd64/dependabot update github_actions orgname/reponame --local my\ projects/reponame/
    cli | 2023/11/07 22:35:08 Adding missing credentials-metadata into job definition
    cli | 2023/11/07 22:35:08 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:ce6fc9c3d663d090303dd639d7025fe12fdcb63f36b4a4d3c346af87afe696f7
    cli | 2023/11/07 22:35:08 using image ghcr.io/dependabot/dependabot-updater-github-actions at sha256:9d15b67733b5994be93e6a30a2669d25793de013e2091c254b797b34436f6d9b
  proxy | 2023/11/07 22:35:09 proxy starting, commit: 720801aa060f51bd9dc8b5753a6045ec3d7f5321
  proxy | 2023/11/07 22:35:09 initializing metrics client: No address passed and autodetection from environment failed
  proxy | 2023/11/07 22:35:09 GitHubAPIHandler has no app access tokens
  proxy | 2023/11/07 22:35:09 Listening (:1080)
updater | Reinitialized existing Git repository in /home/dependabot/dependabot-updater/repo/.git/
updater | Updating certificates in /etc/ssl/certs...
updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
updater | 1 added, 0 removed; done.
updater | Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | 2023/11/07 22:35:14 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2023/11/07 22:35:14 INFO Starting job processing
updater | 2023/11/07 22:35:14 INFO Finished job processing
updater | 2023/11/07 22:35:15 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2023/11/07 22:35:15 INFO Starting job processing
  proxy | 2023/11/07 22:35:15 [002] GET https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2023/11/07 22:35:15 [002] 200 https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2023/11/07 22:35:16 [004] GET https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
  proxy | 2023/11/07 22:35:16 [004] 200 https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
  proxy | 2023/11/07 22:35:16 [006] GET https://github.com:443/aws-actions/configure-aws-credentials.git/info/refs?service=git-upload-pack
  proxy | 2023/11/07 22:35:17 [006] 200 https://github.com:443/aws-actions/configure-aws-credentials.git/info/refs?service=git-upload-pack
  proxy | 2023/11/07 22:35:17 [008] GET https://github.com:443/linz/action-pull-request-lint.git/info/refs?service=git-upload-pack
  proxy | 2023/11/07 22:35:18 [008] 200 https://github.com:443/linz/action-pull-request-lint.git/info/refs?service=git-upload-pack
  proxy | 2023/11/07 22:35:18 [009] POST http://host.docker.internal:33761/update_jobs/cli/update_dependency_list
updater | 2023/11/07 22:37:28 ERROR dial tcp 172.17.0.1:33761: connect: connection timed out
updater | 
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/lib/dependabot/api_client.rb:151:in `update_dependency_list'
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/lib/dependabot/service.rb:82:in `update_dependency_list'
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:29:in `perform_job'
updater | 2023/11/07 22:37:28 ERROR /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:53:in `run'
updater | 2023/11/07 22:37:28 ERROR bin/update_files.rb:24:in `<main>'
  proxy | 2023/11/07 22:37:28 [009] No response from server
  proxy | 2023/11/07 22:37:28 [009] No response from server
  proxy | 2023/11/07 22:37:28 [010] POST http://host.docker.internal:33761/update_jobs/cli/record_update_job_error

I also tried building the CLI for NixOS, but ended up with what looks like the same problem (after cd-ing into the relevant repo):

โฏ dependabot update github_actions orgname/reponame --local .
    cli | 2023/11/08 02:06:35 Adding missing credentials-metadata into job definition
    cli | 2023/11/08 02:06:35 pulling image: ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest
    cli | 2023/11/08 02:06:39 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:ce6fc9c3d663d090303dd639d7025fe12fdcb63f36b4a4d3c346af87afe696f7
    cli | 2023/11/08 02:06:39 pulling image: ghcr.io/dependabot/dependabot-updater-github-actions
    cli | 2023/11/08 02:07:22 using image ghcr.io/dependabot/dependabot-updater-github-actions at sha256:7157f8a8b4e3fa0f2d3273685728674fa9ae3a2d0ddc0c31c8d58008f6a8dda7
  proxy | 2023/11/08 02:07:24 proxy starting, commit: 720801aa060f51bd9dc8b5753a6045ec3d7f5321
  proxy | 2023/11/08 02:07:24 initializing metrics client: No address passed and autodetection from environment failed
  proxy | 2023/11/08 02:07:24 GitHubAPIHandler has no app access tokens
  proxy | 2023/11/08 02:07:24 Listening (:1080)
updater | Reinitialized existing Git repository in /home/dependabot/dependabot-updater/repo/.git/
updater | Updating certificates in /etc/ssl/certs...
updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
updater | 1 added, 0 removed; done.
updater | Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | 2023/11/08 02:07:29 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2023/11/08 02:07:29 INFO Starting job processing
updater | 2023/11/08 02:07:29 INFO Finished job processing
updater | 2023/11/08 02:07:30 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2023/11/08 02:07:30 INFO Starting job processing
  proxy | 2023/11/08 02:07:30 [002] GET https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 02:07:31 [002] 200 https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 02:07:31 [004] GET https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 02:07:31 [004] 200 https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 02:07:32 [006] GET https://github.com:443/aws-actions/configure-aws-credentials.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 02:07:32 [006] 200 https://github.com:443/aws-actions/configure-aws-credentials.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 02:07:32 [008] GET https://github.com:443/linz/action-pull-request-lint.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 02:07:33 [008] 200 https://github.com:443/linz/action-pull-request-lint.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 02:07:33 [009] POST http://host.docker.internal:38303/update_jobs/cli/update_dependency_list
updater | 2023/11/08 02:09:43 ERROR dial tcp 172.17.0.1:38303: connect: connection timed out
updater | 
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/lib/dependabot/api_client.rb:151:in `update_dependency_list'
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/lib/dependabot/service.rb:82:in `update_dependency_list'
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:29:in `perform_job'
updater | 2023/11/08 02:09:43 ERROR /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:53:in `run'
updater | 2023/11/08 02:09:43 ERROR bin/update_files.rb:24:in `<main>'
  proxy | 2023/11/08 02:09:43 [009] No response from server
  proxy | 2023/11/08 02:09:43 [009] No response from server
  proxy | 2023/11/08 02:09:43 [010] POST http://host.docker.internal:38303/update_jobs/cli/record_update_job_error
updater | 2023/11/08 02:11:54 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------+
updater | |    Errors     |
updater | +---------------+
updater | | unknown_error |
updater | +---------------+
  proxy | 2023/11/08 02:11:54 [010] No response from server
  proxy | 2023/11/08 02:11:54 [010] No response from server
  proxy | 2023/11/08 02:11:55 0/4 calls cached (0%)

The above were both using Docker "root-ful" mode. I tried configuring rootless mode instead, and now the connection is instead refused immediately:

โฏ dependabot update github_actions orgname/reponame --local .
    cli | 2023/11/08 04:05:46 Adding missing credentials-metadata into job definition
    cli | 2023/11/08 04:05:46 pulling image: ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest
    cli | 2023/11/08 04:05:50 using image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:latest at sha256:ce6fc9c3d663d090303dd639d7025fe12fdcb63f36b4a4d3c346af87afe696f7
    cli | 2023/11/08 04:05:50 pulling image: ghcr.io/dependabot/dependabot-updater-github-actions
    cli | 2023/11/08 04:06:22 using image ghcr.io/dependabot/dependabot-updater-github-actions at sha256:7157f8a8b4e3fa0f2d3273685728674fa9ae3a2d0ddc0c31c8d58008f6a8dda7
  proxy | 2023/11/08 04:06:22 proxy starting, commit: 720801aa060f51bd9dc8b5753a6045ec3d7f5321
  proxy | 2023/11/08 04:06:22 initializing metrics client: No address passed and autodetection from environment failed
  proxy | 2023/11/08 04:06:22 GitHubAPIHandler has no app access tokens
  proxy | 2023/11/08 04:06:22 Listening (:1080)
updater | Reinitialized existing Git repository in /home/dependabot/dependabot-updater/repo/.git/
updater | Updating certificates in /etc/ssl/certs...
updater | rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
updater | 1 added, 0 removed; done.
updater | Running hooks in /etc/ca-certificates/update.d...
updater | done.
updater | 2023/11/08 04:06:27 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2023/11/08 04:06:27 INFO Starting job processing
updater | 2023/11/08 04:06:27 INFO Finished job processing
updater | 2023/11/08 04:06:28 INFO Raven 3.1.2 configured not to capture errors: DSN not set
updater | 2023/11/08 04:06:28 INFO Starting job processing
  proxy | 2023/11/08 04:06:28 [002] GET https://github.com:443/linz/action-pull-request-lint.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:29 [002] 200 https://github.com:443/linz/action-pull-request-lint.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:29 [004] GET https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:29 [004] 200 https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:29 [006] GET https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:30 [006] 200 https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:30 [008] GET https://github.com:443/azure/setup-kubectl.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:30 [008] 200 https://github.com:443/azure/setup-kubectl.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:30 [010] GET https://github.com:443/aws-actions/configure-aws-credentials.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:31 [010] 200 https://github.com:443/aws-actions/configure-aws-credentials.git/info/refs?service=git-upload-pack
  proxy | 2023/11/08 04:06:31 [011] POST http://host.docker.internal:44117/update_jobs/cli/update_dependency_list
  proxy | 2023/11/08 04:06:31 [011] No response from server
  proxy | 2023/11/08 04:06:31 [011] No response from server
updater | 2023/11/08 04:06:31 ERROR dial tcp 172.17.0.1:44117: connect: connection refused
updater | 
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/lib/dependabot/api_client.rb:151:in `update_dependency_list'
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/lib/dependabot/service.rb:82:in `update_dependency_list'
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `bind_call'
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/call_validation.rb:256:in `validate_call'
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/sorbet-runtime-0.5.11094/lib/types/private/methods/_methods.rb:275:in `block in _on_method_added'
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:29:in `perform_job'
updater | 2023/11/08 04:06:31 ERROR /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:53:in `run'
updater | 2023/11/08 04:06:31 ERROR bin/update_files.rb:24:in `<main>'
  proxy | 2023/11/08 04:06:31 [012] POST http://host.docker.internal:44117/update_jobs/cli/record_update_job_error
  proxy | 2023/11/08 04:06:31 [012] No response from server
  proxy | 2023/11/08 04:06:31 [012] No response from server
updater | 2023/11/08 04:06:31 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------+
updater | |    Errors     |
updater | +---------------+
updater | | unknown_error |
updater | +---------------+
  proxy | 2023/11/08 04:06:33 0/5 calls cached (0%)

connect: connection refused when running in WSL2

I've installed the dependabot cli in Ubuntu 20.04.6 running on WSL2, and whenever I run dependabot update ... there seems to be a connection problem with the proxy:

  proxy | 2023/05/09 09:46:49 [479] POST http://host.docker.internal:34279/update_jobs/cli/record_update_job_error
  proxy | 2023/05/09 09:46:49 [479] No response from server
updater | 2023/05/09 09:46:49 ERROR dial tcp 192.168.65.2:34279: connect: connection refused

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.6 LTS
Release:        20.04
Codename:       focal

docker version

Client:
 Version:           20.10.21
 API version:       1.41
 Go version:        go1.18.1
 Git commit:        20.10.21-0ubuntu1~20.04.2
 Built:             Thu Apr 27 05:56:19 2023
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Desktop
 Engine:
  Version:          20.10.24
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.19.7
  Git commit:       5d6db84
  Built:            Tue Apr  4 18:18:42 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.18
  GitCommit:        2456e983eb9e37e47538f59ea18f2043c9a73640
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker network ls

NETWORK ID     NAME      DRIVER    SCOPE
82ed92ae2b3e   bridge    bridge    local
290c4fb24a0d   host      host      local
a4a6a0f0e11e   none      null      local

Credential issue with gitlab provider

cli version: 1.39
Hi!

I'm experiencing a credential issue, more specifically using the gitlab provider when requesting to create a pull request the commits fail to fetch. Following are my job configuration and partial output

job:
  package-manager: npm_and_yarn
  allowed-updates:
    - dependency-type: direct
      update-type: all
  source:
    provider: gitlab
    hostname: example.com
    api-endpoint: https://example.com/api/v4
    repo: my-project
    directory: /my-folder
credentials:
  - type: git_source
    host: example.com
    password: token
updater | 2023/11/08 10:57:07 INFO Submitting @apollo/client pull request for creation
proxy | 2023/11/08 10:57:15 [119] GET https://example.com:443/api/v4/projects/my-project/repository/commits?
proxy | 2023/11/08 10:57:15 [119] * authenticating git server request (host: example.com)
proxy | 2023/11/08 10:57:15 [119] 404 https://example.com:443/api/v4/projects/my-project/repository/commits?
proxy | 2023/11/08 10:57:15 [119] * auth'd git request returned 404, retrying without auth
proxy | 2023/11/08 10:57:15 [119] * de-auth'd request returned 404, ignoring response

I've looked through the codebase and noticed the dependency on the gitlab api ruby project so I did some testing with that one to understand where the problem lies and found that project to be working fine running the following command.
gitlab commits my-project

How to use custom branch/commit for test command

👋 We're using dependabot in a big Elixir umbrella project and are running into some issues lately. I've set up dependabot/cli with the following yaml config:

job:
  package-manager: mix
  allowed-updates:
    - update-type: all
  source:
    provider: github
    repo: private/repo
    directory: /
    commit: xxxx
    branch: xxxx
credentials:
  - type: hex-organization
    organization: boulevard
    key: $HEX_API_KEY
  - type: hex-repository
    repo: oban
    url: https://getoban.pro/repo
    auth-key: $OBAN_API_KEY
    public-key-fingerprint: $OBAN_FINGERPRINT

When running this via:

dependabot test -f dependabot-test.yaml

It keeps downloading the mix files from the latest ref of our main branch instead of using the branch + commit I've specified in the yaml source:. I am not sure if I am holding things wrong, or if that is a bug in dependabot/cli. Unfortunately I don't have a public repo at hand to reproduce this, but it should be fairly straightforward to test 🤞

Jenkins Docker/Kubernetes DNS resolution to proxy with random name

I'm trying to run dependabot within a Jenkins pipeline running on linux nodes in a docker-in-docker (dind) container. During the build, I see these errors:

updater | 2023/07/31 19:31:33 INFO Checking all dependencies for version updates...
updater | 2023/07/31 19:31:33 INFO Checking if javax.servlet:javax.servlet-api 4.0.1 needs updating
  proxy | 2023/07/31 19:31:33 [002] 200 http://host.docker.internal:8088/update_jobs/cli/increment_metric
  proxy | 2023/07/31 19:41:43 [003] POST http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
{"data":{"error-type":"unknown_error","error-details":null},"type":"record_update_job_error"}
  proxy | 2023/07/31 19:41:43 [003] 200 http://host.docker.internal:8088/update_jobs/cli/record_update_job_error
updater | 2023/07/31 19:41:43 ERROR Error processing javax.servlet:javax.servlet-api (Excon::Error::Socket)
updater | 2023/07/31 19:41:43 ERROR no address for angry_kare6 (Resolv::ResolvError)
updater | 2023/07/31 19:41:43 ERROR /home/dependabot/dependabot-updater/vendor/ruby/3.1.0/gems/excon-0.99.0/lib/excon/socket.rb:170:in `connect'
...
updater | 2023/07/31 19:41:43 ERROR /home/dependabot/common/lib/dependabot/registry_client.rb:18:in `get'
updater | 2023/07/31 19:41:43 ERROR /home/dependabot/maven/lib/dependabot/maven/update_checker/version_finder.rb:164:in `fetch_dependency_metadata'

I noticed these lines in proxy.go:

	hostName := namesgenerator.GetRandomName(1)
	proxyContainer, err := cli.ContainerCreate(ctx, config, hostCfg, nil, nil, hostName)

I think the problem is that docker sets up a container with a generated random name, in this case "angry_kare6", and then kubernetes addresses the pod using something like "angry_kare6.jenkins.svc.cluster.local".

Is there any way for me to add the short hostname for pods in the same namespace to the hostname resolution?

Apologies if I've missed any obvious solution.

Edit: Looking at running pods for a different service, it appears the resolv.conf search domains should be correct. I'm wondering if the docker id could be used instead of a random hostname? Example in bash:

DOCKER_ID=$(docker run -d -it --rm proxy bash)
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro dind --hosts=docker://$DOCKER_ID

Authentication failure in running dependabot update on private-repo having pip as package-manager

Hey!

I am facing a private_source_authentication_failure when trying to run dependabot-cli on a private repo. I was trying to run the dependabot update command. We authenticate with username and password and use an AWS CodeArtifact repo as source.

Dependabot update command

dependabot update -f test.yaml

Error

........
........
updater | 2023/11/13 18:24:56 INFO Checking if boto3 1.24.84 needs updating
{"data":{"error-type":"private_source_authentication_failure","error-details":{"source":"https://example.com/"}},"type":"record_update_job_error"}
  proxy | 2023/11/13 18:24:56 [008] POST http://host.docker.internal:45341/update_jobs/cli/record_update_job_error
  proxy | 2023/11/13 18:24:56 [008] 200 http://host.docker.internal:45341/update_jobs/cli/record_update_job_error
updater | 2023/11/13 18:24:56 INFO Handled error whilst updating boto3: private_source_authentication_failure {:source=>"https:/example.com/"}
updater | 2023/11/13 18:24:56 INFO Checking if marshmallow 3.18.0 needs updating
  proxy | 2023/11/13 18:24:56 [009] POST http://host.docker.internal:45341/update_jobs/cli/record_update_job_error
{"data":{"error-type":"private_source_authentication_failure","error-details":{"source":"https://example.com/"}},"type":"record_update_job_error"}
.........
........


Sample Job Description

job:
    package-manager: pip
    allowed-updates:
      - update-type: all
    security-advisories:
      - dependency-name: black
        affected-versions:
          - <20.0.0
        patched-versions: []
        unaffected-versions: []
    source:
        provider: github
        repo: example/test
        directory: /      
credentials:
  - type: python-index
    registry: [registry_url]
    token: [token]

What we are really looking for is to authenticate using username/password and using AWS codeartifact repo as source.
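The JSON lines interleaved with the proxy output above (type record_update_job_error) are the payloads the updater POSTs to the CLI's local update_jobs API for each failure; the same payload shape appears in the Jenkins log earlier on this page, and the Results table the updater prints at the end is a tally of them. The Go program below is an added example, not dependabot/cli code: it pulls those payloads out of captured CLI output, counts them per error type, and flags any type outside a tolerated set, which is how a pipeline could keep going through private_source_authentication_failure (which the updater logs as a handled error and continues past) while still failing on unknown_error. The sample output is constructed from log lines quoted on this page, and the tolerated set is a policy choice of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// recordUpdateJobError mirrors the payload shape seen in the logs above:
// {"data":{"error-type":...,"error-details":...},"type":"record_update_job_error"}
type recordUpdateJobError struct {
	Type string `json:"type"`
	Data struct {
		ErrorType    string         `json:"error-type"`
		ErrorDetails map[string]any `json:"error-details"`
	} `json:"data"`
}

// JobError is the triage view of one reported error.
type JobError struct {
	ErrorType string
	Source    string // the "source" detail, when the payload carries one
}

// ParseJobErrors scans mixed CLI output line by line and decodes every
// record_update_job_error payload; "proxy |" and "updater |" lines are skipped.
func ParseJobErrors(output string) []JobError {
	var errs []JobError
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "{") {
			continue
		}
		var rec recordUpdateJobError
		if json.Unmarshal([]byte(line), &rec) != nil || rec.Type != "record_update_job_error" {
			continue
		}
		je := JobError{ErrorType: rec.Data.ErrorType}
		// error-details may be null; a nil map lookup yields a nil interface,
		// so the type assertion simply fails and Source stays empty.
		if s, ok := rec.Data.ErrorDetails["source"].(string); ok {
			je.Source = s
		}
		errs = append(errs, je)
	}
	return errs
}

// Summarize counts errors per type, like the Results table the updater prints.
func Summarize(errs []JobError) map[string]int {
	counts := map[string]int{}
	for _, e := range errs {
		counts[e.ErrorType]++
	}
	return counts
}

// Unexpected returns the distinct error types not in the tolerated set, sorted.
func Unexpected(errs []JobError, tolerated ...string) []string {
	ok := map[string]bool{}
	for _, t := range tolerated {
		ok[t] = true
	}
	seen := map[string]bool{}
	for _, e := range errs {
		if !ok[e.ErrorType] {
			seen[e.ErrorType] = true
		}
	}
	out := make([]string, 0, len(seen))
	for t := range seen {
		out = append(out, t)
	}
	sort.Strings(out)
	return out
}

// SampleOutput is a constructed excerpt assembled from log lines quoted on this page.
const SampleOutput = `updater | 2023/11/13 18:24:56 INFO Checking if boto3 1.24.84 needs updating
{"data":{"error-type":"private_source_authentication_failure","error-details":{"source":"https://example.com/"}},"type":"record_update_job_error"}
  proxy | 2023/11/13 18:24:56 [008] POST http://host.docker.internal:45341/update_jobs/cli/record_update_job_error
updater | 2023/11/13 18:24:56 INFO Checking if marshmallow 3.18.0 needs updating
{"data":{"error-type":"private_source_authentication_failure","error-details":{"source":"https://example.com/"}},"type":"record_update_job_error"}
{"data":{"error-type":"unknown_error","error-details":null},"type":"record_update_job_error"}
`

func main() {
	errs := ParseJobErrors(SampleOutput)
	fmt.Println("per type:", Summarize(errs))
	fmt.Println("unexpected:", Unexpected(errs, "private_source_authentication_failure"))
}
```

Pipe the CLI's combined output into this (or read it from a saved log) and exit non-zero when Unexpected returns anything; which types to tolerate depends on whether missing-registry results are acceptable for the run.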

Slow scanning taking over an hour

We run dependabot two different ways against the same code bases:

  1. dependabot/cli (for finding vulnerabilities before alerts are created in testing)
  2. github actions (for creating the alerts for our staging environment)

Various projects of various languages that consume our jenkins pipeline logic (shared library) have observed that dependabot/cli can take over an hour to complete, while seemingly the Github Actions creates the alerts within a few minutes.

I am not sure what I could provide you to troubleshoot this, nor do I know if Github Actions allow me to see how long they took to execute.

If you need any details or examples, please reach out to me privately since these projects are part of an Enterprise GitHub Organization. Also, @lindluni (Senior DevOps Engineer at GitHub) may be able to relay information.

Run dependabot cli for my local branch

Issue

We only have the budget to include advanced security features to test our vulnerabilities if we release our code to production (aka default branch).

So, I would like to test the dependabot CLI against a local copy of my repository before creating my pull requests.

Is this doable? If it is, how can I run it?

Note: Due to security policies, I don't want to expose any credentials on the run.

Credentials not passed to dependabot-core script

I've tried using the CLI tool like so
dependabot update --file input.json

My input.json file looks like so

{
  "job": {
    "package-manager": "npm_and_yarn",
    "allowed-updates": [
      {
        "update-type": "all"
      }
    ],
    "source": {
      "provider": "bitbucket",
      "repo": "xxxxx",
      "directory": "\/",
      "branch": "master"
    }
  },
  "credentials": [
    {
      "type": "git_source",
      "host": "github.com",
      "username": "x-access-token",
      "password": "xxxxxx"
    },
    {
      "type": "git_source",
      "host": "bitbucket.org",
      "username": "xxxxx",
      "password": "xxxxx"
    },
    {
      "type": "npm_registry",
      "registry": "https:\/\/npm.pkg.github.com",
      "token": "xxxxx"
    }
  ]
}

I have made custom builds of both the CLI and Dependabot Core, adding some prints to the console in their code to help me debug where this problem occurs.
Dependabot Core requires credentials for Bitbucket, either username and password or access token.

I can see from these logs that the credentials are available in the CLI, but when the "updater" runs (dependabot-core) the credentials are missing values.

It's unclear to me where or why these credentials are getting dropped.

As a result, the connection to Bitbucket errors and PRs cannot be raised.
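The earlier CLI log line "Adding missing credentials-metadata into job definition" and the empty values seen in the updater here fit a split in which the proxy holds the secret values and the updater receives only non-secret credential metadata; treat that reading as this example's assumption rather than a statement from the project. The Go program below is an added example, not dependabot/cli code: it derives such metadata from the issue's input.json, redacts the same fields for safe debug printing (a custom build that prints raw credentials to the console leaks them into CI logs), and audits a credential list for leftover secrets. The set of secret fields (password, token, key, auth-key) and the JSON-only parsing are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Credential is one entry of the "credentials" array of a CLI input file.
type Credential map[string]string

// Input holds the two top-level keys of the input file this example uses.
type Input struct {
	Job         map[string]any `json:"job"`
	Credentials []Credential   `json:"credentials"`
}

// secretFields are the credential fields treated as secrets here.
// Assumption: these stay with the proxy and must never reach the updater.
var secretFields = map[string]bool{
	"password": true,
	"token":    true,
	"key":      true,
	"auth-key": true,
}

// Parse decodes an input file body. The CLI also accepts YAML; this
// example handles JSON only.
func Parse(body string) (Input, error) {
	var in Input
	err := json.Unmarshal([]byte(body), &in)
	return in, err
}

// Metadata copies each credential without its secret fields, the shape
// this example assumes for "credentials-metadata".
func Metadata(creds []Credential) []Credential {
	out := make([]Credential, 0, len(creds))
	for _, c := range creds {
		m := Credential{}
		for k, v := range c {
			if !secretFields[k] {
				m[k] = v
			}
		}
		out = append(out, m)
	}
	return out
}

// Redact replaces secret values with a marker carrying only the value's
// length, so a debug print shows "present vs empty" without leaking it.
func Redact(creds []Credential) []Credential {
	out := make([]Credential, 0, len(creds))
	for _, c := range creds {
		r := Credential{}
		for k, v := range c {
			if secretFields[k] {
				r[k] = fmt.Sprintf("<redacted:%d>", len(v))
			} else {
				r[k] = v
			}
		}
		out = append(out, r)
	}
	return out
}

// Audit returns "index/field" for every secret field still present, so a
// caller can assert that nothing secret is about to be handed to the updater.
func Audit(creds []Credential) []string {
	var found []string
	for i, c := range creds {
		for k := range c {
			if secretFields[k] {
				found = append(found, fmt.Sprintf("%d/%s", i, k))
			}
		}
	}
	sort.Strings(found)
	return found
}

// SampleInput is a constructed copy of the issue's input.json with the same
// placeholder values.
const SampleInput = `{
  "job": {"package-manager": "npm_and_yarn",
          "source": {"provider": "bitbucket", "repo": "xxxxx", "directory": "/", "branch": "master"}},
  "credentials": [
    {"type": "git_source", "host": "github.com", "username": "x-access-token", "password": "xxxxxx"},
    {"type": "git_source", "host": "bitbucket.org", "username": "xxxxx", "password": "xxxxx"},
    {"type": "npm_registry", "registry": "https://npm.pkg.github.com", "token": "xxxxx"}
  ]
}`

func main() {
	in, err := Parse(SampleInput)
	if err != nil {
		panic(err)
	}
	fmt.Println("updater-side metadata:", Metadata(in.Credentials))
	fmt.Println("safe to log:          ", Redact(in.Credentials))
	fmt.Println("secrets in raw input: ", Audit(in.Credentials))
}
```

When debugging a credential problem, print Redact(...) rather than the raw structure, and run Audit(...) on whatever is handed to the updater: an empty result there is the expected state, not a bug.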

Provide a CLI interface more compatible with `dry-run.rb`

In order to encourage CLI adoption, I'd like a CLI interface more compatible with dry-run.rb.

When I work on dependabot-core issues, I'm still mostly using dry-run.rb because I often use the --dep and --commit flags with it. With the CLI I need to create an input file, and that makes me lazy.

I think it could be helpful to implement these flags in the CLI.

Is it possible to run the cli for git enterprise?

Based on this issue #134 I tried to change the default host of git because I have a GitHub Enterprise instance, but it didn't work. I received a 401, although I couldn't get more info regarding where it is trying to get access to, whether my instance or the GitHub default.

Using --debug didn't provide more info.

{
  "job": {
    "package-manager": "npm_and_yarn",
    "allowed-updates": [
      {
        "update-type": "all"
      }
    ],
    "source": {
      "provider": "github",
      "repo": "demo-repo",
      "directory": "\/",
      "branch": "develop"
    }
  },
  "credentials": [
    {
      "type": "git_source",
      "host": "my_instance",
      "username": "x-access-token",
      "password": "my_token"
    },
    {
      "type": "npm_registry",
      "registry": "my_registry",
      "token": "my_token"
    }
  ]
}

Am I doing something wrong, or is it really not possible to access a different instance other than github.com?

Any way to skip private registries?

When dependabot runs in GitHub Actions, it seems to work without access to private registries.

How can I get that functionality from dependabot/cli?

When it hits a private registry and fails to authenticate, the process exits with an error. I'd like to still get the results I would have from GitHub Actions.

subcommand to validate `dependabot.yml` file

There used to be a way to check the syntax of a dependabot config file. Would it be possible to add that functionality as part of this tool? If so, would it be possible to address the concerns brought up in the issue below under this CLI tool, and possibly even move that issue to this repository?

From my use perspective, it would be awesome if I could run a dependabot lint -f /path/to/dependabot.yml.
