dependabot-script's Issues

How to set DIRECTORY_PATH

Hi! I can't set DIRECTORY_PATH correctly.

Currently my .gitlab-ci.yml looks like this

.dependabot:
  image: dependabot/dependabot-core
  variables:
    PACKAGE_MANAGER: $CI_JOB_NAME
  before_script:
    - bundle install -j $(nproc) --path vendor
  script: bundle exec ruby ./generic-update-script.rb
  cache:
    paths:
      - vendor/
  only:
    - schedules

npm_and_yarn:
  extends: .dependabot
  only:
    variables:
      - $PACKAGE_MANAGER_SET =~ /(\bnpm|yarn\b)/
      - $DIRECTORY_PATH =~ /Frontend/

The error is that it still tries to get files from the root of the repo whose dependencies I'm trying to update. So the variable is not applied here.

Why did I use $DIRECTORY_PATH =~ /Frontend/?
Because if I do

  • - DIRECTORY_PATH =~ /Frontend/ - jobs:npm_and_yarn:only variables invalid expression syntax
  • - $DIRECTORY_PATH = /Frontend/ - jobs:npm_and_yarn:only variables invalid expression syntax
  • - $DIRECTORY_PATH = Frontend - jobs:npm_and_yarn:only variables invalid expression syntax
  • - $DIRECTORY_PATH = "Frontend" - jobs:npm_and_yarn:only variables invalid expression syntax
  • - $DIRECTORY_PATH: "Frontend" - GitLab just gives a 500 error
  • - DIRECTORY_PATH: "Frontend" - GitLab just gives a 500 error

I've tried a lot of things, none worked.
What is the correct way of setting DIRECTORY_PATH variable?

.dependabot/config.yml ignored

We have a private gitlab installation and I have configured the dependabot-script and schedules for some of the repos.

One of the repos has a .dependabot/config.yml in the root and I was expecting that the dependabot-script job would read the config.yml, but it did not.

How do I make it read my config.yml?

Default assignee

Is it possible to specify default assignee for all pull-requests?
For example, we have a single person in a team whose responsibility is to review/merge PRs from dependabot.

Or should generic-update-script be tweaked manually?

Commit message format

Is it possible to set commit message format?

We use commitizen and conventional-changelog.
We also have this regex /^(revert: )?(feat|fix|docs|refactor|chore)(\(.+\))?:.{1,50}refs #\d+/ as a push-rule.

Closed merge request is not updated

For testing reasons I have closed one of the pull requests created by dependabot on Gitlab:
(screenshot: 2019-04-20 at 16:43:50)

And then I executed another pipeline, and I expected that a comment similar to GitHub's version would be created, like "Oh, I see that this dependency does not need to be updated, etc."
But, nothing happened. CI log:

$ bundle exec ruby ./generic-update-script.rb
Fetching bundler dependency files for wemake.services/kira-dependencies
Parsing dependencies information
  - Updating dependabot-omnibus (from 0.105.6)… submitted
Done

Result (none):
(screenshot: 2019-04-20 at 16:45:53)

Is it how it should be? Or is there a bug?

CI tests

I suggest setting up some form of CI tests for this project so issues like the one in #319 get caught sooner, ideally before getting merged.

Conventional Commits

Dependabot core seems to be able to understand when a repo is using conventional commits, but it seems that Dependabot Script does not honor that. Is there some flag I can give it to force it to do so?

Closing Previously Opened PRs / Whitelist to Auto Merge

Two of the features from the web-based version that I particularly like are the closing of PRs bumping from 1.2.3 to 1.2.4 when a 1.2.3 to 1.2.5 PR opens prior to the former being merged, as well as being able to whitelist specific dependencies (e.g. dev dependencies) to automerge when status checks pass.

How can I approximate these using Dependabot Script for deployments in GitHub Enterprise?
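The two behaviours asked about above can be approximated in a script that runs after the update job, as the following added example shows. It is not code from dependabot-script or dependabot-core: the merge request hash layout (iid, manager, directory, dependency, from, to) is an assumption about what a script would assemble from the GitLab or GitHub API and from the branch names it generated, and the sample data is constructed. The first function finds open MRs whose target version is lower than another open MR for the same dependency (same package manager and directory), so a job can close them; the second is the allow-list gate for merging without review.

```ruby
# Added example, not dependabot-script code: supersede older update MRs and
# gate automerge on an explicit allow-list plus a passing pipeline.
require "rubygems" # Gem::Version, shipped with Ruby

# Each MR is a hash: { iid:, manager:, directory:, dependency:, from:, to: }.
# Version strings that Gem::Version cannot parse (a git SHA pin, say) are
# left alone rather than guessed at.
def superseded_updates(open_mrs)
  groups = open_mrs.group_by { |mr| [mr[:manager], mr[:directory], mr[:dependency]] }
  groups.flat_map do |_key, mrs|
    versioned = mrs.select { |mr| Gem::Version.correct?(mr[:to]) }
    next [] if versioned.size < 2
    newest = versioned.max_by { |mr| Gem::Version.new(mr[:to]) }
    versioned.reject { |mr| mr.equal?(newest) }
             .map { |mr| mr.merge(superseded_by: newest[:iid]) }
  end
end

# Allow-list gate: only named dependencies are ever merged without review,
# and only once the MR pipeline reports success (GitLab status naming assumed).
def automerge_candidate?(mr, allowlist, pipeline_status)
  allowlist.include?(mr[:dependency]) && pipeline_status == "success"
end

# Constructed sample: what one repository's open update MRs might look like.
SAMPLE_OPEN_MRS = [
  { iid: 41, manager: "npm_and_yarn", directory: "/",         dependency: "lodash",   from: "4.17.15", to: "4.17.19" },
  { iid: 47, manager: "npm_and_yarn", directory: "/",         dependency: "lodash",   from: "4.17.15", to: "4.17.21" },
  { iid: 42, manager: "pip",          directory: "/",         dependency: "boto3",    from: "1.12.0",  to: "1.12.3"  },
  { iid: 48, manager: "pip",          directory: "/",         dependency: "boto3",    from: "1.12.0",  to: "1.12.10" },
  { iid: 43, manager: "pip",          directory: "/",         dependency: "botocore", from: "1.15.0",  to: "1.15.3"  },
  { iid: 44, manager: "npm_and_yarn", directory: "/Frontend", dependency: "lodash",   from: "4.17.15", to: "4.17.20" },
].freeze

DEV_DEPENDENCY_ALLOWLIST = %w[lodash].freeze

if $PROGRAM_NAME == __FILE__
  superseded_updates(SAMPLE_OPEN_MRS).each do |mr|
    puts "close !#{mr[:iid]} (#{mr[:dependency]} -> #{mr[:to]}), superseded by !#{mr[:superseded_by]}"
  end
  SAMPLE_OPEN_MRS.each do |mr|
    ok = automerge_candidate?(mr, DEV_DEPENDENCY_ALLOWLIST, "success")
    puts "!#{mr[:iid]} #{mr[:dependency]}: #{ok ? 'automerge candidate' : 'needs review'}"
  end
end
```

Note that 1.12.10 sorts above 1.12.3 because Gem::Version compares segments numerically, which a plain string sort would get wrong; the same directory-aware grouping keeps a /Frontend update from superseding a root one.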

How to deal with merge conflicts?

We have a Python project that uses boto3 and botocore. They're releasing a new version almost daily. Unfortunately for us they are next to each other in our requirements.txt, which means we have to deal with merge conflicts on a daily basis too.

If we don't, the merge requests (our private repos are on GitLab) start to pile up.

Merging them automatically wouldn't solve it for us. One will get merged. The other can't, because of a conflict.

What is the recommended method to deal with situations like this? If it isn't possible to merge them, can we ignore patch releases for both packages and focus on minor releases only?

NpmAndYarn::Updater.updated_dependency_files throws error

Currently trying the Azure DevOps setup and cannot get the generic-script to work. Seems to me that the error is thrown from updater.updated_dependency_files. Every step until this is going fine, I just lack the PR step :)

Gemfile:

ruby "2.6.5"
source "https://rubygems.org"

gem "irb"
gem "dependabot-omnibus", "~> 0.113.28"

Stack-trace is as follows:

2020-02-18T11:43:58.5720467Z [command]/bin/bash --noprofile --norc /home/vsts/work/_temp/421cd65a-a7fe-4bc5-a2af-45c55218843f.sh
2020-02-18T11:44:02.8397880Z Found @testing-library/jest-dom @ 4.2.4...
2020-02-18T11:44:08.5986362Z   considering upgrade to 5.1.1
2020-02-18T11:44:08.6511870Z /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:117:in `rescue in run_helper_subprocess': Dependabot::SharedHelpers::HelperSubprocessFailed
2020-02-18T11:44:08.6513206Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:85:in `run_helper_subprocess'
2020-02-18T11:44:08.6513766Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:151:in `run_npm_top_level_updater'
2020-02-18T11:44:08.6514341Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:139:in `block in run_npm_updater'
2020-02-18T11:44:08.6514818Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:143:in `with_git_configured'
2020-02-18T11:44:08.6515367Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:137:in `run_npm_updater'
2020-02-18T11:44:08.6515892Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:115:in `run_current_npm_update'
2020-02-18T11:44:08.6516408Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:35:in `block (2 levels) in updated_lockfile_content'
2020-02-18T11:44:08.6516954Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:34:in `chdir'
2020-02-18T11:44:08.6517457Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:34:in `block in updated_lockfile_content'
2020-02-18T11:44:08.6518236Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `block (2 levels) in in_a_temporary_directory'
2020-02-18T11:44:08.6518749Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `chdir'
2020-02-18T11:44:08.6519309Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `block in in_a_temporary_directory'
2020-02-18T11:44:08.6519715Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/2.6.0/tmpdir.rb:93:in `mktmpdir'
2020-02-18T11:44:08.6520234Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:34:in `in_a_temporary_directory'
2020-02-18T11:44:08.6520718Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:30:in `updated_lockfile_content'
2020-02-18T11:44:08.6521287Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:187:in `updated_package_lock_content'
2020-02-18T11:44:08.6521759Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:120:in `package_lock_changed?'
2020-02-18T11:44:08.6522294Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:149:in `block in updated_lockfiles'
2020-02-18T11:44:08.6522750Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:148:in `each'
2020-02-18T11:44:08.6523258Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:148:in `updated_lockfiles'
2020-02-18T11:44:08.6523907Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:39:in `updated_dependency_files'
2020-02-18T11:44:08.6524288Z 	from ./update-script.rb:84:in `block in <main>'
2020-02-18T11:44:08.6524708Z 	from ./update-script.rb:47:in `each'
2020-02-18T11:44:08.6525064Z 	from ./update-script.rb:47:in `<main>'
2020-02-18T11:44:08.6525604Z /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/2.6.0/json/common.rb:156:in `parse': 767: unexpected token at '' (JSON::ParserError)
2020-02-18T11:44:08.6526344Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/2.6.0/json/common.rb:156:in `parse'
2020-02-18T11:44:08.6526824Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:109:in `run_helper_subprocess'
2020-02-18T11:44:08.6527386Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:151:in `run_npm_top_level_updater'
2020-02-18T11:44:08.6527913Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:139:in `block in run_npm_updater'
2020-02-18T11:44:08.6528418Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:143:in `with_git_configured'
2020-02-18T11:44:08.6528920Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:137:in `run_npm_updater'
2020-02-18T11:44:08.6530866Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:115:in `run_current_npm_update'
2020-02-18T11:44:08.6532487Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:35:in `block (2 levels) in updated_lockfile_content'
2020-02-18T11:44:08.6533066Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:34:in `chdir'
2020-02-18T11:44:08.6533708Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:34:in `block in updated_lockfile_content'
2020-02-18T11:44:08.6534315Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `block (2 levels) in in_a_temporary_directory'
2020-02-18T11:44:08.6534838Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `chdir'
2020-02-18T11:44:08.6536314Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:37:in `block in in_a_temporary_directory'
2020-02-18T11:44:08.6537774Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/2.6.0/tmpdir.rb:93:in `mktmpdir'
2020-02-18T11:44:08.6538992Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/shared_helpers.rb:34:in `in_a_temporary_directory'
2020-02-18T11:44:08.6539572Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb:30:in `updated_lockfile_content'
2020-02-18T11:44:08.6539935Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:187:in `updated_package_lock_content'
2020-02-18T11:44:08.6540571Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:120:in `package_lock_changed?'
2020-02-18T11:44:08.6540937Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:149:in `block in updated_lockfiles'
2020-02-18T11:44:08.6541259Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:148:in `each'
2020-02-18T11:44:08.6541652Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:148:in `updated_lockfiles'
2020-02-18T11:44:08.6541991Z 	from /opt/hostedtoolcache/Ruby/2.6.5/x64/lib/ruby/gems/2.6.0/gems/dependabot-npm_and_yarn-0.113.28/lib/dependabot/npm_and_yarn/file_updater.rb:39:in `updated_dependency_files'
2020-02-18T11:44:08.6542269Z 	from ./update-script.rb:84:in `block in <main>'
2020-02-18T11:44:08.6542496Z 	from ./update-script.rb:47:in `each'
2020-02-18T11:44:08.6542703Z 	from ./update-script.rb:47:in `<main>'
2020-02-18T11:44:08.6723405Z ##[error]Bash exited with code '1'.
2020-02-18T11:44:08.6735238Z ##[section]Finishing: Update dependencies

Script:

require "json" # used below for JSON[pull_request.body]
require "dependabot/file_fetchers"
require "dependabot/file_parsers"
require "dependabot/update_checkers"
require "dependabot/file_updaters"
require "dependabot/pull_request_creator"
require "dependabot/omnibus"

package_manager = "npm_and_yarn"
repo = "MY_REPO"

credentials = [{
  "type" => "git_source",
  "host" => "dev.azure.com",
  "username" => "",
  "password" => ENV["AZURE_ACCESS_TOKEN"]
},{
  "type" => "npm",
  "url" => "https://pkgs.dev.azure.com/MY_ORG/_packaging/MY_FEED/npm/package.json",
  "token" => ":#{ENV["AZURE_ACCESS_TOKEN"]}"
}]

source = Dependabot::Source.new(
  provider: "azure",
  repo: repo,
  hostname: "dev.azure.com",
  api_endpoint: "https://dev.azure.com/",
  directory: "/",
  branch: nil,
)

fetcher = Dependabot::FileFetchers.for_package_manager(package_manager).new(
  source: source,
  credentials: credentials,
)

files = fetcher.files
commit = fetcher.commit

parser = Dependabot::FileParsers.for_package_manager(package_manager).new(
  dependency_files: files,
  source: source,
  credentials: credentials,
)

dependencies = parser.parse

dependencies.select(&:top_level?).each do |dep|
  puts "Found #{dep.name} @ #{dep.version}..."

  checker = Dependabot::UpdateCheckers.for_package_manager(package_manager).new(
    dependency: dep,
    dependency_files: files,
    credentials: credentials,
  )

  if checker.up_to_date?
    puts "  already using latest version"
    next
  end

  requirements_to_unlock =
    if !checker.requirements_unlocked_or_can_be?
      if checker.can_update?(requirements_to_unlock: :none) then :none
      else :update_not_possible
      end
    elsif checker.can_update?(requirements_to_unlock: :own) then :own
    elsif checker.can_update?(requirements_to_unlock: :all) then :all
    else :update_not_possible
    end

  next if requirements_to_unlock == :update_not_possible

  updated_deps = checker.updated_dependencies(
    requirements_to_unlock: requirements_to_unlock
  )

  puts "  considering upgrade to #{checker.latest_version}"
  updater = Dependabot::FileUpdaters.for_package_manager(package_manager).new(
    dependencies: updated_deps,
    dependency_files: files,
    credentials: credentials,
  )

  updated_files = updater.updated_dependency_files

  pr_creator = Dependabot::PullRequestCreator.new(
    source: source,
    base_commit: commit,
    dependencies: updated_deps,
    files: updated_files,
    credentials: credentials,
    label_language: true,
    author_details: {
      email: "dependabot@MY_DOMAIN",
      name: "dependabot"
    },
  )

  pull_request = pr_creator.create

  if pull_request&.status == 201
    content = JSON[pull_request.body]

    puts "  PR ##{content["pullRequestId"]} submitted"
  else
    puts "  PR already exists or an error has occurred"
  end

  next unless pull_request
end

Dependabot can't resolve your Ruby dependency files

Dependabot can't resolve your Ruby dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

Bundler::VersionConflict with message: Bundler could not find compatible versions for gem "citrus":
  In Gemfile:
    dependabot-omnibus (>= 0.86.18, <= 0.86.20) was resolved to 0.86.18, which depends on
      dependabot-core (= 0.86.18) was resolved to 0.86.18, which depends on
        toml-rb (~> 1.1, >= 1.1.2) was resolved to 1.1.2, which depends on
          citrus (> 3.0, ~> 3.0)

Could not find gem 'citrus (> 3.0, ~> 3.0)', which is required by gem 'toml-rb (~> 1.1, >= 1.1.2)', in any of the sources.

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

You can mention @dependabot in the comments below to contact the Dependabot team.

Automatic PACKAGE_MANAGER guess

Hello, it would be nice if the update script could automatically guess the PACKAGE_MANAGER environment variable if not provided, e.g. by checking if build.gradle or Gemfile file is present.

It could also automatically traverse the directory structure and guess the package manager of particular projects. In other words, automatic support for monorepos.

Maybe this or similar code is already present in the dependabot-core?

I'm not able to provide any code in Ruby, but would be possible in Java.
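One way to do the guessing described in this request, as an added Ruby example that is not part of dependabot-script or dependabot-core: look for well-known manifest files and walk the tree so a monorepo yields one (directory, package manager) pair per project, using dependabot-core's package manager names for the ecosystems mentioned on this page. The manifest table and the skip list are my assumptions and are not exhaustive; the sample repository layout is constructed in a temporary directory.

```ruby
# Added example, not dependabot-script code: guess PACKAGE_MANAGER (and the
# DIRECTORY_PATH values) from the manifest files present in a checkout.
require "tmpdir"
require "fileutils"
require "pathname"

# Manifest file -> dependabot-core package manager name (assumed, partial table).
MANIFESTS = {
  "Gemfile"          => "bundler",
  "package.json"     => "npm_and_yarn",
  "pom.xml"          => "maven",
  "build.gradle"     => "gradle",
  "build.gradle.kts" => "gradle",
  "requirements.txt" => "pip",
  "Pipfile"          => "pip",
  "pyproject.toml"   => "pip",
  "Dockerfile"       => "docker",
}.freeze

# Dependency caches and VCS metadata are never project roots.
SKIP_DIRS = %w[.git node_modules vendor].freeze

# Returns sorted, de-duplicated [directory, package_manager] pairs, with the
# directory written the way DIRECTORY_PATH expects it ("/" for the repo root).
def detect_package_managers(root)
  root = Pathname.new(root)
  found = []
  walk = lambda do |dir|
    dir.children.sort.each do |entry|
      if entry.directory?
        walk.call(entry) unless SKIP_DIRS.include?(entry.basename.to_s)
      elsif (manager = MANIFESTS[entry.basename.to_s])
        rel = dir.relative_path_from(root).to_s
        found << [rel == "." ? "/" : "/#{rel}", manager]
      end
    end
  end
  walk.call(root)
  found.uniq.sort
end

# Single-project case: the value to use when PACKAGE_MANAGER is unset.
# Refuses to guess (returns nil) when the repo root holds several manifests.
def guess_root_package_manager(root)
  managers = detect_package_managers(root).select { |dir, _| dir == "/" }.map(&:last)
  managers.size == 1 ? managers.first : nil
end

# Constructed monorepo layout; node_modules must not be reported as a project.
def build_sample_monorepo(base)
  {
    "Gemfile"                                     => "",
    "Frontend/package.json"                       => "{}",
    "Frontend/node_modules/left-pad/package.json" => "{}",
    "services/api/pom.xml"                        => "",
    "services/worker/requirements.txt"            => "",
    "services/worker/pyproject.toml"              => "",
  }.each do |rel, content|
    path = File.join(base, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, content)
  end
  base
end

def detect_in_sample_monorepo
  Dir.mktmpdir("dependabot-guess") { |tmp| detect_package_managers(build_sample_monorepo(tmp)) }
end

if $PROGRAM_NAME == __FILE__
  detect_in_sample_monorepo.each do |dir, manager|
    puts "DIRECTORY_PATH=#{dir} PACKAGE_MANAGER=#{manager}"
  end
end
```

Two manifests in one directory that map to the same manager (requirements.txt beside pyproject.toml) collapse into a single pair, which matches how the pip manager on this page handles Poetry projects; a root with manifests for different managers is reported as ambiguous rather than picked at random.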

update-script with maven does not work for properties

Hello,

I successfully ran the generic script to update Maven dependencies, but I would like to run it for only one dependency. Therefore I used update-script.rb. But updated_deps = checker.updated_dependencies(requirements_to_unlock: :own) always returns an empty array, even though, from my investigation, the script is able to retrieve the latest version, which is different from the current version in the pom.xml.

I see that

https://github.com/dependabot/dependabot-core/blob/06dfc696d6abb43a566464c7bede17cdca796942/common/lib/dependabot/update_checkers/base.rb#L207-L220

when :own
  preferred_version_resolvable_with_unlock?

always returns false, which makes updated_deps = checker.updated_dependencies(requirements_to_unlock: :own) return an empty list, and thus no updates are done.

I use a multi-module Maven project with shared properties. Is this not supported?

Any info about configuring

Hi! Thank you for the great tool!

I could have missed something, but I've not found any info about successfully configuring 'dependabot-script' for GitLab CI + projects based on Poetry (Python).

I've followed this guide but had no luck, both for 'PACKAGE_MANAGER_SET=pip':

Job output for pip
$ bundle exec ruby ./generic-update-script.rb
/builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:395:in 'rescue in default_branch_for_repo': Dependabot::RepoNotFound (Dependabot::RepoNotFound)
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:391:in 'default_branch_for_repo'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:61:in 'commit'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:308:in '_full_specification_for'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:125:in '_fetch_repo_contents'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:110:in 'repo_contents'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:77:in 'fetch_file_if_present'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/file_fetcher.rb:119:in 'pipfile'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/file_fetcher.rb:65:in 'pipenv_files'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/file_fetcher.rb:42:in 'fetch_files'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:55:in 'files'
	from ./generic-update-script.rb:115:in '<main>'
/builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/response/raise_error.rb:16:in 'on_complete': GET https://api.github.com/repos/product/mspy-lister: 404 - Not Found // See: https://developer.github.com/v3/repos/#get (Octokit::NotFound)
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/faraday-0.17.0/lib/faraday/response.rb:9:in 'block in call'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/faraday-0.17.0/lib/faraday/response.rb:61:in 'on_complete'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/faraday-0.17.0/lib/faraday/response.rb:8:in 'call'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/middleware/follow_redirects.rb:73:in 'perform_with_redirection'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/middleware/follow_redirects.rb:61:in 'call'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/faraday-0.17.0/lib/faraday/request/retry.rb:130:in 'call'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/faraday-0.17.0/lib/faraday/rack_builder.rb:143:in 'build_response'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/faraday-0.17.0/lib/faraday/connection.rb:387:in 'run_request'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/faraday-0.17.0/lib/faraday/connection.rb:138:in 'get'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/sawyer-0.8.2/lib/sawyer/agent.rb:94:in 'call'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/connection.rb:156:in 'request'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/connection.rb:19:in 'get'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/client/repositories.rb:29:in 'repository'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/clients/github_with_retries.rb:95:in 'public_send'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/clients/github_with_retries.rb:95:in 'block in method_missing'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/clients/github_with_retries.rb:115:in 'retry_connection_failures'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/clients/github_with_retries.rb:92:in 'method_missing'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/clients/github_with_retries.rb:66:in 'fetch_default_branch'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:393:in 'default_branch_for_repo'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:61:in 'commit'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:308:in '_full_specification_for'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:125:in '_fetch_repo_contents'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:110:in 'repo_contents'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:77:in 'fetch_file_if_present'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/file_fetcher.rb:119:in 'pipfile'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/file_fetcher.rb:65:in 'pipenv_files'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/file_fetcher.rb:42:in 'fetch_files'
	from /builds/zSsuxM4a/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers/base.rb:55:in 'files'
	from ./generic-update-script.rb:115:in '<main>'

... and also for 'PACKAGE_MANAGER_SET=poetry'

Job output for poetry
$ bundle exec ruby ./generic-update-script.rb
/builds/v5w4qxLp/0/alexandre.fedossov/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/file_fetchers.rb:11:in 'for_package_manager': Unsupported package_manager poetry (RuntimeError)

Can someone point me to the right path of investigation?

Thank you!

"pyenv: version `3.7.4' is not installed" for poetry (pip)

Bumping dependencies for a Poetry project (pip manager set) fails with the following stack trace:

pyenv: version `3.7.4' is not installed (set by /builds/devops/dependabot/tmp/dependabot_20191120-12-xii99d/.python-version)
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/update_checker/poetry_version_resolver.rb:319:in `run_poetry_command'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/update_checker/poetry_version_resolver.rb:85:in `block (2 levels) in fetch_latest_resolvable_version_string'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/shared_helpers.rb:141:in `with_git_configured'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/update_checker/poetry_version_resolver.rb:73:in `block in fetch_latest_resolvable_version_string'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/shared_helpers.rb:37:in `block (2 levels) in in_a_temporary_directory'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/shared_helpers.rb:37:in `chdir'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/shared_helpers.rb:37:in `block in in_a_temporary_directory'
/usr/lib/ruby/2.6.0/tmpdir.rb:93:in `mktmpdir'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/shared_helpers.rb:34:in `in_a_temporary_directory'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/update_checker/poetry_version_resolver.rb:72:in `fetch_latest_resolvable_version_string'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/update_checker/poetry_version_resolver.rb:42:in `latest_resolvable_version'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-python-0.113.15/lib/dependabot/python/update_checker.rb:43:in `latest_resolvable_version'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/update_checkers/base.rb:70:in `preferred_resolvable_version'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/update_checkers/base.rb:233:in `preferred_version_resolvable_with_unlock?'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/update_checkers/base.rb:225:in `numeric_version_can_update?'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/update_checkers/base.rb:175:in `version_can_update?'
/builds/devops/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.15/lib/dependabot/update_checkers/base.rb:38:in `can_update?'
./generic-update-script.rb:152:in `block in <main>'
./generic-update-script.rb:130:in `each'
./generic-update-script.rb:130:in `<main>'

Can I disable github.com source provider ?

Hi,

I would like to know if it's possible to only use local registry / repository without accessing github.com?

I was able to configure local maven repository using generic-update-script but it keeps using api.github.com for external dependencies like spring.

I see the benefits but I would like to be internet independent because I am running on a GHE.

Thx

rebase a MR

Hi... I have a question...

How can I force a merge request rebase on gitlab?

Operate under the assumption of semi-linear merges?

Gitlab has a very cool (and helpful) feature called "Merge commit with semi-linear history":

(screenshot: Selection_336)

In practice, in order for a MR to be merged, it must first contain all commits of the target branch (via rebase or merge).

This guarantees that the CI run for the MR source branch is going to lead to a green build also when merged in the target branch.

The problem is that dependabot-script generates dozens of dependency upgrade MRs (which is fine), and each merge requires a full rebase of all other MRs. The question is whether dependabot-script can somehow rebase those, or react to triggers on merge, so that its open MRs are rebased automatically.

Is something like that feasible?
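Both of the questions above come down to the same GitLab call. The script itself does not rebase anything after it has opened a merge request, but a small follow-up job can. The example below is added here and is not dependabot-script's own code; it assumes GitLab's REST endpoint PUT /projects/:id/merge_requests/:iid/rebase, a personal access token sent in the PRIVATE-TOKEN header, and that the bot opens its MRs as a user named "dependabot". The merge request JSON is constructed sample data in the shape GitLab returns for a single MR.

```ruby
require "net/http"
require "uri"
require "cgi"
require "json"

# Added example, not dependabot-script's own code. Assumes GitLab's REST API
# (PUT /projects/:id/merge_requests/:iid/rebase), a token in the PRIVATE-TOKEN
# header and a bot account named "dependabot"; all three are assumptions.

# A merge request needs a rebase when it is still open, belongs to the bot
# account and GitLab reports that its target branch has moved on.
# diverged_commits_count is only present when a single MR is fetched
# (GET /projects/:id/merge_requests/:iid), so fetch candidates one at a time.
def needs_rebase?(mr, bot_username)
  mr["state"] == "opened" &&
    mr.dig("author", "username") == bot_username &&
    mr.fetch("diverged_commits_count", 0).to_i > 0
end

# The iids of the bot's open MRs that have fallen behind their target branch.
def stale_bot_mrs(mrs, bot_username)
  mrs.select { |mr| needs_rebase?(mr, bot_username) }.map { |mr| mr["iid"] }
end

# Build the rebase request without sending it, so the URL and headers can be
# checked offline. The token goes in a header, never in the URL or the job log.
def rebase_request(base_url, project, iid, token)
  project_id = CGI.escape(project.to_s) # "group/project" -> "group%2Fproject"
  uri = URI("#{base_url.chomp('/')}/api/v4/projects/#{project_id}/merge_requests/#{iid}/rebase")
  req = Net::HTTP::Put.new(uri)
  req["PRIVATE-TOKEN"] = token
  [uri, req]
end

# Send it. GitLab answers 202 and performs the rebase asynchronously; re-read
# the MR afterwards to confirm diverged_commits_count is back to 0.
def rebase!(base_url, project, iid, token)
  uri, req = rebase_request(base_url, project, iid, token)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    http.request(req)
  end
end

# Constructed sample data in the shape of GitLab's single-MR JSON.
SAMPLE_MRS = JSON.parse(<<~JSON)
  [
    {"iid": 12, "state": "opened", "author": {"username": "dependabot"},
     "source_branch": "dependabot/bundler/rack-2.0.8", "diverged_commits_count": 3},
    {"iid": 13, "state": "opened", "author": {"username": "dependabot"},
     "source_branch": "dependabot/bundler/puma-4.3.1", "diverged_commits_count": 0},
    {"iid": 14, "state": "merged", "author": {"username": "dependabot"},
     "source_branch": "dependabot/bundler/nokogiri-1.10.5", "diverged_commits_count": 3},
    {"iid": 15, "state": "opened", "author": {"username": "alice"},
     "source_branch": "issue-7", "diverged_commits_count": 3}
  ]
JSON

# Typical use from a CI job triggered after every merge to the target branch:
#   stale_bot_mrs(SAMPLE_MRS, "dependabot").each do |iid|
#     rebase!("https://gitlab.example.com", "group/project", iid, ENV.fetch("GITLAB_ACCESS_TOKEN"))
#   end
```

Only MRs opened by the bot account are touched, so a human's MR never gets rebased behind their back, and the token used must belong to a user with push rights to the source branch, which for the bot's own branches it already has. With the semi-linear merge setting, run this job on every merge to the target branch and the remaining Dependabot MRs will come back green one by one.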

Custom Labels?

Is it possible to define custom labels and colors?

The only solution google suggests is to write @dependabot use these labels but this obviously does not work with dependabot-script

Add Dockerfile + dockerhub integration

Hi, @greysteil! I am trying to integrate this project to my existing workflow inside Gitlab.
It works great, but still makes me a little bit uncomfortable.

Because I have to keep generic-update-script.rb, Gemfile, etc inside my project.
I also have to update gems inside this Gemfile as well.

What do I suggest?

  1. Create Dockerfile inside this project with all dependencies
  2. Run dockerhub build on each commit
  3. Use image: dependabot/gitlab:latest inside your own .gitlab-ci.yml
  4. Use script: ./generic-update-script.rb inside your update jobs

Looks like a big improvement to me.
I can help you with Dockerfile part and new docs, but I am not able to setup dockerhub integration for you. That's where I need help from your side.

Cheers!

Ruby version number mismatch

Default dependabot-script configuration does not work.

Here's the error I am facing:

Running with gitlab-runner 11.10.0-rc2 (10efa505)
  on docker-auto-scale fa6cab46
Using Docker executor with image dependabot/dependabot-core ...
Pulling docker image dependabot/dependabot-core ...
Using docker image sha256:cdfeba49bbbc71f65eaf61dc6aa7af0c404c8f866999bd5fb4d767711b5746c3 for dependabot/dependabot-core ...
Running on runner-fa6cab46-project-11947325-concurrent-0 via runner-fa6cab46-srm-1555756783-44a2c874...
Initialized empty Git repository in /builds/wemake.services/kira-dependencies/.git/
Fetching changes...
Created fresh repository.
From https://gitlab.com/wemake.services/kira-dependencies
 * [new branch]      master     -> origin/master
Checking out a6fe9539 as master...

Skipping Git submodules setup
Checking cache for default...
FATAL: file does not exist                         
Failed to extract cache
$ bundle install -j $(nproc) --path vendor
Your Ruby version is 2.6.2, but your Gemfile specified 2.6.1
ERROR: Job failed: exit code 1

I am using this exact version: 05c8c34

My workaround is to change ruby version in Gemfile to ruby "2.6.2".

Note about `Faraday::Error::ClientError is deprecated`

I get this note when I run the script

 $ bundle exec ruby ./generic-update-script.rb
 NOTE: Inheriting Faraday::Error::ClientError is deprecated; use Faraday::ClientError instead. It will be removed in or after version 1.0
 Faraday::Error::ClientError.inherited called from /builds/*****/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/middleware/follow_redirects.rb:14.
 Fetching npm_and_yarn dependency files for *****
 Parsing dependencies information

Synchronise dependabot-script with local dependabot-core dev version

Hello there 😄 I am currently developing dependabot-core locally and I use the development docker container to run it. I would like to run dependabot-script against my local development version to test it with a private repository. Does anybody have any idea what is a potential way to do it?

Add an example Azure DevOps pipeline yml file

There is already an example for GitLab CI, but there is not one for Azure DevOps. The script and core do seem to support Azure, but there is no documentation or examples on how to actually set it up.

It would be good to document Azure DevOps usage.

eslint update fails on generate pull request

(screenshot: eslint-issue)

we have integrated dependabot-script in our jenkins pipeline (running inside docker). The current dependabot-omnibus running on it is v0.117.3, however for the last couple of eslint updates we are noticing our pipeline is breaking on this error (pic attached), any help would be really appreciated :)

Stack Trace here:
[2019-12-05T16:11:50.290Z] /usr/local/lib/ruby/2.6.0/time.rb:372:in `_parse'
[2019-12-05T16:11:50.290Z] /usr/local/lib/ruby/2.6.0/time.rb:372:in `parse'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-npm_and_yarn-0.113.26/lib/dependabot/npm_and_yarn/metadata_finder.rb:67:in `block in previous_releasers'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-npm_and_yarn-0.113.26/lib/dependabot/npm_and_yarn/metadata_finder.rb:67:in `reject'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-npm_and_yarn-0.113.26/lib/dependabot/npm_and_yarn/metadata_finder.rb:67:in `previous_releasers'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-npm_and_yarn-0.113.26/lib/dependabot/npm_and_yarn/metadata_finder.rb:28:in `maintainer_changes'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-common-0.113.26/lib/dependabot/pull_request_creator/message_builder.rb:527:in `maintainer_changes'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-common-0.113.26/lib/dependabot/pull_request_creator/message_builder.rb:427:in `maintainer_changes_cascade'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-common-0.113.26/lib/dependabot/pull_request_creator/message_builder.rb:315:in `metadata_cascades_for_dep'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-common-0.113.26/lib/dependabot/pull_request_creator/message_builder.rb:291:in `metadata_cascades'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-common-0.113.26/lib/dependabot/pull_request_creator/message_builder.rb:47:in `pr_message'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-common-0.113.26/lib/dependabot/pull_request_creator.rb:103:in `github_creator'
[2019-12-05T16:11:50.290Z] /usr/local/bundle/gems/dependabot-common-0.113.26/lib/dependabot/pull_request_creator.rb:73:in `create'
[2019-12-05T16:11:50.290Z] /app/update.rb:153:in `block in <main>'
[2019-12-05T16:11:50.290Z] /app/update.rb:98:in `each'

Avoid forking repo

I'm using this script with a privately hosted GitLab instance. I've created a Dependabot user and given it access to the repositories it's monitoring.

With the above in mind, it would be really nice if Dependabot could submit a MR/PR directly rather than forking the repo first. Is that possible?

Error Broken pipe

I'm facing error with some environments (but not all).

/usr/lib/ruby/2.5.0/openssl/buffering.rb:325:in `syswrite': Broken pipe (Errno::EPIPE)
	from /usr/lib/ruby/2.5.0/openssl/buffering.rb:325:in `do_write'
	from /usr/lib/ruby/2.5.0/openssl/buffering.rb:344:in `block in write'
	from /usr/lib/ruby/2.5.0/openssl/buffering.rb:343:in `each'
	from /usr/lib/ruby/2.5.0/openssl/buffering.rb:343:in `inject'
	from /usr/lib/ruby/2.5.0/openssl/buffering.rb:343:in `write'
	from /usr/lib/ruby/2.5.0/net/protocol.rb:233:in `write0'
	from /usr/lib/ruby/2.5.0/net/protocol.rb:207:in `block in write'
	from /usr/lib/ruby/2.5.0/net/protocol.rb:224:in `writing'
	from /usr/lib/ruby/2.5.0/net/protocol.rb:206:in `write'
	from /usr/lib/ruby/2.5.0/net/http/generic_request.rb:188:in `send_request_with_body'
	from /usr/lib/ruby/2.5.0/net/http/generic_request.rb:121:in `exec'
	from /usr/lib/ruby/2.5.0/net/http.rb:1492:in `block in transport_request'
	from /usr/lib/ruby/2.5.0/net/http.rb:1491:in `catch'
	from /usr/lib/ruby/2.5.0/net/http.rb:1491:in `transport_request'
	from /usr/lib/ruby/2.5.0/net/http.rb:1464:in `request'
	from /usr/lib/ruby/2.5.0/net/http.rb:1457:in `block in request'
	from /usr/lib/ruby/2.5.0/net/http.rb:910:in `start'
	from /usr/lib/ruby/2.5.0/net/http.rb:1455:in `request'
	from /.../vendor/ruby/2.5.0/gems/httparty-0.16.2/lib/httparty/request.rb:143:in `perform'
	from /.../vendor/ruby/2.5.0/gems/httparty-0.16.2/lib/httparty.rb:563:in `perform_request'
	from /.../vendor/ruby/2.5.0/gems/httparty-0.16.2/lib/httparty.rb:505:in `post'
	from /.../vendor/ruby/2.5.0/gems/gitlab-4.5.0/lib/gitlab/request.rb:44:in `block (2 levels) in <class:Request>'
	from /.../vendor/ruby/2.5.0/gems/gitlab-4.5.0/lib/gitlab/client/commits.rb:143:in `create_commit'
	from /.../vendor/ruby/2.5.0/bundler/gems/dependabot-core-cc95449efb78/lib/dependabot/pull_request_creator/gitlab.rb:101:in `create_commit'
	from /.../vendor/ruby/2.5.0/bundler/gems/dependabot-core-cc95449efb78/lib/dependabot/pull_request_creator/gitlab.rb:36:in `create'
	from /.../vendor/ruby/2.5.0/bundler/gems/dependabot-core-cc95449efb78/lib/dependabot/pull_request_creator.rb:54:in `create'
	from ./generic-update-script.rb:160:in `block in <main>'
	from ./generic-update-script.rb:110:in `each'
	from ./generic-update-script.rb:110:in `<main>'

Any idea where to start?

No option to provide reviewers with the Dependabot: Azure devops client

I have been using dependabot-script with Azure Devops, but I notice that, in the pull_request_creator.rb file we do not provide a reviewers param to azure_creator method.
Similarly I notice that in the content object of create_pull_request method of the azure client, we do not pass any reviewers option.
I see a reviewers option in the documentation for azure devops' pull request create method: https://docs.microsoft.com/en-us/rest/api/azure/devops/git/pull%20requests/create?view=azure-devops-rest-5.1
Is there a reason, why this was not added? or are there plans to add this feature ?
Thanks in advance!

Providing ECR credentials

From issues in dependabot-core I read that aws ecr hosted docker dependencies are supported. However I'm not sure how to provide credentials for ecr if used with dependabot-script.
Is this even possible? Can you provide documentation on this?

[Gitlab] Merge requests on to a different branch

I've been trying to get the script to use the "develop" branch to check and make merge requests to, and not "master". I have tried to use the .dependabot/config.yaml file, but this does not seem to work for some reason.

Is this a bug? intended? am I doing something wrong?

GitHub Api limit exceeded - TooManyRequests

I am trying to use the script for a GitLab repository. Thereby, a GitLab Access Token is specified.
The above setting leads to following output:

/builds/<user_name>/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/response/raise_error.rb:16:in `on_complete': GET https://api.github.com/repos/fabric8io/fabric8-maven-plugin/contents/doc: 403 - API rate limit exceeded for <ip>. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) // See: https://developer.github.com/v3/#rate-limiting (Octokit::TooManyRequests)

I thought that dependabot fetches the dependency information (in case of maven) from maven central. So why does it hit GitHub API limit?

Working/temporary directory configuration

Is it possible to configure the directory where Dependabot downloads the files to? It would be also great if this working directory were configurable via an environment variable.

How-to run the script as a docker container

I'd like to run the script against repos in our internal GHE, but I have no experience with setting up ruby. Our CI/CD environment is based on Docker images, so the best case scenario would be to have a docker image that contains dependabot core and the script and I can configure it using env vars. Unfortunately due to my lack of ruby skills I can't figure out how to bake this... 😢

`up_to_date?': undefined method `appears_in_lockfile?' for nil:NilClass (NoMethodError)

So I'm trying to debug dependabot issues on one of our projects. @greysteil recommended me to first try to make this script run, but it seems it doesn't run. Do you have some pointers to figure out why?

ruby update-script.rb
warning: parser/current is loading parser/ruby26, which recognizes
warning: 2.6.2-compliant syntax, but you are running 2.6.1.
warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
Traceback (most recent call last):
	1: from update-script.rb:91:in `<main>'
/usr/share/rvm/gems/ruby-2.6.1/gems/dependabot-common-0.98.71/lib/dependabot/update_checkers/base.rb:22:in `up_to_date?': undefined method `appears_in_lockfile?' for nil:NilClass (NoMethodError)

Private Repo for maven

Hi,
I've already checked that the issue of using private maven repository is solved as stated in:

Since I'm in a situation where all java artifacts are proxied by a nexus private installation, how can I setup the reference to my nexus?
I know I could set the repo in my pom, but I rather prefer to set them in settings and then profile and I'm not sure dependabot will resolve them.

I was wondering if it could be solved adding an item to credential array in generic-update-script.rb

Thanks.
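The credentials array is indeed the place for this, and it answers the ECR question a few issues up as well. What follows is an added example, not dependabot-script's own generic-update-script.rb: it builds the array from CI variables so no secret is committed, and refuses a plaintext Maven URL. The hash shapes ("git_source", "maven_repository", "docker_registry") and the variable names are my assumptions about dependabot-core's credential schema at the time of writing; check them against the dependabot-core version you run. As far as I know dependabot-core does not read ~/.m2/settings.xml, so a Nexus proxy has to be named either in the pom or in this array. For ECR my understanding is that the docker updater treats the username/password of a "docker_registry" entry whose registry is an ECR hostname as an AWS access key pair; treat that as an assumption to verify. The github.com entry is optional but worth having, since the changelog and release-note lookups that hit api.github.com are rate-limited without it.

```ruby
# Added example, not dependabot-script's own code. The credential hash shapes
# and environment variable names below are assumptions about dependabot-core's
# credential schema; verify them against the version you run.

# Build the credentials array that generic-update-script.rb hands to
# dependabot-core. Every secret comes from the CI environment, so nothing
# sensitive is stored in the repository that carries the script.
def build_credentials(env)
  creds = []

  # The host the script reads dependency files from and opens MRs on.
  creds << {
    "type" => "git_source",
    "host" => env.fetch("GITLAB_HOSTNAME", "gitlab.com"),
    "username" => "x-access-token",
    "password" => env.fetch("GITLAB_ACCESS_TOKEN"),
  }

  # Optional github.com token used for changelog/release-note metadata lookups.
  if env["GITHUB_ACCESS_TOKEN"]
    creds << {
      "type" => "git_source",
      "host" => "github.com",
      "username" => "x-access-token",
      "password" => env["GITHUB_ACCESS_TOKEN"],
    }
  end

  # Private Maven repository (e.g. a Nexus proxy). Basic-auth credentials must
  # never travel over plaintext HTTP, so anything but https is rejected here.
  if env["MAVEN_REPOSITORY_URL"]
    url = env["MAVEN_REPOSITORY_URL"]
    raise ArgumentError, "refusing plaintext Maven repository URL: #{url}" unless url.start_with?("https://")
    creds << {
      "type" => "maven_repository",
      "url" => url,
      "username" => env.fetch("MAVEN_REPOSITORY_USERNAME"),
      "password" => env.fetch("MAVEN_REPOSITORY_PASSWORD"),
    }
  end

  # Private Docker registry. For an ECR registry hostname the username and
  # password are assumed to be an AWS access key id and secret (assumption).
  if env["DOCKER_REGISTRY"]
    creds << {
      "type" => "docker_registry",
      "registry" => env["DOCKER_REGISTRY"],
      "username" => env.fetch("DOCKER_REGISTRY_USERNAME"),
      "password" => env.fetch("DOCKER_REGISTRY_PASSWORD"),
    }
  end

  creds
end

# Never print the raw array in a CI log; redact secrets first.
def redacted(creds)
  creds.map { |c| c.merge("password" => "[REDACTED]") }
end

# Constructed example environment; in CI these are masked pipeline variables.
EXAMPLE_ENV = {
  "GITLAB_HOSTNAME" => "gitlab.example.internal",
  "GITLAB_ACCESS_TOKEN" => "glpat-example",
  "MAVEN_REPOSITORY_URL" => "https://nexus.example.internal/repository/maven-public/",
  "MAVEN_REPOSITORY_USERNAME" => "ci-reader",
  "MAVEN_REPOSITORY_PASSWORD" => "s3cret",
}.freeze
```

env.fetch without a default raises KeyError when a required variable is missing, which is the behaviour you want: a half-configured job should fail loudly at startup rather than silently fall back to anonymous access and open MRs based on whatever the public mirror returned.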

Ruby version mismatch

Running with gitlab-runner 12.3.0 (a8a019e0)
  on gitlab702.zzz.ru iNrxm2Lv
Using Docker executor with image dependabot/dependabot-core ...
Pulling docker image dependabot/dependabot-core ...
Using docker image sha256:a0c6498168b3333203010d869fb24d885344422a8e80ae71a55bf694aa6d26e9 for dependabot/dependabot-core ...
Running on runner-iNrxm2Lv-project-23-concurrent-0 via 2852ec717367...
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /builds/zzz/dependabot/.git/
From https://gitlab.zzz.ru/zzz/dependabot
   b7784a7..96ea85f  master     -> origin/master
Checking out 96ea85f1 as master...
Removing .bundle/
Removing vendor/

Skipping Git submodules setup
Checking cache for default...
No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted. 
Successfully extracted cache
$ bundle install -j $(nproc) --path vendor
Your Ruby version is 2.6.5, but your Gemfile specified 2.6.2
ERROR: Job failed: exit code 1

Setup instructions are out-of-date

Since the refactor of Dependabot Core the setup instructions in the README are out-of-date. They should be updated to make use of the new build scripts.

Dependabot::RepoNotFound

Hi All,

We are attempting to run dependabot against an Azure DevOps GIT repository to no avail. Any assistance would be greatly appreciated.

Assuming the proper information is:
https://dev.azure.com/ourOrganization/ProjectName/_git/package-name

Steps are as follows:

  1. clone repo
  2. docker pull dependabot/dependabot-core
  3. docker run -v "c:/projects/2019/depbot/dependabot-script:/home/dependabot/dependabot-script" -w /home/dependabot/dependabot-script dependabot/dependabot-core bundle install -j 3 --path vendor
  4. docker run -v "c:/projects/2019/depbot/dependabot-script:/home/dependabot/dependabot-script" -w /home/dependabot/dependabot-script -e PACKAGE_MANAGER=npm_and_yarn -e PROJECT_PATH=ProjectName/_git/package-name -e AZURE_ACCESS_TOKEN=ADO_PAT -e AZURE_HOSTNAME=dev.azure.com/ourOrganization dependabot/dependabot-core bundle exec ruby ./generic-update-script.rb

Dependabot can't resolve your Ruby dependency files

Dependabot can't resolve your Ruby dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

Bundler::VersionConflict with message: Bundler could not find compatible versions for gem "citrus":
  In Gemfile:
    dependabot-omnibus (>= 0.86.18, <= 0.86.22) was resolved to 0.86.18, which depends on
      dependabot-core (= 0.86.18) was resolved to 0.86.18, which depends on
        toml-rb (~> 1.1, >= 1.1.2) was resolved to 1.1.2, which depends on
          citrus (> 3.0, ~> 3.0)

Could not find gem 'citrus (> 3.0, ~> 3.0)', which is required by gem 'toml-rb (~> 1.1, >= 1.1.2)', in any of the sources.

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

You can mention @dependabot in the comments below to contact the Dependabot team.

"Could not locate Gemfile"

I try using dependabot-core on my python project in gitlab on demand.
My .gitlab-ci.yaml:

image: python:3.6
...

checks:dependabot:
  image: dependabot/dependabot-core
  variables:
    PACKAGE_MANAGER: "pip"
  before_script:
    - bundle install -j $(nproc) --path vendor
  script: bundle exec ruby ./generic-update-script.rb
  cache:
    paths:
      - vendor/
  only:
    - schedules

I add schedule config like on screenshot
(screenshot)

Log of job:

Running with gitlab-ci-multi-runner 9.5.1 (96b34cc)
  on example-python-project [gitlab-ci-runner-4] (66f6e160)
Using Docker executor with image dependabot/dependabot-core ...
Using docker image sha256:f21c27b19825abb017667311022bdb37ce98755a8ef39ea6784295bc1e57792f for predefined container...
Pulling docker image dependabot/dependabot-core ...
Using docker image dependabot/dependabot-core ID=sha256:7063dfbd3d5bce196107a274a87228451a052a2158858feb4593e6c1940308a8 for build container...
Running on runner-66f6e160-project-35-concurrent-2 via gitlab-ci-runner-4...
Fetching changes...
Removing .bundle/
HEAD is now at 2d4ac36 Add dependabot
From https://gitlab.example.net/backend/example-python-project
   2d4ac36..a4a3d9b  branch       -> origin/branch
Checking out a4a3d9ba as branch...
Skipping Git submodules setup
Checking cache for default...
Successfully extracted cache
$ bundle install -j $(nproc) --path vendor
Could not locate Gemfile

Any ideas?

Use SSH access to allow updating private repository dependencies

Apologies if this should go into Dependabot Core, let me know if I should reopen there.

Using Dependabot for Hex via Dependabot Script in GitHub Enterprise is mostly working okay. At this point, it is able to pull down mix.exs files, update them with Hex package updates, GitHub package updates, and make all the appropriate PRs. Wonderful! But what I can't seem to get working is dependencies of the form:

{:my_repo, git: "git@my_enterprise_url/my_repo.git", tag: "0.1"}

Is there something special I have to do for dependencies of this form?

SSL certificate verify failed error while access self hosted Gitlab repo

I am trying to setup dependabot on premise server for private gitlab repo. But it is throwing this error

Faraday::Error::ClientError.inherited called from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/middleware/follow_redirects.rb:14.

/usr/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
	from /usr/lib/ruby/2.6.0/net/protocol.rb:44:in `ssl_socket_connect'
	from /usr/lib/ruby/2.6.0/net/http.rb:996:in `connect'
	from /usr/lib/ruby/2.6.0/net/http.rb:930:in `do_start'
	from /usr/lib/ruby/2.6.0/net/http.rb:919:in `start'
	from /usr/lib/ruby/2.6.0/net/http.rb:1470:in `request'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/httparty-0.17.1/lib/httparty/request.rb:145:in `perform'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/httparty-0.17.1/lib/httparty.rb:594:in `perform_request'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/httparty-0.17.1/lib/httparty.rb:508:in `get'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/request.rb:46:in `block (2 levels) in <class:Request>'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/client/projects.rb:49:in `project'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/clients/gitlab_with_retries.rb:67:in `public_send'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/clients/gitlab_with_retries.rb:67:in `block in method_missing'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/clients/gitlab_with_retries.rb:82:in `retry_connection_failures'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/clients/gitlab_with_retries.rb:64:in `method_missing'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/clients/gitlab_with_retries.rb:51:in `fetch_default_branch'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/file_fetchers/base.rb:395:in `default_branch_for_repo'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/file_fetchers/base.rb:61:in `commit'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/file_fetchers/base.rb:310:in `_full_specification_for'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/file_fetchers/base.rb:320:in `_fetch_file_content'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/file_fetchers/base.rb:90:in `fetch_file_from_host'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-maven-0.113.28/lib/dependabot/maven/file_fetcher.rb:32:in `pom'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-maven-0.113.28/lib/dependabot/maven/file_fetcher.rb:25:in `fetch_files'
	from /home/dependabot/dependabot-script/vendor/ruby/2.6.0/gems/dependabot-common-0.113.28/lib/dependabot/file_fetchers/base.rb:55:in `files'
	from ./generic-update-script.rb:115:in `<main>'

Is there any way I can add ssl certificate to octokit client (I don't know Ruby).
I am using docker.
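The error in the trace is OpenSSL saying that the GitLab server's certificate chains up to an issuer it does not trust, which is exactly what you get with a self-hosted instance signed by an internal CA. The fix is to make the CA trusted inside the container, not to switch verification off. This added example, which is not part of dependabot-script or dependabot-core, builds a throwaway internal CA and a server certificate signed by it (constructed test data) and shows the same verification failing and then passing once the CA is in the trust store; the hostname and CA name are invented.

```ruby
require "openssl"

# Added example, not dependabot-script's own code. The CA, the server
# certificate and the hostname below are constructed test data.

# Create an X.509 certificate. With no issuer the certificate is self-signed
# (our throwaway CA); with an issuer [cert, key] it is signed by that CA.
def make_cert(subject, serial:, ca:, issuer: nil, san: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}", false)) if san
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Verify a server certificate against a list of trusted CA certificates.
# Returns [true, nil] on success or [false, reason] on failure; the reason is
# the same OpenSSL text that appears in the stack trace above.
def verify_against(server_cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, server_cert)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# The client-side fix: keep VERIFY_PEER and add the internal CA to the store.
# VERIFY_NONE also makes the error disappear, but then anything on the network
# path can impersonate the GitLab server and feed the bot forged dependency
# files and tokens.
def client_ssl_context(internal_ca_pem)
  store = OpenSSL::X509::Store.new
  store.set_default_paths                      # system CAs; honours SSL_CERT_FILE / SSL_CERT_DIR
  store.add_cert(OpenSSL::X509::Certificate.new(internal_ca_pem))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = store
  ctx
end

CA_CERT, CA_KEY = make_cert("/CN=Example Internal CA", serial: 1, ca: true)
SERVER_CERT, SERVER_KEY = make_cert("/CN=gitlab.example.internal", serial: 2, ca: false,
                                    issuer: [CA_CERT, CA_KEY], san: "gitlab.example.internal")

if $PROGRAM_NAME == __FILE__
  p verify_against(SERVER_CERT, [])        # => [false, "unable to get local issuer certificate"]
  p verify_against(SERVER_CERT, [CA_CERT]) # => [true, nil]
end
```

In the dependabot-core container you do not need to touch the Ruby code at all: OpenSSL, and therefore every Ruby client in the trace (net/http, httparty, the gitlab gem, octokit), picks up the CA from SSL_CERT_FILE or SSL_CERT_DIR, so mounting the internal CA's PEM file and setting one of those variables in the job is enough. On the Ubuntu-based image, copying the PEM into /usr/local/share/ca-certificates/ and running update-ca-certificates achieves the same thing system-wide.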

Support Ignoring Specific Versions

I am running dependabot-script against https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-stream-dependencies . The problem I am running into is that this repository began being versioned like this:

1.0.2
1.0.1

Then transitioned to being versioned like this:

Chelsea.RELEASE
Brooklyn.RELEASE

Consequently, the dependabot-script ends up thinking that I should update from Fishtown.SR2 (released March 2019) to 1.0.3 (released September 2016) which is incorrect.

I was wondering if there was any current or planned way to pass a list of ignored versions to dependabot-script so we could clean up this confusion manually.

Best way to setup a bot?

I'd like to host my own bot on Oracle Cloud and I don't know which is the best way to set it up.

Is there a way to create a service that runs continuously and check dependencies every day, or should I setup my script like the one provided and run it every day (like an AWS Lambda)?

Branch name issue

I have a push-rule that enforces consistent branch names across the project.
And dependabot fails to update any dependencies because of that:

  - Updating dependabot-omnibus (from 0.105.6)…/builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/gitlab-4.10.0/lib/gitlab/request.rb:67:in `validate': Server responded with code 400, message: Branch name does not follow the pattern '^(issue-\d+)|(master)$'. Request URI: https://gitlab.com/api/v4/projects/wemake%2Eservices%2Fkira%2Ddependencies/repository/branches (Gitlab::Error::BadRequest)
	from /builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/gitlab-4.10.0/lib/gitlab/request.rb:46:in `block (2 levels) in <class:Request>'
	from /builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/gitlab-4.10.0/lib/gitlab/client/branches.rb:81:in `create_branch'
	from /builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.105.6/lib/dependabot/clients/gitlab_with_retries.rb:67:in `public_send'
	from /builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.105.6/lib/dependabot/clients/gitlab_with_retries.rb:67:in `block in method_missing'
	from /builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.105.6/lib/dependabot/clients/gitlab_with_retries.rb:83:in `retry_connection_failures'
	from /builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.105.6/lib/dependabot/clients/gitlab_with_retries.rb:64:in `method_missing'
	from /builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.105.6/lib/dependabot/pull_request_creator/gitlab.rb:87:in `create_branch'
	from /builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.105.6/lib/dependabot/pull_request_creator/gitlab.rb:40:in `create'
	from /builds/wemake.services/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.105.6/lib/dependabot/pull_request_creator.rb:59:in `create'
	from ./generic-update-script.rb:143:in `block in <main>'
	from ./generic-update-script.rb:92:in `each'
	from ./generic-update-script.rb:92:in `<main>'

I am just using default config from dependabot-script, no changes from my side.
How can this be solved?
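Two things are going on in that error. Dependabot names its branches dependabot/<package-manager>/<dependency>-<version>, which the push rule rejects as shown, so either the rule needs a third alternative for that prefix or the bot has to be exempted from it. Separately, the pattern as quoted does not mean what it appears to mean: in the regex dialects GitLab uses, ^ and $ bind tighter than |, so ^(issue-\d+)|(master)$ accepts any branch that starts with issue-<digits> or ends in master, not only branches that are exactly one or the other. The following added example, which is not part of dependabot-script, demonstrates this with constructed branch names and shows an anchored form that admits the bot's prefix; the branch names and the corrected pattern are my own.

```ruby
# Added example, not dependabot-script's own code. The branch names below are
# constructed; the "fixed" pattern is a suggestion, not GitLab's or Dependabot's.

# The push rule exactly as quoted in the error message above.
AS_WRITTEN = /^(issue-\d+)|(master)$/

# What was most likely intended, with the whole alternation anchored at both
# ends, plus a third alternative for the branches Dependabot creates.
ANCHORED = %r{\A(?:issue-\d+|master|dependabot/[a-z_]+/[^\s]+)\z}

# Would the push rule accept this branch name?
def allowed?(pattern, branch)
  pattern.match?(branch)
end

# Evaluate a list of branch names under both patterns so the difference is visible.
def classify(branches)
  branches.map do |b|
    { branch: b, as_written: allowed?(AS_WRITTEN, b), anchored: allowed?(ANCHORED, b) }
  end
end

# Names that slip past the rule as written only because of the missing anchors.
def unintended_matches(branches)
  branches.select { |b| allowed?(AS_WRITTEN, b) && !allowed?(ANCHORED, b) }
end

SAMPLE_BRANCHES = [
  "master",
  "issue-42",
  "dependabot/bundler/dependabot-omnibus-0.105.7", # rejected as written -> the error in the log
  "issue-42-anything-goes",                        # accepted as written: ^ anchors only the first alternative
  "feature/not-master",                            # accepted as written: $ anchors only the second alternative
  "issue-",                                        # rejected by both
].freeze

if $PROGRAM_NAME == __FILE__
  classify(SAMPLE_BRANCHES).each do |r|
    puts format("%-48s as written: %-5s anchored: %s", r[:branch], r[:as_written], r[:anchored])
  end
end
```

The practical takeaway is that a push rule is a security control, and an unanchored alternation is a bypass waiting to happen: anyone can satisfy the rule as written by naming a branch feature/not-master. Wrap the alternation in a group and anchor the group, then add Dependabot's prefix as its own alternative so the bot's merge requests get through without weakening the rule for everyone else.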

Error after run

Hi!

So, with the (incorrect, unreviewed) changes in the PRs I just opened, I run the script. It successfully created 17 PRs, and then it failed with:

Traceback (most recent call last):
	7: from bin/dependabot:10:in `<main>'
	6: from bin/dependabot:10:in `load'
	5: from /home/deivid/Code/nipanipa/bin/dependabot-script/gitlab-update-script.rb:74:in `<top (required)>'
	4: from /home/deivid/Code/nipanipa/bin/dependabot-script/gitlab-update-script.rb:74:in `each'
	3: from /home/deivid/Code/nipanipa/bin/dependabot-script/gitlab-update-script.rb:97:in `block in <top (required)>'
	2: from /home/deivid/Code/nipanipa/.bundle/ruby/2.5.0/bundler/gems/dependabot-core-211620be1cc9/lib/dependabot/file_updaters/ruby/bundler.rb:30:in `updated_dependency_files'
	1: from /home/deivid/Code/nipanipa/.bundle/ruby/2.5.0/bundler/gems/dependabot-core-211620be1cc9/lib/dependabot/file_updaters/ruby/bundler.rb:101:in `updated_lockfile_content'
/home/deivid/Code/nipanipa/.bundle/ruby/2.5.0/bundler/gems/dependabot-core-211620be1cc9/lib/dependabot/file_updaters/ruby/bundler/lockfile_updater.rb:48:in `updated_lockfile_content': Expected content to change! (RuntimeError)

Not sure if it's due to the problems you detected in the PRs, with the way I'm running the script, or with a real bug somewhere? 🤷‍♂️

Reporting just in case it's helpful.
