Merge branch 'dependabot:main' into main

.github/workflows/ci.yml

@@ -92,7 +92,7 @@ jobs:
       BUNDLE_GEMFILE: updater/Gemfile
     steps:
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-      - uses: ruby/setup-ruby@d5fb7a202fc07872cb44f00ba8e6197b70cb0c55 # v1.179.0
+      - uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
         with:
           bundler-cache: true
       - run: ./bin/lint

.github/workflows/gems-bump-version.yml

@@ -31,7 +31,7 @@ jobs:
           ref: "main"
 
       # bump-version.rb needs bundler
-      - uses: ruby/setup-ruby@d5fb7a202fc07872cb44f00ba8e6197b70cb0c55 # v1.179.0
+      - uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
         with:
           # Use the version of bundler specified in `updater/Gemfile.lock`.
           # Otherwise the generated PR will change `BUNDLED WITH` in

.github/workflows/gems-release-to-rubygems.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-      - uses: ruby/setup-ruby@d5fb7a202fc07872cb44f00ba8e6197b70cb0c55 # v1.179.0
+      - uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
       - run: |
           [ -d ~/.gem ] || mkdir ~/.gem
           echo "---" > ~/.gem/credentials

.github/workflows/smoke.yml

@@ -16,6 +16,7 @@ concurrency:
 
 env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  SMOKE_TEST_BRANCH: main
 jobs:
   discover:
     runs-on: ubuntu-latest
@@ -44,7 +45,7 @@ jobs:
           cat filtered.json
 
           # Curl the smoke-test tests directory to get a list of tests to run
-          URL=https://api.github.com/repos/dependabot/smoke-tests/contents/tests
+          URL=https://api.github.com/repos/dependabot/smoke-tests/contents/tests?ref=${{ env.SMOKE_TEST_BRANCH }}
           curl $URL > tests.json
 
           # Select the names that match smoke-$test*.yaml, where $test is the .text value from filtered.json
@@ -84,7 +85,7 @@ jobs:
       - name: Download test
         if: steps.cache-smoke-test.outputs.cache-hit != 'true'
         run: |
-          URL=https://api.github.com/repos/dependabot/smoke-tests/contents/tests/${{ matrix.suite.name }}
+          URL=https://api.github.com/repos/dependabot/smoke-tests/contents/tests/${{ matrix.suite.name }}?ref=${{ env.SMOKE_TEST_BRANCH }}
           curl $(gh api $URL --jq .download_url) -o smoke.yaml
 
       - name: Cache Smoke Test

.github/workflows/sorbet.yml

@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
-      - uses: ruby/setup-ruby@d5fb7a202fc07872cb44f00ba8e6197b70cb0c55 # v1.179.0
+      - uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
         with:
           bundler-cache: true
 

.rubocop.yml

@@ -341,6 +341,7 @@ Style/SpecialGlobalVars:
 Style/SelectByRegexp:
   Enabled: false
 Sorbet/TrueSigil:
+  Enabled: true
   Exclude:
     - "**/spec/**/*"
 Sorbet/StrictSigil:

.rubocop_todo.yml

@@ -22,14 +22,6 @@ RSpec/AnyInstance:
     - 'updater/spec/dependabot/dependency_change_builder_spec.rb'
     - 'updater/spec/dependabot/file_fetcher_command_spec.rb'
 
-# Offense count: 7
-RSpec/BeforeAfterAll:
-  Exclude:
-    - 'nuget/spec/dependabot/nuget/update_checker/dependency_finder_spec.rb'
-    - 'pub/spec/dependabot/pub/file_updater_spec.rb'
-    - 'pub/spec/dependabot/pub/infer_sdk_versions_spec.rb'
-    - 'pub/spec/dependabot/pub/update_checker_spec.rb'
-
 # Offense count: 1286
 # Configuration parameters: CountAsOne.
 RSpec/ExampleLength:
@@ -55,12 +47,7 @@ RSpec/FilePath:
 # Configuration parameters: AssignmentOnly.
 RSpec/InstanceVariable:
   Exclude:
-    - 'bundler/helpers/v2/spec/ruby_version_spec.rb'
-    - 'common/spec/dependabot/clients/azure_spec.rb'
     - 'go_modules/spec/dependabot/go_modules/file_updater_spec.rb'
-    - 'pub/spec/dependabot/pub/file_updater_spec.rb'
-    - 'pub/spec/dependabot/pub/infer_sdk_versions_spec.rb'
-    - 'pub/spec/dependabot/pub/update_checker_spec.rb'
 
 # Offense count: 22
 RSpec/IteratedExpectation:
@@ -94,11 +81,6 @@ RSpec/MessageChain:
 RSpec/MessageSpies:
   Enabled: false
 
-# Offense count: 1
-RSpec/MultipleDescribes:
-  Exclude:
-    - 'common/spec/dependabot/errors_spec.rb'
-
 # Offense count: 1380
 RSpec/MultipleExpectations:
   Max: 17

Dockerfile.updater-core

@@ -110,17 +110,18 @@ RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuge
 
 WORKDIR $DEPENDABOT_HOME/dependabot-updater
 
-ARG RUBYGEMS_VERSION=3.5.11
-RUN gem update --system $RUBYGEMS_VERSION
-
-# When bumping Bundler, need to also:
-# * Regenerate `updater/Gemfile.lock` via `BUNDLE_GEMFILE=updater/Gemfile bundle lock --update --bundler`
+# RubyGems & Bundler should be bumped together following these steps:
+# * Bump RubyGems version below. That will also automatically update the default Bundler version.
+# * Regenerate `updater/Gemfile.lock` via `BUNDLE_GEMFILE=updater/Gemfile bundle lock --update --bundler`.
 # * Regenerate `Gemfile.lock` via `bundle lock --update --bundler`.
-ARG BUNDLER_V2_VERSION=2.5.11
+#
+# Note that RubyGems & Bundler versions are currently released in sync, but
+# RubyGems version is one major ahead. So when bumping to RubyGems 3.y.z, Bundler
+# version will jump to 2.y.z
+ARG RUBYGEMS_VERSION=3.5.14
+RUN gem update --system $RUBYGEMS_VERSION
 
-RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
- rm -rf /var/lib/gems/*/cache/* && \
- bundle config set --global build.psych --with-libyaml-source-dir=$DEPENDABOT_HOME/src/libyaml/yaml-$LIBYAML_VERSION && \
+RUN bundle config set --global build.psych --with-libyaml-source-dir=$DEPENDABOT_HOME/src/libyaml/yaml-$LIBYAML_VERSION && \
  bundle config set --local path 'vendor' && \
  bundle config set --local frozen 'true' && \
  bundle config set --local without 'development' && \

Gemfile.lock

@@ -1,20 +1,20 @@
 PATH
   remote: bundler
   specs:
-    dependabot-bundler (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-bundler (0.264.0)
+      dependabot-common (= 0.264.0)
       parallel (~> 1.24)
 
 PATH
   remote: cargo
   specs:
-    dependabot-cargo (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-cargo (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: common
   specs:
-    dependabot-common (0.262.0)
+    dependabot-common (0.264.0)
       aws-sdk-codecommit (~> 1.28)
       aws-sdk-ecr (~> 1.5)
       bundler (>= 1.16, < 3.0.0)
@@ -37,107 +37,107 @@ PATH
 PATH
   remote: composer
   specs:
-    dependabot-composer (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-composer (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: devcontainers
   specs:
-    dependabot-devcontainers (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-devcontainers (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: docker
   specs:
-    dependabot-docker (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-docker (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: elm
   specs:
-    dependabot-elm (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-elm (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: git_submodules
   specs:
-    dependabot-git_submodules (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-git_submodules (0.264.0)
+      dependabot-common (= 0.264.0)
       parseconfig (~> 1.0, < 1.1.0)
 
 PATH
   remote: github_actions
   specs:
-    dependabot-github_actions (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-github_actions (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: go_modules
   specs:
-    dependabot-go_modules (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-go_modules (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: gradle
   specs:
-    dependabot-gradle (0.262.0)
-      dependabot-common (= 0.262.0)
-      dependabot-maven (= 0.262.0)
+    dependabot-gradle (0.264.0)
+      dependabot-common (= 0.264.0)
+      dependabot-maven (= 0.264.0)
 
 PATH
   remote: hex
   specs:
-    dependabot-hex (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-hex (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: maven
   specs:
-    dependabot-maven (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-maven (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: npm_and_yarn
   specs:
-    dependabot-npm_and_yarn (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-npm_and_yarn (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: nuget
   specs:
-    dependabot-nuget (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-nuget (0.264.0)
+      dependabot-common (= 0.264.0)
       rubyzip (>= 2.3.2, < 3.0)
 
 PATH
   remote: pub
   specs:
-    dependabot-pub (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-pub (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: python
   specs:
-    dependabot-python (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-python (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: silent
   specs:
-    dependabot-silent (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-silent (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: swift
   specs:
-    dependabot-swift (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-swift (0.264.0)
+      dependabot-common (= 0.264.0)
 
 PATH
   remote: terraform
   specs:
-    dependabot-terraform (0.262.0)
-      dependabot-common (= 0.262.0)
+    dependabot-terraform (0.264.0)
+      dependabot-common (= 0.264.0)
 
 GEM
   remote: https://rubygems.org/
@@ -417,4 +417,4 @@ DEPENDENCIES
   webrick (>= 1.7)
 
 BUNDLED WITH
-   2.5.11
+   2.5.14

README.md

@@ -62,7 +62,7 @@ It is intended as a starting point for advanced users to run a self-hosted versi
 ## Dependabot CLI
 
 The [Dependabot CLI](https://github.com/dependabot/cli) is a newer tool that may eventually replace [`dependabot-script`](#dependabot-script) for standalone use cases.
-While it creates dependency diffs, it's currently missing the logic to turn those diffs into actual PR's. Nevertheless, it
+While it creates dependency diffs, it's currently missing the logic to turn those diffs into actual PRs. Nevertheless, it
 may be useful for advanced users looking for examples of how to hack on Dependabot.
 
 ## Dependabot on CI

bin/bump-version.rb

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 unless %w(minor patch).include?(ARGV[0])

bin/dry-run.rb

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 # This script executes a full update run for a given repo (optionally for a

bundler/.rubocop.yml

@@ -5,6 +5,5 @@ inherit_mode:
     - Exclude
 
 Sorbet/TrueSigil:
-  Enabled: true
   Exclude:
     - "helpers/**/monkey_patches/*.rb"

bundler/helpers/v2/spec/ruby_version_spec.rb

@@ -9,13 +9,13 @@
   include_context "when stubbing rubygems compact index"
 
   let(:project_name) { "ruby_version_implied" }
+  let(:ui) { Bundler.ui }
 
   before do
-    @ui = Bundler.ui
     Bundler.ui = Bundler::UI::Silent.new
   end
 
-  after { Bundler.ui = @ui }
+  after { Bundler.ui = ui }
 
   it "updates to the most recent version" do
     in_tmp_folder do