- Add lowest_security_fix_version method to update checkers
- Go: Promote experimental `go mod tidy` support to stable (i.e., always tidy if repo_contents_path is given)
- Go: Promote experimental `go mod vendor` support to stable (i.e., always vendor if repo_contents_path is given and vendor/modules.txt is present)
- Bump jest from 26.5.3 to 26.6.0 in /npm_and_yarn/helpers
- Bump object-path from 0.11.4 to 0.11.5 in /npm_and_yarn/helpers
- Bump composer/composer from 1.10.10 to 1.10.15 in /composer/helpers
- Go mod: Handle `cannot find module` during go mod tidy
- Python: Add 3.9.0 and upgrade pyenv to v1.2.21 (@ulgens)
- Bundler: Ignore changed .gemspec from vendor/cache folder
- Bundler: Refactored Dependabot's use of Bundler commands to shell out instead of running in a forked process.
  - This aligns Bundler with other package managers and will enable us to support other Bundler versions in future.
- Bump phpstan/phpstan from 0.12.48 to 0.12.49 in /composer/helpers
- Gracefully handle gomod package import that has changed
- Treat .bundlecache files as binary
- Check if files are binary using the `file` util
- Bump jest from 26.5.2 to 26.5.3 in /npm_and_yarn/helpers
- Bump eslint from 7.10.0 to 7.11.0 in /npm_and_yarn/helpers
- Update tests and fixtures for new Cargo.lock format
- Explicitly install version of rust toolchain
  - Rust toolchain has been upgraded to 1.47.0. This means PRs will now try to upgrade the lockfile to cargo's v2 format.
- Update rubocop requirement from ~> 0.92.0 to ~> 0.93.0 in /common
- Add a fingerprint to generated gitconfigs
- If there isn't a backup gitconfig, remove the generated one
- dry-run: updater-opts via option
- Add experimental support for `go mod vendor`
- Enable code coverage reporting of dependabot-core
- Configure git when creating a temp repo for gomod updates
- Bump jest from 26.5.0 to 26.5.2 in /npm_and_yarn/helpers
- Bump poetry from 1.1.1 to 1.1.2 in /python/helpers
- Refactor: reusable VendorDependencies object
- Add experimental support for `go mod tidy`
- Allow requirements.txt files of up to 200kb
- Bump poetry from 1.0.10 to 1.1.1 in /python/helpers
- Bump jest from 26.4.2 to 26.5.0 in /npm_and_yarn/helpers
- Reduce docker image size (@wreulicke)
- Bump phpstan/phpstan from 0.12.47 to 0.12.48 in /composer/helpers
- Update rubocop requirement from ~> 0.91.0 to ~> 0.92.0 in /common
- Adds python 3.7.9. (@jeremiq)
- Go: Bump golang to v1.15.2
- Bump phpstan/phpstan from 0.12.45 to 0.12.47 in /composer/helpers
- Upgrade Python to 3.8.6 (@ulgens)
- Handle empty pipfile requirement string
- Teach FileFetcher to fetch from disk if local repository clone is present
- Bundler: refactor DependencySource from LatestVersionFinder
- Fix uninitialized constant error (`Dependabot::VERSION`) when using SharedHelpers
- Fix `SharedHelpers.excon_defaults` when passing in extra headers
- Bump phpstan/phpstan from 0.12.44 to 0.12.45 in /composer/helpers
- Bump eslint from 7.9.0 to 7.10.0 in /npm_and_yarn/helpers
- Add trailing slash to pypi.org index requests
- Add a default User-Agent header to excon requests
- Bump phpstan/phpstan from 0.12.43 to 0.12.44 in /composer/helpers
- Default to pypi.org instead of pypi.python.org
- BREAKING: New exception `Dependabot::PullRequestCreator::AnnotationError`. Raised when a pull request is created but fails further steps (e.g. assigning a reviewer). Code that rescues from `PullRequestCreator` can use the `pull_request` property for the incomplete PR, and the `cause` property for the original error.
- Allow Azure client to set linked work item (@JamieMagee)
- Bump eslint from 7.8.1 to 7.9.0 in /npm_and_yarn/helpers
- Bump phpstan/phpstan from 0.12.42 to 0.12.43 in /composer/helpers
- Bump prettier from 2.1.1 to 2.1.2 in /npm_and_yarn/helpers
- Bump rubocop from ~> 0.90.0 to ~> 0.91.0 in /common
- Bump jason from 1.2.1 to 1.2.2 in /hex/helpers
- Fix a bug generating commit messages introduced in v0.119.5
- bundler: add temporary support for persistent_gems_after_clean
- Fix missing notice in PR content when source text is truncated
- composer: remove root cache
- nuget: Force encode nuspec files to utf-8 for regex matching
- hex: fix lockfile updating transitive dependencies
- python: fix python path dependencies with file (@lfdebrux)
- Upgrade elixir/mix to 1.10.4
- Bump rubocop from ~> 0.88.0 to ~> 0.90.0 in /common
- Fix for nuget v2 responses that don't specify a base (@ppejovic)
- formatting changes to avoid linting errors
- Upgrade elixir/mix to 1.10.0
- Add OAuth support to Azure client
- Bump eslint from 7.7.0 to 7.8.1 in /npm_and_yarn/helpers
- Bump prettier from 2.0.5 to 2.1.1 in /npm_and_yarn/helpers
- Support cargo 1.46.0 ref not found message
- Don't downgrade a pinned commit to a tag. (@reitermarkus)
- Dockerfile.dev: set git author
- Bump phpstan/phpstan from 0.12.37 to 0.12.39 in /composer/helpers
- Update to poetry to 1.0.10
- Add beta support for vendoring git dependencies in Bundler
- Only replace version part of cargo line
- Add beta support for vendoring dependencies in Bundler
- Add a optional repo_contents_path attribute to the file parser/fetcher/updater
- Handle deleting binary files in the PR creator/updater
- Support binary and deleted files in PR updater/creator
- Add deleted and content_encoding properties to dependency_file
- Bump npm from 6.14.4 to 6.14.8 in /npm_and_yarn/helpers
- Bump eslint from 7.6.0 to 7.7.0 in /npm_and_yarn/helpers
- Bump jest from 26.2.2 to 26.4.0 in /npm_and_yarn/helpers
- Bump phpstan/phpstan from 0.12.34 to 0.12.37 in /composer/helpers
- Add python 3.7.8
- Test caching strategy from old circle config
- docker: consistent indentation of Dockerfile (@localheinz)
- python: properly escape username and password in auth URL
- CI: publish versioned images to DockerHub
- CI: performance improvements
- common: increase default http client read timeout
- go_modules: always return a Version object for indirect dependencies
- Bump composer/composer from 1.10.9 to 1.10.10 in /composer/helpers
- Bump pip-tools from 5.3.0 to 5.3.1 in /python/helpers
- CI: performance improvements
- Bump jest from 26.2.1 to 26.2.2 in /npm_and_yarn/helpers
- Bump eslint from 7.5.0 to 7.6.0 in /npm_and_yarn/helpers
- Encode '@' in python HTTP basic auth passwords
- CI: Move from Circle CI to actions
- CI: Use job matrix @localheinz
- Composer: Best practices for 7.4 @localheinz
- Composer: Explicitly require latest stable version of composer/composer @localheinz
- Actions: Fix updating actions that are quoted
- Bump jest from 26.1.0 to 26.2.1 in /npm_and_yarn/helpers
- Bump phpstan/phpstan from 0.12.33 to 0.12.34 in /composer/helpers
- Bump pip-tools from 5.2.1 to 5.3.0 in /python/helpers
- Upgrade Python version to 3.8.5 (@ulgens)
- Copy composer from the composer image
- Attempt to fix error where version is added to path dependency (@jtbeach)
- Undefined names: import PipSession and parse_requirements
- Update python/spec/dependabot/python/update_checker/pipenv_version_resolver_spec.rb
- Upgrade default python version to 3.8.4 (@ulgens)
- Update excon to 0.75.0
- Bump friendsofphp/php-cs-fixer in /composer/helpers
- Bump npm-registry-fetch from 4.0.3 to 4.0.5 in /npm_and_yarn/helpers
- Bump composer/composer from 1.10.8 to 1.10.9 in /composer/helpers
- Bump cython from 0.29.20 to 0.29.21 in /python/helpers
- Bump phpstan/phpstan from 0.12.31 to 0.12.33 in /composer/helpers
- Update gitlab requirement from = 4.15.0 to = 4.16.1 in /common
- Bump eslint from 7.4.0 to 7.5.0 in /npm_and_yarn/helpers
- Fix npm indentation spec
- Add rubygems stubbed info responses
- Bump rubocop to 0.88.0
- Fix docker-dev-shell ruby/php build
- Add native version range syntax support for NuGet (@eager)
- Bump eslint from 7.3.1 to 7.4.0 in /npm_and_yarn/helpers
- Use Maven version ranges for ignored_versions in Maven and Gradle (@eager)
- Python: support binary path dependencies when using requirements.txt/in files
- Bump phpstan/phpstan from 0.12.30 to 0.12.31 in /composer/helpers
- Bump composer/composer from 1.10.7 to 1.10.8 in /composer/helpers
- Prefer exact match for 'security' label @qnighy
- Actions: Fix multiple sources matching major versions
- Maven: Add support for dependency classifiers @a1flecke
- Add support for `+` separator when calculating semver change @a1flecke
- Bump eslint from 7.3.0 to 7.3.1 in /npm_and_yarn/helpers
- Bump prettier from 2.0.4 to 2.0.5 in /npm_and_yarn/helpers
- Bump jason from 1.2.0 to 1.2.1 in /hex/helpers
- Bump eslint from 7.2.0 to 7.3.0 in /npm_and_yarn/helpers
- Bump phpstan/phpstan from 0.12.29 to 0.12.30 in /composer/helpers
- Safely output markdown from link_and_mention_sanitizer
- Bump composer/composer from 1.10.6 to 1.10.7 in /composer/helpers
- Correctly handle path dependencies in composer
- Bump eslint from 6.8.0 to 7.2.0 in /npm_and_yarn/helpers
- Bump composer/composer from 1.9.3 to 1.10.6 in /composer/helpers
- Bump eslint-plugin-prettier from 3.1.3 to 3.1.4 in /npm_and_yarn/helpers
- Bump cython from 0.29.19 to 0.29.20 in /python/helpers
- Bump pip-tools from 5.1.2 to 5.2.1 in /python/helpers
- Bump phpstan/phpstan from 0.12.19 to 0.12.29 in /composer/helpers
- Bump poetry from 1.0.8 to 1.0.9 in /python/helpers
- Bump hashin from 0.14.6 to 0.15.0 in /python/helpers
- [Python] Add parsing of environment markers (@mayeut)
- GitHub Actions: Handle multiple sources for the same action
- Gradle: Add support for properties set as defaults, supports both the findProperty and hasProperty syntax styles.
- Nuget: Added support for elements with MSBuild projects
- GitLab: Add pull_request_updater
- Handle missing repo when fetching recent commits
- Handle new protected branch error when updating PRs
- Update rubocop requirement from ~> 0.83.0 to ~> 0.85.0 in /common
- Upgrade poetry to 1.0.8
- Update vcr requirement from = 5.0 to = 6.0.0 in /common
- Update gitlab requirement from = 4.14.1 to = 4.15.0 in /common
- Specs: Update rubygems index and stubbed info responses
- Handle cargo native dependencies
- Fix failing non-existing author email (@hsyn)
- docker-dev-shell --rebuild no args
- Remove support for jinja requirements files
- Upgrade python helpers to latest version of pip
- Bump pip from 19.3.1 to 20.1.1
- Bump pip-tools from 4.5.1 to 5.1.2 in /python/helpers
- Optionally raise Dependabot::AllVersionsIgnored when all potential updates are ignored
- Update Python version to 3.8.3 and 2.7.18 (@ulgens)
- Always use exact dependencies label if one exists
- Bump cython from 0.29.18 to 0.29.19 in /python/helpers
- go_modules: Handle multiline errors
- docker-dev-shell: rebuild core image when passing `--rebuild` option
- Handle protected branches enforcing linear history
- Bump cython from 0.29.17 to 0.29.18 in /python/helpers
- Update rubocop requirement from ~> 0.82.0 to ~> 0.83.0 in /common
- gradle: Fix version types in gradle to allow matching postfixed version types
- bundler: Sanitize Dir.chdir calls in gemspecs
- go_modules: Remove unnecessary `require`s from go.mod
- dependencies: Fix acorn vulnerability
- Nuget: Handle version requirements with suffix
- Bump eslint-plugin-prettier from 3.1.2 to 3.1.3 in /npm_and_yarn/helpers
- Bump jest from 25.3.0 to 25.4.0 in /npm_and_yarn/helpers
- Bump phpstan/phpstan from 0.12.18 to 0.12.19 in /composer/helpers
- Update rubocop requirement from ~> 0.80.1 to ~> 0.82.0 in /common
- Bump friendsofphp/php-cs-fixer in /composer/helpers
- Bump semver from 7.1.3 to 7.3.2 in /npm_and_yarn/helpers
- Handle unauthorized pushes to protected branches
- Bump jest from 25.2.3 to 25.3.0 in /npm_and_yarn/helpers
- Bump prettier from 2.0.2 to 2.0.4 in /npm_and_yarn/helpers
- Adds python 3.7.7 (@sobolevn)
- Bump jest from 25.2.0 to 25.2.3 in /npm_and_yarn/helpers
- Bump jest from 25.1.0 to 25.2.0 in /npm_and_yarn/helpers
- Bump npm from 6.14.3 to 6.14.4 in /npm_and_yarn/helpers
- Bump cython from 0.29.15 to 0.29.16 in /python/helpers
- Bump prettier from 1.19.1 to 2.0.2 in /npm_and_yarn/helpers
- Bump phpstan/phpstan from 0.12.14 to 0.12.18 in /composer/helpers
- Bump npm from 6.14.2 to 6.14.3 in /npm_and_yarn/helpers
- Upgrade to PHP 7.4 (@kubawerlos)
- python: upgrade to poetry ^1.0.0 (@tommilligan)
- Update pyenv version (@ulgens)
- Update Python version to 3.8.2 (@ulgens)
- Bump acorn from 6.3.0 to 6.4.1 in /npm_and_yarn/helpers
- Update gitlab requirement from = 4.13.1 to = 4.14.1 in /common
- Update Maven Requirement (@a1flecke)
- Improve PR descriptions for non-GitHub PRs
- Correctly mark requirements as not up to date
- Bump npm from 6.14.1 to 6.14.2 in /npm_and_yarn/helpers
- Gradle: Add support for authenticated repositories (@GeorgiosGoniotakis)
- Bump phpstan/phpstan from 0.12.12 to 0.12.14 in /composer/helpers
- Maven: Add support for "+" Semver Build Identifier
- Sanitize github ref links in plaintext/rdoc
- Codecommit: Ensures a commit is created before opening a PR
- Hex: Fix mix.lock file parser for hex 0.20.2+
- Bump rubocop requirement from ~> 0.79.0 to ~> 0.80.1 in /common
- Bump phpstan/phpstan from 0.12.08 to 0.12.12 in /composer/helpers
- Bump npm from 6.13.7 to 6.14.1 in /npm_and_yarn/helpers
- Bump pip-tools from 4.4.1 to 4.5.1 in /python/helpers
- Bump semver from 7.1.2 to 7.1.3 in /npm_and_yarn/helpers
- Bump cython from 0.29.14 to 0.29.15 in /python/helpers
- Bump rimraf from 3.0.1 to 3.0.2 in /npm_and_yarn/helpers
- Bump composer/composer from 1.9.2 to 1.9.3 in /composer/helpers
- Remove security_updates_only (unused)
- Better branch name sanitisation
- Bump semver from 7.1.1 to 7.1.2 in /npm_and_yarn/helpers
- Add security updates only option to the update checker (unused)
- Bump npm from 6.13.6 to 6.13.7 in /npm_and_yarn/helpers
- Bump rimraf from 3.0.0 to 3.0.1 in /npm_and_yarn/helpers
- Bump phpstan/phpstan from 0.12.5 to 0.12.8 in /composer/helpers
- Maven: Add Support for Semver Build Identifier "+"
- Bump commonmarker requirement from ~> 0.20.1 to >= 0.20.1, < 0.22.0
- Bump jest from 24.9.0 to 25.1.0 in /npm_and_yarn/helpers
- Bump pip-tools from 4.3.0 to 4.4.0 in /python/helpers
- Git Dependencies: Respect HTTP scheme for service pack URLs
- Maven: Support properties with attributes
- Bump composer/composer from 1.9.1 to 1.9.2 in /composer/helpers
- Bump phpstan/phpstan from 0.12.4 to 0.12.5 in /composer/helpers
- Go Modules: Stop trying to update indirect deps
- Bump npm from 6.13.4 to 6.13.6 in /npm_and_yarn/helpers
- Hex: fix file fetching for nested umbrella apps
- Python: Fix latest version finder when the dependency name has extras
- Go Modules: Fix version comparison in
SecurityAdvisory
- Bump default Python to 3.8.1 and add 3.7.6 to allowed versions
- [Security] Bump handlebars from 4.1.2 to 4.5.3 in /npm_and_yarn/helpers
- Bump rubocop requirement from ~> 0.78.0 to ~> 0.79.0 in /common
- Bump phpstan/phpstan from 0.12.3 to 0.12.4 in /composer/helpers
- Bump eslint from 6.7.2 to 6.8.0 in /npm_and_yarn/helpers
- Handle links with breaks in the link sanitizer
- Update gitlab requirement from = 4.12 to = 4.13.1 in /common
- Refactor sanitize_mentions method to use commonmarker
- Python: Fix dep name extras bug in MetadataFinder
- Update rubocop requirement from ~> 0.77.0 to ~> 0.78.0 in /common
- Bump semver from 7.1.0 to 7.1.1 in /npm_and_yarn/helpers
- Refactor sanitize_links method
- HTML is now output in Dependabot::PullRequestCreator::MessageBuilder#pr_message.
- Bump semver from 7.0.0 to 7.1.0 in /npm_and_yarn/helpers
- GitLab: Pass all assignees to merge request creator
- Bump phpstan/phpstan from 0.11.19 to 0.12.3 in /composer/helpers
- Bump eslint-plugin-prettier from 3.1.1 to 3.1.2 in /npm_and_yarn/helpers
- Bump semver from 6.3.0 to 7.0.0 in /npm_and_yarn/helpers
- Bump npm from 6.13.2 to 6.13.4 in /npm_and_yarn/helpers
- Bump @dependabot/yarn-lib from 1.21.0 to 1.21.1 in /npm_and_yarn/helpers
- Python: Preserve dependency name extras
- JS: Fix unfetchable tarball path deps ∞ loop
- Codecommit: Create client without credentials
- Bump npm from 6.13.1 to 6.13.2 in /npm_and_yarn/helpers
- Bump @dependabot/yarn-lib from 1.19.2 to 1.21.0 in /npm_and_yarn/helpers
- Bump eslint from 6.7.1 to 6.7.2 in /npm_and_yarn/helpers
- Cargo: Handle virtual manifests with workspace glob on src/*
- Bump default Python from 3.7.5 to 3.8.0
- Update rubocop requirement from ~> 0.76.0 to ~> 0.77.0 in /common
- Docker: support mixed case version suffixes (RC)
- Support Jinja templates in requirements files
- Bump friendsofphp/php-cs-fixer in /composer/helpers
- Bump pip-tools from 4.2.0 to 4.3.0 in /python/helpers
- JS: Fetch tarball path dependencies
- Bump eslint from 6.6.0 to 6.7.1 in /npm_and_yarn/helpers
- Bump @dependabot/yarn-lib from 1.19.1 to 1.19.2 in /npm_and_yarn/helpers
- Add pull request message header support (thanks, @millerick!)
- Go: Add go version specifier (thanks, @chenrui333!)
- Go: Bump golang to v1.13.4 (thanks, @chenrui333!)
- Docker: Support mix of Docker tags for the same image (thanks, @michael-booth!)
- Maven: Change logic to check if a version is released
- Bump npm from 6.13.0 to 6.13.1 in /npm_and_yarn/helpers
- Bump https-proxy-agent in /npm_and_yarn/helpers
- Bump prettier from 1.18.2 to 1.19.1 in /npm_and_yarn/helpers
- Fix Gitlab API commit file type to match GitHub's submodule type
- Decompress gzipped http responses
- Bump npm from 6.12.1 to 6.13.0 in /npm_and_yarn/helpers
- Bump pip from 19.2.3 to 19.3.1 in /python/helpers
- Gradle: Skip name property if one is already present
- Common: Fix hanging regex in LinkAndMentionSanitizer
- Bump cython from 0.29.13 to 0.29.14 in /python/helpers
- Bump composer/composer from 1.9.0 to 1.9.1 in /composer/helpers
- Bump default Python versions to 3.7.5 and 2.7.17
- Bump nock from 11.6.0 to 11.7.0 in /npm_and_yarn/helpers
- GitLab: Don't pass empty array to update approvers
- Bump pip-tools from 4.1.0 to 4.2.0 in /python/helpers
- Bump npm from 6.10.3 to 6.12.1 in /npm_and_yarn/helpers
- Update rubocop requirement from ~> 0.75.0 to ~> 0.76.0 in /common
- Update toml-rb requirement from ~> 1.1, >= 1.1.2 to >= 1.1.2, < 3.0
- Fix mismatched code span issue when sanitizing mentions
- Bump eslint from 6.5.1 to 6.6.0 in /npm_and_yarn/helpers
- Bump nock from 11.5.0 to 11.6.0 in /npm_and_yarn/helpers
- Bump phpstan/phpstan from 0.11.16 to 0.11.19 in /composer/helpers
- Add support for VS Code Remote Development on Docker
- Bump nock from 11.4.0 to 11.5.0 in /npm_and_yarn/helpers
- Add whatsnew to changelog names
- JS: Fix missing previous version when the version is a git sha
- JS: Fix bug where previous version was equal to the new version
- Gradle: Support updates that use git dependencies
- Improve @mention sanitizer for verbatim backticks in code fences
- Disable the Go module proxy
- Upgrade Go to 1.13.1
- Improve @mention sanitizer for compact code blocks
- JS: Handle GitHub shorthand links in MetadataFinder
- Python: Revert file fetching change
- Bump eslint from 6.5.0 to 6.5.1 in /npm_and_yarn/helpers
- Bump rubocop requirement from ~> 0.74.0 to ~> 0.75.0 in /common
- Bump @dependabot/yarn-lib from 1.17.3 to 1.19.0 in /npm_and_yarn/helpers
- Bundler: Fall back to unlocking all sub-dependencies in lockfile updater
- Python: Fetch path dependency files relative to directory they're required in
- Python: Handle nested path dependencies during parsing
- JS: Handle cases where the resolved previous version is the latest version
- JS: Resolve the previous version from the version requirements when there is no lockfile
- JS: Handle malformed lockfile versions
- Gradle: Support pre-release syntax 1.0.0pr
- Update security vulnerability disclosure to GitHub Bug Bounty program
- Dependencies: Make gpgme an optional dependency
- Dev env: Allow a few options to be provided to the dev shell
- Dev env: Mount .rubocop.yml in the docker dev shell
- Dry-run: Only git init when writing output
- Dry run: support multiple package managers when caching files
- Dry run: add --commit option to fetch from
- Bump nock from 10.0.6 to 11.3.4 in /npm_and_yarn/helpers
- Bump eslint from 6.3.0 to 6.4.0 in /npm_and_yarn/helpers
- Dry run script: add options and improve logging
- Add support for AWS codecommit
- Python: Stricter marker ignoring
- Docker: Add support for docker images with build num as tags (thanks @tscolari!)
- Composer: Tighten platform extensions regex
- JS: Parse dependency on pkg.github.com registry more sensibly
- Python: import setuptools for access to both find_packages() and setup() (thanks @cclauss!)
- Add details of error to the "Unexpected git error!" message
- JS: Ignore user-specified registries that don't return JSON
- Handle bintray private registries
- Don't comment on cases where a GitHub bug prevents us adding a team reviewer
- .NET: Add support for GlobalPackageReference, Packages.props and using Update in addition to Include (thanks @david-driscoll)
- Reverse commit order when looking for most recent Dependabot commit
- Python: Bump hashin from 0.14.5 to 0.14.6 in /python/helpers
- Prioritise `changes` files over `history` files when looking for a changelog
- Sanitize gemfury URLs globally
- Composer: Helper cleanup (thanks @localheinz)
- PHP: Fix SHA pinning for git dependencies with an alias
- Ruby: Update Ruby versions
- Gradle: Exclude dependencies that don't have a valid version
- Rust: Remove default-run specification before running version resolution
- Python: Pass index URLs to pip-compile as arguments
- .NET: Include default source unless a config file clears it
- Comment on created PRs that we are unable to assign reviewers to
- Cargo: Better check for globs in workspace paths
- Sanitize issue/PR references that specify a repo
- Python: Update marker handling to ignore deps with a < in the requirement
- Composer: Fix tests and enforce latest_allowable_version for stability-flag versions
- Docker: Use most specific version for .0 releases
- Handle trailing dots when creating branch names
- JS: Use all dependency URLs when building a .npmrc (don't prefer one lockfile format)
- Composer: Tighter regex on installation requirements
- JS: Handle leading equals signs
- Bundler: Mimic Bundler 2.x default of using HTTPS for GitHub dependencies
- Composer: Refactor FileParser
- Composer: Support stability flags in parser and update checker
- Composer: Raise phpstan level from 5 to 6
- Composer: Smarter selection of implicit PHP requirements for applications
- Composer: Remove alias when determining git dependency branch
- Composer: Tighter regex for missing platform requirements
- Bundler: Don't update gemspec requirements
- Bundler: Raise a runtime error if no files change in file updater
- Composer: Try to use lowest possible PHP version when updating requirements
- Python: Bump pip-tools from 4.0.0 to 4.1.0 in /python/helpers
- Bundler: Handle gemspec with a float version number
- Composer: More lockfile parsing robustness
- PHP: Handle doctored lockfile in FileParser
- Bundler: Update source for gemspec requirements when updating for Gemfile ones
- Switch back to npm v6.10.3
- Update Golang and Dep versions
- Composer: Parse git dependencies (ignore them in the update checker)
- Python: Bump pip from 19.2.2 to 19.2.3 in /python/helpers
- JS: Bump npm from 6.11.1 to 6.11.2 in /npm_and_yarn/helpers
- GitHub Actions: More precise file updating
- Yarn: Ignore dependencies with npm registry alias in the name (`alias@npm:package`)
- Handle git dependencies that pin to a tag in ReleaseFinder
- GitHub Actions: Update commit SHA pins to version pins when possible
- Add GitCommitChecker#pinned_ref_looks_like_commit_sha? method
- Bump npm from 6.10.3 to 6.11.1 in /npm_and_yarn/helpers
- Composer: Treat stability flag requirements as default requirement
- Composer: Don't update the commit SHA for git dependencies when doing other updates
- Update JS subdependencies
- Bump Rust version in Dockerfile
- Composer: Several internal improvements courtesy of @localheinz
- Python: Better GIT_DEPENDENCY_UNREACHABLE_REGEX for Poetry
- GitHub: Only update version tag if commit SHA has changed
- Look up a commit in GitCommitChecker#head_commit_for_current_branch if no version
- Better VERSION_REGEX for git commit checker
- Python: Handle arrays of Python requirements (from pyproject.toml) in PipenvVersionResolver
- JS: Add failing test for dependencies with latest
- JS: Better sanitization of {{ variable }} text in package.json files
- Composer: Handle php-64bit requirements
- PHP: Handle loosely specified PHP versions for libraries better
- PHP: Raise a Dependabot::DependencyFileNotResolvable error in some VersionResolver cases
- Better commit messages when updating a git tag without a lockfile
- Add github_actions as a gem everywhere
- Update dry run to cache editable dependency files
- Add support for updating GitHub Action workflow files
- Composer: Parse ranges with a wildcard as invalid
- .NET: Add Directory.Build.props regex to FileUpdater.updated_files_regex
- Add `require_up_to_date_base` filter to PullRequestCreator
- Expose GitMetadataFinder#head_commit_for_ref method
- Python: Update Python versions
- Python: Bump pip from 19.2.1 to 19.2.2 in /python/helpers
- Bundler: Handle path dependencies that use a .specification file
- Maven: Improve dot separator regex to fix XML searching bug
- PHP: Stricter regex for finding missing extensions and PHP versions
- Bundler: Tighter check on source being Rubygems
- Terraform: Handle registry dependencies that specify a sub-directory
- Retry tree creation if we're persistently failing to create a commit for it
- Better check that pull request creation errors have details
- Python: Better error message in pip-compile for bad Python version
- Gradle: Handle redirect loops
- Maven: Handle redirect loops
- Composer: Add special case for bad nova.laravel.com credentials
- Retry PR creation for unexpected 422s
- JS: Bump npm from 6.10.2 to 6.10.3 in /npm_and_yarn/helpers
- Update Excon requirement
- Bundler: Sanitize out date from gemspecs
- Python: Handle UnsupportedPythonVersion errors in pip-compile
- .NET: Treat blank versions the same as missing versions
- Rust: Ignore error in workspaces with clashing native dependencies
- Ignore merged PRs in PullRequestCreator::GitHub
- Python: Distinguish between dev and prod sub-dependencies (Poetry)
- Python: Distinguish between dev and prod sub-dependencies (Pipenv)
- PHP: Distinguish between production and development subdependencies
- Bundler: Simplify parser logic for subdependency_metadata
- JS: Include details of whether a sub-dependency is production or not
- Bundler: Detect whether subdependencies are production or not
- Validate subdependency_metadata format
- Store subdependency_metadata as an array of hashes (not a hash)
- Raise Octokit::Unauthorized from PullRequestCreator::GitHub if service pack 401s
- .NET: Move blank version handling
- PHP: Bump composer/composer from 1.8.6 to 1.9.0
- .NET: Handle blank strings when comparing versions
- Handle Python homepage URLs that create a redirect loop
- Handle "could not add requested reviewers" errors
- Go (modules): switch to gomodules-extracted@v1.1.0
- Remove invalid .editorconfig file
- JS: Fix git URL parsing edge case
- Add missing pip support to dry-run
- JS: Ignore git dependencies locked to a non-commit version
- Elixir: Bump elixir version to 1.9.1 in Dockerfile
- .NET: Better pre-release comparison
- .NET: Fetch all nuget.config files
- JS: Better git URL parsing
- Python: Handle link tags without a href
- Bump cython from 0.29.12 to 0.29.13 in /python/helpers
- Don't map all git dependencies to GitHub
- Handle credentials with an `@` in the username in GitMetadataFetcher
- Don't use semver labels if a skip-release label exists
- Python: Handle devpi index requirements (package name in URL, must request text/html)
- Python: Use namespace when using NameNormaliser
- Python: Regex updates for new pip version
- Python: Update error message parsing for new pip version
- Python: Bump pip-tools from 3.9.0 to 4.0.0 in /python/helpers
- Python: Bump pip from 19.1.1 to 19.2.1 in /python/helpers
- Python: Handle pip-compiled files with specified names (when included in header)
- Composer: Better selection of valid versions from requirements
- JS: Bump semver from 6.2.0 to 6.3.0 in /npm_and_yarn/helpers
- JS: Bump npm from 6.10.1 to 6.10.2 in /npm_and_yarn/helpers
- Python: Fix typo
- Add new Dependency.name_normaliser_for_package_manager method, and implement for Python
- Python: Consider whether a version has been yanked in LatestVersionFinder
- Bundler: Stop using --full-index, since artifactory issue is now fixed
- Python: Correctly check for hashes when freezing versions in a pyproject.toml
- Don't pluralize security fixes if there is only one
- Yarn: Use npmjs.org as registry if explicitly specified in .yarnrc
- Composer: Fix conversion of requirements to version when handling missing extensions
- Python: Handle git@ URLs in FileFetcher
- Python: Check using Python 2 when updating fails due to an issue with dep being updated
- PHP: Use lower bound of library PHP requirement when resolving
- Properly catch pandoc timeouts
- Catch pandoc timeouts
- Time out calls to pandoc after 10 seconds
- Python: Bump pip-tools from 3.8.0 to 3.9.0 in /python/helpers
- Handle 401s from GitHub in GitMetadataFetcher
- Bundler: Handle symbols being used for requirements
- Python: Handle authed URLs which include an `@` in metadata finder
- Maven: Handle bad URIs in VersionFinder
- .NET: Ignore .sln files that can't be encoded to UTF-8
- Handle disabled repos in PullRequestCreator::Github
- Bundler: Replace JSON.parse lines in gemspec
- Yarn: Add support for missing `link:` path dependencies which exist in the lockfile
- Update rubocop requirement from ~> 0.72.0 to ~> 0.73.0 in /common
- JS: Fix yarn file path resolutions when manifest is missing
- Better library definition in PullRequestCreator
- Gradle: Handle dependency names that can't be converted to XPaths
- Maven: Fetch modules listed in profiles
- Handle @-mentions that include a hyphen
- Docker: Insist on updated docker_registry2 to fix Artifactory bug
- Yarn: Enforce https for most common hostnames
- Yarn: Bump @dependabot/yarn-lib from 1.16.0 to 1.17.3 in /npm_and_yarn/helpers
- Go (modules): bump masterminds/vcs to v1.13.1 to fix Go bitbucket support
- Cascade author details to Azure commit
- JS: Bump npm from 6.10.0 to 6.10.1 in /npm_and_yarn/helpers
- JS: Fetch yarn file path resolutions from manifest
- JS: Bump lodash from 4.17.11 to 4.17.14 in /npm_and_yarn/helpers
- Fix typo
- Mark fetched symlinks as symlinks, and update the target when updating
- Maven/Gradle: Make version classes consistent
- Look for previous version in changelogs as well as new version
- Composer: Handle PHP requirements with an OR condition
- Sanitize `gh-` links (i.e., handle lowercase)
- Python: Bump cython from 0.29.11 to 0.29.12 in /python/helpers
- Docker: Handle versions with a KB prefix (imperfectly...)
- Docker: Allow uppercase prefixes and suffixes
- Update Pyenv, Elixir and Rust versions
- PHP: Composer missing extension support
- Python: Fix typo
- Python: Bump poetry from 0.12.16 to 0.12.17 in /python/helpers
- Python: Handle unparseable python_requires values in setup.py
- Handle commit messages that are just a newline
- Python: Better Python requirement parsing
- JS: Bump npm from 6.9.2 to 6.10.0 in /npm_and_yarn/helpers
- Python: Add PipVersionResolver
- Python: Parse setup.py python_requires lines
- Fix rubocop
- .NET: Raise clearer file fetching error when a path in a .sln file can't be fetched
- JS: Store status on registry errors
- Python: Move Python version requirement detection into its own class
- Don't treat dependencies where we can't update the requirement file as updatable
- JS: Bump npm from 6.9.0 to 6.9.2 in /npm_and_yarn/helpers
- JS: Bump semver from 6.1.2 to 6.2.0 in /npm_and_yarn/helpers
- Composer: Parse auth.json to fetch credentials
- Python: Treat != requirements as unfixable
- Rust: Include user-agent when making requests to crates.io
- Ruby: Raise helpful error for plugin sources
- Ruby: Skip requirements which include an or
- Strip @ from branch name
- Python: More robust exclusion of path and git dependencies
- Terraform: Quietly ignore custom registries (don't raise)
- Python: Handle wildcards with trailing characters in requirement parser
- Python: Bump cython from 0.29.10 to 0.29.11 in /python/helpers
- Docker: Handle case where new digest can't be found
- NuGet: Fetch build files case insensitively
- NuGet: Fetch Directory.Build.targets files
- NuGet: Handle non-utf-8 encodings from registry
- NuGet: Handle zero padding around registry responses
- Python: Use Nokogiri to parse simple index response
- Docker: Paginate through all tags when registry returns paginated response
- Handle custom commit message prefixes for dev dependencies
- Implemented Azure client for file fetcher/pull request creator (see #1211. Thanks @chris5287!)
- Ruby: Handle precision mismatch when updating ranges
- BREAKING: Allow commit_message_options to be passed to pull request creator. This replaces the signoff_details argument. See #1227 for full details.
- Ruby: Handle unreleased git dependencies properly
- Add tests for PrNamePrefixer
- Python: Handle multiline links in PyPI simple index response
- JS: Handle Excon::Error::Socket errors when fetching latest details
- Raise helpful error for unexpected Bitbucket responses
- Composer: Handle stability flags in version updater
- JS: Bump semver from 6.1.1 to 6.1.2 in /npm_and_yarn/helpers
- PHP: Add php7.3-geoip to Dockerfile
- Add longer read timeout when fetching git metadata
- PHP: Handle leading space in requirement strings
- Python: Use --pre in pip-compile options if it was used previously
- Go (modules): keep bumping pinned dependencies
- Go (modules): don't update replace-pinned dependencies
- Sanitize markdown in commit messages
- Python: Handle a specified python version in LatestVersionFinder
- Python: Better backup parsing of setup.py files
- .NET: Handle multi-line sln declarations, and tighten regex. Fixes #520
- Python: Handle quotes around index URLs in requirement.txt files
- Npm: Ignore bundled sub-dependencies
- JS: Handle unexpected objects in package-lock.json when looking for path dependencies
- PHP: Add ext-imap to Dockerfile
- Python: Handle requirement files with spaces before their comments
- Gradle: Treat Early Access Programme (EAP) versions as pre-releases
- Cargo: Handle implicit workspace declarations
- Docker: Retry server errors
- Composer: Bump composer/composer from 1.8.5 to 1.8.6
- Go (modules): handle replace directive in updater
- Python: Properly remove setup tools warning
- Go (modules): don't build during go get -d
- Bundler: Remove existing load paths before loading git dependency gemspecs
- NuGet: Additional handling for timeouts from private registries
- Maven, Gradle: Special case display name for undescriptive artifact IDs
- Make dependency display name configurable by package manager
- JS: Ignore invalid lerna.json setups
- Docker: Support tag format with 'v' prefix
- Python: Bump pip-tools from 3.7.0 to 3.8.0 in /python/helpers
- Go (modules): handle local module replacements
- JS: Sanitize escaped slashes in package names for issue details
- Sanitize each cascade separately, to ensure truncated codeblocks don't cause issues
- Rust: Handle blank versions specified within a hash
- Fix method name typo
- Python: Raise an error for self-referential requirements files
- Docker: Retry RestClient::ServerBrokeConnection
- Better error for debugging repeated branch creation failure
- Bump js-yaml from 3.13.0 to 3.13.1 in /npm_and_yarn/helpers
- Composer: Retry more transitory failure classes in LockfileUpdater
- Python: Handle flags in requirement file, and fetch constraints files better
- Scope reference creation failure retries to a tighter error, and retry more
- JS: Bump handlebars from 4.1.0 to 4.1.2 in /npm_and_yarn/helpers
- Handle git URLs that use :/ as a separator
- Ruby: Call uniq on unreachable git URIs
- Python: Handle files that can't be encoded to UTF-8
- Improve file encoding in changelog fetching
- Pass signoff_details to MessageBuilder, not author_details
- Put emoji tighter together when prefixing with multiple
- Better mention sanitizing (handle codeblocks)
- JS: Handle creds used by multiple scopes in npmrc builder
- .NET: Handle v2 responses which don't specify a base
- Add libgeos-dev to Dockerfile
- Python: Sanitize poetry files before adding more details
- JS: Handle npmrc files with carriage returns in them
- Python: Correctly set Poetry sources from config variables (include a name)
- JS: Handle a bad body response from a custom registry
- Python: Raise helpful errors for unreachable git dependencies
- Go 1.12 support
- Handle deleted target branch when updating a PR
- If Bitbucket times out when getting commits, silence the error
- Add retries to Bitbucket client, and change initialize signature
- Python: Bump cython from 0.29.9 to 0.29.10
- Dep: Pass a dummy ref and branch
- Keep existing tag prefix when looking for local_tag_for_latest_version
- JS: Handle bad peer requirements
- Only consider first line when checking if commit prefixes should be capitalized
- Don't rely on dependabot[bot] name
- Python: Allow unchanged files in RequirementReplacer if req is unchanged
- Handle 451s instead of 403s from GitHub for blocked repos
- Handle blocked repositories when fetching commits and release notes
- Raise a BranchProtected error for protected branches (rather than silencing)
- Handle failed attempts to update protected branches
- Handle Octokit::UnavailableForLegalReasons errors when attempting to fetch changelogs
- Python: Remove private source checking from Pipenv and Poetry resolvers (done in LatestVersionFinder)
- Python: Include pyproject source in IndexFinder
- Python: Raise PrivateSourceTimedOut for timeouts in LatestVersionFinder
- Retry failures to fetch git repo in GitHub PR creator
- Cargo: Raise a resolvability error for submodule cloning issues
- Elm: Allow normal Ruby requirements in Elm::Requirement class
- Gradle: Raise DependencyFileNotFound error for missing dependency script plugins
- Python: Handle environment variables passed in place of basic auth details
- JS: Protect against non-string versions in package.json
- Terraform: Handle sub-dir reference in querystring
- Gradle: Ignore dependency script paths that need value interpolation
- Python: Preserve operator spacing
- Python: Remove duplication between RequirementReplacer and RequirementFileUpdater
- Python: Preserve whitespace in requirement.txt updates
- JS: Bump semver from 6.1.0 to 6.1.1 in /npm_and_yarn/helpers
- Extract issue linking logic into a separate class
- Python: Bump cython from 0.29.7 to 0.29.9 in /python/helpers
- Add php7.3-tidy to dockerfile
- Retry labeling failures caused by a race on the GitHub side
- Elixir: Better file sanitization
- Gradle: Ignore failure to fetch script plugins from submodules
- Python: Better python version error detection
- Python: Mark dependencies specified in a dev file as development dependencies
- Terraform: Handle unparseable files
- Gradle: Handle dynamic versions with minimum patch
- Python: Don't parse comments as part of index URL
- Python: Use configured git when using Poetry
- Ruby: Handle unevaluatable ruby versions
- JS: Bump tar from 2.2.1 to 2.2.2 in /npm_and_yarn/helpers
- Python: Handle unreachable git dependencies when using Poetry
- More retries for PR creation failures
- Elm: Raise a resolvability error for old versions of Elm
- JS: Bump semver from 6.0.0 to 6.1.0 in /npm_and_yarn/helpers
- Python: Don't accidentally replace extra declarations with locked versions
- Maven: Ignore unfetchable parents when finding repositories
- Raise an identifiable error if GitHub 500s during git metadata lookup
- Elixir: Cowardly fix for a mixfile updating issue
- Python: Run check_original_requirements_resolvable using correct Python version
- Maven: Ignore unfetchable parents
- Python: Bump poetry from 0.12.14 to 0.12.16
- Make Source#url dependent on hostname
- Allow custom headers to be passed to pull request creator
- Python: Don't fetch large .txt files
- Update dependencies label colour
- Bump dep
- JS: Ignore quotes in npmrc when looking for registry
- Python: Handle missing references for Poetry dependencies
- PHP: Update to minimal secure version for security updates
- Elixir: Sanitize config_path out of mixfiles
- Java: Handle branch not found errors in MetadataFinder
- Bundler: Update lockfiles which have tricky default gem handling
- JS: Bump @dependabot/yarn-lib from 1.15.2 to 1.16.0 in /npm_and_yarn/helpers
- Python: Bump pip-tools from 3.6.1 to 3.7.0 in /python/helpers
- Ruby: Better default when replacing file text
- JS: Handle packages without a name
- JS: Sanitize spaces in filenames
- Gradle: Fix VersionFinder for plugins that check maven.google.com
- Use service pack to determine existing branches
- Cache that a branch can't be found
- Don't cache a single branch_ref now that branch_exists? takes an argument
- Bundler: Always include spaces after commas
- Use updated branch name when creating PRs
- Python: Revert "Ignore irrelevant pyproject files to avoid pep517 warnings"
- Add longer sleep when creating a commit fails
- Python: Bump pip from 19.1 to 19.1.1 in /python/helpers
- Raise error for unprocessable branch names
- Python: Downgrade Poetry to avoid bug
- Bundler: Use --full-index when checking for updates and updating files
- Docker: Handle v1 dockerhub references
- Rename github_link_proxy to github_redirection_service
- Python: Don't prioritize Python 2 above lower Python 3 versions
- Python: Bump poetry from 0.12.14 to 0.12.15 in /python/helpers
- Python: Use python version indicated by markers in compiled pip-compile files
- Allow a custom GitHub link proxy to be provided to MessageBuilder
- Update Rust specs
- Handle issue linking of issue numbers prefixed with `#`
- Don't sanitize @-mentions in code quotes
- Python: Handle sub-dependencies that are removed from the lockfile during update
- Allow a custom prefix to be passed to BranchNamer
- Gradle: Parse and update plugin versions
- Composer: Handle people putting strange things in their repositories hash/array
- Fix error-related rubocops
- Cargo: Handle private git dependencies that aren't parsed
- Python: Respect Python version specified in runtime.txt
- PHP: Fetch path dependencies specified in a hash (rather than an array)
- Python: Look for .python-version file at top-level, too
- Rust: Handle a resolvability issue
- Rust: Require a unique source (not just source type)
- Upgrade to PHP 7.3
- Python: Use Python 3.7.3 instead of 2.6.8
- Python: Bump poetry from 0.12.13 to 0.12.14 in /python/helpers
- Bump poetry from 0.12.12 to 0.12.13 in /python/helpers
- Update changelog finder to look in GitLab and Bitbucket directories, too
- Convert GitLab API types to match GitHub
- Sanitize all tags in commit messages
- Clean up tag sanitization and details tag creation
- Escape more tags when sanitizing lines
- Replace empty links (caused by rst processing)
- NPM: Remove extraneous git url fix
- Docker: Make self.updated_files_regex case insensitive
- NPM: Preserve indentation of lockfiles
- Python: Update to a specific version when updating Pipenv subdependencies
- Python: Update poetry sub-dependencies to a specific version
- Require minimum file size for changelogs
- Add php7.2-mysql providing pdo-mysql
- Add scope to fallback commit message
- Python: Ignore irrelevant pyproject files to avoid pep517 warnings
- Python: Bump pip from 19.0.3 to 19.1 in /python/helpers
- Python: Bump pip-tools from 3.6.0 to 3.6.1 in /python/helpers (#1120)
- NPM: Handle private registry error '403 Fobidden'
- JS: Handle git dependencies with file-path sub-dependencies
- Rust: Update target-specific dependencies
- Rust: Handle git dependencies changing version to a pre
- JS: Add floor to satisfying_versions in version resolver
- JS: Ignore aliased dependencies in lockfile parser
- Rust: Require a resolvable version, even when updating a library
- Ruby: Include a lower Ruby version in list of possible rubies (in case a < req specified)
- Add sleep before retrying commit creation
- Make commit prefixing more robust
- Pass old commit SHA when updating a PR, and use it to identify the relevant commit
- Composer: Add lowest_security_fix_version to LatestVersionFinder
- Composer: Refactor LatestVersionFinder to be more extensible
- Composer: Move tests for latest version finding to new class
- Composer: Extract latest_version logic into LatestVersionFinder class
- Composer: Stop passing latest_version to RequirementsUpdater (it was unused)
- Rust: Update to lowest fixed version for vulnerable dependencies
- Rust: Pass a single version to RequirementsUpdater
- Python: Handle subdependency resolution checking properly for pip-compile
- Stop using commit compare API endpoint when building commit diffs (it sometimes 500s)
- Python: Add `resolvable?` method to version resolvers, and use in update checkers
- JS: Handle cases where requirements stay identical except for switch to private source
- Ruby: Handle Ruby lock errors correctly in LockfileUpdater
- Ruby: Update versions constant
- Python: Handle lockfile-only updates with an unrelated requirement
- Rust: Tell rustup to use cURL
- Rust: Change ownership of /opt/rust in dev dockerfile
- Rust: Add LatestVersionFinder#lowest_security_fix_version
- Rust: Extract specs for LatestVersionFinder
- Rust: Extract latest version finder logic into separate class
- JS: Handle MyGet format resolved URLs
- Python: Update to lowest fix for security vulnerabilities (all package managers)
- Python: Refactor PipCompileVersionResolver to match other resolvers
- Python: Refactor PoetryVersionResolver to match PipenvVersionResolver
- Python: Refactor PipenvVersionResolver#latest_resolvable_version to take a requirement arg
- Python: Refactor PipenvVersionResolver to make it more extensible
- PHP: Re-remove Xdebug
- Add back x-debug
- JS: Handle package.json files that specify an array of dependencies (not an object)
- Remove xdebug from container
- Rename pipfile resolver to pipenv
- Python: Refactor UpdateChecker to make it more extensible
- Python: Rename PipfileVersionResolver to PipenvVersionResolver
- Python: Update to lowest fixed version for vulnerable requirement.txt versions
- Python: Add lowest_security_fix_version to UpdateChecker::LatestVersionFinder
- Python: Pass security_advisories to LatestVersionFinder
- Add mercurial to Dockerfile
- Ruby: Minor efficiency improvement in LatestVersionFinder
- Python: Refactor LatestVersionFinder to make private methods easier to reuse
- Add tests for Python::UpdateChecker::IndexFinder
- Python: Split index finder logic into separate class
- More simplification of Bundler::UpdateChecker
- Clean up Bundler::UpdateChecker::LatestVersionFinder
- Ruby: Update to minimal version possible for security updates
- Python: Fix handling of comparisons with non-canonical segments
- Python: Support pre-releases in wildcards, and allow Python 3.8-dev
- Composer: Build path dependencies from lockfile even when whole dir is missing
- Require a dependency_name when creating a SecurityAdvisory
- Python: Bump cython from 0.29.6 to 0.29.7
- JS: Don't assume we can upgrade sub-dependencies to a secure version
- JS: Update insecure dependencies to the minimum secure version
- Nuget: support lowercase version attributes
- JS: Pass security advisories to LatestVersionChecker
- JS: Fix update checker for deprecated deps
- Gradle: Upgrade to lowest fixed version if a dependency is vulnerable
- .NET: Upgrade to lowest fixed version if a dependency is vulnerable
- Maven: Upgrade to lowest fixed version if a dependency is vulnerable
- Maven: Cache release checks
- Ignore closed PR errors when updating a PR's branch
- Don't re-cast versions to versions in SecurityAdvisory
- Bump poetry from 0.12.11 to 0.12.12 in /python/helpers
- Add SecurityAdvisory class, used in UpdateCheckers::Base to determine if a version is vulnerable
- NPM: Remove dry-run config setting
- Add UpdateCheckers::Base#vulnerable? method, which checks against security advisories
- Accept a security_advisories argument to UpdateCheckers::Base.new
- JS: Handle build metadata in version strings
- Gradle: Handle commented out lines when updating files
- Python: Handle wildcards in requirements with a non-equality operator
- .NET: Treat dependency names as case-insensitive
- PHP: Bump composer/composer from 1.8.4 to 1.8.5
- Handle deleted target branches when creating a PR
- Python: Use pyenv v1.2.11 in Dockerfile, and update available Python versions
- Nuget: support multiple .sln files
- Git submodules: Raise parser error for trailing slashes in path
- NPM: Fix "premature close" for git dependencies
- Gradle: Better PROPERTY_REGEX
- Python: Raise error for invalid poetry requirements
- Ruby: Ignore Bundler updates if requirement is non-trivial
- Python: Bump pip-tools from 3.5.0 to 3.6.0 in /python/helpers
- NPM: Fix git dependencies with invalid requires
- JS: Handle invalid requirements better, and ignore rogue equal signs
- Docker: Treat RestClient::Exceptions::ReadTimeout exceptions the same as RestClient::Exceptions::OpenTimeout
- Better GitHub link replacement
- Maven: Handle requirements which include underscores
- Ruby: Don't ignore all > requirements in ForceUpdater
- Ruby: Only consider relevant conflicts when unlocking additional deps
- Maven: Include http:// version of central registry in special handling
- Docker: make ECR requests work w/o credentials
- Ruby: Always evaluate files from within a base directory
- Cargo: Handle additional error type that represents an unreachable git repo
- Yarn: ignore platform check
- PHP: Move back to clearer memory limit setting
- NPM: ignore prepare and prepack scripts when installing git dependencies
- Add fallback PHP environment variable
- Docker: Handle invalid file encoding
- Add an automerge label to automerge candidates if one is present
- JS: Look for dependency details in a lockfile that might match this manifest (not any lockfile)
- Revert "Bundler: Include protocol when raising PrivateSourceAuthenticationFailure errors"
- Bump semver from 5.6.0 to 6.0.0 in /npm_and_yarn/helpers
- Maven: Better dot separator regex in PropertyValueFinder
- JS: Don't mistake v-prefixed versions for distribution tags
- Python: Case insensitive check for whether dependency name is in error message
- JS: Ignore 500s from private registries
- .NET: Handle property versions that reference a function
- JS: Handle npm lockfile name substitution in post-processing
- JS: Don't replace package name when generating updated npm lockfile
- Python: Handle environment variables for Gemfury URLs
- Pass empty string token to elixir helper, again
- Ruby: Include protocol when raising PrivateSourceAuthenticationFailure errors
- Elixir: Pass empty string token to elixir helper
- JS: Better registry uniq-ing
- Bundler: Handle resolver returning `nil` for an unchanged git source
- Handle missing token in js registry finder
- Don't attempt to configure git creds that don't have a username or password
- Python: Handle basic auth credentials that include an `@` in the username
- NPM: Optionally build npmrc without credentials
- Bundler: Handle repos without a lockfile where the dep being updated has an implicit pre-release requirement
- Python: Fetch requirement files with lines that start with a comment
- Bump @dependabot/yarn-lib from 1.13.0 to 1.15.2 in /npm_and_yarn/helpers
- Python: Handle yanked dependencies in PoetryVersionResolver
- Python: Better environment variable support in LatestVersionFinder
- Fix rubocop
- Python: Handle environment variables in LatestVersionFinder
- Python: Fix copy-paste error
- Bundler: Handle tricky ruby requirements in a gemspec when generating new lockfiles
- Python: Handle errors due to updating a dep to a version with a Python requirement issue (poetry)
- Add handling for tree creation race to pull request updater
- Handle unexpected previous versions in CommitsFinder
- Bundler: Don't add .rb suffix to require_relative files that already include it
- Python: Don't include dependencies parsed from a req.txt that are also included in Poetry
- Maven: Better file update regex (trust declaration finder more)
- JS: try/catch helper scripts
- Yarn: install specific sub-dependency version
- Composer: Serve resolvability error if required connections are disallowed
- Allow config variables without credentials wherever possible
- Python: Allow credentials to be passed with a token
- Use Bitbucket client in GitCommitChecker
- Use GitLab client when doing commit comparison
- Python: Reorganize FileUpdater#resolver_type to better handle cases where req.txt needs updating
- Python: More marker parsing improvements
- Python: Better handling of markers in requirements.txt
- Composer: Correct name for path deps starting with ../
- Yarn: handle git dependencies with token
- .NET: More sophisticated property value updater
- Maven: Handle repeated dependency declarations with different scopes
- Python: Handle updating Pipfiles which declare a version in a table
- Python: Split Pipfile manifest updater into separate class
- Use GitHub repo name definition for GitLab and Azure
- PHP: Handle relative paths that are actually from the root
- Rebuild Dockerfile using Ruby 2.6.2
- Ruby: Update list of latest rubies
- Python: Normalise dependency names when looking for them in poetry lockfile
- Do two retries when attempting to fetch git metadata
- Maven: Handle case where declaration_pom_name isn't found
- Python: Handle v-prefixes in versions and requirements
- PHP: Update memory limit setting again
- Python: refactor escaped command string
- Dep: escape command
- Cargo: escape command
- Fix escaped command for composer
- Escape shared helpers run subprocess cmd by default
- Python: Use original manifest instead of original compiled file when unredacting creds if required
- Python: Handle git credentials getting redacted as part of pip-compile install process
- Go: Retry transitory Go resolution issues
- Python: Remove unnecessary install
- Rust: Fetch patched path dependencies
- Use updated (clearer) style in other PHP helper
- Use Dependabot::Clients::GitlabWithRetries.for_source in labeler
- Python: Use 2.7.16
- Python: Use latest pyenv commit to get Python 2.7.16
- Python: Raise a DependencyFileNotResolvable error for unsupported pip-compile constraints
- Python: Use build isolation in FileUpdater
- Assume closing index of 0 if one can't be found
- Add test to ensure build-isolation not required in Python file updater
- Python: Build in isolation when using pip-tools (to prevent errors when using a pyproject.toml)
- Use php7.2-zmq instead of php-zmq
- .NET: Only update pre-release versions to pre-s for the same version
- Docker: Tighter regex for updating version
- Python: Don't escape spaces in pip-compile options
- Gradle: Handle multiple updates to a superstring
- .NET: Raise parser error for unparseable JSON
- Python: escape child process commands
- Stricter regex for Python file correctness
- Python: Better regex for dependency names
- Remove redundant require
- PHP: Remove overzealous use of shellwords
- Gradle: Handle property declarations in namespaces
- Gradle: Minor cleanup (uniq files)
- .NET: Update NuGet packages in global.json
- Docker: Raise custom error when private registries time out fetching tags
- Sign commits on behalf of an org
- Add support_file to DependencyFile#to_h
- Python: Avoid shelling out to Python during file fetching
- JS: Don't shell out to JavaScript during file fetching
- Ruby: Remove all calls to eval from file fetching
- JS: Fix native helper path in development and test
- Cargo: Remove lockfile duplicates
- Revert changes to JS helpers in dev and test env
- Handle 409s from GitHub when constructing commit message
- JS: Use un-built helpers in development and test env
- Short circuit update checking for dependencies being ignored
- NPM: Raise helpful error when lockfile is corrupt
- Bump pip-tools from 3.4.0 to 3.5.0 in /python/helpers
- Bump jest from 24.4.0 to 24.5.0 in /npm_and_yarn/helpers
- Elm: clean up subprocess invocation
- Dep: clean up subprocess invocation
- Composer: clean up subprocess invocation
- Cargo: clean up subprocess invocation
- Go (modules): clean up subprocess invocations
- Prefer non-app github.com token in SharedHelpers.configure_git_credentials
- Handle invalid milestones quietly
- Ignore 404s when attempting to set assignees
- JS: Bump npm from 6.8.0 to 6.9.0 in /npm_and_yarn/helpers
- Handle tags that match our version regex but don't have valid versions
- Bundler: Handle marshal errors
- Composer: Install php7.2-gmp
- Bundler: Bump rubygems from 3.0.2 to 3.0.3
- JS: Bump eslint from 5.14.1 to 5.15.1 in /npm_and_yarn/helpers
- Go (modules): handle another case of module path mismatches
- Minor version bump to signify that JS refactor (included in v0.95.85) is a breaking change, as it requires an update to the Dockerfile as well as the gem
- Fix gitignore for npm and yarn helpers
- JS: Ignore URL-style versions in npm lockfiles in NpmAndYarn::FileParser::LockfileParser
- Ruby: Handle marshal dump errors more gracefully
- Composer: Automatically retry transitory errors in VersionResolver
- Add php-zmq to Dockerfile
- JS: Simplify helper usage to only one script (#988)
- Better tag comparison in CommitsFinders
- Ruby: Handle circular dependencies at the latest version
- Terraform: Parse `git@github.com:` module sources
- JS: Fetch numeric version for git dependencies with a semver requirement
- Python: Handle .zip or .whl suffixes in LatestVersionFinder
- Python: Bump cython from 0.29.5 to 0.29.6 in /python/helpers
- Prefer refs to versions when generating compare URLs for git updates
- Python: Raise a resolvability error for Python version conflicts when Python version is user-defined
- Go (modules): switch back to masterminds/vcs now 1.13 is out
- Ruby: Fix gemspec sanitizer, and update test to have a Gem::Version
- Ruby: Alternative approach to sanitizing version constants in gemspecs
- Ruby: Only sanitize versions when they appear in strings
- JS: Treat projects with invalid names as non-library
- Python: handle fetching whl files dependencies
- Ruby: Handle more gemspec sanitization
- Ruby: More gemspec sanitization
- PHP: Build path dependencies from lockfile if not fetchable
- Go (modules): prevent all pseudo version updates
- Dockerfile: Add bzr to the Dockerfile
- NPM: Fix lockfile for git deps with semver version
- Handle TomlRB::ValueOverwriteError everywhere we handle TomlRB::ParseError
- Rust: Handle TomlRB::ValueOverwriteError errors in FileParser
- Rust: Handle parse errors in unprepared files in VersionResolver
- Retry GitLab 502s everywhere
- Ruby: Handle pre-releases with numeric parts in the pre-release specifier
- Fix handling of docker dependencies in ChangelogFinder
- Maven: Treat dependencies that specify their scope as `test` as development dependencies
- JS: Fix peer dependency updates for libraries
- JS: Return a version instance from UpdateChecker#latest_resolvable_version_with_no_unlock when version is numeric
- JS: Handle non-JSON responses from private registries when checking git deps
- JS: Handle duplicate peer dependency error
- Fix changelog fetching with a suggested changelog URL and no source
- PHP: Automatically retry transitory errors in lockfile updater
- Ruby: Better requirement string parsing
- Python: Fix python version installed check
- Use Ruby 2.6.1
- Python: Be explicit about the python version being installed
- Python: Better Python version handling for Pipenv
- Python: List supported versions, and error if using an unsupported one
- Bump pyenv, Go and Elixir versions in Dockerfile
- Go (modules): tighten up error regex
- Go (modules): Handle module path mismatch errors
- NPM: Fix missed lerna peer dependency update
- Reduce rubocop config spread and cover root files
- Python: Use user's defined Python version when compiling pip-compile files
- Retry GitHub races when creating a commit from a new tree
- Python: Treat install_requires dependencies as production dependencies
- Ruby: Don't mistake support files for evaled gemfiles
- Go (modules): handle missing sub-dependency error
- Ruby: Implement suggested_changelog_url, based on changelog_uri in gemspec
- Add suggested_changelog_url method to MetadataFinder::Base, that is passed to ChangelogFinder
- Python: Bump pip from 19.0.2 to 19.0.3 in /python/helpers
- NPM: Sanitise extra trailing slash from private registries
- Python: Don't repeatedly parse Pipfile.lock
- Python: Fetch poetry path dependencies
- Python: Only parse large lockfiles once
- Ruby: Handle another gem not found error case
- JS: Actually special case DefinitelyTyped
- JS: Don't update source from git to registry just because version isn't a SHA
- JS: Include a leading `*` as a semver indicator
- Python: Bump pip-tools from 3.3.2 to 3.4.0 in /python/helpers
- Ruby: Allow gemspec dependencies to have a source (in case it's git)
- Cargo: fix git credential helper issue
- .NET, Ruby and Rust: Fix directory handling for deeply nested file fetching
- Reverse commits when building a monorepo compare URL
- JS: Better special casing for gatsby
- Python: Look in project_urls for homepage
- PHP: Use the global variable $memory when freeing it
- Rust: Handle non-existent packages
- Simpler tag sorting for finding most appropriately named tag
- Better commit fetching for monorepos
- Always prefer commits URL with path for monorepos
- NPM: Fix lockfile for git dependencies using tags
- Better lowest_tag_satisfying_previous_requirements lookup
- Fetch git tags from git upload pack, rather than APIs, in CommitsFinder
- Speed up GitCommitChecker tag processor
- JS: Add special cases for Gatsby and DefinitelyTyped repos
- NPM: Speed up sub-dependency updates for big lerna projects using npm
- Composer: Bump friendsofphp/php-cs-fixer from 2.14.1 to 2.14.2 in /composer/helpers
- JS: Include details of directory in source if included in repository object
- Append directory to source URL when reliable
- Include directory details in commits URL if reliable
- Make source attributes editable, and add Source#url_with_directory method
- JS: Only assign a single credential to a scope in npmrc builder
- Ruby: Update version requirement at the same time as updating git tag
- JS: Parse full nexus private repository URLs from lockfile entries for scoped dependencies
- JS: Better handling of incorrect credentials for a private registry
- Better commit comparison links for dependencies without a previous version
- Fetch files from symlinked directories if fetching submodules
- Go (modules): more detailed error messages for unresolvable dependencies due to git errors, and for go.sum checksum mismatches.
- NPM: Prefer offline cache and turn off audits
- Go (modules): detect and handle missing/invalid dependency specified with pseudo version
- Cargo: Include all unreachable git dependencies when raising GitDependenciesNotReachable
- Fix time taken measurement for shell cmds
- Add git_repo_reachable? method to GitCommitChecker
- Cargo: Handle unreachable git dependencies
- Another @-mention sanitization improvement (better regex)
- JS: Bump npm from 6.7.0 to 6.8.0 in /npm_and_yarn/helpers
- Cleaner mention sanitizing (use a zero width character)
- Better sanitization of @mentions when wrapped in a link
- Update issue tag regex
- Add optional dependency on Pandoc that allows us to convert rst files
- PHP: Handle integer versions in composer.lock
- Add .gitignore
- Base: Convert directory to proper path before using it in file fetchers
- Python: Dig into source URL looking for reference to dependency name
- Gradle: Handle $rootDir variable in dependency script plugins
- Common: include bin files in dependabot-common packaged gem
- Require common in dry run script
- Sanitize @-mentions that are prefixed with a dash
- Python: Don't try to update 'empty' requirements.txt files as part of a Pipfile update
- PHP: Bump composer/composer from 1.8.3 to 1.8.4 in /composer/helpers
- Python: Check source project_url for a GitHub link in MetadataFinder
- Better branch naming when updating multiple deps
- JS: Handle registries that don't escape slashes in dependency names except at /latest
- Gradle: Fetch plugin script files, and update them
- PHP: Handle another error
- Python: Bump pip from 19.0.1 to 19.0.2 in /python/helpers
- Python: Bump cython from 0.29.4 to 0.29.5 in /python/helpers
- Rust: Fix method name typo
- Rust: Fix over-eager manifest file updating
- JS: Better handling of multiple git requirements
- Bundler: fix gemspec since 1ddf668
- Go (modules): handle vanity urls that return non-200 responses
- Bundler: remove unnecessary helpers
- Paginate through GitLab labels
- Python: Make post version comparison logic more explicit
- Python: Fix bug in post release version comparison
- Ruby: Handle assignment to hash attributes in sanitizer
- Fix common gemspec
- Python: Handle post-release versions properly
- PHP: Handle version requirements with a trailing dot
- Move shared code to a new `dependabot-common` gem
- Bump gitlab from 4.8 to 4.9
- Align GitLab PR creator with generic options
- Handle target branches that are a substring
- Python: Fetch vendored .zip files
- Correct relative links from GitHub release notes
- Cargo: Better spec construction
- Docker: Handle tags with both a prefix and a suffix
- Cargo: More specific details of dependency being updated
- Add php-mongodb to Dockerfile
- Raise normal error when submodule source isn't supported
- JS: Look for login form redirects, not 404s, when checking packages on npmjs.com
- Fetch files that are nested in submodules if asked
- Clean up file fetcher base class
- Better name for language label details
- Add class attribute_reader to Labeler
- Ruby: Move bundler monkey patches
- Python: Bump cython from 0.29.3 to 0.29.4 in /python/helpers
- Add bundler to omnibus
- Reorg bundler
- JS: Better detection of whether an npm registry needs auth
- Increase max retries for GitHub client
- Python: Bump hashin from 0.14.4 to 0.14.5 in /python/helpers
- Go: Retry resolvability errors in parser
- Python: Handle Poetry solver problems
- Add workaround for GitHub bug during PR creation
- PHP: Bump composer/composer from 1.8.2 to 1.8.3 in /composer/helpers
- Python: Bump hashin from 0.14.2 to 0.14.4 in /python/helpers
- .NET: Handle Nuget sources that don't return a ProjectUrl
- JS: Return a NpmAndYarn::Version, not a string, for git semver dependencies
- PHP: Bump composer/composer from 1.8.0 to 1.8.2 in /composer/helpers
- Gradle: Handle tabs when looking for repositories
- JS: Parse the semver version, rather than the git SHA, for git reqs with a semver specification
- Python: Handle Apache Airflow 1.10.x installs with pip-compile
- Maven: Update dot separator regex
- Python: Fix sanitization and remove puts calls
- Python: Sanitize # symbols in pyproject.toml files
- Python: Bump pip-tools from 3.3.1 to 3.3.2 in /python/helpers
- Maven: Handle case where property value can't be found in MetadataFinder
- Maven: Substitute properties in the URL when fetching a parent POM file
- Python: Handle fetching gzipped path dependencies
- Python: Handle Poetry sub-deps that should be removed from the lockfile
- JS: Fix bug when updating npm@5 lockfile w/ npm@6.6.0
- Merge branch 'fix-js-helper-location'
- Log when CIRCLE_COMPARE_URL isn't set
- Rubocop
- Fix JS helper location
- Merge branch 'hex-build-script-fix'
- Fix hex build script
- Revert "Revert "Make hex helpers obey install_dir""
- Python: Bump pip from 18.1 to 19.0.1 in /python/helpers
- Python: Bump pip-tools from 3.1.0 to 3.3.1 in /python/helpers
- Python: Fix for post-processing compiled files with reordered indices
- JS: Bump npm from 6.6.0 to 6.7.0 in /npm_and_yarn/helpers
- Make python helpers obey install_dir
- Make npm_and_yarn build script obey install_dir
- Python: Use poetry update [dep-name] --lock when updating Poetry files
- Ruby: CGI escape credentials before passing to Bundler
- PHP: Clean Composer programmatically install
- Rust: Raise PathDependenciesNotReachable errors, rather than DependencyFileNotFound errors
- JS (npm): Fix invalid from for git sub-dependencies
- Reduce "running as root" warnings with Docker image
- Update .gitignore
- Update gitignore for npm_and_yarn helpers move
- .NET, Elixir and Python: Better handling of version with build/local part
- JS: Simplify npm_and_yarn helpers to yarn workspaces
- JS: Bump npm from 6.5.0 to 6.6.0 in /npm_and_yarn/helpers/npm
- JS: Handle sub-dep version resolution errors
- Python: Bump cython from 0.29.2 to 0.29.3 in /python/helpers
- Python: Bump hashin from 0.14.1 to 0.14.2 in /python/helpers
- JS: Add support for Yarn git semver
- PHP: Always pass to json_encode for secure output
- PHP: Switch to a real helper bin file
- .NET: Handle build versions
- Add php7.2-apcu to Dockerfile
- Python: Fetch cascading requirement.in files
- Better commit subject truncation
- Docker: Handle AWS auth errors
- Raise NoHistoryInCommon error if it blocks PR creation
- JS: Stop registering the wrong version class
- JS: Memoize lockfile updates
- JS: Only include relevant dependency files when updating files
- JS: Reorganise into npm_and_yarn directory
- Elixir: require fully released version of jason
- Remove possibly redundant check that npm lockfile has changed
- JS: Add error context when no files were updated
- Update license to 2.0
- Fix README typo
- Dep: Ignore indirect dependencies in latest_resolvable_version_with_no_unlock
- Dep: Ignore indirect dependencies more robustly
- .NET: Even longer timeout
- Handle git to registry PRs for libraries in PR message builder
- Fix typo
- Rust: Handle old version of resolution failure error (for when toolchain specified)
- Use Elixir 1.8.0
- PHP: Handle registries that 404 on /packages.json
- Docker: Simplify updated_digest fetching, and retry DockerRegistry2::NotFound on tags
- Rust: Handle no latest_version when updating a library
- NPM: Handle package name with invalid characters
- Python: Bump poetry from 0.12.10 to 0.12.11 in /python/helpers
- Reorg dep
- .NET: Handle wildcard requirements without any digits
- Handle 403 forbidden responses from Bitbucket
- Ruby: Handle fetching gemspecs which specify a path
- Require composer from omnibus
- Update README for refactor install instructions
- PHP: Handle blank responses from registries
- Add composer to Dockerfile.ci and loadpath in dry-run
- Add missing requires
- PHP reorg
- Change subprocess IO.popen to Open3.capture2
- Add error context when helper subprocesses fail
- Ruby: Add Ruby 2.6.0 to list of rubies in RubyRequirementSetter
- Handle git dependencies when creating PR message for libraries
- JS: Handle ~ and ^ version requirements with blank minor.patch version
- Better handling of directories in changelog finder
- Elixir reorg
- PHP: Raise resolvability issue when working with local VCS errors
- Bump @dependabot/yarn-lib from 1.12.3 to 1.13.0 in /helpers/yarn
- Handle Bitbucket 401s during changelog lookup
- Handle Bitbucket 401s during commit lookup
- Cargo: If a file is both a support_file and a dependency file, treat as a dependency file only
- Cargo: Handle aliased dependencies better in file preparer
- Ruby: Handle subdependency updates when the subdep gets removed
- PHP: Cowardly ignore of stefandoorn/sitemap-plugin error we can't figure out
- PHP: Serve resolution error for non-https requests when they're disallowed
- PHP: Improve memory limit handling in PHP helper
- Better GitHub issue sanitization
- Gradle: Handle packaging types in versions
- Elixir: Handle whitespace before commas when updating mixfiles
- Python: Order additional hashes alphabetically when updating pip-compile files
- Docker: Reduce number of calls to Dockerhub when determining latest version
- Yarn: de-duplicate indirect dependencies
- Handle empty versions properly when a build or local version is possible
- Go (dep): Handle unreachable vanity URLs in parser
- .NET: Extend timeout for .NET repos
- Maven: More tests for versions that use multiple properties
- Maven: Handle properties with a suffix better
- Reduce the number of layers in the docker image
- Register GoModules::Requirement class
- Add go_modules package to Rakefile
- Go (modules): reorg
- JS: Handle requirements with an || when bumping versions
- Raise RepoNotFound errors when creating PRs
- Python: Don't treat post-releases as pre-releases
- Python: Augment hashes from pip-compile if necessary
- Bump rubygems and bundler versions
- Revert "Patch Rubygems requirement equality"
- Bump rubygems and bundler versions
- Ruby: Less strict requirement comparison
- Add TODO to Python pip_compile file updater