From 09e695c30a4ecf82e85bd224e52c6f654ba0bd21 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Aug 2024 07:15:36 +0300
Subject: [PATCH 01/10] Bump the sentry group in /updater with 2 updates
(#1289)
---
updater/Gemfile | 2 +-
updater/Gemfile.lock | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/updater/Gemfile b/updater/Gemfile
index 68d9db52..440679f1 100644
--- a/updater/Gemfile
+++ b/updater/Gemfile
@@ -21,7 +21,7 @@ gem "opentelemetry-instrumentation-faraday", "~> 0.24"
gem "opentelemetry-instrumentation-http", "~> 0.23"
gem "opentelemetry-instrumentation-net_http", "~> 0.22"
gem "opentelemetry-sdk", "~> 1.5"
-gem "sentry-opentelemetry", "~> 5.18"
+gem "sentry-opentelemetry", "~> 5.19"
gem "sentry-ruby", "~> 5.17"
gem "terminal-table", "~> 3.0.2"
diff --git a/updater/Gemfile.lock b/updater/Gemfile.lock
index 70ffc0af..68188682 100644
--- a/updater/Gemfile.lock
+++ b/updater/Gemfile.lock
@@ -23,7 +23,7 @@ GEM
bigdecimal (3.1.8)
citrus (3.0.2)
commonmarker (0.23.10)
- concurrent-ruby (1.3.3)
+ concurrent-ruby (1.3.4)
crack (1.0.0)
bigdecimal
rexml
@@ -327,10 +327,10 @@ GEM
sawyer (0.9.2)
addressable (>= 2.3.5)
faraday (>= 0.17.3, < 3)
- sentry-opentelemetry (5.18.2)
+ sentry-opentelemetry (5.19.0)
opentelemetry-sdk (~> 1.0)
- sentry-ruby (~> 5.18.2)
- sentry-ruby (5.18.2)
+ sentry-ruby (~> 5.19.0)
+ sentry-ruby (5.19.0)
bigdecimal
concurrent-ruby (~> 1.0, >= 1.0.2)
simplecov (0.22.0)
@@ -397,7 +397,7 @@ DEPENDENCIES
rubocop-performance (~> 1.21.0)
rubocop-rspec (~> 2.29.1)
rubocop-sorbet (~> 0.8.1)
- sentry-opentelemetry (~> 5.18)
+ sentry-opentelemetry (~> 5.19)
sentry-ruby (~> 5.17)
simplecov (~> 0.22.0)
terminal-table (~> 3.0.2)
From 2d9549bd47dee60a7a8e1a42b52708c480fb2f22 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Aug 2024 07:15:56 +0300
Subject: [PATCH 02/10] Bump Azure.Extensions.AspNetCore.DataProtection.Keys in
the azure group (#1284)
---
server/Tingle.Dependabot/Tingle.Dependabot.csproj | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/Tingle.Dependabot/Tingle.Dependabot.csproj b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
index 253418ef..7b8faa01 100644
--- a/server/Tingle.Dependabot/Tingle.Dependabot.csproj
+++ b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
@@ -17,7 +17,7 @@
-
+
From cffb99dc3ec43c6024a0b896dc4a7617f7cf0c9b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Aug 2024 07:16:07 +0300
Subject: [PATCH 03/10] Bump azure-pipelines-task-lib from 4.15.0 to 4.16.0 in
/extension (#1283)
---
extension/package-lock.json | 10 +++++-----
extension/package.json | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/extension/package-lock.json b/extension/package-lock.json
index a3381fae..19f1dbf9 100644
--- a/extension/package-lock.json
+++ b/extension/package-lock.json
@@ -10,7 +10,7 @@
"license": "MIT",
"dependencies": {
"axios": "1.7.3",
- "azure-pipelines-task-lib": "4.15.0",
+ "azure-pipelines-task-lib": "4.16.0",
"js-yaml": "4.1.0"
},
"devDependencies": {
@@ -1311,16 +1311,16 @@
}
},
"node_modules/azure-pipelines-task-lib": {
- "version": "4.15.0",
- "resolved": "https://registry.npmjs.org/azure-pipelines-task-lib/-/azure-pipelines-task-lib-4.15.0.tgz",
- "integrity": "sha512-Y72FjLTE2CAM9KrBXzc6vjelTBCpdYb2NkyFB0hwksTrhA3q8nsF680dofuTeXztQ94UTpkK27hpgSHnqYf5ZA==",
+ "version": "4.16.0",
+ "resolved": "https://registry.npmjs.org/azure-pipelines-task-lib/-/azure-pipelines-task-lib-4.16.0.tgz",
+ "integrity": "sha512-hjyDi5GI1cFmS2o6GzTFPqloeTZBeaTLOjPn/H3CVr0vV/MV+eYoWszVe9kn7XnRSiv22j3p4Rhw/Sy4v1okxA==",
"license": "MIT",
"dependencies": {
"adm-zip": "^0.5.10",
"minimatch": "3.0.5",
"nodejs-file-downloader": "^4.11.1",
"q": "^1.5.1",
- "semver": "^5.1.0",
+ "semver": "^5.7.2",
"shelljs": "^0.8.5",
"uuid": "^3.0.1"
}
diff --git a/extension/package.json b/extension/package.json
index 81e386d5..2b3169c6 100644
--- a/extension/package.json
+++ b/extension/package.json
@@ -26,7 +26,7 @@
"homepage": "https://github.com/tinglesoftware/dependabot-azure-devops#readme",
"dependencies": {
"axios": "1.7.3",
- "azure-pipelines-task-lib": "4.15.0",
+ "azure-pipelines-task-lib": "4.16.0",
"js-yaml": "4.1.0"
},
"devDependencies": {
From 2b3b3db868e2fba8e6de843b3bcd35d3344bf192 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Aug 2024 04:17:18 +0000
Subject: [PATCH 04/10] Bump @types/node in /extension in the js-ts-types group
(#1281)
---
extension/package-lock.json | 16 ++++++++--------
extension/package.json | 2 +-
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/extension/package-lock.json b/extension/package-lock.json
index 19f1dbf9..47376745 100644
--- a/extension/package-lock.json
+++ b/extension/package-lock.json
@@ -16,7 +16,7 @@
"devDependencies": {
"@types/jest": "29.5.12",
"@types/js-yaml": "4.0.9",
- "@types/node": "22.2.0",
+ "@types/node": "22.4.0",
"@types/q": "1.5.8",
"jest": "29.7.0",
"ts-jest": "29.2.4",
@@ -1145,13 +1145,13 @@
"dev": true
},
"node_modules/@types/node": {
- "version": "22.2.0",
- "resolved": "https://registry.npmjs.org/@types/node/-/node-22.2.0.tgz",
- "integrity": "sha512-bm6EG6/pCpkxDf/0gDNDdtDILMOHgaQBVOJGdwsqClnxA3xL6jtMv76rLBc006RVMWbmaf0xbmom4Z/5o2nRkQ==",
+ "version": "22.4.0",
+ "resolved": "https://registry.npmjs.org/@types/node/-/node-22.4.0.tgz",
+ "integrity": "sha512-49AbMDwYUz7EXxKU/r7mXOsxwFr4BYbvB7tWYxVuLdb2ibd30ijjXINSMAHiEEZk5PCRBmW1gUeisn2VMKt3cQ==",
"dev": true,
"license": "MIT",
"dependencies": {
- "undici-types": "~6.13.0"
+ "undici-types": "~6.19.2"
}
},
"node_modules/@types/q": {
@@ -3926,9 +3926,9 @@
}
},
"node_modules/undici-types": {
- "version": "6.13.0",
- "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.13.0.tgz",
- "integrity": "sha512-xtFJHudx8S2DSoujjMd1WeWvn7KKWFRESZTMeL1RptAYERu29D6jphMjjY+vn96jvN3kVPDNxU/E13VTaXj6jg==",
+ "version": "6.19.6",
+ "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.6.tgz",
+ "integrity": "sha512-e/vggGopEfTKSvj4ihnOLTsqhrKRN3LeO6qSN/GxohhuRv8qH9bNQ4B8W7e/vFL+0XTnmHPB4/kegunZGA4Org==",
"dev": true,
"license": "MIT"
},
diff --git a/extension/package.json b/extension/package.json
index 2b3169c6..5777a486 100644
--- a/extension/package.json
+++ b/extension/package.json
@@ -32,7 +32,7 @@
"devDependencies": {
"@types/jest": "29.5.12",
"@types/js-yaml": "4.0.9",
- "@types/node": "22.2.0",
+ "@types/node": "22.4.0",
"@types/q": "1.5.8",
"jest": "29.7.0",
"ts-jest": "29.2.4",
From 5b2951c1253b2420f441353be047fa4eee427c33 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Aug 2024 07:18:18 +0300
Subject: [PATCH 05/10] Bump the tingle group with 3 updates (#1287)
---
server/Tingle.Dependabot/Tingle.Dependabot.csproj | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/server/Tingle.Dependabot/Tingle.Dependabot.csproj b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
index 7b8faa01..7861a3c9 100644
--- a/server/Tingle.Dependabot/Tingle.Dependabot.csproj
+++ b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
@@ -36,9 +36,9 @@
-
-
-
+
+
+
From 572a49f9ce153f5240e5886a1897aa8b1408df0b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Aug 2024 04:19:08 +0000
Subject: [PATCH 06/10] Bump axios from 1.7.3 to 1.7.4 in /extension (#1282)
---
extension/package-lock.json | 8 ++++----
extension/package.json | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/extension/package-lock.json b/extension/package-lock.json
index 47376745..08b996fb 100644
--- a/extension/package-lock.json
+++ b/extension/package-lock.json
@@ -9,7 +9,7 @@
"version": "1.0.0",
"license": "MIT",
"dependencies": {
- "axios": "1.7.3",
+ "axios": "1.7.4",
"azure-pipelines-task-lib": "4.16.0",
"js-yaml": "4.1.0"
},
@@ -1300,9 +1300,9 @@
"integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q=="
},
"node_modules/axios": {
- "version": "1.7.3",
- "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.3.tgz",
- "integrity": "sha512-Ar7ND9pU99eJ9GpoGQKhKf58GpUOgnzuaB7ueNQ5BMi0p+LZ5oaEnfF999fAArcTIBwXTCHAmGcHOZJaWPq9Nw==",
+ "version": "1.7.4",
+ "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.4.tgz",
+ "integrity": "sha512-DukmaFRnY6AzAALSH4J2M3k6PkaC+MfaAGdEERRWcC9q3/TWQwLpHR8ZRLKTdQ3aBDL64EdluRDjJqKw+BPZEw==",
"license": "MIT",
"dependencies": {
"follow-redirects": "^1.15.6",
diff --git a/extension/package.json b/extension/package.json
index 5777a486..d772eb84 100644
--- a/extension/package.json
+++ b/extension/package.json
@@ -25,7 +25,7 @@
},
"homepage": "https://github.com/tinglesoftware/dependabot-azure-devops#readme",
"dependencies": {
- "axios": "1.7.3",
+ "axios": "1.7.4",
"azure-pipelines-task-lib": "4.16.0",
"js-yaml": "4.1.0"
},
From 5a2b4298e34193a2707283fa1bd33bc39dac34c0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Aug 2024 07:19:50 +0300
Subject: [PATCH 07/10] Bump the microsoft group with 8 updates (#1286)
---
.../Tingle.Dependabot.Tests.csproj | 4 ++--
server/Tingle.Dependabot/Tingle.Dependabot.csproj | 12 ++++++------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/server/Tingle.Dependabot.Tests/Tingle.Dependabot.Tests.csproj b/server/Tingle.Dependabot.Tests/Tingle.Dependabot.Tests.csproj
index b6bba131..c900f267 100644
--- a/server/Tingle.Dependabot.Tests/Tingle.Dependabot.Tests.csproj
+++ b/server/Tingle.Dependabot.Tests/Tingle.Dependabot.Tests.csproj
@@ -12,8 +12,8 @@
-
-
+
+
diff --git a/server/Tingle.Dependabot/Tingle.Dependabot.csproj b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
index 7861a3c9..2fd9a03c 100644
--- a/server/Tingle.Dependabot/Tingle.Dependabot.csproj
+++ b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
@@ -25,13 +25,13 @@
-
-
-
+
+
+
-
-
+
+
@@ -44,7 +44,7 @@
-
+
From a39610d707dbee2322dabae7c321bfb0846619b4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Aug 2024 04:24:13 +0000
Subject: [PATCH 08/10] Bump Tingle.PeriodicTasks from 1.5.0 to 1.5.1 (#1288)
---
server/Tingle.Dependabot/Tingle.Dependabot.csproj | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/Tingle.Dependabot/Tingle.Dependabot.csproj b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
index 2fd9a03c..6f23dce2 100644
--- a/server/Tingle.Dependabot/Tingle.Dependabot.csproj
+++ b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
@@ -39,7 +39,7 @@
-
+
From 015b452cae189c57fb386ca34f54ffeb869c06e6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 19 Aug 2024 04:25:15 +0000
Subject: [PATCH 09/10] Bump the event-bus group with 2 updates (#1285)
---
server/Tingle.Dependabot/Tingle.Dependabot.csproj | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/Tingle.Dependabot/Tingle.Dependabot.csproj b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
index 6f23dce2..4092ab23 100644
--- a/server/Tingle.Dependabot/Tingle.Dependabot.csproj
+++ b/server/Tingle.Dependabot/Tingle.Dependabot.csproj
@@ -34,8 +34,8 @@
-
-
+
+
From 2b6ad4d1ea2226a49e8ad9a42051c59ea16e9687 Mon Sep 17 00:00:00 2001
From: Rhys Koedijk
Date: Mon, 19 Aug 2024 20:54:17 +1200
Subject: [PATCH 10/10] Sync dependabot-updater with v0.268.0 (#1266)
---
updater/bin/update_script_vnext.rb | 9 +--
.../api_clients/azure_api_client.rb | 4 +-
...te_all_dependencies_synchronous_command.rb | 72 +++++++++++++++----
3 files changed, 60 insertions(+), 25 deletions(-)
diff --git a/updater/bin/update_script_vnext.rb b/updater/bin/update_script_vnext.rb
index 36b10c8e..bfe37c52 100644
--- a/updater/bin/update_script_vnext.rb
+++ b/updater/bin/update_script_vnext.rb
@@ -15,14 +15,7 @@
begin
TingleSoftware::Dependabot::Commands::UpdateAllDependenciesSynchronousCommand.new(
- job: TingleSoftware::Dependabot::Job.new(
- # Override Dependabot updater options (feature flags) required by this job
- experiments: {
- # Required for correctly detecting existing PRs when refreshing group dependency updates.
- # Without this, Dependabot::DependencyGroup.matches_existing_pr? will always return false for group updates.
- "dependency_has_directory" => true
- }
- )
+ job: TingleSoftware::Dependabot::Job.new
).run
rescue ::Dependabot::RunFailure
exit 1
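Review bot: Dropping the `dependency_has_directory` override leaves no record of why it is no longer needed, while the removed comment documented a concrete failure (`matches_existing_pr?` returning false for group updates). If the sync to upstream v0.268.0 made that behaviour the default, a one-line comment at the `Job.new` call such as `# Experiments now follow upstream defaults (v0.268.0+); dependency_has_directory no longer needs overriding` would save the next maintainer re-deriving this; if it did not, the override should stay. I can't confirm the upstream default from this hunk.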
diff --git a/updater/lib/tinglesoftware/dependabot/api_clients/azure_api_client.rb b/updater/lib/tinglesoftware/dependabot/api_clients/azure_api_client.rb
index 3d8748af..041e73cf 100644
--- a/updater/lib/tinglesoftware/dependabot/api_clients/azure_api_client.rb
+++ b/updater/lib/tinglesoftware/dependabot/api_clients/azure_api_client.rb
@@ -426,8 +426,8 @@ def pull_request_updated_dependencies_property_data(dependency_change)
{
"dependency-name" => dep.name,
"dependency-version" => dep.version,
- "directory" => dependency_change.grouped_update? ? dep.directory : nil,
- "dependency-removed" => dep.removed? ? true : nil
+ "dependency-removed" => dep.removed? ? true : nil,
+ "directory" => dep.directory
}.compact
end
if dependency_change.grouped_update?
diff --git a/updater/lib/tinglesoftware/dependabot/commands/update_all_dependencies_synchronous_command.rb b/updater/lib/tinglesoftware/dependabot/commands/update_all_dependencies_synchronous_command.rb
index f3295e59..9687aafc 100644
--- a/updater/lib/tinglesoftware/dependabot/commands/update_all_dependencies_synchronous_command.rb
+++ b/updater/lib/tinglesoftware/dependabot/commands/update_all_dependencies_synchronous_command.rb
@@ -74,29 +74,31 @@ def log_what_we_found
def log_found_dependency_files
::Dependabot.logger.info(
- "Found #{dependency_files.count} #{job.package_manager} dependency reference files:"
+ "Found #{dependency_snapshot.all_dependency_files.count} #{job.package_manager} dependency reference files:"
)
- dependency_files.select.each do |f|
+ dependency_snapshot.all_dependency_files.select.each do |f|
::Dependabot.logger.info(" - #{f.directory}#{File::SEPARATOR}#{f.name}")
end
end
def log_found_dependencies
::Dependabot.logger.info(
- "Found #{dependency_snapshot.dependencies.count(&:top_level?)} top-level dependencies:"
+ "Found #{dependency_snapshot.all_dependencies.count(&:top_level?)} top-level dependencies:"
)
- dependency_snapshot.dependencies.select(&:top_level?).each do |d|
+ dependency_snapshot.all_dependencies.select(&:top_level?).each do |d|
::Dependabot.logger.info(" - #{d.name} (#{d.version}) #{job.vulnerable?(d) ? '(VULNERABLE!)' : ''}")
end
::Dependabot.logger.info(
- "Found #{dependency_snapshot.dependencies.count { |d| !d.top_level? }} transitive dependencies:"
+ "Found #{dependency_snapshot.all_dependencies.count { |d| !d.top_level? }} transitive dependencies:"
)
- dependency_snapshot.dependencies.reject(&:top_level?).each do |d|
+ dependency_snapshot.all_dependencies.reject(&:top_level?).each do |d|
::Dependabot.logger.info(" - #{d.name} (#{d.version}) #{job.vulnerable?(d) ? '(VULNERABLE!)' : ''}")
end
end
def log_found_dependency_groups
+ return unless dependency_snapshot.groups.any?
+
::Dependabot.logger.info(
"Found #{dependency_snapshot.groups.count} dependency group(s):"
)
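Review bot: `dependency_snapshot.all_dependency_files.select.each do |f|` chains a block-less `select` (which only yields an Enumerator) before `each`, so the `select` filters nothing and the line reads as though it does; `dependency_snapshot.all_dependency_files.each do |f|` iterates the same files and says what it means. The same `select.each` pattern appears in the open-pull-requests logger further down this file and could be tidied at the same time.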
@@ -107,6 +109,8 @@ def log_found_dependency_groups
end
def log_found_open_pull_requests
+ return unless job.open_pull_requests.any?
+
::Dependabot.logger.info("Found #{job.open_pull_requests.count} open pull requests(s):")
job.open_pull_requests.select.each do |pr|
::Dependabot.logger.info(" - ##{pr['pullRequestId']}: #{pr['title']}")
@@ -128,7 +132,7 @@ def update_all_existing_pull_requests # rubocop:disable Metrics/PerceivedComplex
# Refocus our job towards updating this single PR, using the CURRENT snapshot of the dependecneis
job.for_pull_request_update(
dependency_group_name: dependency_group_name,
- dependency_names: dependency_snapshot.dependencies
+ dependency_names: dependency_snapshot.all_dependencies
.select { |d| dependency_names.include?(d.name) }
.select { |d| job.allowed_update?(d) }
.map(&:name)
@@ -156,7 +160,7 @@ def update_all_dependencies
end
def dependencies_allowed_to_update
- dependency_snapshot.dependencies.select { |d| job.allowed_update?(d) }
+ dependency_snapshot.all_dependencies.select { |d| job.allowed_update?(d) }
end
def run_updates_for(job)
@@ -222,19 +226,52 @@ def create_file_fetcher(directory: nil)
::Dependabot::FileFetchers.for_package_manager(job.package_manager).new(**args)
end
- def dependency_files
- @dependency_files ||= (job.source.directories || [job.source.directory]).flat_map do |dir|
- ::Dependabot.logger.info(
- "Searching for #{job.package_manager} dependency reference files in '#{dir}', this can take a while..."
- )
+ def dependency_files_for_multi_directories
+ return @dependency_files_for_multi_directories if defined?(@dependency_files_for_multi_directories)
+
+ has_glob = T.let(false, T::Boolean)
+ directories = Dir.chdir(job.repo_contents_path) do
+ job.source.directories.map do |dir|
+ next dir unless glob?(dir)
+
+ has_glob = true
+ dir = dir.delete_prefix("/")
+ Dir.glob(dir, File::FNM_DOTMATCH).select { |d| File.directory?(d) }.map { |d| "/#{d}" }
+ end.flatten
+ end.uniq
+
+ @dependency_files_for_multi_directories = directories.flat_map do |dir|
ff = with_retries { file_fetcher_for_directory(dir) }
- files = ff.files
+
+ begin
+ files = ff.files
+ rescue ::Dependabot::DependencyFileNotFound
+ # skip directories that don't contain manifests if globbing is used
+ next if has_glob
+
+ raise
+ end
+
files
+ end.compact
+
+ if @dependency_files_for_multi_directories.empty?
+ raise ::Dependabot::DependencyFileNotFound, job.source.directories.join(", ")
end
+
+ @dependency_files_for_multi_directories
+ end
+
+ def dependency_files
+ return @dependency_files if defined?(@dependency_files)
+
+ @dependency_files = with_retries { file_fetcher.files }
+ @dependency_files
end
def base64_dependency_files
- dependency_files.map do |file|
+ files = job.source.directories ? dependency_files_for_multi_directories : dependency_files
+ files.map do |file|
base64_file = file.dup
base64_file.content = Base64.encode64(file.content) unless file.binary?
base64_file
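Review bot: `has_glob` is one flag for the whole directory list, so once any entry of `job.source.directories` is a glob, the `rescue ::Dependabot::DependencyFileNotFound` also swallows the error for explicitly listed, non-glob directories that have no manifest — a typo in a literal path would then be silently skipped instead of raised. Tracking the origin per directory avoids that; the rewrite below pairs each resolved directory with a `from_glob` flag and keeps the empty-result raise unchanged. Separately, `File::FNM_DOTMATCH` makes `*` match hidden directories such as `.git`, each of which costs a fetch before being rejected, so an explicit filter on that name is worth considering if it shows up in run times. Patterns containing `..` are not rejected here; whether `file_fetcher_for_directory` constrains paths to the repository I can't tell from this hunk.
```ruby
    def dependency_files_for_multi_directories
      return @dependency_files_for_multi_directories if defined?(@dependency_files_for_multi_directories)

      # Pair each resolved directory with whether it came from a glob, so a
      # missing manifest is only tolerated for glob-expanded directories.
      directories = Dir.chdir(job.repo_contents_path) do
        job.source.directories.flat_map do |dir|
          next [[dir, false]] unless glob?(dir)

          pattern = dir.delete_prefix("/")
          Dir.glob(pattern, File::FNM_DOTMATCH)
             .select { |d| File.directory?(d) }
             .map { |d| ["/#{d}", true] }
        end
      end.uniq(&:first)

      @dependency_files_for_multi_directories = directories.flat_map do |dir, from_glob|
        ff = with_retries { file_fetcher_for_directory(dir) }

        begin
          ff.files
        rescue ::Dependabot::DependencyFileNotFound
          # Only a glob-expanded directory may legitimately lack a manifest.
          next if from_glob

          raise
        end
      end.compact

      # … unchanged: empty-result raise and memoised return …
    end
```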
@@ -251,6 +288,11 @@ def with_retries(max_retries: 2)
raise
end
end
+
+ def glob?(directory)
+ # We could tighten this up, but it's probably close enough.
+ directory.include?("*") || directory.include?("?") || (directory.include?("[") && directory.include?("]"))
+ end
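Review bot: `glob?` does not recognise brace alternation, which `Dir.glob` does expand, so a directory such as `/{src,lib}` is treated as a literal path here and handed straight to `file_fetcher_for_directory`, where it would fail rather than expand. If brace patterns are meant to work, `directory.match?(/[*?{]|\[.*\]/)` covers them in one expression; if not, the "close enough" comment should say braces are intentionally unsupported so the behaviour is documented rather than accidental. The enclosing class closes in this hunk, so no further glob handling exists below it.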
end
end
end