Warning
🚧 Work in progress; dependabot@V2 is still under development and this document may change without notice up until general availability (GA).
V2 is a complete re-write of the Dependabot task; It aims to:
- Resolve the numerous private feed/registry authentication issues that currently exist in V1;
- More closely align the update logic with the GitHub-hosted Dependabot service;
The task now uses Dependabot CLI to perform dependency updates, which is the [currently] recommended approach for running Dependabot. See extension task architecture for more details on the technical changes and impact to the update process.
Warning
It is strongly recommended that you complete (or abandon) all active Depedabot pull requests created in V1 before migrating to V2. Due to changes in Dependabot dependency metadata, V2 pull requests are not compatible with V1 (and vice versa). Migrating to V2 before completing existing pull requests will lead to duplication of pull requests.
Security-only updates (i.e. open-pull-requests-limit: 0) incur a slight performance overhead due to limitations in Dependabot CLI, detailed in dependabot/cli#360. To work around this, vulnerable dependencies will first be discovered using an "ignore everything" update job; After which, security advisories for the discovered dependencies will be checked against the GitHub Advisory Database before finally performing the requested security-only update job.
Currently the securityAdvisoriesFile task input is not supported, but is expected to be supported in the near future.
Dependabot CLI requires Go (1.22+) and Docker (with Linux containers). If you use Microsoft-hosted agents, we recommend using the ubuntu-latest image, which meets all task requirements. For self-hosted agents, you will need to install Go 1.22+.
Renamed to match Dependabot Core/CLI terminology. The input value remains unchanged. See configuring experiments for more details.
Due to the design of Dependabot CLI, the update process can no longer be interrupted once the update has started. Because of this, the update will now continue on error and summarise all error at the end of the update process.
This was a customisation/workaround specific to the V1 update script that can no longer be implemented with Dependabot CLI as it is not an official configuration option.
This is no longer required as the [custom] Dependabot Updater image is no longer used.
Due to the containerised design of Dependabot CLI, environment variables can no longer be passed from the task to the updater process. All Dependabot config must now set via dependabot.yaml or as task inputs. See changes to environment variables below for more details.
The following environment variables are now configured using pipeline system variables:
| Environment Variable | → | Pipeline Variable |
|---|---|---|
DEPENDABOT_DEBUG |
→ | System.Debug |
The following environment variables are now configured using task inputs:
| Environment Variable | → | Task Input |
|---|---|---|
DEPENDABOT_AUTHOR_EMAIL |
→ | authorEmail |
DEPENDABOT_AUTHOR_NAME |
→ | authorName |
DEPENDABOT_UPDATER_OPTIONS |
→ | experiments |
The following environment variables have been removed entirely; the feature is no longer supported:
| Removed Environment Variable | Reason |
|---|---|
DEPENDABOT_PR_NAME_PREFIX_STYLE |
Feature is not supported; It is not an official configuration |
DEPENDABOT_COMPATIBILITY_SCORE_BADGE |
Feature is not supported; It is not an official configuration |
DEPENDABOT_MESSAGE_HEADER |
Feature is not supported; It is not an official configuration |
DEPENDABOT_MESSAGE_FOOTER |
Feature is not supported; It is not an official configuration |
DEPENDABOT_SIGNATURE_KEY |
Feature is not supported; It is not an official configuration |
DEPENDABOT_JOB_ID |
Set automatically by extension |
Before removing the preview flag from V2 task.json, we need to:
- Add "superseded by X" close reason when PR is closed during a PR update
- Add documentation for required permissions and PAT scopes
- Add support for 'securityAdvisoriesFile' task input
- Add unit tests for V2 utils scripts
- General code tidy-up (check all "TODO" comments)
- Investigate https://zod.dev/