
Add parsing of MSBuild SDK dependencies (NuGet) #2849

Merged (10 commits) on Nov 16, 2021

Conversation

@Zastai (Contributor) commented Dec 12, 2020

This adds the three ways to specify an MSBuild SDK reference inside a project file, including test cases for each (parsing and updating).

Intended to fix #2839

Note: I'm new to Ruby, but do have access to the JetBrains IDEs, which have helped. So please forgive novice code issues.

This adds the three ways to specify an MSBuild SDK reference inside a
project file, including test cases for each.
This should cover all three forms and complete #2839.
Tests are included.

For the specification in the Sdk attribute of the Project element,
this results in replacements like "Foo.Bar/1.1.1" -> "Foo.Bar/1.2.3".
These are short/generic enough to have the potential for false
positives. Perhaps this case needs to be handled at the file_updater
level instead, so that it can register a change of
'Sdk="Number.One/1.0.0;Number.Two/1.0.0"' to
'Sdk="Number.One/1.1.1;Number.Two/2.2.2"' in one go.
@Zastai Zastai marked this pull request as ready for review December 13, 2020 01:15
@Zastai Zastai requested a review from a team as a code owner December 13, 2020 01:15
@Zastai (Contributor, Author) commented Dec 13, 2020

Hmm - looks like I missed that while the actual tests pass, the coverage is complaining about a 0.02% drop.
Will see what I can do about that.

@Zastai (Contributor, Author) commented Dec 13, 2020

Not a lot, it seems. Well, I could remove two existing-but-unused methods (declaration_nodes in the two finders), but that has nothing to do with what this PR is about, so seems like the wrong way to go.

@Zastai (Contributor, Author) commented Jan 21, 2021

Would be nice to get some feedback on this...

@jurre (Member) commented Jan 29, 2021

Thanks for doing this work @Zastai, I'll try to make some time next week to thoroughly review this and get a bit more familiar with MSBuild SDK references. Just wanted to let you know that we appreciate the contribution.

@jurre jurre self-assigned this Jan 31, 2021
@japj commented Feb 5, 2021

Hello, great to see this (I recently “discovered” dependabot).
We have been building our own MSBuild Sdk for a while now and we actually use a different way to specify the sdk version (that is documented in the link you provided https://docs.microsoft.com/en-us/visualstudio/msbuild/how-to-use-project-sdk)

The global.json can have an msbuild-sdks section that can be modified to “upgrade” the sdk for all csproj files that use that sdk:

{
    "msbuild-sdks": {
        "My.Custom.Sdk": "5.0.0",
        "My.Other.Sdk": "1.0.0-beta"
    }
}

so in that case, just modifying the global.json is enough.
Could you perhaps add that behavior to this PR?

@japj commented Feb 5, 2021

Sorry, I just read #2839 where you mention that global.json support is already in?

@Zastai (Contributor, Author) commented Feb 5, 2021

That was the plan - but then I found that global.json already had that behaviour:

project_sdks = parsed_global_json.fetch("msbuild-sdks", {})

@Zastai (Contributor, Author) commented Apr 17, 2021

@jurre Any update?

@Zastai (Contributor, Author) commented Aug 13, 2021

@jurre
It has now been 8 months since I created this PR. Would be nice to get this properly reviewed.

@Zastai (Contributor, Author) commented Nov 11, 2021

We're rapidly approaching this PR's one year anniversary...
Any chance of a review, @jurre?

@jurre (Member) left a review comment


Overall these changes look good, I have made some mostly superficial suggestions regarding readability and rubyisms.

I am not super familiar with how the newly added functionality is typically used in NuGet so I'm having somewhat of a hard time reviewing for correctness.

I think @xlgmokha has some more experience on this so I would love to get his eyes on this as well.

Do you happen to have a sample project I could test this end-to-end on?

Apologies for the slow response on this on my part, it definitely fell through the cracks a couple of times and going to try to land this ASAP.

Comment on lines 162 to 163
declaring_file.content.scan(regex).each do |string|
xml = string
Member:

Suggested change: replace
declaring_file.content.scan(regex).each do |string|
xml = string
with
declaring_file.content.scan(regex).each do |xml|

Contributor Author:

Applied

Contributor Author:

Actually, I'm having to revert this - string needs to be used unchanged afterwards, while xml potentially gets modified.

Member:

fwiw string will also get modified:

irb(main):004:0> string = "foo"
irb(main):005:0> xml = string
irb(main):006:0> xml << "x"
=> "foox"
irb(main):007:0> string
=> "foox"

Contributor Author:

It would if I used <<, but I use xml += and it's my understanding that that creates a new string.

Member:

Ah that's correct, but looking at the code we never refer to string after xml is changed, at least not now that the code is extracted to parse_element. Anyway, it's not really important I guess

Contributor Author:

We do in sdk_strings: strings << string; that's why parse_element() retains the +=.

@Zastai (Contributor, Author) commented Nov 11, 2021

I should be able to make a recipe for setting up an otherwise-empty project with each form of reference, if that suits.
All it would need is an installed .NET SDK (or .NET Core SDK).

This also reverts a previous incorrect change.
With this, rubocop is happy and the tests still pass.
@Zastai (Contributor, Author) commented Nov 11, 2021

I think I addressed all your remarks, @jurre.

Sample projects are present as fixtures, but in order to set up a repo for "real" testing, here are the recipes.

Recipes

Each recipe starts from an empty directory and sets up a dependency on an old version of an SDK package I maintain (MetaBrainz.Build.Sdk).
Dependabot should suggest an update for it.

A. Using global.json (already supported by dependabot)

  1. Create a .csproj file (name can be chosen freely) containing
    <Project Sdk="MetaBrainz.Build.Sdk">
    </Project>
    
  2. Create a global.json file containing
    {
      "msbuild-sdks": {
        "MetaBrainz.Build.Sdk" : "1.0.0"
      }
    }
    

B. Using a version specifier in the Project tag (1)

  1. Create a .csproj file (name can be chosen freely) containing
    <Project Sdk="MetaBrainz.Build.Sdk/1.0.0">
    </Project>
    

C. Using a version specifier in the Project tag (2)

This is the same case as B, but it checks for support for multiple SDK specifications.

  1. Create a .csproj file (name can be chosen freely) containing
    <Project Sdk="Microsoft.NET.Sdk;MetaBrainz.Build.Sdk/1.0.0">
    </Project>
    

D. Using an Sdk tag

  1. Create a .csproj file (name can be chosen freely) containing
    <Project>
    
      <Sdk Name="MetaBrainz.Build.Sdk" Version="1.0.0" />
    
    </Project>
    

E. Using an Sdk attribute on an Import tag

  1. Create a .csproj file (name can be chosen freely) containing
    <Project>
    
      <Import Sdk="MetaBrainz.Build.Sdk" Project="Defaults.props" Version="1.0.0" />
      <Import Project="CSharp.props" Version="1.0.0" Sdk="MetaBrainz.Build.Sdk" />
    
      <Target Name="Dummy" />
    
    </Project>
    

@Zastai (Contributor, Author) commented Nov 15, 2021

Bit confused that tests are failing on a part of Dependabot not touched by this PR (it tries to use pandoc which is not installed).
Is CI broken on main/master or something?

@jurre (Member) commented Nov 15, 2021

Bit confused that tests are failing on a part of Dependabot not touched by this PR (it tries to use pandoc which is not installed). Is CI broken on main/master or something?

I don't see these failures you're referring to (maybe they were fixed after a retry). I do see a few linting errors for nuget that we'll need to address, and there are a few test suites that are unfortunately sometimes flaky, if a suite other than nuget fails in this PR I can retry/fix it on main though.

@Zastai (Contributor, Author) commented Nov 15, 2021

That's strange; I don't see it now either - only a style check. I'll push an update for that to see if that fixes the checks.

@Zastai (Contributor, Author) commented Nov 15, 2021

Ah I see it now. I updated my fork, and it looks like that updated the CI workflow to include a scheduled run, which triggered and failed. Looks like I had best disable Actions on my fork.

@xlgmokha (Contributor) commented, quoting the review above:

I think @xlgmokha has some more experience on this so I would love to get his eyes on this as well.

LGTM. I'm not sure where/why pandoc is used but I'll take a peek. Otherwise... :shipit:

@xlgmokha (Contributor) commented

It looks like a new version of pandoc-ruby was released recently that includes a change in behaviour that is triggering a failure in the test suite. This repo doesn't seem to include a version controlled Gemfile.lock so the resolved version changed and caused this failure. I'll try to get this fixed up in the main branch so that we can get these changes released.

xlgmokha added a commit that referenced this pull request Nov 15, 2021
A new version of [pandoc-ruby](https://rubygems.org/gems/pandoc-ruby/versions/2.1.5) was recently released
that changes the behaviour of how the `pandoc` executable is invoked.
[src](xwmx/pandoc-ruby@2.1.4...2.1.5).

/cc #2849
@xlgmokha (Contributor) commented

I'm working on a fix in #4412 that should restore the common build to a healthier state. Unfortunately, that means we'll need to update this branch which is something I don't have access to do.
@Zastai Do you mind pulling in the latest when #4412 is merged? I'll take care of the rest.

@Zastai (Contributor, Author) commented Nov 15, 2021

Yeah, no worries - ping me here when it lands and I'll pull in main.

@Zastai (Contributor, Author) commented Nov 16, 2021

@xlgmokha Main merged; hopefully that will allow all the checks to pass.

Comment on parse_element in the diff:
def parse_element(string, name)
xml = string
xml += "</#{name}>" unless string.end_with?("/>")
Contributor:

question: could this be abused by an XML injection attack?

Contributor Author:

I do not know. It has been a long time since I created the PR, but I think I copied what was already there for other processing (like PackageReference).
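The question above asks whether appending a closing tag to a regex-scanned fragment could be abused, and the answer on the thread is "I do not know". The check a reviewer would want, rather than a guess, is to hand the assembled fragment to a real XML parser and accept it only if it is exactly one leaf element of the expected name. The following is an added example, not code from the PR or from Dependabot: parse_element is copied from the diff lines above, safe_element and sdk_reference_from are mine, and the fragments exercised below are constructed.

```ruby
require "rexml/document"

# parse_element as it appears in the diff above: a regex-scanned <Sdk ...> or
# <Import ...> string gets a closing tag appended unless it is self-closing.
# It uses += so the scanned `string` itself is never mutated.
def parse_element(string, name)
  xml = string
  xml += "</#{name}>" unless string.end_with?("/>")
  xml
end

# Added check: accept the fragment only if it parses as exactly one element
# with the expected name and no element children (every SDK reference form is
# a leaf element). Anything else is treated as a bad match, not as data.
def safe_element(string, name)
  doc = REXML::Document.new(parse_element(string, name))
  return nil unless doc.elements.size == 1

  el = doc.root
  return nil unless el.name == name && el.elements.empty?

  el
rescue REXML::ParseException, RuntimeError
  # Malformed fragment: mismatched or missing end tags, stray text, etc.
  nil
end

# The [name, version] pair for an accepted fragment, or nil when rejected.
# <Sdk> carries the package name in Name, <Import> carries it in Sdk.
def sdk_reference_from(string, name)
  el = safe_element(string, name)
  return nil unless el

  key = name == "Sdk" ? "Name" : "Sdk"
  [el.attributes[key], el.attributes["Version"]]
end
```

A fragment that the scan regex cut in the wrong place (a mismatched end tag, or a second element swallowed into the match) comes back as nil instead of being processed, so the caller can log and skip it rather than feed it to the updater.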

@xlgmokha xlgmokha merged commit aab1321 into dependabot:main Nov 16, 2021
@xlgmokha (Contributor) commented

Thank you for your contribution @Zastai.

@Zastai Zastai deleted the msbuild-sdk-references branch November 16, 2021 12:41
@landongrindheim landongrindheim mentioned this pull request Nov 16, 2021
AlekhyaYalla added a commit to GiriB/dependabot-core that referenced this pull request Nov 29, 2021
* v0.162.0

* handle support files with dir macro in umbrellas

* bin/dry-run.rb exits outside a developer shell

* Update README

* Prefer checking user over touching a file

* Support basic Kotlin apply, add tests

* Escape paths passed to VendorUpdater

Paths in packages could be constructed to perform commands; when not
properly escaped, those could be executed.

```
(byebug) `file -b --mime-encoding t&&[email protected]&&.go`
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to 0.0.0.0 port 80: Connection refused
"cannot open `t' (No such file or directory)\n"
```

```
(byebug) `#{Dependabot::SharedHelpers.escape_command("file -b --mime-encoding t&&[email protected]&&.go")}`
"cannot open `t&&[email protected]&&.go' (No such file or directory)\n"
```

* Bump golang from 1.17 to 1.17.1

* build(deps): bump github.com/dependabot/gomodules-extracted

Bumps [github.com/dependabot/gomodules-extracted](https://github.com/dependabot/gomodules-extracted) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/dependabot/gomodules-extracted/releases)
- [Commits](dependabot/gomodules-extracted@v1.4.1...v1.4.2)

---
updated-dependencies:
- dependency-name: github.com/dependabot/gomodules-extracted
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* fix  `labels': Unsupported provider bitbucket

Bitbucket doesn't yet support PR labels.
dependabot threw this issue whenever I tried to use it with bitbucket
labeler.rb:241:in `labels': Unsupported provider bitbucket (RuntimeError)

* Fix minor typos in changelog

* v0.162.1

* Support Gradle files with no top level build.gradle file

* Treat tokens after underscore as numeric if possible

* Simplify string processing

* Ignore replaced dependencies

* v0.162.2

* Add support for gradlePluginPortal()

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.0.6 to 27.2.4.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/main/CHANGELOG.md)
- [Commits](jestjs/jest@v27.0.6...v27.2.4)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Handle .tar path dependency

* Fix indentation

* build(deps): bump composer/composer in /composer/helpers/v1

Bumps [composer/composer](https://github.com/composer/composer) from 1.10.22 to 1.10.23.
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/master/CHANGELOG.md)
- [Commits](composer/composer@1.10.22...1.10.23)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 2.8.0 to 3.0.0.
- [Release notes](https://github.com/npm/arborist/releases)
- [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
- [Commits](npm/arborist@v2.8.0...v3.0.0)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump friendsofphp/php-cs-fixer in /composer/helpers/v2

Bumps [friendsofphp/php-cs-fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer) from 3.0.0 to 3.2.1.
- [Release notes](https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases)
- [Changelog](https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v3.2.1/CHANGELOG.md)
- [Commits](PHP-CS-Fixer/PHP-CS-Fixer@v3.0.0...v3.2.1)

---
updated-dependencies:
- dependency-name: friendsofphp/php-cs-fixer
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Add issue template config with Dependabot contact links

* Fix elm tests

The version resolver fetches the latest version from the public
registry, and since we shell out to `elm` for this, it's currently hard
to stub out.

Our test fixture did not have the latest version yet and would cause our
tests to fail.

Ideally we'd rely on both the version_checker and resolver using
the same source that we stub, but unfortunately with the way our tests
are set up makes that hard. Fortunately these don't change often, so I
suggest we live with the pain for now.

* Fix Poetry unreachable git deps error

Since python-poetry/poetry-core#202 poetry now
uses a slightly different (safer) git command, and this caused the
regex matching we do on the error output to now fail.

This fixes up the regex, and just to be safe ensures it'll keep working
with the old version as well.

The test that was failing was:
`python/spec/dependabot/python/update_checker/poetry_version_resolver_spec.rb:179`

* build(deps-dev): bump prettier in /npm_and_yarn/helpers

Bumps [prettier](https://github.com/prettier/prettier) from 2.3.2 to 2.4.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@2.3.2...2.4.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Gradle: Prefer method call over instance variable access in file fetcher

* build(deps): bump poetry from 1.1.7 to 1.1.11 in /python/helpers

Bumps [poetry](https://github.com/python-poetry/poetry) from 1.1.7 to 1.1.11.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/1.1.11/CHANGELOG.md)
- [Commits](python-poetry/poetry@1.1.7...1.1.11)

---
updated-dependencies:
- dependency-name: poetry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump composer/composer in /composer/helpers/v2

Bumps [composer/composer](https://github.com/composer/composer) from 2.1.3 to 2.1.9.
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/master/CHANGELOG.md)
- [Commits](composer/composer@2.1.3...2.1.9)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump pip-tools from 6.2.0 to 6.3.0 in /python/helpers

Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.2.0 to 6.3.0.
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md)
- [Commits](jazzband/pip-tools@6.2.0...6.3.0)

---
updated-dependencies:
- dependency-name: pip-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump wheel from 0.36.2 to 0.37.0 in /python/helpers

Bumps [wheel](https://github.com/pypa/wheel) from 0.36.2 to 0.37.0.
- [Release notes](https://github.com/pypa/wheel/releases)
- [Changelog](https://github.com/pypa/wheel/blob/master/docs/news.rst)
- [Commits](pypa/wheel@0.36.2...0.37.0)

---
updated-dependencies:
- dependency-name: wheel
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.93 to 0.12.99.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Commits](phpstan/phpstan@0.12.93...0.12.99)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump friendsofphp/php-cs-fixer in /composer/helpers/v1

Bumps [friendsofphp/php-cs-fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer) from 2.19.0 to 2.19.2.
- [Release notes](https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases)
- [Changelog](https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/3.0/CHANGELOG.md)
- [Commits](PHP-CS-Fixer/PHP-CS-Fixer@v2.19.0...v2.19.2)

---
updated-dependencies:
- dependency-name: friendsofphp/php-cs-fixer
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* v0.163.0

* remove trailing whitespaces

* Recommend `git reset` when cloning repository on Windows fails

`git restore --source=HEAD :/` which is currently suggested by Git does not work,
it is unable to restore the files, see git-for-windows/git#3411.

* build(deps): bump pip-tools from 6.3.0 to 6.3.1 in /python/helpers

Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.3.0 to 6.3.1.
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md)
- [Commits](jazzband/pip-tools@6.3.0...6.3.1)

---
updated-dependencies:
- dependency-name: pip-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump jest in /npm_and_yarn/helpers

Bumps [jest](https://github.com/facebook/jest) from 27.2.4 to 27.2.5.
- [Release notes](https://github.com/facebook/jest/releases)
- [Changelog](https://github.com/facebook/jest/blob/main/CHANGELOG.md)
- [Commits](jestjs/jest@v27.2.4...v27.2.5)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump pip from 21.1.3 to 21.2.4 in /python/helpers

Bumps [pip](https://github.com/pypa/pip) from 21.1.3 to 21.2.4.
- [Release notes](https://github.com/pypa/pip/releases)
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@21.1.3...21.2.4)

---
updated-dependencies:
- dependency-name: pip
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump flake8 from 3.9.2 to 4.0.0 in /python/helpers

Bumps [flake8](https://github.com/pycqa/flake8) from 3.9.2 to 4.0.0.
- [Release notes](https://github.com/pycqa/flake8/releases)
- [Commits](PyCQA/flake8@3.9.2...4.0.0)

---
updated-dependencies:
- dependency-name: flake8
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps [eslint](https://github.com/eslint/eslint) from 7.32.0 to 8.0.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/master/CHANGELOG.md)
- [Commits](eslint/eslint@v7.32.0...v8.0.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump golang.org/x/mod in /go_modules/helpers

Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.5.0 to 0.5.1.
- [Release notes](https://github.com/golang/mod/releases)
- [Commits](golang/mod@v0.5.0...v0.5.1)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Upgrade OTP to latest minor: 23.3.4.5

* Python: Upgrade pyenv to 2.1.0

This also adds Python 3.10.0, 3.7.12, 3.6.15

* Bump Terraform from 1.0.6 to 1.0.8

https://github.com/hashicorp/terraform/blob/v1.0/CHANGELOG.md#108-september-29-2021

* build(deps): bump pip-tools from 6.3.1 to 6.4.0 in /python/helpers

Bumps [pip-tools](https://github.com/jazzband/pip-tools) from 6.3.1 to 6.4.0.
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/master/CHANGELOG.md)
- [Commits](jazzband/pip-tools@6.3.1...6.4.0)

---
updated-dependencies:
- dependency-name: pip-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump flake8 from 4.0.0 to 4.0.1 in /python/helpers

Bumps [flake8](https://github.com/pycqa/flake8) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/pycqa/flake8/releases)
- [Commits](PyCQA/flake8@4.0.0...4.0.1)

---
updated-dependencies:
- dependency-name: flake8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* update Elixir from 1.12.2 -> 1.12.3

* update erlang solutions from 1.0 to 2.0

* v0.163.1

* Add license to image and gemspec

The dependabot-* gems on rubygems currently have the license set as 'nonstandard' and do not include a license file.

* Add license to gem build directory

* Set license back to Nonstandard

Rubygems only recognizes licenses on the spdx license list, and the Prosperity Public License 2.0.0 is not one of them.

* Allow passing target_project_id to Gitlab pr creator and updater

* Revert "Add license to gem build directory"

This reverts commit 05aa6ee.

* Update specs

Validate target_project_id passed correctly

Fix request expectation

* Move target_project_id to provider_metadata

* Treat GHES hosted sources as github sources

When a dependency is hosted on GHES, previously it was not treated as a
GitHub source, meaning that we would not check for releases/changelogs
etc when requesting Metadata for the PR.

This fixes that, by first parsing the URL, and then making a request to
`<host>/status`, and checking for a `X-GitHub-Request-Id` header, which
we return from GitHub Enterprise Server.

* Revert "v0.163.1"

This reverts commit 2103fbb.

* v0.164.0

* Add TagsCreationForbidden Exception to Azure Client

* Make labeler optional in Azure

* Add labels_required param to PR creator

* Fix indentation

* Ensure we cleanup tmp directories after use

* Only check auth for github.com

* v0.164.1

* feat: specify timeouts per spawned process

* style: fix linter errors

* test: update glass assertions

* test: ensure the proper command is generated

* feat: trap SIGHUP and flush error to stdout

* refactor: collapse multi line conditional

* style: fix linter errors

* refactor: extract class to build shell command

* style: fix linter errors

* fix: ensure min of 1 minute and max of 30 minutes per op

* refactor: make timeout_seconds a private method

* [Gradle] add settings_file to fetched_files

* [Gradle] add settings files to SUPPORTED_BUILD_FILE_NAMES

* [Gradle] update tests

* refactor: use Comparable#clamp

* [Gradle] add tests for FileParser

* [Gradle] fix implementation

* v0.165.0

* Bump to go 1.17.3

There were some minor fixes to the `go` command in 1.17.2/1.17.3... 

I don't think any of them directly affect dependabot, but it
doesn't hurt to bump this and makes it so the next person has a smaller
diff to look at when they consider updating.

* Move composer-not-found fixture from decommissioned dependabot.com

* Ignore errors from Source enterprise check and ignore known failures

We check if a potential Source is GitHub enterprise by making a request
to a `/status` endpoint against the root URL and checking some headers.

We've observed this check failing in some cases when the source is not
enterprise, and we get rate limited, or otherwise the request fails with
an error.

In this case we do not want to block creating a PR, but instead we
should assume the source is not Enterprise.

This also adds a list of known hosts that we come across often that
definitely are not GitHub Enterprise instances, and we ignore those and
don't bother making a request to them.

Co-Authored-By: Barry Gordon <[email protected]>

* Explicitly ignore metadata detection for fuchsia.googlesource.com

We've observed some failures when trying to establish if this might be
a GHES host, since we can be confident it's not, let's not bother
making a request to check.

* v0.166.0

* Apply suggested code tweaks

* Fix variable references

* Refactor code to reduce complexity

This also reverts a previous incorrect change.
With this, rubocop is happy and the tests still pass.

* Improve error handling when `terraform init` fails

We attempt to run `terraform init` once, but when this fails, we still
end up with an unhandled error. Given that there is not much we can do
at this point, communicate that to the user instead, and treat it as a
resolvability error.

At the same time, when `terraform init` fails with an error other than
a private source error, there is no point trying further so we should
raise a resolvability error as well.

* Rescue terraform registry connection errors

* v0.166.1

* Remove labels_required param

* Run YarnUpdate only once for a version requirement

* Fix indent

* Adjust indentation to please rubocop

* fix: remove fixed error message check

A new version of [pandoc-ruby](https://rubygems.org/gems/pandoc-ruby/versions/2.1.5) was recently released
that changes the behaviour of how the `pandoc` executable is invoked.
[src](xwmx/pandoc-ruby@2.1.4...2.1.5).

/cc dependabot#2849

* style: fix linter errors

* Fix

* build(deps-dev): bump friendsofphp/php-cs-fixer in /composer/helpers/v2

Bumps [friendsofphp/php-cs-fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer) from 3.2.1 to 3.3.2.
- [Release notes](https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases)
- [Changelog](https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/v3.3.2/CHANGELOG.md)
- [Commits](PHP-CS-Fixer/PHP-CS-Fixer@v3.2.1...v3.3.2)

---
updated-dependencies:
- dependency-name: friendsofphp/php-cs-fixer
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump friendsofphp/php-cs-fixer in /composer/helpers/v1

Bumps [friendsofphp/php-cs-fixer](https://github.com/FriendsOfPHP/PHP-CS-Fixer) from 2.19.2 to 2.19.3.
- [Release notes](https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases)
- [Changelog](https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/master/CHANGELOG.md)
- [Commits](PHP-CS-Fixer/PHP-CS-Fixer@v2.19.2...v2.19.3)

---
updated-dependencies:
- dependency-name: friendsofphp/php-cs-fixer
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump pipenv from 2021.5.29 to 2021.11.15 in /python/helpers

Bumps [pipenv](https://github.com/pypa/pipenv) from 2021.5.29 to 2021.11.15.
- [Release notes](https://github.com/pypa/pipenv/releases)
- [Changelog](https://github.com/pypa/pipenv/blob/main/CHANGELOG.rst)
- [Commits](pypa/pipenv@v2021.5.29...v2021.11.15)

---
updated-dependencies:
- dependency-name: pipenv
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Maven: Correctly handle nested declarations

We've observed errors around pom files that have a nested `plugin`
section inside an outer plugin declaration.

Previously we used a regex to recursively scan the XML document, which
caused the inner `plugin` declarations closing tag to match the regex,
resulting in an incomplete XML section.

To demonstrate, given the following XML:

```xml
<plugins>
  <plugin>
    <configuration>
      <jvmTarget>11</jvmTarget>
      <compilerPlugins>
        <plugin>spring</plugin>
      </compilerPlugins>
    </configuration>
    <groupId>org.jetbrains.kotlin</groupId>
    <artifactId>kotlin-maven-plugin</artifactId>
    <version>${kotlin.version}</version>
  </plugin>
</plugins>
```

The `<plugin>spring</plugin>` declaration would cause a regex match,
resulting in the required information (the `version` in this case) to be
omitted from the XML snippet.

This is resolved by using Nokogiri to traverse the XML instead of using
regular expressions, and selecting the nodes by name.

Co-authored-by: Landon Grindheim <[email protected]>

* v0.167.0

* Remove the dependabot migration issue template

The Dependabot Preview service was shut down on the 3rd of August 2021,
so our path to migration is now closed and the service has been wrapped
up.

This template format is no longer required; any issues for lapsed users
returning to the integrated Dependabot service should just file a standard
bug report.

* Do not freeze file-based Poetry dependency version

Fixes dependabot#4333

* Polish

* Code formatting

* Remove unnecessary quotes

Co-authored-by: Jurre <[email protected]>

* Fix typo

* Special case URL dependencies, add better positive assertions for file and directory dependencies

* Rename expected files in tests

* Rename file back

* build(deps): bump @npmcli/arborist in /npm_and_yarn/helpers

Bumps [@npmcli/arborist](https://github.com/npm/arborist) from 3.0.0 to 4.0.5.
- [Release notes](https://github.com/npm/arborist/releases)
- [Changelog](https://github.com/npm/arborist/blob/main/CHANGELOG.md)
- [Commits](npm/arborist@v3.0.0...v4.0.5)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v1

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.99 to 1.2.0.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Changelog](https://github.com/phpstan/phpstan/blob/master/CHANGELOG.md)
- [Commits](phpstan/phpstan@0.12.99...1.2.0)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps-dev): bump phpstan/phpstan in /composer/helpers/v2

Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 0.12.93 to 1.2.0.
- [Release notes](https://github.com/phpstan/phpstan/releases)
- [Changelog](https://github.com/phpstan/phpstan/blob/master/CHANGELOG.md)
- [Commits](phpstan/phpstan@0.12.93...1.2.0)

---
updated-dependencies:
- dependency-name: phpstan/phpstan
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Update some pipenv error handling to match latest version

* Add support for custom commit message trailer

* Pass custom git trailers as hash object

* Remove reliance on `PandocRuby`

PandocRuby has been used to convert RestructuredText (rst), a
markdown-like format widely used in the Python ecosystem, to markdown.
We recently noticed new errors surfacing around Pandoc and started to
investigate.  This led to the discovery that Pandoc was not installed in
the Docker container GitHub is using to run Dependabot against
repositories.

I'm opting to remove this dependency as PandocRuby is effectively
unused.

Note: There is the possibility that some users rely on this
functionality. As has been noted in a recent PR-review, non-Docker usage
of dependabot-core is poorly supported, so this seems unlikely.

* Update tests to reflect our not converting rst's

We stopped relying on `PandocRuby` in a previous commit. This test may
be able to go away, but first I'd like to prove that it's no longer
needed.

* Allow providing env to SharedHelpers.run_shell_command

* Switch to go command to find available module versions

* Handle new error message for bad module paths

go list returns a different error message:
go list -m: malformed module path "pkg-errors": missing dot in first path element

* Enable retracted module test

go list -m properly handles retractions so this test is now passing

* Bump latest go-modules-lib to v3. v2 was invalid.

Prior error:
go list -m: loading module retractions for github.com/dependabot-fixtures/go-modules-lib/[email protected]: version "v2.0.0" invalid: go.mod has non-.../v2 module path "github.com/dependabot-fixtures/go-modules-lib" (and .../v2/go.mod does not exist) at revision v2.0.0

* Handle invalid major version errors

* Remove unused go_modules updatechecker native helper

* Fix linter error

Co-authored-by: Jurre <[email protected]>

* Verify for just message code instead of text

* Fix linter issue

Co-authored-by: Jurre <[email protected]>

* build(deps-dev): bump eslint in /npm_and_yarn/helpers

Bumps [eslint](https://github.com/eslint/eslint) from 8.0.0 to 8.3.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v8.0.0...v8.3.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump pip from 21.2.4 to 21.3.1 in /python/helpers

Bumps [pip](https://github.com/pypa/pip) from 21.2.4 to 21.3.1.
- [Release notes](https://github.com/pypa/pip/releases)
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@21.2.4...21.3.1)

---
updated-dependencies:
- dependency-name: pip
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Remove test around updating unneeded transitive dependency

The behavior around this has changed in pipenv, but it does not seem
documented or even expected.

Essentially, this test was doing the following:

- add the transitive dependency to the Pipfile
- run `pipenv lock`
- check the version of the transitive dependency in the lockfile

Previous versions of pipenv would then remove the transitive dependency
from the lockfile, but it is not clear to me why, as it is present in
the Pipfile at that point. My guess is it would keep the top-level
dependencies cached somehow, but I've not been able to find much.

Either way, if transitive dependencies are _actually_ removed (meaning,
not also present in the manifest file), this should still work just
fine. The test setup is at the least confusing and at the worst wrong,
let's remove it.

* Clarify how env vars are passed to shell commands

Co-Authored-By: Mattt Zmuda <[email protected]>
Co-Authored-By: Landon Grindheim <[email protected]>

* Python: Honour `--strip-extras` flag of `pip-compile`

The `--strip-extras` flag of `pip-compile` is useful to generate
constraints files (instead of the more traditional requirements files)
from some `constraints.in` file.

Constraints files can't have extras markers on the packages (this
wouldn't make much sense indeed), hence they need to be stripped. Since
`pip-tools` 6.2.0 this is supported by using the `--strip-extras` flag.

This commit adds this as a 'recognized' flag: if it's found in an
existing `foo.txt` file, it will be passed to `pip-compile` when some
`foo.in` file is updated.

See: dependabot#3974 (comment)
See: dependabot#3974 (comment)
See: jazzband/pip-tools#1300 (comment)

* Use github.com for redirect service

* v0.168.0

* python: Update `GIT_DEPENDENCY_UNREACHABLE_REGEX` for pip 21.3.1

* v0.169.0

* Bump minimum to 1.17

This isn't strictly necessary, but since the rest of the infra bumped to 1.17,
might as well bump it here too. Esp since the `go.mod` behavior changed
a bit in `1.17`... so if more libs get added ever, this makes it so `go.mod`/`go.sum`
will follow the new behavior...

* build(deps): bump pipenv in /python/helpers

Bumps [pipenv](https://github.com/pypa/pipenv) from 2021.11.15 to 2021.11.23.
- [Release notes](https://github.com/pypa/pipenv/releases)
- [Changelog](https://github.com/pypa/pipenv/blob/main/CHANGELOG.rst)
- [Commits](pypa/pipenv@v2021.11.15...v2021.11.23)

---
updated-dependencies:
- dependency-name: pipenv
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Dependabot config: ignore npm lib major version updates

These helpers exist to support npm 6, so we require that specific major version and should not update it.

* Update dependabot.yml

Co-authored-by: mo khan <[email protected]>
Co-authored-by: Jurre <[email protected]>
Co-authored-by: Nish Sinha <[email protected]>
Co-authored-by: nirev <[email protected]>
Co-authored-by: Barry Gordon <[email protected]>
Co-authored-by: Barry Gordon <[email protected]>
Co-authored-by: Zbynek Konecny <[email protected]>
Co-authored-by: Jurre Stender <[email protected]>
Co-authored-by: David McIntosh <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Melad Raouf <[email protected]>
Co-authored-by: Zbynek Konecny <[email protected]>
Co-authored-by: Jeroen Bobbeldijk <[email protected]>
Co-authored-by: AlekhyaYalla <[email protected]>
Co-authored-by: Andrew Bredow <[email protected]>
Co-authored-by: Marcono1234 <[email protected]>
Co-authored-by: Tomás Pinho <[email protected]>
Co-authored-by: Parnassius <[email protected]>
Co-authored-by: Philip Ross <[email protected]>
Co-authored-by: Andrejs Cunskis <[email protected]>
Co-authored-by: anatawa12 <[email protected]>
Co-authored-by: Jeff Widman <[email protected]>
Co-authored-by: Tim Van Holder <[email protected]>
Co-authored-by: Landon Grindheim <[email protected]>
Co-authored-by: Landon Grindheim <[email protected]>
Co-authored-by: Phillip Verheyden <[email protected]>
Co-authored-by: Mattt Zmuda <[email protected]>
Co-authored-by: Nicolas Trangez <[email protected]>
Co-authored-by: Lane Seppala <[email protected]>
Co-authored-by: Lane Seppala <[email protected]>
Co-authored-by: Andy Freeland <[email protected]>
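The "Maven: Correctly handle nested declarations" commit above describes why a regex that scans for `<plugin>...</plugin>` truncates at the inner `<plugin>spring</plugin>` and loses the `version`. The following is an added example, not dependabot-core's own code, that reproduces the failure and shows the parser-based fix. It uses Ruby's bundled REXML rather than Nokogiri so it runs without extra gems; the same XPath (`//plugins/plugin`) works unchanged with `Nokogiri::XML(xml).xpath(...)`. The pom fragment is constructed for the example.

```ruby
# Added example (not dependabot-core's code): a regex-based scan of a Maven
# pom versus selecting <plugin> elements by name with an XML parser.
require "rexml/document"

# Constructed sample: the inner <plugin>spring</plugin> is a compiler-plugin
# *name* inside <compilerPlugins>, not a plugin declaration.
SAMPLE_POM = <<~XML
  <project>
    <build>
      <plugins>
        <plugin>
          <configuration>
            <jvmTarget>11</jvmTarget>
            <compilerPlugins>
              <plugin>spring</plugin>
            </compilerPlugins>
          </configuration>
          <groupId>org.jetbrains.kotlin</groupId>
          <artifactId>kotlin-maven-plugin</artifactId>
          <version>${kotlin.version}</version>
        </plugin>
      </plugins>
    </build>
  </project>
XML

# Naive approach: a non-greedy regex stops at the first </plugin> it meets,
# which is the inner one, so the captured snippet ends before <version>.
def plugin_snippets_via_regex(xml)
  xml.scan(%r{<plugin>(.*?)</plugin>}m).flatten
end

# Parser approach: only <plugin> elements whose parent is <plugins> are
# declarations; the nested one under <compilerPlugins> is never selected,
# and the full element (including <version>) is available for inspection.
def plugin_declarations(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//plugins/plugin").map do |node|
    {
      group_id:    REXML::XPath.first(node, "groupId")&.text,
      artifact_id: REXML::XPath.first(node, "artifactId")&.text,
      version:     REXML::XPath.first(node, "version")&.text
    }
  end
end

if $PROGRAM_NAME == __FILE__
  puts "regex snippet contains <version>? " \
       "#{plugin_snippets_via_regex(SAMPLE_POM).first.include?('<version>')}"
  p plugin_declarations(SAMPLE_POM)
end
```

The general lesson is the one the commit draws: for a nesting format like XML, a regex cannot track element depth, so any manifest parser that feeds version strings into an update should walk the parsed tree and select by element name and position rather than by textual pattern.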
Labels: None yet
Projects: None yet
Development: Successfully merging this pull request may close these issues: Support MSBuild SDK packages specified in csproj
4 participants