- JS: Ignore empty files in FileUpdater
- JS: Handle workspace names more robustly
- JS: Support Yarn workspaces
- JS: Fetch and parse workspace package.json files (awaiting FileUpdater change)
- MetadataFinders: Strip out # characters from source URLs
- JS: Sanitize any variables in a package.json before parsing/updating
- Ruby: handle yet more private gem repo failure cases
- Ruby: handle more private gem repo failure cases
- Python: Ignore errors when parsing setup.py (temporary)
- Handle bad GitHub source data links in GitCommitChecker
- Python: Handle setup.py calls better
- Case insensitive Ruby version replacement
- Add support for passing a target branch to create PRs against
- Python: more setup.py handling
- Fix typo
- Handle Python setup.py files that use codec.open
- Attempt to handle setup.py files that include an "open" line
- Sanitize Python requirement branch names
- Handle Python range requirements
- Handle Python requirements that specify a prefix-match
- Handle setup.py files that include a print statement
- Retry Docker timeouts
- Add support for Python libraries (i.e., repos with a setup.py)
- Make repo a required argument to FileParsers
- Ignore custom names for submodule dependencies
- Handle relative URLs for git submodules
- Handle missing Ruby private dependencies
- Allow Rubygems 2.6.13 for now (since Heroku uses it)
- Add homepage links for Python and JavaScript
- Remove Rubygems monkeypatch in favour of required rubygems version
- Require Bundler 1.16.0
- Link to Ruby dependency homepage if source code can't be found
- Refactor GitHub specific logic out of PullRequestCreator
- Add npm require line to FileUpdaters
- Alpha support for npm
- Treat Ruby dependencies which explicitly specify the default source the same as ones that do so implicitly during file parsing
- Pick up files called `release` when looking for changelogs
- Handle date-like versions in Dockerfile
- Only update Dockerfile version to pre-release if currently using one
- Better handling of Python dependencies that specify a minor version
- Set private repo config properly in Ruby::Bundler::UpdateCheckers
- Add support for Dockerfiles versions with a suffix (e.g., 2.4.2-slim)
- Look up Python URLs from PyPI description if necessary
- Handle absolute paths in Ruby Gemfiles
- Add temporary ignore for private npm organisation hosted dependencies in UpdateChecker. Once we support passing credentials we'll be able to bump these, but for now we just suppress them
- Support private docker registries that use digests
- Link to changelog for Ruby git dependencies where the ref is bumped
- Support updating docker images hosted on a private registry
- Docker registry regex now excludes trailing slash
- Require private Docker registries to specify a port
- BREAKING: Require an array of `credentials` to be passed for FileUpdaters and UpdateCheckers, rather than a `github_access_token`.
- Add support for Dockerfiles that specify a digest
- Spec that docker support works when multiple FROM lines are specified
- Bump yarn-lib from 1.1.0 to 1.2.0
- Use monkeypatch for CVE-2017-0903 rather than requiring specific Rubygems version (since Heroku doesn't yet support 2.6.14)
- Filter out private JS dependencies during parsing
- Require Rubygems version 2.6.14 to ensure safety from CVE-2017-0903
- Check new git version is resolvable when updating Ruby git tags
- Handle git:// URLs in GitCommitChecker
- Raise a PrivateSourceNotReachable error for private Docker registries
- Fix bad require line for FileFetchers
- Add support of Dockerfiles
- Refactor GitCommitChecker and use it for update-checking submodules
- Better pull request versions when upgrading a tag
- Handle non-GitHub URLs in GitCommitChecker#local_tag_for_version
- Robust handling of quote characters for Ruby::Bundler::GitPinReplacer
- Use GitCommitChecker for fetching the latest commit on a branch (speedup)
- Support bumping Ruby git dependencies that are tagged to a version-like tag
- Don't sanitize Python requirement names during parsing. Was causing errors at the FileUpdater stage (since the name no longer matched the declaration).
- Add error handling for ChildGemfileFinder path evaluation
- Add support for eval_gemfile to Ruby
- Use Excon automatic retries when making get requests. Should considerably reduce timeout errors from NPM, PyPI, etc.
- More robust handling of Ruby dependencies with a git source (handle errors that occur from attempting to remove the git source)
- Don't update Ruby gemfiles which specify their version using a function
- Change: Transition Ruby git sources to Rubygems releases when a branch is specified and its head is behind the release
- Change: Consider possible changelog names in order
- Fix: Only consider files when looking for a changelog
- Refactor: Split up Ruby FileParser. Should have no effect on public APIs
- Handle relative requirements in cascaded Python requirement files properly
- Fetch cascading Python requirement files that aren't specified with a leading `./`
- Fix: Don't error when calculating MetadataFinder commits_url for Ruby git dependencies with an unknown source
- Change: Clearer PR wording for git references switching to releases
- Fix: Add temporary workaround for ::Bundler::Dsl::VALID_KEYS not being defined
- Fix: Remove unnecessary require from PullRequestCreator
- Feature: Support transitioning Ruby git sources to Rubygems releases
- Change: Use naked version when specifying a Ruby version exactly in Gemfile
- Fix: Fix metadata handler for non-GitHub Ruby git sources
- Fix: Handle function calls as gem versions in the Ruby FilePreparer
- Fix: Handle string interpolation in Ruby FileUpdater
- Refactor: Switch to AST parser for updating Ruby requirements in FileUpdater
- Refactor: Remove Gemnasium dependency (we now use Parser for all Ruby parsing)
- Refactor: Extract Ruby UpdateChecker file preparation into separate class
- Refactor: Switch to AST parser for updating Ruby requirements in UpdateChecker
- Add short-circuit fetch_latest_version code for Ruby git dependencies
- Refactor UpdateCheckers::Ruby::Bundler (should have no impact on logic)
- Suppress Ruby VersionConflict exceptions caused by an update to a git dependency (since the version conflict is only caused by the attempted update, not by anything wrong with the underlying Gemfile/Gemfile.lock)
- Better commit URL links for Ruby dependencies that specify a git source
- Handle non-existent git branches for Ruby dependencies
- Add support for upgrading Ruby dependencies that specify a git source
- Yarn 1.0 support
- Improve Python parser so it handles paths with spaces
- Specify required Bundler version is >= 1.16.0.pre
- Set git reference as version for Ruby git dependencies (groundwork for updating Ruby dependencies that specify a git source)
- Better support for Python constraints files, and a general refactor of Python support
- BREAKING: Add source key to dependency requirement attribute, as a required key
- Use requirement source key to ensure default metadata is only fetched when appropriate
- Raise GitDependencyReferenceNotFound errors during Ruby update checking
- Don't create Gemfile requirement for gemspec dependencies
- Don't update Gemfile content during update check if dependency isn't found there
- Handle custom names for submodules, and URLs without a .git suffix
- Fall back to latest_resolvable_version if PHP latest_version shortcut fails
- Better error messaging for unreachable submodules
- Fix typo in submodule checking URL
- Convert git URLs to https in submodule parser
- Use correct git internals URL for authorization checking in Ruby UpdateChecker
- Use git internal transfer protocol when fetching latest version of submodules
- Add shortcut for PHP update_checker version check
- Handle development dependencies for PHP projects
- Add Dependabot::DependencyFileNotParseable error
- Increase memory limit for PHP
- Better titles and branch names for git submodule PRs
- Better commit links for git submodule PRs
- Handle submodule URLs that resolve to a 404
- Add support for git submodules
- Handle non-utf-8 characters in Gemfile resolution error messages
- Handle branch deletion during update flow (return nil, rather than erroring)
- Manually set Bundler root during file update (thanks @gotjosh)
- Use Bundler 1.16.0 (pre-release 2)
- Use Bundler 1.16.0 (pre-release 1)
- Fix HTTP request that checks whether a git dependency is accessible
- Handle Ruby Gemfile requirements with multiple components
- Handle non-numeric Python versions better (ignore them instead of erroring)
- Don't include pre-releases in Python latest_version (unless on one)
- Use rubygems changelog URL when available
- Fetch more tags when finding metadata
- Handle path-based JS dependencies
- Handle optional JS dependencies
- Raise a DependencyFileNotResolvable error if the lockfile is missing a gem
- Handle inaccessible git dependencies that resolve to a redirect
- Simpler, better Gemfile sanitizing in UpdateCheckers::Ruby
- Add dependencies label in separate API call
- Create "dependencies" label during PR creation, if it doesn't already exist
- Add "dependencies" label to pull requests
- Prune out Ruby specs from the wrong platform during parsing
- Compare Ruby development requirements to the latest resolvable version
- More robust check on whether Ruby Gemspec file needs updating
- Handle Ruby case of Gemfile not importing its gemspec
- Exclude platform-specific dependencies from Ruby FileParser
- Handle pre-release version in requirement updates
- Minor PR wording improvement
- Better key symbolizing on Dependency (handle ActionController::Params)
- BREAKING: use arrays of hashes for `Dependency#requirements` and `Dependency#previous_requirements`, so we can store metadata about each requirement (e.g., which file it came from).
- Allow Ruby updates for repos which only contain a Gemfile (or where the dependency only appears in the Gemfile)
- Link to release notes index when more appropriate than specific release
- Handle gemspecs that bracket their dependencies
- Check all requirements are binding when creating updated requirements
- Better pull request text when updating libraries
- Patch Bundler to use HTTPS instead of SSH for git sources hosted on GitHub
- Use updated gemspec content when calculating new lockfile version (Ruby)
- Handle dev dependencies differently for gemspecs
- Always use latest_version if updating a gemspec dependency
- Handle Ruby file updates where a non-Gemfile dependency has been updated in the lockfile
- Clearer error message for FileFetchers::Ruby::Bundler
- Handle Gemfile and gemspec case where a gem only appears in the latter
- Add `.updated_files_regex` to all FileUpdaters
- Remove `.required_files` from all FileFetchers
- Add `.required_files_in?` and `required_files_message` to all FileFetchers
- Remove all `Ruby::Gemspec` classes entirely. Gem bumping behaviour now handled in `Ruby::Bundler`
- Ensure blank strings aren't provided as arguments to Dependency.new
- Big refactor of `bundler` and `gemspec` flows to almost combine them. Hopefully no impact on functionality. Releasing to test in the wild.
- Update bundler FileParser to handle gemspecs
- Update equality matchers to ranges in UpdateCheckers::Ruby::Gemspec
- Parse JavaScript files which only have dev dependencies
- Fix UpdateCheckers::Ruby::Gemspec (oops)
- Fix: convert version to string before splitting in UpdateChecker
- Add `requirement` and `previous_requirement` attributes to `Dependency`
- Better FileUpdaters::Gemspec regex (catch add_runtime_dependency declarations)
- Extend aggressive gemspec sanitization to Bundler
- More aggressive gemspec sanitizing
- Use original quote character when updating Ruby gemspecs
- Clearer text for library pull requests
- More robust gemspec declaration regex
- BREAKING: Return strings from Dependency#version, not Gem::Version objects
- FEATURE: Add support for Ruby libraries (i.e., gems)
- Don't add RUBY VERSION to the Gemfile.lock if it wasn't previously present
- Sanitize path-based gemspecs to remove fine requirements
- Handle Ruby indexes that only implement the old Rubygems index
- Raise helpful message for Ruby private sources without auth details
- Serve a DependencyFileNotResolvable error for bad git branches
- Handle requirement.txt files that have cascading requirements
- Handle requirement.txt files that have path-based dependencies
- Handle 404s from Rubygems in UpdateChecker
- Skip PHP dependencies with non-numeric versions during file parsing
- BREAKING: Return `Gem::Version` objects from Dependency#version, not strings
- Ignore Python packages which can't be found at PyPI
- Handle deleted branches in PullRequestUpdater
- Handle Gemfiles that load in a .ruby-version file
- Move Python parser code into Python helper
- Fetch old commit message when updating a PR. Previously we would try to rebuild the commit message from the PR message, but that often caused us to include extra, irrelevant details.
- Ensure git dependencies aren't updated as a result of https change
- Avoid using SSH to fetch dependencies - always use HTTPS. Ensures the GitHub credentials we pass to Bundler are used.
- Use Bundler settings to handle GitHub credentials
- Robust support for https auth details
- Revert handling git auth details for https specifications
- More robust file URL generation
- Notify about all unreachable git dependencies at once
- Handle git auth details for https specifications
- BREAKING: renamed GitCommandError and PathBasedDependencies errors
- Set path in Ruby File Updater, to fix path based dependencies (v2)
- Set path in Ruby File Updater, to fix path based dependencies
- Raise PathBasedDependencies error at file fetcher time for bad paths
- Only hit Rubygems once for each latest_version lookup
- Handle path-based Ruby dependencies, if possible
- Correctly list path-based dependencies
- Replace less than matcher (and <= matcher) with ~> during file updates
- Handle Ruby version constraints for dependencies Dependabot itself relies on
- Bump yarn (fixes non-deterministic lockfile generation)
- Cache `commit` in file fetcher, and ensure files fetched are for that commit
- BREAKING: Drop Dependabot::Repo in favour of just passing the repo's name
- Better tag/release lookup: handle completely unprefixed tags/releases
- FIX: Honour Ruby version when determining latest resolvable version
- FIX: Improved Bundler bug workaround, with specs
- FIX: Work around Bundler bug when doing Ruby update checks
- FIX: Pass GitHub credentials as `x-access-token` password. This allows us to clone private repos using app access tokens, whilst maintaining support for doing so using OAuth tokens.
- Clean version strings in JavaScript parser
- FIX: Require Octokit and Gitlab where used
- Full support for Bitbucket changelogs and commit comparisons
- Full support for GitLab changelogs, release notes, and commit comparisons
- Link to GitLab dependency sources, too
- BREAKING: drop support for Ruby 2.3
- Link to Bitbucket dependency sources (and lay groundwork for changelogs etc.)
- Improve commit comparison URL generation (handle arbitrary prefixes)
- Handle npm packages with an old 'latest' tag
- Strip leading 'v' prefix from PHP version strings
- Return fetched dependency file contents as UTF-8
- Don't blow up when deps are missing from yarn.lock
- Ignore JS prerelease versions
- Use HTTPS when talking to the NPM registry
- Handle PHP composer.json files that specify a PHP version / extensions
- Minor improvement to GitHub release finding (finds unnamed releases)
- Update pull request titles to include from-version
- Add short-circuit lookup for update checkers
- Rename to dependabot-core
- Fix PHP issues from initial beta test (#61)
- Add support for PHP (Composer) projects
- Even better version pattern updating for JS
- Better version pattern updating for JS
- Make yarn run in non-interactive mode
- BREAKING: Organise by package manager, not language (#55)
- BREAKING: Refactor error handling (#54)
- Don't change yarn.lock version comments (#53)
- Ignore exotic (git, path, etc) JavaScript dependencies (#52)
- Raise a bespoke error for Ruby path sources (#51)
- Back out CocoaPods support, since it pins ActiveSupport to < 5 (#50)
- Look for any release ending with the dependency version (#49)
- Slightly shorter branch names (#43)
- Do JavaScript file updating in JavaScript (#41)
- Include details of the directory (if present) in the PR name (#40)
- Raise Bump::VersionConflict if a conflict stops us getting a gem version (#38)
- Use folders for branch names, and namespace under language and directory (#39)
- Extract the correct versions of JavaScript dependencies in the parser (#36)
- Consider resolvability when calculating latest_version in Ruby (#35)
- BREAKING: require `github_access_token` when creating an UpdateChecker
- Allow `pr_message_footer` argument to be passed to `PullRequestCreator` (#32)
- BREAKING: Make language a required attribute for Bump::Dependency (#29)
- Handle PR creation races gracefully (#31)
- Minor improvement to PR text
- Better JavaScript and Python metadata finding
- Exposed `.required_files` method on dependency file fetchers
- Escape scoped package names in MetadataFinders::JavaScript (#27)
- Look for JavaScript GitHub link in most recent releases first (#28)
- Don't discard DependencyFile details when updating (#24)
- Support fetching dependency files from a specified directory (#23)
- BREAKING: Rename Node to JavaScript everywhere (#22)
- Store the failed git command on GitCommandError (#21)
- BREAKING: Rename Bump::FileUpdaters::VersionConflict (#20)
- Add DependencyFileNotEvaluatable error (#17)
- Stop updating RUBY VERSION and BUNDLED WITH details in Ruby lockfiles (#18)
- Handle public git sources gracefully (#19)
- Add PullRequestUpdate class (see #15)
- Raise a Bump::DependencyFileNotFound error if files can't be found (see #16)
- Handle 404s for Rubygems when creating PRs (see #13)
- Set backtrace on errors raised in a forked process (see #11)
- Ignore Ruby version specified in the Gemfile (for now) (see #10)
- Support non-Rubygems sources (so private gems can now be bumped) (see #8)
- Handle all exceptions in forked process (see #9)
- Follow redirects in Excon everywhere (fixes #4)
- Initial extraction of core logic from https://github.com/gocardless/bump