wemake-services / kira-dependencies

🐿 Kira's micro-bot to update project dependencies

Home Page: https://dependabot.com

License: MIT License

Ruby 100.00%
kira-bot wemake-services bot gitlab gitlab-bot rsdp gitlab-ci dependabot

Kira Dependencies Bot

GitLab bot that continuously updates your dependency versions. It is a friendly fork of dependabot-script; the main difference is that the script's source is adjusted to work with the RSDP process.

Part of the @kira bots family.

Installation

We recommend copying this project into your own GitLab instance (or group) and then setting up an individual CI schedule for each project you want to keep updated.

Configuration

Global

These are global settings; set them as CI/CD variables on the bot project. Both tokens act on behalf of the bot user, so create them for a dedicated bot account with only the scopes the bot needs, and mark the variables masked (and protected, if the schedule runs on a protected branch) so they do not leak into job logs.

  • KIRA_GITLAB_PERSONAL_TOKEN - personal access token for your bot user
  • GITLAB_HOSTNAME - (optional) GitLab domain name, defaults to gitlab.com
  • KIRA_GITHUB_PERSONAL_TOKEN - GitHub personal access token, used when the bot looks up dependency metadata on GitHub, to avoid hitting the unauthenticated API rate limit

Per schedule

These settings are best placed in each CI schedule's variables, so that one copy of the bot can serve several target projects.

  • PACKAGE_MANAGER_SET - space-separated list of package managers to update, e.g. npm pip docker
  • DEPENDABOT_PROJECT_PATH - project to update, e.g. wemake-services/kira-dependencies
  • DEPENDABOT_DIRECTORY - directory in which to look for the package file, defaults to /
  • DEPENDABOT_SOURCE_BRANCH - (optional) source branch for merge requests, defaults to the project's default branch
  • DEPENDABOT_ASSIGNEE_GITLAB_ID - (optional) GitLab user id to assign merge requests to
  • DEPENDABOT_GITLAB_APPROVE_MERGE - (optional) set to true if you want the bot to approve its own merge requests
  • DEPENDABOT_GITLAB_AUTO_MERGE - (optional) set to true to merge the request automatically once its pipeline succeeds
  • DEPENDABOT_MAX_MERGE_REQUESTS - (optional) maximum number of open merge requests the bot may have at once
  • DEPENDABOT_EXTRA_CREDENTIALS - (optional) JSON array of extra credential entries, for example for private registry authentication (for FontAwesome Pro: [{"type":"npm_registry","token":"<redacted>","registry":"npm.fontawesome.com"}]). This value contains secrets, so treat it like a token and never echo it in job logs.
  • DEPENDABOT_IGNORED_VERSIONS - (optional) JSON object of version requirements to skip during updates, in the form {"vendor/package": [">0.1.0", ">0.2.0"]}. It mirrors ignored_updates in Dependabot.

Note that with both DEPENDABOT_GITLAB_APPROVE_MERGE and DEPENDABOT_GITLAB_AUTO_MERGE enabled, a dependency bump reaches your branch with no human review; only enable both where the project's pipeline is trusted to catch a bad update.

Per package manager

  • DEPENDABOT_UPDATE_STRATEGY - (optional) changes how each package manager updates your dependency versions; see the list of allowed values here
  • DEPENDABOT_EXCLUDE_REQUIREMENTS_TO_UNLOCK - (optional) excludes certain requirement-unlock levels for each package manager; see the list of allowed values here. Useful if you have many dependencies and the update script is too slow. Example: own all excludes those two levels, so only the none requirement level is tried
  • KIRA_FAIL_ON_EXCEPTION - (optional) set to true if you want the job to fail when an exception occurs
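As an added example (not code from kira-dependencies or Dependabot), the following Ruby shows how a wrapper around update.rb could parse the two JSON-valued variables above, DEPENDABOT_EXTRA_CREDENTIALS and DEPENDABOT_IGNORED_VERSIONS, failing closed on malformed input and masking secrets before anything is logged. The list of accepted credential types, the ConfigError class and the helper names are assumptions made for this example; update.rb itself may validate these differently. The ignore requirements are checked with Ruby's own Gem::Requirement, which understands the >, <, >=, <= and = operators used in the documented format.

```ruby
require 'json'

# Added example (not part of kira-dependencies): fail-closed parsing of the
# two JSON-valued schedule variables. The accepted credential types below are
# an assumption for the example; Dependabot's real set is larger, but a typo
# such as "mvn" instead of "maven_repository" is caught here rather than
# surfacing later as an authentication failure.
ALLOWED_CREDENTIAL_TYPES = %w[
  git_source npm_registry maven_repository composer_repository
  docker_registry python_index rubygems_server
].freeze

class ConfigError < StandardError; end

# Parse DEPENDABOT_EXTRA_CREDENTIALS: a JSON array of objects, each with a
# known "type". Returns an array of string-keyed hashes.
def load_extra_credentials(raw)
  return [] if raw.nil? || raw.strip.empty?
  data = JSON.parse(raw)
  raise ConfigError, 'DEPENDABOT_EXTRA_CREDENTIALS must be a JSON array' unless data.is_a?(Array)
  data.each_with_index.map do |cred, i|
    raise ConfigError, "credential #{i} is not an object" unless cred.is_a?(Hash)
    type = cred['type']
    unless ALLOWED_CREDENTIAL_TYPES.include?(type)
      raise ConfigError, "credential #{i} has unknown type #{type.inspect}"
    end
    cred
  end
rescue JSON::ParserError => e
  raise ConfigError, "DEPENDABOT_EXTRA_CREDENTIALS is not valid JSON: #{e.message}"
end

# Parse DEPENDABOT_IGNORED_VERSIONS ({"vendor/package": [">0.1.0"]}) into
# {name => [Gem::Requirement]}. Each requirement string is validated by
# Gem::Requirement, so a typo such as ">>1.0" fails here instead of silently
# ignoring nothing.
def load_ignored_versions(raw)
  return {} if raw.nil? || raw.strip.empty?
  data = JSON.parse(raw)
  raise ConfigError, 'DEPENDABOT_IGNORED_VERSIONS must be a JSON object' unless data.is_a?(Hash)
  data.to_h do |name, reqs|
    raise ConfigError, "#{name}: expected an array of requirement strings" unless reqs.is_a?(Array)
    [name, reqs.map { |r| Gem::Requirement.new(r) }]
  end
rescue JSON::ParserError => e
  raise ConfigError, "DEPENDABOT_IGNORED_VERSIONS is not valid JSON: #{e.message}"
rescue Gem::Requirement::BadRequirementError => e
  raise ConfigError, "DEPENDABOT_IGNORED_VERSIONS: #{e.message}"
end

# True when +version+ of dependency +name+ matches any ignore requirement.
def ignored?(ignored, name, version)
  (ignored[name] || []).any? { |req| req.satisfied_by?(Gem::Version.new(version)) }
end

# Copy of a credential that is safe to print in job logs: secret fields masked.
SECRET_KEYS = %w[token password].freeze
def redact(cred)
  cred.to_h { |k, v| [k, SECRET_KEYS.include?(k) ? '<redacted>' : v] }
end

if $PROGRAM_NAME == __FILE__
  creds = load_extra_credentials(ENV['DEPENDABOT_EXTRA_CREDENTIALS'])
  ignored = load_ignored_versions(ENV['DEPENDABOT_IGNORED_VERSIONS'])
  creds.each { |c| puts "credential: #{redact(c)}" }
  ignored.each { |n, r| puts "ignore #{n}: #{r.map(&:to_s).join(', ')}" }
end
```

Run it in the job before update.rb (or call the functions from a wrapper) so that a broken credential list aborts the run with a clear message instead of a Dependabot::PrivateSourceAuthenticationFailure deep in a package manager, and so that only the redacted form of a credential ever reaches the log.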

Contributors

ahivert, b1rdex, baseballlover723, bpatram, deanpcmad, dependabot-preview[bot], dependabot-support, dependabot[bot], loremaps, lorvent, mente, mmadoo, nenros, normo, rhurling, sobolevn, tobiashuste, tranquility

Issues

Handle auto merging of MRs with merge-conflicts

Hi guys, I'm running into an issue when setting auto-merge (DEPENDABOT_GITLAB_AUTO_MERGE) to true. Here is an example of what I see in the runner when running:

Parsing dependencies information
  - Updating gatsby (from 2.11.3)… submitted
  - Updating gatsby-image (from 2.2.4)… submitted
 set to be accepted
  - Updating gatsby-link (from 2.2.0)… submitted
 set to be accepted
  - Updating gatsby-plugin-manifest (from 2.2.0)… submitted
 set to be accepted
  - Updating gatsby-plugin-react-helmet (from 3.1.0)… submitted
 set to be accepted
  - Updating gatsby-plugin-sass (from 2.1.0)… submitted
 set to be accepted
  - Updating gatsby-plugin-sharp (from 2.2.1)… submitted
 set to be accepted
  - Updating gatsby-plugin-typescript (from 2.1.0)… submitted
 set to be accepted
  - Updating gatsby-plugin-typography (from 2.3.0)… submitted
 set to be accepted
  - Updating gatsby-source-filesystem (from 2.1.1)… submitted
 set to be accepted
  - Updating gatsby-transformer-sharp (from 2.2.0)… submitted
 set to be accepted
  - Updating react (from 16.8.6)… submitted
 set to be accepted
  - Updating react-bootstrap (from 1.0.0-beta.9)…/builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/request.rb:54:in `validate': Server responded with code 405, message: 405 Method Not Allowed. Request URI: https://gitlab.com/api/v4/projects/slewsystems%2Fpublic%2Dwebsite/merge_requests/300/merge (Gitlab::Error::MethodNotAllowed)
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/request.rb:46:in `block (2 levels) in <class:Request>'
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/client/merge_requests.rb:121:in `accept_merge_request'
	from ./update.rb:176:in `block in <main>'
	from ./update.rb:89:in `each'
	from ./update.rb:89:in `<main>'
 submitted
ERROR: Job failed: exit code 1

You'll notice the last package ends up failing with a Gitlab::Error::MethodNotAllowed error. I believe this is due to the fact that that MR has merge conflicts that prevent it from being auto-merged. This seems to happen when other dependabot MRs are opened and then merged before others. Merge conflicts occur in the package.json and yarn.lock files.

In short here is the sequence of events that I think cause this issue:

  1. Dependabot runs
  2. Opens a MR for dependency A
    • This starts its pipeline running
  3. Opens a MR for dependency B
    • This starts its pipeline running
  4. MR for dependency A finishes
  5. MR for dependency A is merged
  6. MR for dependency B now has a merge conflict (due to dependency A being merged)
    • Results in Gitlab::Error::MethodNotAllowed when attempting to auto-merge

I'm not exactly sure what the solution is here sadly. I haven't done much research but maybe #82 might come into play here to help? I think in the very least the script should handle this error gracefully and continue to open MRs for the rest of the dependencies. Maybe at the end we loop back to any errored-out MRs and rebase them and try again?
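As an added example (not kira-dependencies' own code), here is the fail-soft loop the reporter asks for, in Ruby: each dependency is processed inside its own rescue, failures are collected instead of aborting the job, and the job only fails at the end when a flag modelled on KIRA_FAIL_ON_EXCEPTION is set. MergeNotAllowed is a constructed stand-in for Gitlab::Error::MethodNotAllowed so the example runs without the gitlab gem, and the list of conflicting merge requests is constructed data for the simulation.

```ruby
# Added example, not code from kira-dependencies: isolate per-dependency
# failures so that one merge request that can no longer be auto-merged
# (405 from the merge endpoint) does not stop the remaining updates.

# Stand-in for Gitlab::Error::MethodNotAllowed (assumption, so that the
# example runs without the gitlab gem installed).
class MergeNotAllowed < StandardError; end

# deps: dependency names. The block does the real work for one dependency
# (open or update the MR, set auto-merge, ...). Returns
# {done: [names], failed: {name => "ErrorClass: message"}}; raises only at
# the end, and only when fail_on_exception is true.
def run_updates(deps, fail_on_exception: false)
  result = { done: [], failed: {} }
  deps.each do |dep|
    begin
      yield dep
      result[:done] << dep
    rescue StandardError => e
      # Record and keep going: the other dependencies still get their MRs.
      result[:failed][dep] = "#{e.class}: #{e.message}"
    end
  end
  if fail_on_exception && !result[:failed].empty?
    raise "#{result[:failed].size} of #{deps.size} updates failed: " \
          "#{result[:failed].keys.join(', ')}"
  end
  result
end

# Constructed simulation of the sequence in the issue: the MR for
# react-bootstrap conflicts because an earlier MR landed first, so the
# merge call is refused the way GitLab refuses it with a 405.
CONFLICTING = ['react-bootstrap'].freeze

def simulate_auto_merge(dep)
  raise MergeNotAllowed, '405 Method Not Allowed' if CONFLICTING.include?(dep)
  :accepted
end

if $PROGRAM_NAME == __FILE__
  deps = %w[gatsby react react-bootstrap typescript]
  summary = run_updates(deps) { |d| simulate_auto_merge(d) }
  summary[:done].each { |d| puts "#{d}: set to be accepted" }
  summary[:failed].each { |d, msg| puts "#{d}: skipped (#{msg}), needs a rebase" }
end
```

The failed list is what a later "rebase and retry" pass would iterate over; keeping it separate from the success list also gives the job a single summary line to alert on instead of a stack trace in the middle of the output.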

The version of Ruby used by the script is not pinned to 2.7.1 and the script doesn't launch with Ruby 2.7.5

$ bundle install -j $(nproc) --path vendor
[DEPRECATED] The `--path` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set --local path 'vendor'`, and stop using this flag
Your Ruby version is 2.7.5, but your Gemfile specified 2.7.1

I think the version of Ruby should be pinned (and upgraded) to avoid this kind of issue.

I'm not familiar with Ruby and won't be able to fix it in the next days, will see if I can do it next year if it's not fixed before.

PS: if it can help, one of my coworker has already fixed a similar issue: 72b9df8

timeout when updating existing npm merge requests

I am using the latest kira-dependencies on an on-premise GitLab 15.1.
The npm_and_yarn job fails due to a timeout when it updates an existing merge request.
When I look in gitlab access log, there is

168.119.xxx.xxx - - [11/Aug/2022:06:43:21 +0000] "GET /api/v4/projects/myCompany%2FmyProject/merge_requests?state=opened&search=%22Bump%20babylonjs%22&in=title&with_merge_status_recheck=true HTTP/1.1" 200 3457 "" "Gitlab Ruby Gem 4.19.0" 6.93
168.119.xxx.xxx - - [11/Aug/2022:06:43:21 +0000] "GET /api/v4/projects/myCompany%2FmyProject/merge_requests?state=opened&search=%22Bump%20babylonjs%22&in=title&with_merge_status_recheck=true HTTP/1.1" 200 3457 "" "Gitlab Ruby Gem 4.19.0" 6.93
168.119.xxx.xxx - - [11/Aug/2022:06:43:21 +0000] "GET /api/v4/projects/myCompany%2FmyProject/merge_requests?state=opened&search=%22Bump%20babylonjs%22&in=title&with_merge_status_recheck=true HTTP/1.1" 200 3457 "" "Gitlab Ruby Gem 4.19.0" 6.93
168.119.xxx.xxx - - [11/Aug/2022:06:43:22 +0000] "GET /api/v4/projects/myCompany%2FmyProject/merge_requests?state=opened&search=%22Bump%20babylonjs%22&in=title&with_merge_status_recheck=true HTTP/1.1" 200 3457 "" "Gitlab Ruby Gem 4.19.0" 6.93
168.119.xxx.xxx - - [11/Aug/2022:06:43:22 +0000] "GET /api/v4/projects/myCompany%2FmyProject/merge_requests?state=opened&search=%22Bump%20babylonjs%22&in=title&with_merge_status_recheck=true HTTP/1.1" 200 3457 "" "Gitlab Ruby Gem 4.19.0" 6.93
168.119.xxx.xxx - - [11/Aug/2022:06:43:22 +0000] "GET /api/v4/projects/myCompany%2FmyProject/merge_requests?state=opened&search=%22Bump%20babylonjs%22&in=title&with_merge_status_recheck=true HTTP/1.1" 200 3457 "" "Gitlab Ruby Gem 4.19.0" 6.93
168.119.xxx.xxx - - [11/Aug/2022:06:43:22 +0000] "GET /api/v4/projects/myCompany%2FmyProject/merge_requests?state=opened&search=%22Bump%20babylonjs%22&in=title&with_merge_status_recheck=true HTTP/1.1" 200 3457 "" "Gitlab Ruby Gem 4.19.0" 6.93
168.119.xxx.xxx - - [11/Aug/2022:06:43:22 +0000] "GET /api/v4/projects/myCompany%2FmyProject/merge_requests?state=opened&search=%22Bump%20babylonjs%22&in=title&with_merge_status_recheck=true HTTP/1.1" 200 3457 "" "Gitlab Ruby Gem 4.19.0" 6.93
168.119.xxx.xxx - - [11/Aug/2022:06:43:22 +0000] "GET /api/v4/projects/myCompany%2FmyProject/merge_requests?state=opened&search=%22Bump%20babylonjs%22&in=title&with_merge_status_recheck=true HTTP/1.1" 200 3457 "" "Gitlab Ruby Gem 4.19.0" 6.93

Thus, I think that there should be an issue with the break condition at https://github.com/wemake-services/kira-dependencies/blob/master/update.rb#L175

Authentication for private Maven repo

Hello.
dependabot can read from a private mvn repo (we use Artifactory).
We tried to configure it via the DEPENDABOT_EXTRA_CREDENTIALS parameter
like
[{"type":"mvn","username":"xxxx","password":"xxxxxx","registry":"xxxxxxx"}]
and
[{"type":"mvn","token":"xxxxx","registry":"xxxx"}]

But without results

Error in console

dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker/version_finder.rb:62:in `versions': The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): https://xxxx.xxx.xxxx/artifactory/xxxxxxx-release (Dependabot::PrivateSourceAuthenticationFailure)
	from /home/gitlab-runner/builds/xxxxxx/0/xxxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker/version_finder.rb:27:in `latest_version_details'
	from /home/gitlab-runner/builds/xxxxxx/0/xxxxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker.rb:105:in `latest_version_details'
	from /home/gitlab-runner/builds/xxxxx/0/xxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker.rb:15:in `latest_version'
	from /home/gitlab-runner/builds/xxxxxx/0/xxxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-common-0.108.25/lib/dependabot/update_checkers/base.rb:198:in `numeric_version_up_to_date?'
	from /home/gitlab-runner/builds/xxxx/0/x/dependxxxxencies-bot/vendor/ruby/2.6.0/gems/dependabot-maven-0.108.25/lib/dependabot/maven/update_checker.rb:89:in `numeric_version_up_to_date?'
	from /home/gitlab-runner/builds/xxxxx/0/x/dependxxxencies-bot/vendor/ruby/2.6.0/gems/dependabot-common-0.108.25/lib/dependabot/update_checkers/base.rb:155:in `version_up_to_date?'
	from /home/gitlab-runner/builds/xxxx/0/xxxxx/dependencies-bot/vendor/ruby/2.6.0/gems/dependabot-common-0.108.25/lib/dependabot/update_checkers/base.rb:27:in `up_to_date?'
	from ./update.rb:102:in `block in <main>'
	from ./update.rb:91:in `each'
	from ./update.rb:91:in `<main>'
Fetching maven dependency files for xxxxt/xxxxx

The token and the login/password both worked (tested with curl).
Can we use kira to resolve dependencies from a private Maven repo (Artifactory)?

connect_write timeout reached

I used this repo with a privately deployed GitLab; GitLab CI often reports connection timeouts, and which dependent packages report a timeout is random. Sometimes the dependencies shown in the following images are updated successfully.

[screenshots]

What could be the cause?

Old MRs not closed

First off, Dependabot for Gitlab is awesome! However over time it seems it does not auto-close existing PRs that are no longer applicable. See example below:

[screenshot]

I would expect older PRs to upgrade the dependency to be closed as new ones are made. I believe this is the behavior of Dependabot for GitHub. I am not sure if this repo is the one that manages that behavior however.

Gitlab auto merge failures

There seems to have been a regression introduced in #133 after upgrading the gitlab gem. Since that PR has been merged I've been having my kira-dependencies CI jobs fail in gitlab with the following issue:

/builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/request.rb:54:in `validate': Server responded with code 400, message: assignee_ids is invalid. Request URI: https://gitlab.com/api/v4/projects/slewsystems%2Fpi67%2Fpi67%2Dwebserver/merge_requests (Gitlab::Error::BadRequest)
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/request.rb:46:in `block (2 levels) in <class:Request>'
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/client/merge_requests.rb:89:in `create_merge_request'
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.114.1/lib/dependabot/clients/gitlab_with_retries.rb:67:in `public_send'
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.114.1/lib/dependabot/clients/gitlab_with_retries.rb:67:in `block in method_missing'
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.114.1/lib/dependabot/clients/gitlab_with_retries.rb:82:in `retry_connection_failures'
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.114.1/lib/dependabot/clients/gitlab_with_retries.rb:64:in `method_missing'
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.114.1/lib/dependabot/pull_request_creator/gitlab.rb:136:in `create_merge_request'
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.114.1/lib/dependabot/pull_request_creator/gitlab.rb:45:in `create'
	from /builds/slewsystems/kira-dependencies/vendor/ruby/2.6.0/gems/dependabot-common-0.114.1/lib/dependabot/pull_request_creator.rb:74:in `create'
	from ./update.rb:165:in `block in <main>'
	from ./update.rb:92:in `each'
	from ./update.rb:92:in `<main>'

The Gitlab gem was changed from version 4.9 to 4.12.

I am using the following env vars:

  • DEPENDABOT_GITLAB_AUTO_MERGE=true
  • DEPENDABOT_PROJECT_PATH=slewsystems/pi67/pi67-webserver
  • PACKAGE_MANAGER_SET=npm
  • KIRA_GITHUB_PERSONAL_TOKEN=... (omitting)
  • KIRA_GITLAB_PERSONAL_TOKEN=... (omitting)

New installs fail since octokit 4.17.0 was yanked

Version 4.17.0 of octokit was yanked from rubygems so all new installs fail with the following error:
Your bundle is locked to octokit (4.17.0), but that version could not be found in any of the sources listed in your Gemfile. If you haven't changed sources, that means the author of octokit (4.17.0) has removed it. You'll need to update your bundle to a version other than octokit (4.17.0) that hasn't been removed in order to install.

See octokit release tag: https://github.com/octokit/octokit.rb/releases/tag/v4.17.0

Getting Error in GitLab CI 403

Getting Error in CI

$ bundle exec ruby ./update.rb
Fetching composer dependency files for yo/tasklog
Parsing dependencies information
  - Updating laravel-notification-channels/telegram (from 0.0.6)…/builds/yo/dependabot/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/request.rb:54:in `validate': Server responded with code 403, message: 403 Forbidden. Request URI: https://gitlab.com/api/v4/projects/yo%2Ftasklog/repository/branches (Gitlab::Error::Forbidden)
	from /builds/yo/dependabot/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/request.rb:46:in `block (2 levels) in <class:Request>'
	from /builds/yo/dependabot/vendor/ruby/2.6.0/gems/gitlab-4.12.0/lib/gitlab/client/branches.rb:81:in `create_branch'
	from /builds/yo/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.16/lib/dependabot/clients/gitlab_with_retries.rb:67:in `public_send'
	from /builds/yo/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.16/lib/dependabot/clients/gitlab_with_retries.rb:67:in `block in method_missing'
	from /builds/yo/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.16/lib/dependabot/clients/gitlab_with_retries.rb:82:in `retry_connection_failures'
	from /builds/yo/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.16/lib/dependabot/clients/gitlab_with_retries.rb:64:in `method_missing'
	from /builds/yo/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.16/lib/dependabot/pull_request_creator/gitlab.rb:87:in `create_branch'
	from /builds/yo/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.16/lib/dependabot/pull_request_creator/gitlab.rb:40:in `create'
	from /builds/yo/dependabot/vendor/ruby/2.6.0/gems/dependabot-common-0.113.16/lib/dependabot/pull_request_creator.rb:73:in `create'
	from ./update.rb:165:in `block in <main>'
	from ./update.rb:92:in `each'
	from ./update.rb:92:in `<main>'

Here is the Example: https://gitlab.com/yo/dependabot/-/jobs/336074178

invalid byte sequence in US-ASCII (ArgumentError)

Got the following error on a yarn dependabot job:

/usr/local/bundle/gems/dependabot-npm_and_yarn-0.117.6/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:339:in `start_with?': invalid byte sequence in US-ASCII (ArgumentError)

[screenshot]

an option to make MRs only for insecure deps

Hello,
dependabot says it can check for insecure deps.

Is there any way we can do the same here with kira?

We have a PHP/Laravel application where we intentionally use old versions; it is making MRs for the latest versions, which could break the application.

So I want to know if there is any way to achieve what I want, i.e. let the bot create MRs only for security vulnerabilities.

thanks

package.json not always updated for monorepo with Lerna

Many thanks for this script 👍 !

I have a Lerna monorepo and the MRs do not always include updates for the package.json files. The dependencies seem to be tracked correctly and the package-lock.json files are always updated.

For example:
[screenshot]
Here only one package.json got updated, although both packages have exactly the same version. The other was not updated.

For other dependencies I get updates in package-lock.json only.
For some other dependency everything got updated correctly.

Any ideas? Should I report this upstream?

Why does it keep updating a package even when there is no new update?

Hello,
Lately I am seeing my jobs take a lot of time. Upon looking into it, I see that a package whose version has not changed (an MR with the latest version was already created) still gets its existing MR overwritten.

Let's say my package.json has 50 deps, 20 of them have updates, and MRs were already created for them.

Every day I run GitLab CI for it, and every day it updates all those 20 MRs even though they were already created.

is there any way to stop it?

thanks

bundle install error in image

Looks like https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md#v01410-12-april-2021 broke kira. Got an error message of

/builds/kira-dependencies/vendor/ruby/2.6.0/cache/aws-partitions-1.444.0.gem
An error occurred while installing aws-partitions (1.444.0), and Bundler cannot
continue.
Make sure that `gem install aws-partitions -v '1.444.0' --source
'https://rubygems.org/'` succeeds before bundling.
In Gemfile:
  dependabot-omnibus was resolved to 0.141.0, which depends on
    dependabot-bundler was resolved to 0.141.0, which depends on
      dependabot-common was resolved to 0.141.0, which depends on
        aws-sdk-codecommit was resolved to 1.42.0, which depends on
          aws-sdk-core was resolved to 3.113.1, which depends on
            aws-partitions

Strange NoMethodError

We use kira-dependencies in self-hosted GitLab. It works well, but for one repository it yields a strange error:

Running with gitlab-runner 13.10.0 (54944146)
  on infra-gitlab-runner-68856b776d-lx5qw 4SqrWnSc
  feature flags: FF_GITLAB_REGISTRY_HELPER_IMAGE:true
Preparing the "kubernetes" executor
Using Kubernetes namespace: gitlab-runners
Using Kubernetes executor with image dependabot/dependabot-core ...
Preparing environment
Waiting for pod gitlab-runners/runner-4sqrwnsc-project-292-concurrent-0slnzq to be running, status is Pending
Waiting for pod gitlab-runners/runner-4sqrwnsc-project-292-concurrent-0slnzq to be running, status is Pending
	ContainersNotReady: "containers with unready status: [build helper svc-0]"
	ContainersNotReady: "containers with unready status: [build helper svc-0]"
Running on runner-4sqrwnsc-project-292-concurrent-0slnzq via infra-gitlab-runner-68856b776d-lx5qw...
Getting source from Git repository
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/infra/Dependabots/kira-dependencies/.git/
Created fresh repository.
Checking out ff5302ea as master...
Skipping Git submodules setup
Restoring cache
Checking cache for default...
No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted.
Successfully extracted cache
Executing "step_script" stage of the job script
$ bundle install -j $(nproc) --path vendor
[DEPRECATED] The `--path` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set --local path 'vendor'`, and stop using this flag
Fetching gem metadata from https://rubygems.org/
Fetching gem metadata from https://rubygems.org/...........
Fetching aws-eventstream 1.1.1
Fetching minitest 5.14.4
Fetching jmespath 1.4.0
Fetching concurrent-ruby 1.1.9
Fetching public_suffix 4.0.6
Fetching zeitwerk 2.4.2
Fetching ast 2.4.2
Fetching aws-partitions 1.471.0
Installing ast 2.4.2
Installing aws-eventstream 1.1.1
Installing aws-partitions 1.471.0
Installing zeitwerk 2.4.2
Installing jmespath 1.4.0
Using bundler 2.2.20
Installing minitest 5.14.4
Fetching citrus 3.0.2
Fetching commonmarker 0.22.0
Fetching http-accept 1.7.0
Fetching unf_ext 0.0.7.7
Installing public_suffix 4.0.6
Fetching mime-types-data 3.2021.0225
Installing concurrent-ruby 1.1.9
Installing http-accept 1.7.0
Installing citrus 3.0.2
Fetching netrc 0.11.0
Installing commonmarker 0.22.0 with native extensions
Installing mime-types-data 3.2021.0225
Fetching excon 0.82.0
Installing netrc 0.11.0
Fetching multi_xml 0.6.0
Installing unf_ext 0.0.7.7 with native extensions
Fetching unicode-display_width 1.7.0
Installing multi_xml 0.6.0
Fetching racc 1.5.2
Installing unicode-display_width 1.7.0
Installing excon 0.82.0
Fetching faraday-em_http 1.0.0
Fetching faraday-em_synchrony 1.0.0
Fetching faraday-excon 1.1.0
Installing faraday-em_http 1.0.0
Installing faraday-em_synchrony 1.0.0
Installing faraday-excon 1.1.0
Fetching faraday-net_http 1.0.1
Fetching faraday-net_http_persistent 1.1.0
Fetching multipart-post 2.1.1
Fetching ruby2_keywords 0.0.4
Installing racc 1.5.2 with native extensions
Fetching pandoc-ruby 2.1.4
Installing faraday-net_http_persistent 1.1.0
Installing faraday-net_http 1.0.1
Fetching parseconfig 1.0.8
Fetching aws-sigv4 1.2.3
Installing multipart-post 2.1.1
Installing ruby2_keywords 0.0.4
Fetching parser 3.0.1.1
Installing pandoc-ruby 2.1.4
Fetching addressable 2.7.0
Installing parseconfig 1.0.8
Installing aws-sigv4 1.2.3
Fetching toml-rb 2.0.1
Fetching mime-types 3.3.1
Fetching terminal-table 1.8.0
Installing toml-rb 2.0.1
Installing mime-types 3.3.1
Installing terminal-table 1.8.0
Fetching i18n 1.8.10
Installing addressable 2.7.0
Fetching tzinfo 2.0.4
Fetching faraday 1.4.3
Fetching aws-sdk-core 3.115.0
Installing i18n 1.8.10
Installing parser 3.0.1.1
Fetching httparty 0.18.1
Installing tzinfo 2.0.4
Installing faraday 1.4.3
Fetching activesupport 6.1.4
Installing httparty 0.18.1
Fetching nokogiri 1.11.7 (x86_64-linux)
Installing aws-sdk-core 3.115.0
Fetching sawyer 0.8.2
Fetching gitlab 4.17.0
Installing activesupport 6.1.4
Installing sawyer 0.8.2
Installing gitlab 4.17.0
Fetching octokit 4.21.0
Installing octokit 4.21.0
Fetching unf 0.1.4
Fetching aws-sdk-ecr 1.42.0
Fetching aws-sdk-codecommit 1.42.0
Installing nokogiri 1.11.7 (x86_64-linux)
Installing unf 0.1.4
Installing aws-sdk-ecr 1.42.0
Installing aws-sdk-codecommit 1.42.0
Fetching domain_name 0.5.20190701
Installing domain_name 0.5.20190701
Fetching http-cookie 1.0.4
Installing http-cookie 1.0.4
Fetching rest-client 2.1.0
Installing rest-client 2.1.0
Fetching docker_registry2 1.10.0
Installing docker_registry2 1.10.0
Fetching dependabot-common 0.156.1
Installing dependabot-common 0.156.1
Fetching dependabot-bundler 0.156.1
Fetching dependabot-github_actions 0.156.1
Fetching dependabot-cargo 0.156.1
Fetching dependabot-dep 0.156.1
Fetching dependabot-elm 0.156.1
Fetching dependabot-composer 0.156.1
Fetching dependabot-docker 0.156.1
Fetching dependabot-git_submodules 0.156.1
Installing dependabot-git_submodules 0.156.1
Installing dependabot-elm 0.156.1
Installing dependabot-docker 0.156.1
Installing dependabot-cargo 0.156.1
Installing dependabot-dep 0.156.1
Installing dependabot-github_actions 0.156.1
Installing dependabot-composer 0.156.1
Installing dependabot-bundler 0.156.1
Fetching dependabot-go_modules 0.156.1
Fetching dependabot-maven 0.156.1
Fetching dependabot-hex 0.156.1
Fetching dependabot-npm_and_yarn 0.156.1
Fetching dependabot-nuget 0.156.1
Fetching dependabot-python 0.156.1
Fetching dependabot-terraform 0.156.1
Installing dependabot-go_modules 0.156.1
Installing dependabot-maven 0.156.1
Installing dependabot-hex 0.156.1
Installing dependabot-nuget 0.156.1
Installing dependabot-terraform 0.156.1
Installing dependabot-python 0.156.1
Fetching dependabot-gradle 0.156.1
Installing dependabot-npm_and_yarn 0.156.1
Installing dependabot-gradle 0.156.1
Fetching dependabot-omnibus 0.156.1
Installing dependabot-omnibus 0.156.1
Bundle complete! 1 Gemfile dependency, 69 gems now installed.
Bundled gems are installed into `./vendor`
Post-install message from httparty:
When you HTTParty, you must party hard!
$ bundle exec ruby ./update.rb
warning: parser/current is loading parser/ruby27, which recognizes
warning: 2.7.3-compliant syntax, but you are running 2.7.1.
warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
/builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/gitlab-4.17.0/lib/gitlab/paginated_response.rb:24:in `method_missing': undefined method `default_branch' for #<Gitlab::PaginatedResponse:0x000055a3fac7e040> (NoMethodError)
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-common-0.156.1/lib/dependabot/clients/gitlab_with_retries.rb:51:in `fetch_default_branch'
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-common-0.156.1/lib/dependabot/file_fetchers/base.rb:443:in `default_branch_for_repo'
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-common-0.156.1/lib/dependabot/file_fetchers/base.rb:71:in `commit'
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-common-0.156.1/lib/dependabot/file_fetchers/base.rb:360:in `_full_specification_for'
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-common-0.156.1/lib/dependabot/file_fetchers/base.rb:175:in `_fetch_repo_contents'
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-common-0.156.1/lib/dependabot/file_fetchers/base.rb:160:in `repo_contents'
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-common-0.156.1/lib/dependabot/file_fetchers/base.rb:103:in `fetch_file_if_present'
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-bundler-0.156.1/lib/dependabot/bundler/file_fetcher.rb:64:in `gemfile'
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-bundler-0.156.1/lib/dependabot/bundler/file_fetcher.rb:30:in `fetch_files'
	from /builds/infra/Dependabots/kira-dependencies/vendor/ruby/2.7.0/gems/dependabot-common-0.156.1/lib/dependabot/file_fetchers/base.rb:65:in `files'
	from ./update.rb:94:in `<main>'
Fetching bundler dependency files for 
Cleaning up file based variables
ERROR: Job failed: command terminated with exit code 1

I tried to run it on the kira-dependencies repository itself to bump the dependabot version.

npm & yarn don't follow the semantic version ranges in package.json

Steps to reproduce

  1. Project with package.json that specifies dependency update type with minor release max for example: "jest": "^25.5.4"
  2. Run kira-dependencies with PACKAGE_MANAGER_SET = npm

Expected result

  1. kira-dependencies will only create merge requests for jest that have minor releases

Actual result

  1. kira-dependencies creates a merge request for the major releases

Background

I'm not familiar with dependabot and I couldn't find anything about how to handle allowed updates for kira-dependencies. It is important for me that there are no merge requests for major releases as they may require code changes due to breaking changes.
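To illustrate the range semantics this issue is about, here is an added Ruby example (not part of kira-dependencies or Dependabot) that decides whether a candidate version stays inside a package.json range such as ^25.5.4 and splits a list of candidates into in-range updates and range-crossing ones, which a wrapper could then skip or label. It goes slightly beyond the caret case in the report by also handling tilde ranges and exact pins; anything else (pre-release tags, >=, ||, wildcards) is rejected rather than guessed at. The class and function names are assumptions made for the example.

```ruby
# Added example, not code from kira-dependencies or Dependabot: npm-style
# range checks for plain MAJOR.MINOR.PATCH versions.
#
#   ^x.y.z  allows changes that keep the left-most non-zero component:
#           ^1.2.3 => >=1.2.3 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4
#   ~x.y.z  allows patch-level changes only: ~1.2.3 => >=1.2.3 <1.3.0
#   x.y.z   exact pin

class UnsupportedRange < StandardError; end

VERSION_RE = /\A(\d+)\.(\d+)\.(\d+)\z/.freeze

# "25.5.4" -> [25, 5, 4]; anything else (pre-release, wildcard, operator)
# is refused so the caller cannot silently treat it as a plain version.
def parse_version(str)
  m = VERSION_RE.match(str.to_s.strip)
  raise UnsupportedRange, "unsupported version #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# Returns [lower_inclusive, upper_exclusive] as integer triples for a
# caret range, a tilde range or an exact pin.
def range_bounds(spec)
  spec = spec.to_s.strip
  op = %w[^ ~].include?(spec[0]) ? spec[0] : nil
  lower = parse_version(op ? spec[1..] : spec)
  major, minor, patch = lower
  upper =
    case op
    when nil then [major, minor, patch + 1]        # exact pin: only this version
    when '~' then [major, minor + 1, 0]            # next minor is out
    when '^'
      if major > 0 then [major + 1, 0, 0]          # next major is out
      elsif minor > 0 then [0, minor + 1, 0]       # 0.x: next minor is out
      else [0, 0, patch + 1]                       # 0.0.x: next patch is out
      end
    end
  [lower, upper]
end

# True when +candidate+ satisfies the package.json range +spec+.
def in_range?(spec, candidate)
  lower, upper = range_bounds(spec)
  v = parse_version(candidate)
  (v <=> lower) >= 0 && (v <=> upper) < 0
end

# Pick the highest candidate that stays inside the range and report the
# ones that would cross it (the major bumps the reporter wants to avoid).
def choose_update(spec, candidates)
  allowed, crossing = candidates.partition { |c| in_range?(spec, c) }
  { best: allowed.max_by { |c| parse_version(c) }, crossing: crossing }
end

if $PROGRAM_NAME == __FILE__
  # Constructed candidate list for the "jest": "^25.5.4" case from the issue.
  r = choose_update('^25.5.4', %w[25.5.4 25.6.1 26.0.0 26.1.0])
  puts "in-range update: #{r[:best]}; would cross the range: #{r[:crossing].join(', ')}"
end
```

A wrapper that only opens a merge request for r[:best] and, at most, files the crossing versions as a separate clearly labelled MR gives the reviewer the signal the issue asks for without changing Dependabot's own update logic.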

Ignore specific versions?

TL;DR basically the same as in dependabot/dependabot-script#375

Is there a possibility to specify versions which should be ignored by dependabot? dependabot with .config/dependabot.yml has ignored_updates. I'm aware that config file is not supported by this script, but I'm wondering whether it's already provided but not documented.

PS If you can point me where it's being propagated to dependabot-core I can try to do it myself, but don't expect good quality of my contributions though :-/

github rate limit error

Hello,
When I use the composer check, it throws an error like the one below:

Parsing dependencies information
  - Updating laravel/framework (from 5.7.21)…/builds/lorvent/kira-dependencies/vendor/ruby/2.6.0/gems/octokit-4.14.0/lib/octokit/response/raise_error.rb:16:in `on_complete': GET https://api.github.com/repos/laravel/framework/contents/: 403 - API rate limit exceeded for xxx.xxx.xxx.xxx. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) // See: https://developer.github.com/v3/#rate-limiting (Octokit::TooManyRequests)
	from /builds/lorvent/kira-dependencies/vendor/ruby/2.6.0/gems/faraday-0.15.4/lib/faraday/response.rb:9:in `block in call'
	from /builds/lorvent/kira-dependencies/vendor/ruby/2.6.0/gems/faraday-0.15.4/lib/faraday/response.rb:61:in `on_complete'
	from /builds/lorvent/kira-dependencies/vendor/ruby/2.6.0/gems/faraday-0.15.4/lib/faraday/response.rb:8:in `call'
...

any help is appreciated.

Do not update dev dependencies

Hello

Is there any way to update only the main dependencies but not the dev dependencies?

Often dev packages are updated continuously and I am afraid of bumping their versions as they may break things.

e.g. gulp and webpack related packages in package.json

thanks.

Some Gitlab features are broken after #171

DEPENDABOT_GITLAB_APPROVE_MERGE and DEPENDABOT_GITLAB_AUTO_MERGE do not work anymore after #171. They use the now undefined variable g:

g.approve_merge_request(source.repo, pull_request.iid)

kira-dependencies/update.rb

Lines 222 to 227 in 207a506

g.accept_merge_request(
source.repo,
pull_request.iid,
merge_when_pipeline_succeeds: true,
should_remove_source_branch: true
)

Further, Gitlab requires that you re-apply the auto-merge setting after updating a MR. Currently, the code will not do this, as pull_request is not set in the rebase case.

CC @ahivert as the author of #171
