Releases: tinglesoftware/dependabot-azure-devops

0.16.0

27 Feb 11:51

NEW

  • #527: New server component to run outside Azure DevOps Pipelines.

FIXES

  • #540: Remove use of blank method in filtering

Other

  • Bump dependabot-* from 0672e3b to f8c48ef

Full Changelog: 0.15.0...0.16.0

0.15.0

24 Feb 10:00

BREAKING:

  • #522, #524: Migrate from Docker Hub to GitHub Container Registry.
  • #488: Security-only updates fail when there are no credentials for GitHub.

FIXES:

  • #483: Update examples and clarify which GitHub token should be used.
  • #506, #526: Support all known types of registries correctly, when transforming them to extra credentials.
  • #489: Switch fetching of vulnerabilities to use Octokit instead of the graphql-client dependency.
  • #491: Also check for the path in the pull request title when deciding whether to abandon.

Full Changelog: 0.14.1...0.15.0

0.14.1

24 Jan 06:12

Fixes

  • #482: Closing pull requests should be false by default in the task.

Full Changelog: 0.14.0...0.14.1

0.14.0

17 Jan 08:09
efc465e

Happy new year to you who readeth thy release notes

BREAKING

  • #462: Explicit inputs are no longer supported.
  • #463: Specifying DEPENDABOT_EXTRA_CREDENTIALS in the pipeline is no longer supported. Instead use the registries node in the .github/dependabot.yml configuration file.
  • #464: Specifying DEPENDABOT_IGNORE_CONDITIONS in the pipeline is no longer supported. Instead use the ignore node in the .github/dependabot.yml configuration file.
  • #465: Specifying DEPENDABOT_ALLOW_CONDITIONS in the pipeline will emit a warning. Instead use the allow node in the .github/dependabot.yml configuration file.

NEW

  • #467: Added support for the vendor option, which results in cloning of repository contents. Cloning is now also done for npm and terraform updates.

Fixes

  • #470: Filter out nil/blank and empty values in security advisories
  • #471: Use version class for package manager to check satisfaction when closing PRs.

Full Changelog: 0.13.2...0.14.0

0.13.2

30 Dec 11:36
101fb6b

What's Changed

  • #450: Fix variables names in pull_request_approve and get_with_token methods

Full Changelog: 0.13.1...0.13.2

0.13.1

22 Dec 18:08
2f3330e

What's Changed

  • #447: Improve logic in checking PR title before abandoning
  • #448: Make abandoning PRs optional but enabled by default

Full Changelog: 0.13.0...0.13.1

0.13.0

22 Dec 03:40
215a198

BREAKING

  • #429: Remove support for configuration files in the .azuredevops folder.

NEW

  • #430 and #434: Security updates using GitHub's GraphQL.
  • #443: Abandon pull requests that are no longer needed.
  • #444: Support dependabot.yml file when using targetRepositoryName input.
  • #438: Instrument HTTP calls using logs for better visibility.

FIXED

  • #436 and #435: Zero is valid for open-pull-requests-limit and the value should always be passed to the container.
  • #433: Skip update when a peer dependency should be updated.
  • #431: UpdateChecker should respond to requirements_update_strategy.
  • #428: Fix handling of reviewers.
  • #440: Standardize API version for REST API to version 6.
  • #439: Use strings (enums) instead of integers for mergeStrategy.
  • #441: Replace the userEntitlements API with connectionData, so the correct user identifier is always used.
  • #442: Limit fetched pull requests to those for the current user (token owner).

Full Changelog: 0.12.1...0.13.0

0.12.1

14 Dec 07:14

What's Changed

Fix auto-completion and auto-approval by removing argument names on calls to azure_client.pull_request_approve(...) and azure_client.pull_request_auto_complete(...).

Full Changelog: 0.12.0...0.12.1

0.12.0

14 Dec 05:46

BREAKING

  • #416: DEPENDABOT_LABELS is no longer read from the pipeline variables. Labels are only supported in the configuration file.
  • #425: The task now uses Node 16 or later instead of Node 10.
  • GIT_AUTHOR_EMAIL and GIT_AUTHOR_NAME renamed to DEPENDABOT_AUTHOR_EMAIL and DEPENDABOT_AUTHOR_NAME respectively.

NEW

  • #427: Support for reviewers and assignees specified in the configuration file.
  • #419: Skip creating and updating all PRs via the skipPullRequests input or DEPENDABOT_SKIP_PULL_REQUESTS env. This is useful for testing.
  • #426: Log conflicting dependencies, if any, when an update is not possible.

FIXES

  • #423: Use the root directory to fetch the configuration file in Ruby, which solves issues with ignores.

Worth a mention

  • #407 and #412: Bump dependabot-core and dependabot-omnibus from 0.214.0 to 0.215.0.
  • #415 and #417: Reduce env passed from task extension to docker container by omitting default and empty values.
  • #422 and #424: Add more logs in Ruby for easier debugging and executional awareness.

Full Changelog: 0.11.2...0.12.0

0.11.2

05 Dec 08:53
9c648e0

What's Changed

  • #407 and #408: Bump dependabot-core and dependabot-omnibus from 0.213.0 to 0.214.0.
  • The extension is now included in the release assets. This is useful if you want to install from a file where allowed.

Full Changelog: 0.11.1...0.11.2