Jeff Widman
### Is there an existing issue for this? - [X] I have searched the existing issues ### Code improvement description _jurre created a new cleaner way to create/manage feature flags...
`composer` supports an `outdated` command which we may potentially be able to leverage to see which libraries are outdated. The output has sections for both direct and transitive deps, and...
Filing a ticket so this discussion doesn't get lost: https://github.com/dependabot/dependabot-core/pull/4694#pullrequestreview-876085556
The go test fixtures hardcode various versions of go in their `go.mod` files. However, as new releases of `go` land, ideally the tests run against multiple permutations... i.e., dependabot running...
Supporting old versions is nice, but adds an engineering cost... especially for drive-by committers like myself. It'd be helpful to have clearly stated minimum supported versions, such as "We default...
I saw this comment: https://github.com/dependabot/dependabot-core/blob/9c090f6fe573aa3b6b05d20920c7c48f5f00403f/python/lib/dependabot/python/update_checker.rb#L109-L115 However, `pip` now ships with a real resolver: https://pyfound.blogspot.com/2020/11/pip-20-3-new-resolver.html I'm not familiar enough with the underlying Dependabot code to know if there's really a potential...
Copied from our internal issue tracker since it's `dependabot-core` specific: > Deferred from https://github.com/dependabot/dependabot-core/pull/2552 > > In [this method](https://github.com/dependabot/dependabot-core/blob/bundler-2-spike/common/lib/dependabot/shared_helpers.rb/#L81) we return `JSON.parse(content-from-shelled-out-command)` to the calling code. > > As part...
I noticed this TODO in our code: https://github.com/dependabot/dependabot-core/blob/252cb9a123e82391995797fdac45cb8b6f49cbe7/bundler/lib/dependabot/bundler/file_updater/lockfile_updater.rb#L261 I also extracted some additional notes from our internal issue tracker: - Remove `sanitized_lockfile_body` from `Dependabot::Bundler::FileUpdater::LockfileUpdater` - We anticipate the `BUNDLED WITH`...
An `npm` project is allowed to have multiple versions of the same dependency in the tree. When parsing the dependency we consolidate the different versions using the [DependencySet](https://github.com/dependabot/dependabot-core/blob/252cb9a123e82391995797fdac45cb8b6f49cbe7/common/lib/dependabot/file_parsers/base/dependency_set.rb). This retains...
Almost all the examples previously had `daily`. However, we've heard from users that this often creates a little too much noise, so we changed the default in the `.github/dependabot.yaml` template...