
dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

5,474 stars
1,336 forks
1,373 issues
Languages: Ruby, C#, JavaScript

AI Architecture Analysis

This repository is indexed by RepoMind. By analyzing dependabot/dependabot-core in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.

Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.

Source files are only loaded when you start an analysis to optimize performance.


Repository Overview (README excerpt)


Welcome to the public home of Dependabot :dependabot:.

## Table of Contents

- What is Dependabot-Core?
- How to run Dependabot
- Contributing to Dependabot
  - Reporting Issues and Feature Requests
  - Submitting Pull Requests
  - New Ecosystems
- Development Guide
  - Getting a Development Environment Running
  - Debugging Problems
  - Running Tests
  - Profiling
- Architecture and Code Layout
- Trademarks
- Notes for Project Maintainers

---

## What is Dependabot-Core?

Dependabot-Core is the library at the heart of Dependabot security / version updates. Use it to generate automated pull requests updating dependencies for projects written in Ruby, JavaScript, Python, PHP, Dart, Elixir, Elm, Go, Rust, Java, Julia, and .NET. It can also update git submodules, Docker files, OpenTofu and Terraform files, and pre-commit hooks.

Features include:

- Check for the latest version of a dependency *that's resolvable given a project's other dependencies*
- Generate updated manifest and lockfiles for a new dependency version
- Generate PR descriptions that include the updated dependency's changelogs, release notes, and commits

## How to run Dependabot

Most people are familiar with the Dependabot service that runs on GitHub.com and GitHub Enterprise. Enabling that is as simple as checking a configuration file in to your repository's directory.

However, if you want to run a custom version of Dependabot or run it on another platform, you're not left out in the cold. This repo provides the logic necessary for hosting your own standalone Dependabot. It currently supports opening pull requests against repositories hosted on GitHub, GitHub Enterprise, Azure DevOps, GitLab, Bitbucket, and AWS CodeCommit.

Dependabot-Core is a library, so you'll need an entrypoint script of some kind. Here are a few examples to help you get started.

> **Note:** If you're looking to run Dependabot locally for development/debugging purposes, see the Development Guide.

### Dependabot CLI

The open-source Dependabot CLI is our recommended entrypoint for standalone use cases. We use it in production here at GitHub, and advanced users can also leverage it to run a self-hosted version of Dependabot within their own projects / CI systems.

It creates dependency diffs but does not create PRs, so you will need to wire that up yourself. To aid with that, we created the example-cli-usage repo, which demonstrates how to turn those diffs into actual PRs.

### Write your own Ruby-based tool

Alternatively, because Dependabot-Core is a Ruby library, you can write your own Ruby-based wrapper that leverages the Dependabot-Core code. The tricky bit is that Dependabot assumes it's running in an isolated, throw-away environment, so you'll need to handle all of that yourself: for example, protecting against the security risk of arbitrary code execution exfiltrating credentials, ensuring the appropriate version of Go or Python or whatever language you need is available, and handling the changes Dependabot makes to its runtime environment.

### Dependabot on CI

In an environment such as GitHub where Dependabot runs in a container, if you want to change your build or installation process depending on whether it's running within the context of the Dependabot container, you can check for the existence of the environment variable.

## Contributing to Dependabot

### Reporting Issues and Feature Requests

👋 Want to give us feedback on Dependabot, or contribute to it? That's great - thank you so much!

#### Reproducible Example

Most bug reports should be accompanied by a link to a public repository that reproduces the problem. Bug reports that cannot be reproduced on a public repo using the CLI tool or dry-run script may be closed as "cannot reproduce".

#### No "+1" Comments

Our issue tracker is quite active, and as a result there's a good chance someone already filed the same issue. If so, please upvote that issue, because we use 👍 reactions on issues as one signal to gauge the impact of a feature request or bug. However, please do not leave comments that contribute nothing new to the discussion. For details, see https://go.dev/wiki/NoPlusOne.

This is open source: if you see something you want fixed, we are happy to coach you through contributing a pull request to fix it.

#### Don't file issues about Security Alerts or Dependency Graph

The issue tracker is meant solely for issues related to Dependabot's updating logic. Issues about security alerts or Dependency Graph should instead be filed as a Code Security discussion. A good rule of thumb is that if you have questions about the _diff_ in a PR, it belongs here.

#### Disclosing Security Issues

If you believe you have found a security vulnerability in Dependabot, please review our security policy for details about disclosing it to the GitHub Bug Bounty program, so we can work to resolve the issue before it is disclosed publicly.

### Submitting Pull Requests

Want to contribute to Dependabot? That's great - thank you so much!

Contribution workflow:

- Fork the project.
- Get the development environment running.
- Make your feature addition or bug fix.
- Add tests for it. This is important so we don't break it in a future version unintentionally.
- Send a pull request. The tests will run on it automatically, so don't worry if you couldn't get them running locally.

Please refer to the CONTRIBUTING guidelines for more information.

### New Ecosystems

If you're interested in contributing support for a new ecosystem, please refer to the contributing guidelines for more information.

## Development Guide

### Getting a Development Environment Running

The first step to debugging a problem or writing a new feature is getting a development environment going. We provide a custom Docker-based developer shell that bakes in all required dependencies. In most cases this is the best way to work with the project.

The developer shell uses volume mounts to incorporate your local changes to Dependabot's source code. This way you can edit locally using your favorite editor and the changes are…