title: Dependabot
author: mo (xlgmokha) (he/him)
date: 2021-11-17
Dependabot
[ASCII art: the Dependabot robot logo]
Based on a true story.
$ whoami
mo khan @xlgmokha
Senior Software Engineer
Dependabot
Agenda
- What is Dependabot?
- Dependabot on dotcom
- Dependabot on GHES
- Community
- Help Wanted
I talk fast. Try to keep up.
What is Dependabot?
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"

  |
  |
  V
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -78,7 +78,7 @@ GEM
minitest (5.14.4)
- net-hippie (1.0.0)
+ net-hippie (1.1.1)
nio4r (2.5.8)
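The diff above is the whole output of a Dependabot run for the bundler ecosystem: one pinned version moved in Gemfile.lock. As an added example (not code from the talk or from dependabot-core), the Ruby script below parses two versions of a Gemfile.lock and classifies each bump as major, minor or patch, which is the first thing a reviewer wants to know before merging an automated lockfile-only change; both lockfiles are constructed for the demo.

```ruby
# Added example (not from the talk or dependabot-core): diff two Gemfile.lock
# versions and classify each bump, the check a reviewer wants before merging
# an automated lockfile-only change like the one above.
# Constructed lockfiles for the demo (assumed content, not a real repo).
BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      minitest (5.14.4)
      net-hippie (1.0.0)
        faraday (>= 0.17)
      nio4r (2.5.8)

  PLATFORMS
LOCK
AFTER = BEFORE.sub("net-hippie (1.0.0)", "net-hippie (1.1.1)")
              .sub("nio4r (2.5.8)", "nio4r (3.0.0)")

# Top-level gems in the specs block sit at exactly four spaces of
# indentation; their own dependencies (six spaces) are skipped.
def parse_lockfile(text)
  versions = {}
  in_specs = false
  text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    in_specs = false if line.strip.empty?
    next unless in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
    versions[m[1]] = m[2]
  end
  versions
end

# :major, :minor or :patch according to the first differing component.
def bump_level(from, to)
  a = from.split(".").map(&:to_i)
  b = to.split(".").map(&:to_i)
  return :major if a[0] != b[0]
  return :minor if a[1] != b[1]
  :patch
end

# { gem => [from, to, level] } for every gem whose pinned version changed.
def lockfile_bumps(before, after)
  old = parse_lockfile(before)
  parse_lockfile(after).each_with_object({}) do |(name, to), bumps|
    from = old[name]
    bumps[name] = [from, to, bump_level(from, to)] if from && from != to
  end
end
```

Run `lockfile_bumps(BEFORE, AFTER)` to get `{"net-hippie" => ["1.0.0", "1.1.1", :minor], "nio4r" => ["2.5.8", "3.0.0", :major]}`; a major bump is the one to read the changelog for before merging.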
Map of Dependabot (dotcom)

  laptop: $ git push
    |
    v
  GitHub DC
    dotcom --(webhooks, hyro)--> 🤖-api
    |
    v
  AWS
    SQS Queue (o,x,o,o,x,...) --> 🤖-updater   <- The ~magic~ danger happens here.
    |
    v
  package registries: pypi.org, rubygems.org, npmjs.org, ...
Dependabot - Runtime (dotcom)

  (SQS)
    |
    v
  ec2-metal
    job runner
      |-- (export env) --> docker: 🤖-proxy ->->->-> package registries: pypi.org, rubygems.org, npmjs.org, ...
      |                                  ^
      |                                  | (all 🤖-updater traffic goes up through the proxy)
      `-- firecracker vm (one of many, stacked)
            job guest
              docker: 🤖-updater
Map of Dependabot (GHES)

  laptop: $ git push
    |
    v
  GitHub DC
    dotcom --(webhooks, hyro)--> 🤖-api --> Actions
Dependabot - Runtime (GHES)

  dependabot/action
    docker
      🤖-updater
        |
        v
      🤖-proxy ----> package registries: pypi.org, rubygems.org, npmjs.org, ...
Dependabot - Community

  🤖-updater (private)
    /bin
      - run.sh fetch|update
    /lib
      - fetch.rb
      - update.rb
    Gemfile
      - dependabot-omnibus
      - dependabot-bundler
      - dependabot-npm
      - dependabot-python
      - dependabot-...
        |
        v  (the Gemfile pulls in the public gems)
  🤖-core (public OSS)
    /bin
      - dry-run.rb
    /bundler
      - file_fetcher
      - file_parser
      - file_updater
      - update_checker
    /npm
    /python
    /...
dependabot/dependabot-core is a public repo that accepts community contributions.
- 50+ Open Pull Requests
- 700+ Open Issues
- 140+ Contributors
- Supports:
  - Azure
  - BitBucket
  - GitHub
  - GitLab
- 15+ supported ecosystems
- Used by 56 Public Repos
- Oldest Open PR (2018)
https://github.com/dependabot/dependabot-core
Dependabot - Community Contributions
$ gh repo clone dependabot/dependabot-core
$ cd dependabot-core
$ ./bin/docker-dev-shell
> image dependabot/dependabot-core-development already exists
=> running docker development shell
[dependabot-core-dev] $ ./bin/dry-run.rb go_modules cli/cli
=> cloning into /home/dependabot/dependabot-core/tmp/cli/cli
=> parsing dependency files
=> updating 34 dependencies: github.com/AlecAivazis/survey/v2, github.com/MakeNowJust/heredoc, github.com/briandowns/spinner, github.com/charmbracelet/glamour, github.com/cli/browser, github.com/cli/oauth, github.com/cli/safeexec, github.com/cpuguy83/go-md2man/v2, github.com/creack/pty, github.com/gabriel-vasile/mimetype, github.com/google/go-cmp, github.com/google/shlex, github.com/gorilla/websocket, github.com/hashicorp/go-version, github.com/henvic/httpretty, github.com/itchyny/gojq, github.com/kballard/go-shellquote, github.com/mattn/go-colorable, github.com/mattn/go-isatty, github.com/mgutz/ansi, github.com/muesli/reflow, github.com/muesli/termenv, github.com/muhammadmuzzammil1998/jsonc, github.com/opentracing/opentracing-go, github.com/shurcooL/githubv4, github.com/skratchdot/open-golang, github.com/sourcegraph/jsonrpc2, github.com/spf13/cobra, github.com/spf13/pflag, github.com/stretchr/testify, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, gopkg.in/yaml.v3
=== github.com/AlecAivazis/survey/v2 (2.3.2)
=> checking for updates 1/34
=> latest available version is 2.3.2
=> latest allowed version is 2.3.2
(no update needed as it's already up-to-date)
=== github.com/MakeNowJust/heredoc (1.0.0)
=> checking for updates 2/34
=> latest available version is 1.0.0
=> latest allowed version is 1.0.0
(no update needed as it's already up-to-date)
Dependabot - Debugging Private Registries
Debugging issues related to private registries is difficult.
We're working on it. github/dependabot-updates/pull/1956