Releases: dependabot/dependabot-core

v0.370.0

16 Apr 11:30
b187959

Full Changelog: v0.369.0...v0.370.0

v0.369.0

09 Apr 20:42
32f37e1

Full Changelog: v0.368.0...v0.369.0

v0.368.0

02 Apr 16:48
75393ad

What's Changed

  • Add package manager detection and enhance NoChangeError logging by @robaiken in #14539
  • Fix Incorrect Compare Link in Generated PR Body by @thavaahariharangit in #14531
  • Include PR title and body in update_pull_request API calls by @Copilot in #14492
  • Load nix ecosystem in updater setup by @JamieMagee in #14548
  • Fix invalid update to Pre-Commit dependencies with mixed versioning schemes by @AbhishekBhaskar in #14538
  • Fix crash with terraform modules using host:port sources by @jurre in #14541
  • Upgrade Erlang OTP major version to 27 by @vbalazs in #14485
  • fix broken pip-compile test by @jakecoffman in #14562
  • fix python fetching when environment markers present by @jakecoffman in #14559
  • Preserve npm workspace manifest updates in PR files by @thavaahariharangit in #14542
  • bundler cooldown feature; Remove GPR special-casing, add fallback for registries that don't support the necessary API endpoint by @jeffwidman in #14551
  • Bump brace-expansion from 1.1.11 to 1.1.13 in /bun/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #14565
  • Bump brace-expansion in /npm_and_yarn/helpers by @dependabot[bot] in #14558
  • Bump brace-expansion from 1.1.12 to 1.1.13 in /npm_and_yarn/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #14564
  • Bump brace-expansion from 1.1.11 to 1.1.13 in /npm_and_yarn/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #14563
  • nix: fix permission denied on /nix/var/nix/db/big-lock by @JamieMagee in #14568
  • fix: Handle Excon::Error::Socket in RegistryClient and PackageDetailsFetcher by @markhallen in #14557
  • hex: add regression test for Hex.Repo.get_public_key/1 tuple order by @Copilot in #14407
  • fix Python update when the same dependency appears multiple times with different extras by @jakecoffman in #14578
  • feat: update Xcode pbxproj for Swift SPM by @markhallen in #14587
  • fix(conda): don't treat compound version constraints as fully qualified specs by @thavaahariharangit in #14586
  • [python][pip-compile] Fix constraint files (-c) in .in files not being fetched by @Copilot in #14588
  • Fix pre-commit tag prefix matching for monorepos with mixed tag prefixes by @AbhishekBhaskar in #14582
  • Add support for update-types in allow block by @Copilot in #12925
  • pip: Warn when ownership changes by @martincostello in #14235
  • terraform: handle private/unresolvable providers during lockfile updates by @jurre in #14585
  • Fix Python MetadataFinder leaking private package names to public PyPI by @jurre in #14590
  • Promote Nix ecosystem from beta to GA by @JamieMagee in #14597
  • Fix allow update-types filtering for individual dependency updates by @kbukum1 in #14598
  • v0.368.0 by @dependabot-core-action-automation[bot] in #14604

Full Changelog: v0.367.0...v0.368.0

v0.367.0

26 Mar 14:58
f8a7c99

Full Changelog: v0.366.0...v0.367.0

v0.366.0

19 Mar 16:49
17c06a4

What's Changed

  • Add scanned_manifests_path metadata to snapshots by @brrygrdn in #14406
  • Fix regex pattern in pre-commit file parser and file-updater by @AbhishekBhaskar in #14429
  • Handle unhandled uv errors prefixed with CPython interpreter info by @thavaahariharangit in #14433
  • Handle Docker API version mismatch in script/build by @thavaahariharangit in #14436
  • Remove avoid_duplicate_updates_package_json FF from dependabot-core by @Copilot in #14428
  • Avoid sheering off directories by using manifest_file.directory by @brrygrdn in #14439
  • Fix: Bundler ignore rules now suppress path_dependencies_not_reachable errors during file fetching by @Copilot in #14435
  • Extend Swift UpdateChecker to support Xcode-managed SwiftPM projects by @AbhishekBhaskar in #14411
  • Extend Swift file updater to support xcode swiftpm dependency update by @AbhishekBhaskar in #14394
  • strip extras from Python PURLs in DG payload by @jakecoffman in #14462
  • only try to create pr if update operations were performed by @brettfo in #14463
  • additional unparseable file message by @brettfo in #14464
  • fix(github_actions): use most specific version tag when updating comments by @jeffwidman in #14461
  • fix(uv): strip extras from dependency names in PURL generation by @Copilot in #14468
  • Update corepack to 0.34.6 by @yeikel in #14371
  • Bump maven from 3.9.12 to 3.9.14 in /maven by @dependabot[bot] in #14446
  • honor update-types in grouped/ungrouped updater by @brettfo in #14475
  • feat: add .xcworkspace support for xcode swiftpm by @markhallen in #14459
  • fix(hex): correct tuple order for Hex.Repo.get_public_key response by @georgeguimaraes in #14380
  • Bump patch-package from 8.0.0 to 8.0.1 in /npm_and_yarn/helpers by @dependabot[bot] in #14445
  • Fix "Multiple sources!" error for case-variant Terraform/OpenTofu provider declarations by @Copilot in #14434
  • v0.366.0 by @dependabot-core-action-automation[bot] in #14481

Full Changelog: v0.365.0...v0.366.0

v0.365.0

12 Mar 08:54
cc70433

What's Changed

  • add Poetry grapher by @jakecoffman in #14362
  • fix: poetry grapher should prefer poetry.lock for relevant_dependency_file by @Copilot in #14378
  • Fix elm Elm19LatestVersionFinder to respect ignore conditions by @kbukum1 in #14372
  • Bump System.Text.Json from 9.0.11 to 10.0.3 by @dependabot[bot] in #14388
  • Bump library/golang from 1.26.0-bookworm to 1.26.1-bookworm in /go_modules by @dependabot[bot] in #14385
  • Bump @npmcli/arborist from 9.3.0 to 9.4.0 in /npm_and_yarn/helpers in the npm-dependencies group by @dependabot[bot] in #14321
  • Bump eslint from 10.0.2 to 10.0.3 in /npm_and_yarn/helpers in the dev-dependencies group by @dependabot[bot] in #14384
  • Bump the all-actions group across 1 directory with 6 updates by @dependabot[bot] in #14393
  • Bump xunit.v3 from 3.0.0 to 3.2.2 by @dependabot[bot] in #14389
  • Bump @pnpm/dependency-path from 5.1.3 to 1001.1.10 in /npm_and_yarn/helpers in the pnpm-dependencies group by @dependabot[bot] in #14322
  • Upgrade uv to v0.10.9 by @edgarrmondragon in #14381
  • Bump library/rust from 1.93.1-bookworm to 1.94.0-bookworm in /cargo by @dependabot[bot] in #14383
  • bazel: Remove Label() scanning from .bzl file fetching by @redsun82 in #14395
  • python:block constraints update that conflicts by @thavaahariharangit in #14375
  • Bump silent/tests go.mod to Go 1.26 by @jeffwidman in #14401
  • Replace gh release download with go install for Dependabot CLI by @jeffwidman in #14400
  • feat: Add Swift FileParser support for Xcode-managed SwiftPM projects by @markhallen in #14360
  • Extract TitleBuilder for PR title composition by @kbukum1 in #14285
  • gradle: fix wrapper updater crash when only some wrapper files define checksum by @pedromfmachado in #14399
  • Extract pre-commit dependency version from comment in PR description by @AbhishekBhaskar in #14403
  • Maven: skip unresolvable properties by @yeikel in #14344
  • fix(npm_and_yarn): prevent path traversal and make temp dependency file writes deterministic by @thavaahariharangit in #14405
  • Test ARM64 Docker builds in CI by @Copilot in #14396
  • fix(npm_and_yarn): pass private registry env vars to corepack fallback by @thavaahariharangit in #14413
  • don't fail if nuget feed returns unexpected 404 by @brettfo in #14409
  • Add Pipenv support to Python DependencyGrapher by @Copilot in #14402
  • v0.365.0 by @dependabot-core-action-automation[bot] in #14422

Full Changelog: v0.364.0...v0.365.0

v0.364.0

05 Mar 20:08
fb7b8fc

What's Changed

  • Fix flaky Composer UpdateChecker test: mock VersionResolver instead of stubbing PHP subprocess HTTP calls by @Copilot in #14266
  • feat: Add PR message formatting for dependency-name groups by @markhallen in #14289
  • refactor: Remove group_by_dependency_name feature flag by @markhallen in #14292
  • Add uv dependency grapher by @Nishnha in #14295
  • Bump octokit from 7.2.0 to 10.0.0 in /updater by @dependabot[bot] in #14241
  • Bump sentry-ruby from 5.23.0 to 5.28.1 in /updater by @dependabot[bot] in #14242
  • Bump gitlab from 5.1.0 to 6.1.0 in /updater by @dependabot[bot] in #14240
  • Bump sentry-opentelemetry and sentry-ruby in /updater by @dependabot[bot] in #14308
  • Bump terminal-table from 3.0.2 to 4.0.0 in /updater by @dependabot[bot] in #14239
  • Bump the dev-dependencies group across 2 directories with 1 update by @dependabot[bot] in #14311
  • Bump the prod-dependencies group across 2 directories with 4 updates by @dependabot[bot] in #14310
  • Bump minimatch from 3.0.4 to 3.1.5 in /npm_and_yarn/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #14305
  • Bump minimatch from 3.1.2 to 3.1.5 in /bun/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #14287
  • Bump lodash from 4.17.21 to 4.17.23 in /bun/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #14017
  • Bump lodash from 4.17.21 to 4.17.23 in /npm_and_yarn/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #13993
  • Bump minimatch from 3.1.2 to 3.1.5 in /npm_and_yarn/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #14303
  • Bump minimatch from 3.1.2 to 3.1.5 in /bun/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #14299
  • Bump lodash from 4.17.21 to 4.17.23 in /bun/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #13996
  • Bump lodash from 4.17.21 to 4.17.23 in /npm_and_yarn/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested by @dependabot[bot] in #13995
  • Bump Microsoft.Web.Xdt from 3.2.0 to 3.2.3 by @dependabot[bot] in #14252
  • Bump the all-actions group with 3 updates by @dependabot[bot] in #14316
  • Bump System.CommandLine from 2.0.0-beta6.25358.103 to 2.0.3 by @dependabot[bot] in #14319
  • Bump regclient/regctl from v0.11.1 to v0.11.2 in /docker in the regclient group by @dependabot[bot] in #14317
  • Bump Microsoft.Build.Tasks.Core and Microsoft.Build.Utilities.Core by @dependabot[bot] in #14187
  • Bump dotnet-sdk from 9.0.302 to 9.0.303 in /nuget/helpers/lib/NuGetUpdater by @dependabot[bot] in #12666
  • Bump Newtonsoft.Json from 13.0.3 to 13.0.4 by @dependabot[bot] in #14253
  • Bump minimatch in /bun/helpers by @dependabot[bot] in #14312
  • Bump minimatch in /npm_and_yarn/helpers by @dependabot[bot] in #14304
  • Update Composer to the latest 2.9 version (2.9.5) by @T2L in #14267
  • Bump library/rust from 1.93.0-bookworm to 1.93.1-bookworm in /cargo by @dependabot[bot] in #14177
  • Bump library/golang from 1.25.7-bookworm to 1.26.0-bookworm in /go_modules by @dependabot[bot] in #14179
  • Bump ajv from 6.12.6 to 6.14.0 in /npm_and_yarn/helpers by @dependabot[bot] in #14244
  • Bump ajv from 6.12.6 to 6.14.0 in /bun/helpers by @dependabot[bot] in #14245
  • Bump golang.org/x/mod from 0.27.0 to 0.33.0 in /go_modules/helpers by @dependabot[bot] in #14178
  • Bump org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0 in /maven/lib/dependabot/maven by @dependabot[bot] in #13233
  • Bump prettier from 3.7.4 to 3.8.1 in /npm_and_yarn/helpers in the dev-dependencies group by @dependabot[bot] in #14180
  • Bump the dev-dependencies group across 1 directory with 2 updates by @dependabot[bot] in #14315
  • Bump js-yaml from 3.14.1 to 3.14.2 in /npm_and_yarn/helpers by @dependabot[bot] in #13613
  • Bump the pnpm-dependencies group in /npm_and_yarn/helpers with 2 updates by @dependabot[bot] in #10361
  • Update ESLint configuration file to new format by @bohdanhusak in #13785
  • Bump eslint from 9.39.1 to 10.0.0 in /npm_and_yarn/helpers by @dependabot[bot] in #14182
  • Bump pip-tools from 7.4.1 to 7.5.0 in /python/helpers in the pip-tools group by @dependabot[bot] in #12770
  • Bump gradle from 8.14.3-jdk21-ubi-minimal to 9.0.0-jdk21-ubi-minimal in /gradle by @dependabot[bot] in #13971
  • Bump globals from 16.5.0 to 17.4.0 in /npm_and_yarn/helpers by @dependabot[bot] in #14325
  • Fetch pre-commit additional dependencies language field from hook source repository by @AbhishekBhaskar in #14300
  • fix(npm_and_yarn): avoid group refresh NoChangeError for non-pnpm support-file updates by @thavaahariharangit in #14331
  • Set smoke test max parallelism to 10 by @JamieMagee in #14307
  • Bump System.ComponentModel.Composition from 9.0.7 to 10.0.3 by @dependabot[bot] in #14326
  • fix(go_modules): normalize Azure DevOps module paths to include /_git/ by @thavaahariharangit in #14302
  • Bump System.Threading.Tasks.Dataflow from 9.0.13 to 10.0.3 by @dependabot[bot] in #14329
  • Bump System.Security.Cryptography.Pkcs from 9.0.7 to 10.0.3 by @dependabot[bot] in #14327
  • Fix GitHub Actions SHA-pinned refs being downgraded when mixed with tag refs by @jurre in #14349
  • Fix ignore option for gitsubmodule by @etan-status in #14352
  • cargo: Bypass Cargo credential providers, rely on proxy for registry auth by @jeffwidman in #14340
  • bundler: use replaces_base credential for gemspec-only deps by @jeffwidman in #14348
  • Bump NuGet.Client submodule from release-6.12.x to release-6.14.x by @JamieMagee in #14343
  • nuget: switch NuGetUpdater target framework to net10.0 by @JamieMagee in #14345
  • Disable scheduled CI workflow in forks by @martincostello in #14314
  • Remove beta ecosystems feature flag for pre-commit by @AbhishekBhaskar in #14341
  • Enhance Docker update checker to handle non-semver tags by @jpinz in #14337
  • Remove enable_shared_helpers_command_timeout feature flag by @Copilot in #14125
  • cargo: strip credential-provider from .cargo/config.toml via TOML parsing by @jeffwidman in #14359
  • Remove enable_record_ecosystem_meta feature flag by @Copilot in #14353
  • feat: Extend Swift FileFetcher for Xcode-managed SwiftPM (.xcodeproj) support by @markhallen in #14332
  • v0.364.0 by @dependabot-core-action-automation[bot] in #14366

Full Changelog: v0.363.0...v0.364.0

v0.363.0

26 Feb 17:20
19ad37e

What's Changed

  • fix: fall back to older versions when pnpm trust downgrade blocks latest by @thavaahariharangit in #14213
  • Implement metadata finder for pre-commit by @AbhishekBhaskar in #14222
  • Bump Microsoft.Extensions.FileSystemGlobbing from 9.0.7 to 10.0.3 by @dependabot[bot] in #14190
  • Bump the all-actions group across 1 directory with 3 updates by @dependabot[bot] in #14216
  • Bump nokogiri from 1.18.9 to 1.19.1 in /updater by @dependabot[bot] in #14226
  • Bump the dev-dependencies group across 1 directory with 11 updates by @dependabot[bot] in #14185
  • add support for hex aliases by @efcasado in #14225
  • Validate that the dependabot ref namespace is available by @yeikel in #14218
  • Bump the prod-dependencies group across 1 directory with 24 updates by @dependabot[bot] in #14233
  • Bump rspec-its from 1.3.0 to 2.0.0 in /updater by @dependabot[bot] in #13387
  • Bump Microsoft.Extensions.FileProviders.Abstractions from 9.0.7 to 10.0.3 by @dependabot[bot] in #14189
  • Fix required_ruby_version in placeholder gemspec by @JamieMagee in #14243
  • Fix FileUpdater error for pnpm catalog dependencies fetched from parent directories by @Copilot in #14255
  • Bump the all-actions group with 2 updates by @dependabot[bot] in #14249
  • Bump sigstore/cosign/cosign from v3.0.4 to v3.0.5 in /docker in the regclient group by @dependabot[bot] in #14250
  • Exclude JSON files from changelog detection by @Copilot in #14206
  • Add support for version comments in pre-commit configuration by @robaiken in #14260
  • Use DG ecosystem in snapshot metadata by @brrygrdn in #14259
  • Update dockerfile to import images of dependent ecosystems by @AbhishekBhaskar in #14229
  • fix: Prevent per-directory individual PRs when group-by-name deps are rejected by semver rules by @markhallen in #14270
  • Fix go modules reachability error classification by @thavaahariharangit in #14283
  • Add pre-commit additional dependencies support for Dart by @AbhishekBhaskar in #14274
  • v0.363.0 by @dependabot-core-action-automation[bot] in #14288

Full Changelog: v0.362.0...v0.363.0

v0.362.0

19 Feb 15:21
93d8484

What's Changed

  • retain version wildcards when writing xml by @brettfo in #14205
  • Fix workspace stash error affecting all ecosystems during group updates by @Copilot in #14165
  • fix: add support for nested maven properties by @yeikel in #13746
  • Fix typo in Docker SemVer docs by @Wirone in #14171
  • v0.362.0 by @dependabot-core-action-automation[bot] in #14221

Full Changelog: v0.361.2...v0.362.0

v0.361.2

18 Feb 21:42
41c2f16

What's Changed

  • register msbuild upon entering clone command by @brettfo in #14167
  • Bump the npm-dependencies group across 1 directory with 3 updates by @dependabot[bot] in #13280
  • use more robust tfm discovery for projects by @brettfo in #14169
  • improve project discovery merging by @brettfo in #14089
  • npm: Warn when install scripts change between versions by @JamieMagee in #14069
  • Add comprehensive error handling for uv lock and uv pip compile failures by @thavaahariharangit in #14145
  • npm: Warn when attestation/provenance is lost between versions by @JamieMagee in #14170
  • Handle pnpm ERR_PNPM_TRUST_DOWNGRADE by silently skipping untrusted versions by @thavaahariharangit in #14150
  • Remove gradle_wrapper_updater feature flag by @kbukum1 in #14174
  • Prioritize tagged releases over latest commit in git_submodules by @etan-status in #13052
  • Fix RuboCop linter errors in group PR directory matching tests by @Copilot in #14208
  • Nishnha/fix pr directory comparison by @Nishnha in #13899
  • Split copilot instructions into scoped files by @jurre in #14209
  • Improve FileUpdater error diagnostics for support-file-only scenarios by @Copilot in #14198
  • Add the Pre-Commit Ecosystem by @robaiken in #13977
  • Add pre-commit gem in omnibus and updater gemfile and lockfile by @AbhishekBhaskar in #14215
  • v0.361.2 by @dependabot-core-action-automation[bot] in #14220

Full Changelog: v0.361.1...v0.361.2