Warning
🚧 Work in progress; dependabot@V2 is still under development and this document may change without notice up until general availability (GA).
V2 is a complete re-write of the Dependabot task; It aims to:
- Resolve the numerous private feed/registry authentication issues that currently exist in V1;
- More closely align the update logic with the GitHub-hosted Dependabot service;
The task now uses Dependabot CLI to perform dependency updates, which is the [currently] recommended approach for running Dependabot. See extension task architecture for more details on the technical changes and impact to the update process.
Warning
It is strongly recommended that you complete (or abandon) all active Depedabot pull requests created in V1 before migrating to V2. Due to changes in Dependabot dependency metadata, V2 pull requests are not compatible with V1 (and vice versa). Migrating to V2 before completing existing pull requests will lead to duplication of pull requests.
Dependabot CLI requires Go (1.22+) and Docker (with Linux containers). If you use Microsoft-hosted agents, we recommend using the ubuntu-latest image, which meets all task requirements. For self-hosted agents, you will need to install Go 1.22+.
Using configuration open-pull-requests-limit: 0 will cause a "not implemented" error. This is current limitation of V2. A solution is still under development and is expected to be resolved before general availability.
See: dependabot/cli#360 for more technical details.
Renamed to match Dependabot Core/CLI terminology. The input value remains unchanged. See configuring experiments for more details.
Due to the design of Dependabot CLI, the update process can no longer be interrupted once the update has started. Because of this, the update will now continue on error and summarise all error at the end of the update process.
This was a customisation/workaround specific to the V1 update script that can no longer be implemented with Dependabot CLI as it is not an official configuration option.
This is no longer required as the [custom] Dependabot Updater image is no longer used.
Due to the containerised design of Dependabot CLI, environment variables can no longer be passed from the task to the updater process. All Dependabot config must now set via dependabot.yaml or as task inputs. See changes to environment variables below for more details.
The following environment variables are now configured using pipeline system variables:
| Environment Variable | → | Pipeline Variable |
|---|---|---|
DEPENDABOT_DEBUG |
→ | System.Debug |
The following environment variables are now configured using task inputs:
| Environment Variable | → | Task Input |
|---|---|---|
DEPENDABOT_AUTHOR_EMAIL |
→ | authorEmail |
DEPENDABOT_AUTHOR_NAME |
→ | authorName |
DEPENDABOT_UPDATER_OPTIONS |
→ | experiments |
The following environment variables have been removed entirely; the feature is no longer supported:
| Removed Environment Variable | Reason |
|---|---|
DEPENDABOT_PR_NAME_PREFIX_STYLE |
Feature is not supported; It is not an official configuration |
DEPENDABOT_COMPATIBILITY_SCORE_BADGE |
Feature is not supported; It is not an official configuration |
DEPENDABOT_MESSAGE_HEADER |
Feature is not supported; It is not an official configuration |
DEPENDABOT_MESSAGE_FOOTER |
Feature is not supported; It is not an official configuration |
DEPENDABOT_SIGNATURE_KEY |
Feature is not supported; It is not an official configuration |
DEPENDABOT_JOB_ID |
Set automatically by extension |
Before removing the preview flag from V2 task.json, we need to:
- Open an issue in Dependabot-CLI, enquire how security-advisories are expected to be provided before knowing the list of dependencies. (dependabot/cli#360)
- Convert GitHub security advisory client in
vulnerabilities.rbto TypeScript code - Implement
security-advisoriesconfig once the answer the above is known - Review
task.json, add documentation for new V2 inputs - Update
\docs\extension.mdwith V2 docs - Update
\extension\README.MDwith V2 docs - Update
\README.MDwith V2 docs - Do a general code tidy-up pass (check all "TODO" comments)
- Add unit tests for V2 utils scripts
- Investigate https://zod.dev/