It looks like the groups option is not working #685
Correct. This is not yet supported. PRs are welcome though it may require building an updater similar to GitHub's version.
@mburumaxwell Name a bounty for this and I'll sponsor you - no joke. This has been my #1 feat missing that I've been missing from Renovate and I really need this <3
@ColinKrist I can also help to match a bounty if someone wants to pick it up. Maybe something that can be listed on Bounty Source?
This is quite an interesting proposition. Curious what the offers actually are ...
I was going to try and DM you on Twitter / GitHub but your DMs are closed. Does $75 USD sound fair - wanted to ask about difficulty because I'd be willing to get this expensed from my employer. LMK
Opened Twitter DMs in case you need that. I have no particular inclination on the bounty besides curiosity. Maybe I will once I have a clue on the amount of effort required. Meanwhile, maybe you should post all the bounties on Bounty Source like this one https://app.bountysource.com/issues/123710224-pnpm-support
Done, https://app.bountysource.com/issues/123710276-it-looks-like-the-groups-option-is-not-working The azure pipeline task ecosystem community is small. I definitely want to give back and support you guys where I can and make sure you guys feel like the work amounts to something.
FYI @mburumaxwell has set the bounty for this at $500. I've just committed to the cause as I agree this is a much-needed feature. If you're interested in getting this feature implemented and are able to contribute to funding the bounty, please do so using the link posted by @ColinKrist above.
You may have to use GH sponsors at your own convenience. Bountysource has serious problems:
https://github.com/bountysource/core/wiki/Frequently-Asked-Questions#can-i-receive-a-refund-for-a-bounty-i-posted I've sent in my request, but who knows how long it'll be in limbo. @mburumaxwell once I get this money back I'll consider sending this over via GH. I'm hoping for something a bit more public to prevent misuse / guarantee the work will be done. Will you start the work before receiving the funds for this feature? I should have set an expiration time on the bounty to prevent feature work limbo like this, so I apologize to anyone who has added funds to the bounty.
@ColinKrist No worries, none of us knew of the problems. Is the intention to withdraw the bounty and fund through another mechanism? I paid through PayPal but convinced my (apparently rightly skeptical) organisation to reimburse me - I'll open a dispute with PayPal and seek a refund, then figure out how I can pay my org back.
The more important thing is that you get your money back instead of losing it. Sponsoring on GH will be your choice and at your convenience. Will the work be done before that? Yes, it appears we need PR grouping internally too. However, I can't promise any timelines because I know the amount of changes required.
@mburumaxwell wrote:
Would you be able to share a rough outline of what you think needs to be done? I'm curious to give this a go myself but I don't know this codebase, so it'd be very helpful to hear an analysis from somebody who does.
Please do not use bountysource. Many devs have had trouble getting paid there. You can check out this lemmy community as an alternative https://lemmy.ml/c/bugbounties For statements from devs who have been unable to cash out from bountysource see:
It is now available in the stable version: https://github.blog/2023-08-24-a-faster-way-to-manage-version-updates-with-dependabot/
@mburumaxwell Can this maybe be included now?
Not yet but probably won't decline a contribution.
@RoystonS first step is to understand how grouping works in dependabot. Then plug that into the updater script while taking into account merge conflict resolution and closing of unwanted PRs.
Is this still something that is being looked at or implemented?
Yes but improving the updater to avoid the very lengthy file needs to happen first. Unfortunately, that seems to have stalled due to the amount of time it requires. Copying from the official updater does not seem to be a solution due to its complexity; meaning we need to write our own bearing in mind testability, resolution of merge conflicts for groups etc. It is also entirely possible that I am looking at this from the wrong angle and another set of eyes could go about it differently; that's why it is open source.
Hi, is there any other news on that? This would be a very nice feature.
For the benefit of those looking on wondering why this isn't "just being done"... From what I can see, the difficulty is that, due to the way the original GitHub dependabot code is structured, quite a bit of logic from that codebase needs to be duplicated/forked in this package in order to make it work with ADO. It isn't simply a case of providing an ADO-specific implementation of some nice clean abstractions. This means that features like grouping require a lot more specific code in this repo than might otherwise be the case.
Really looking forward to grouping support. It is indeed the only feature we are currently missing for our configuration.
Is there an update for this issue? We are really looking forward to it as well.
Any update on this?
No there are no updates.
@rhyskoedijk That's an immense contribution, thank you for the time and effort you've put into those PRs. I'm sure that this work will benefit a lot of people once it has been merged. I previously contributed to a bounty for this feature, but the bounty ended up being cancelled. I'd be more than happy to re-contribute that money to you once this feature has been merged in. If you enable sponsorship on your GitHub profile, that is probably the best way for us to sponsor you.
I appreciate the offer, but that's not necessary. If anybody, sponsor the owner of the repo for keeping this project going and actively maintaining it.
Thanks for your work, I'm looking forward to trying this out.
Yes, images from 1.30.0 onwards have this. If you are using the image directly replace

```yaml
- task: dependabot@1
  inputs:
    useUpdateScriptvNext: true
    # optionally pin the tag
    # dockerImageTag: latest # or '1.30.2-ci0005' if you are pinning some recent changes
```
I would very much like to hear if there are any issues coming from non-nuget updates.
I've tried the new version. The grouping works great, thank you!
I've been using vNext for the last week on about 10 repos with a mixture of NuGet, NPM, and Yarn. So far it has been working well with the exception of a few issues already known and reported in dependabot-core.
I've had this too in large group PRs. Unfortunately Azure DevOps has a 4000 character limit for PR description which does seem to cause problems sometimes. If Dependabot truncates the description in the wrong place it can cause HTML tags to not be closed properly, code blocks to not be terminated properly, etc. Give this an upvote or comment:
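The failure mode described in that comment (a description cut at an arbitrary offset, leaving a ``` fence or a `<details>` tag unterminated) is easy to avoid on the producing side. The following is an added example, not code from the dependabot-azure-devops project or from Dependabot: it trims a markdown PR description to a 4000-character budget, cutting only at a line boundary, dropping any code block the cut would split, and closing any `<details>`/`<summary>` containers still open. The notice text and the sample input used to exercise it are constructed for illustration.

```typescript
// Added example, not code from the dependabot-azure-devops project.
// Truncates a markdown PR description to Azure DevOps' 4000-character
// limit without cutting inside a fenced code block and without leaving
// <details>/<summary> tags unclosed. The notice text below is constructed.

export const ADO_PR_DESCRIPTION_LIMIT = 4000;
const TRUNCATION_NOTICE =
  "\n\n_Description truncated to fit the Azure DevOps 4000-character limit._\n";
// Room reserved for a closing fence and a few closing HTML tags.
const CLOSER_RESERVE = 64;

/** Start offsets of every line that opens or closes a ``` fence. */
export function fencePositions(text: string): number[] {
  return Array.from(text.matchAll(/^```/gm)).map((m) => m.index as number);
}

/** True when the text ends inside an unterminated ``` block. */
export function isInsideFence(text: string): boolean {
  return fencePositions(text).length % 2 === 1;
}

/** Tags (innermost last) that were opened but never closed in the text. */
export function unclosedTags(text: string): string[] {
  const stack: string[] = [];
  for (const m of text.matchAll(/<(\/?)(details|summary)\b[^>]*>/gi)) {
    const tag = m[2].toLowerCase();
    if (m[1] === "/") {
      const i = stack.lastIndexOf(tag);
      if (i >= 0) stack.splice(i, 1); // drop the matching opener
    } else {
      stack.push(tag);
    }
  }
  return stack;
}

export function truncateDescription(
  description: string,
  limit: number = ADO_PR_DESCRIPTION_LIMIT,
): string {
  if (description.length <= limit) return description;

  const budget = limit - TRUNCATION_NOTICE.length - CLOSER_RESERVE;
  // Cut at a line boundary so no markdown line is split in half.
  let cut = description.lastIndexOf("\n", budget);
  if (cut <= 0) cut = budget;
  let head = description.slice(0, cut);

  // If the cut fell inside a code block, drop the partial block entirely
  // (keeps the output readable) or, when the block started at the very
  // top of the text, terminate it instead.
  if (isInsideFence(head)) {
    const fences = fencePositions(head);
    const openedAt = fences[fences.length - 1];
    head =
      openedAt > 0
        ? head.slice(0, openedAt).replace(/\n+$/, "")
        : head + "\n```";
  }

  // Close any HTML containers the cut left open, innermost first.
  const closers = unclosedTags(head)
    .reverse()
    .map((t) => `</${t}>`)
    .join("");

  return head + closers + TRUNCATION_NOTICE;
}
```

The budget deliberately leaves slack for the closing fence and tags so the final string never exceeds the limit; a description that already fits is returned untouched.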
@rhyskoedijk Are your NPM repositories in a private Azure Artifacts feed? I've just tried implementing grouping for NPM but now it fails auth for me. NuGet is authenticating with no problems. NuGet Credentials (working):
NPM Credentials (not working):
@DaleMckeown, I have not tested NPM with private feeds, no. AFAIK, only NuGet private feed auth currently works and that only works because I submitted some hacks to restore the old functionality. It might be possible to restore the old auth for NPM using a similar "fix", but I haven't looked into it. I believe to properly restore private feed auth in all package managers, this project will need to implement behavior similar to dependabot-cli, which wraps the "updater" container in a special "proxy" container that injects the auth credentials to all outgoing HTTP requests for private feeds. This would be a lot of work to implement, so not sure if/when that would be supported.
It seems that there are only a couple of options:
1 and 3 are quite simple. In fact, if you have that luxury of doing it, I recommend it because you will have less hassle. I recently did this for a couple of organizations/repositories. Granted that sometimes you'll get flaky PRs. Also, Azure DevOps does enterprise much better/cheaper. As for supporting the proxy, see #1317
It would be good if #1293 could be tested, this would fix my auth issues at least in the interim. With option 3, the biggest concern is that others external to the organisation would theoretically be able to access/download closed source code, so it's not an ideal solution for us.
@DaleMckeown FYI that Task V2 has been recently added which uses dependabot-cli to perform updates; It is still very experimental and has some bugs that are still being worked through, but it should resolve the NPM auth issues you were facing. If you are in a position to test it out, feedback would be appreciated.
@rhyskoedijk Nice one! I'll test this out next week and report back.
I confirm groups are working with v2
@mburumaxwell it might be worth closing this now; there hasn't been any further issues related to groups since your comment for feedback three months ago; Groups are supported in V2 and in V1 if
Hello, is it correct that this (beta) option is not supported? And if not, are there any plans to add support for it?
It would be extremely helpful.
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#grouping-dependabot-version-updates-into-one-pull-request