DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

jQuery should be upgraded to 3.5.1 #2805

Closed valentijnscholten closed 4 years ago

valentijnscholten commented 4 years ago

jQuery is lagging behind a bit at 3.5.1 due to dependabot not offering 3.5.1 to us in a PR. We skipped 3.5.0 in https://github.com/DefectDojo/django-DefectDojo/pull/2416. I have filed a bug report with dependabot, so let's wait a bit to see their response. I'd like to help them fix it. Or get educated on what we're missing :-) The update is not urgent, so we can afford to wait. It would also help us to see it fixed and test it so we can start trusting dependabot again :-)

valentijnscholten commented 4 years ago

This is what I sent to them:

Hi,

We are using dependabot and it works fine most of the time. But currently we see what we believe to be a bug.

Earlier this year we got a PR from dependabot to update jquery from 3.4.1 to 3.5.0.

But jquery 3.5.0 had breaking changes, so we wanted to skip 3.5.0. So we used

@dependabot close

There was no suitable ignore option, as we didn't want to ignore 3.x.x and didn't want to ignore 3.5.x, and dependabot doesn't allow ignoring a specific patch version. So we just closed the PR.

However, now that jquery 3.5.1 has been out for a while we should get a PR for that from dependabot. But we don't.
In the logs I can see that dependabot sees 3.5.1 as the latest version, but it seems to skip it because there is already a PR for 3.5.0?

updater | INFO <job_45257903> Starting job processing
updater | INFO <job_45257903> Starting update job for DefectDojo/django-DefectDojo
updater | INFO <job_45257903> Checking if jquery 3.4.1 needs updating
  proxy | 2020/08/27 18:41:01 [004] GET https://registry.npmjs.org:443/jquery
  proxy | 2020/08/27 18:41:01 [004] 200 https://registry.npmjs.org:443/jquery
  proxy | 2020/08/27 18:41:01 [006] GET https://registry.npmjs.org:443/jquery/3.5.1
  proxy | 2020/08/27 18:41:01 [006] 200 https://registry.npmjs.org:443/jquery/3.5.1
updater | INFO <job_45257903> Latest version is 3.5.1
  proxy | 2020/08/27 18:41:01 [008] GET https://registry.npmjs.org:443/jquery/3.5.0
updater | INFO <job_45257903> Requirements to unlock own
updater | INFO <job_45257903> Requirements update strategy bump_versions
updater | INFO <job_45257903> Pull request already exists for jquery@3.5.0

Two issues with that:
1) That PR is closed, so it should create a new one.
2) That PR is for 3.5.0 and we now have 3.5.1 available, so even if there already is an existing (open or closed) PR it should create a new PR?

Or are we missing something?

Valentijn

Logs: https://app.dependabot.com/accounts/DefectDojo/update-logs/45257903
PR: https://github.com/DefectDojo/django-DefectDojo/pull/2416
Repo: https://github.com/DefectDojo/django-DefectDojo
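To make the two points above concrete, here is an added example (not part of the issue thread, and not dependabot or DefectDojo code) that scans an updater log of the shape quoted above and flags a "Pull request already exists" line that stops the run at a version older than the reported latest, or at a PR that is known to be closed. The log text and the set of closed PRs are constructed inputs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the updater log quoted in the issue.
SAMPLE_LOG = """\
updater | INFO <job_45257903> Checking if jquery 3.4.1 needs updating
updater | INFO <job_45257903> Latest version is 3.5.1
updater | INFO <job_45257903> Pull request already exists for jquery@3.5.0
"""

CHECK_RE = re.compile(r"Checking if (\S+) (\S+) needs updating")
LATEST_RE = re.compile(r"Latest version is (\S+)")
EXISTS_RE = re.compile(r"Pull request already exists for (\S+)@(\S+)")


def parse_version(text):
    """'3.5.1' -> (3, 5, 1); only numeric components are compared."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


@dataclass
class Finding:
    dependency: str
    current: str
    latest: str
    pr_version: str
    reasons: list = field(default_factory=list)


def find_stale_pr_blocks(log_text, closed_prs=frozenset()):
    """Walk one updater run and report every 'Pull request already exists'
    line that blocks a newer version or refers to a PR known to be closed.
    closed_prs is a set of (dependency, version) pairs (assumed input)."""
    findings = []
    dep = current = latest = None
    for line in log_text.splitlines():
        if m := CHECK_RE.search(line):
            dep, current, latest = m.group(1), m.group(2), None
        elif m := LATEST_RE.search(line):
            latest = m.group(1)
        elif m := EXISTS_RE.search(line):
            pr_dep, pr_ver = m.group(1), m.group(2)
            if pr_dep != dep or latest is None:
                continue  # not the dependency currently being checked
            reasons = []
            if parse_version(pr_ver) < parse_version(latest):
                reasons.append(f"existing PR targets {pr_ver}, latest is {latest}")
            if (pr_dep, pr_ver) in closed_prs:
                reasons.append(f"PR for {pr_ver} is closed")
            if reasons:
                findings.append(Finding(dep, current, latest, pr_ver, reasons))
    return findings
```

Running it over the sample log yields one finding for jquery (PR at 3.5.0, latest 3.5.1); passing `closed_prs={("jquery", "3.5.0")}` adds the closed-PR reason as well.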

valentijnscholten commented 4 years ago

Our config seems fine; nothing states to ignore anything jquery:

Applied config from .dependabot/config.yml:

---
update_configs:
- directory: "/components"
  package_manager: javascript
  target_branch: dev
  update_schedule: live
In addition, the following defaults have been applied:

---
allowed_updates:
- match:
    update_type: all
    dependency_type: direct
- match:
    update_type: security
    dependency_type: indirect
automerged_updates: []
default_assignees: []
default_labels:
- dependencies
- javascript
default_reviewers: []
ignored_updates:
- match:
    dependency_name: bootstrap
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: bootstrap-social
    version_requirement: ">= 5.a, < 6"
- match:
    dependency_name: bootswatch
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: chosen
    version_requirement: ">= 1.a, < 2"
- match:
    dependency_name: drmonty-datatables-responsive
    version_requirement: ">= 2.a, < 3"
- match:
    dependency_name: flot
    version_requirement: ">= 2.a, < 3"
- match:
    dependency_name: flot
    version_requirement: ">= 3.a, < 4"
- match:
    dependency_name: flot
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: fullcalendar
    version_requirement: ">= 5.a, < 6"
- match:
    dependency_name: startbootstrap-sb-admin-2
    version_requirement: ">= 3.a, < 4"
- match:
    dependency_name: startbootstrap-sb-admin-2
    version_requirement: ">= 4.a, < 5"
- match:
    dependency_name: "@yarn_components/font-awesome"
    version_requirement: "!! 0d1f27efb836eb2ab994ba37221849ed64a73e5c"
version_requirement_updates: auto

valentijnscholten commented 4 years ago

After some messing around, dependabot is working again for jquery: #2829