tinglesoftware / dependabot-azure-devops

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com
MIT License

Problem trying to use the directories in the dependabot.yml #1253

Closed bm-fez closed 2 months ago

bm-fez commented 2 months ago

Describe the bug

We are trying to use the following dependabot.yml file with the directories

version: 2
updates:
  - package-ecosystem: "npm"
    directories:
      - "/api"
      - "/BM.DocumentAddin"

We can see from the logs that this results in the expected docker run command line

/usr/bin/docker run --rm -i -e DEPENDABOT_PACKAGE_MANAGER=npm -e DEPENDABOT_OPEN_PULL_REQUESTS_LIMIT=5 -e DEPENDABOT_DIRECTORIES=["/api","/BM.DocumentAddin"] -e DEPENDABOT_FAIL_ON_EXCEPTION=true -e AZURE_ORGANIZATION=blackmarble-source -e AZURE_PROJECT=BM -e AZURE_REPOSITORY=BlackMarble.DocumentAddin -e AZURE_ACCESS_TOKEN=*** -e AZURE_MERGE_STRATEGY=squash ghcr.io/tinglesoftware/dependabot-updater-npm:1.30.2 update_script

However the logs show the analysis is being done of the default directory

Working in blackmarble-source/BM/_git/BlackMarble.DocumentAddin, 'default' branch under '/' directory

It appears the DEPENDABOT_DIRECTORIES is not being honoured

We have also tried (using a locally hosted docker container

I have no Ruby skills (hence I have not attempted to submit a PR), but unless I missed it I don't think the directories array is passed into the update_script code.

To Reproduce

Attempt to use the directories as opposed to the directory

Expected behavior

Should be able to do analysis of multiple listed directories, or ones specified with Globstar syntax

rhyskoedijk commented 2 months ago

@bm-fez support for directories is a relatively new change and isn't supported in the default "update_script" shown in your logs.

You can use directories by switching to "update_script_vnext". Enable it by checking the "Use latest update script (vNext)" checkbox under "Advanced" in the task options, or using useUpdateScriptvNext: true if using YML pipelines.

More info about the vNext script and the new features it supports can be found in https://github.com/tinglesoftware/dependabot-azure-devops/pull/1186.

bm-fez commented 2 months ago

Thanks, the useUpdateScriptvNext: true parameter unblocked us.
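A run like the one in this issue still succeeds while the dependencies under /api and /BM.DocumentAddin are never checked, so it is worth detecting from the task log. The following check is an added example, not code from this thread or from the project; the function name audit_updater_log is hypothetical, and it assumes the log format quoted in the issue (a docker run line ending in the entry script, and a "Working in ... under '...' directory" line).

```python
import json
import re

ENV_RE = re.compile(r"-e (\w+)=(\S+)")                 # -e NAME=value pairs
WORKDIR_RE = re.compile(r"under '([^']*)' directory")  # "Working in ..." line

def audit_updater_log(log_text):
    """Return findings where requested directories were not the ones scanned."""
    findings, requested, scanned, script = [], [], [], None
    for line in log_text.splitlines():
        line = line.strip()
        if "docker run" in line:
            env = dict(ENV_RE.findall(line))
            script = line.split()[-1]  # entry script is the last argument
            raw = env.get("DEPENDABOT_DIRECTORIES", "[]")
            try:
                requested = json.loads(raw)
            except ValueError:
                findings.append(f"DEPENDABOT_DIRECTORIES is not valid JSON: {raw}")
        match = WORKDIR_RE.search(line)
        if match:
            scanned.append(match.group(1))
    # The reply in the thread: the default update_script does not support directories.
    if requested and script == "update_script":
        findings.append("directories requested, but update_script does not support them")
    missed = [d for d in requested if d not in scanned]
    if scanned and missed:
        findings.append(f"scanned {scanned}, never scanned {missed}")
    return findings

# Log lines from the issue above (docker line shortened to the relevant parts).
ISSUE_LOG = """\
/usr/bin/docker run --rm -i -e DEPENDABOT_PACKAGE_MANAGER=npm -e DEPENDABOT_DIRECTORIES=["/api","/BM.DocumentAddin"] -e AZURE_ACCESS_TOKEN=*** ghcr.io/tinglesoftware/dependabot-updater-npm:1.30.2 update_script
Working in blackmarble-source/BM/_git/BlackMarble.DocumentAddin, 'default' branch under '/' directory
"""

# Constructed: the same docker line with the vNext entry script named in the reply.
VNEXT_LOG = ISSUE_LOG.splitlines()[0].replace("update_script", "update_script_vnext")

if __name__ == "__main__":
    for finding in audit_updater_log(ISSUE_LOG):
        print("FINDING:", finding)
```
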