v1-to-v2.md

Warning

🚧 Work in progress; dependabot@V2 is still under development and this document may change without notice up until general availability (GA).

Table of Contents

• Summary of changes V1 → V2
• Breaking changes V1 → V2
• Todo before general availability

Summary of changes V1 → V2

V2 is a complete re-write of the Dependabot task; It aims to:

• Resolve the numerous private feed/registry authentication issues that currently exist in V1;
• More closely align the update logic with the GitHub-hosted Dependabot service;

The task now uses Dependabot CLI to perform dependency updates, which is the [currently] recommended approach for running Dependabot. See extension task architecture for more details on the technical changes and impact to the update process.

Breaking changes V1 → V2

New pipeline agent requirements; "Go" must be installed

Dependabot CLI requires Go (1.22+) and Docker (with Linux containers). If you use Microsoft-hosted agents, we recommend using the ubuntu-latest image, which meets all task requirements. For self-hosted agents, you will need to install Go 1.22+.

Security-only updates and "fixed vulnerabilities" are not implemented (yet)

Using configuration open-pull-requests-limit: 0 will cause a "not implemented" error. This is current limitation of V2. A solution is still under development and is expected to be resolved before general availability. See: dependabot/cli#360 for more technical details.

Task Input updaterOptions has been renamed to experiments

Renamed to match Dependabot Core/CLI terminology. The input value remains unchanged. See configuring experiments for more details.

Task Input failOnException has been removed

Due to the design of Dependabot CLI, the update process can no longer be interrupted once the update has started. Because of this, the update will now continue on error and summarise all error at the end of the update process.

Task Input excludeRequirementsToUnlock has been removed

This was a customisation/workaround specific to the V1 update script that can no longer be implemented with Dependabot CLI as it is not an official configuration option.

Task Input dockerImageTag has been removed

This is no longer required as the [custom] Dependabot Updater image is no longer used.

Task Input extraEnvironmentVariables has been removed

Due to the containerised design of Dependabot CLI, environment variables can no longer be passed from the task to the updater process. All Dependabot config must now set via dependabot.yaml or as task inputs. The following old environment variables have been converted to task inputs:

Environment Variable	New Task Input
DEPENDABOT_AUTHOR_EMAIL	authorEmail
DEPENDABOT_AUTHOR_NAME	authorName

Todo before general availability

Before removing the preview flag from V2 task.json, we need to:

• Open an issue in Dependabot-CLI, enquire how security-advisories are expected to be provided before knowing the list of dependencies. (dependabot/cli#360)
• Convert GitHub security advisory client in vulnerabilities.rb to TypeScript code
• Implement security-advisories config once the answer the above is known
• Review task.json, add documentation for new V2 inputs
• Update \docs\extension.md with V2 docs
• Update \extension\README.MD with V2 docs
• Update \README.MD with V2 docs
• Do a general code tidy-up pass (check all "TODO" comments)
• Add unit tests for V2 utils scripts
• Investigate https://zod.dev/