Comments (29)
A project by @fthomas already does this. Hope you could maybe set up some sort of collaboration!
https://github.com/fthomas/scala-steward
from dependabot-core.
We did end up setting up scala steward as a github action running every night. This can be done without the need to deploy anything manually. See https://github.com/scala-steward-org/scala-steward-action
from dependabot-core.
Hey, a whole org with ~100 scala repos here that would be happy to beta test sbt support :)
from dependabot-core.
@abdulapopoola, I noticed this note in the contributors guide regarding adding support for new ecosystems. Could you confirm whether there would be interest in adding support for sbt specifically? If so I would be interested in tackling this.
from dependabot-core.
I ran into this sbt plugin which should help a lot!
https://github.com/rtimush/sbt-updates
You can append `addSbtPlugin("com.timushev.sbt" % "sbt-updates" % "0.3.4")` to the end of `project/plugins.sbt` (creating it if not present) and then run `sbt dependencyUpdates` and parse the output in stdout. It looks like that:
```
[info] Found 10 dependency updates for notification-impl
[info] com.datadoghq:dd-java-agent:dd-java-agent : 0.10.0 -> 0.16.0
[info] com.lightbend.lagom:lagom-logback : 1.4.6 -> 1.4.8
[info] com.lightbend.lagom:lagom-reloadable-server:dev-mode : 1.4.6 -> 1.4.8
[info] com.lightbend.lagom:lagom-scaladsl-dev-mode : 1.4.6 -> 1.4.8
[info] com.lightbend.lagom:lagom-scaladsl-server : 1.4.6 -> 1.4.8
```
Note that in a multi-project build you will have duplicated lines.
Even partial support for sbt in dependabot would be great (i.e. creating the PR to notify the library has been updated). It will probably be impossible to cover all ways in which versions are defined in sbt since you can code in your build files.
from dependabot-core.
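The parsing step suggested in the comment above, sketched in Ruby as an added example (not code from the comment, from sbt-updates or from dependabot-core). All constant and function names are hypothetical, and the sample output is constructed from the quoted lines plus a made-up second subproject to show the duplicate-line case.

```ruby
# Added example (hypothetical names); not code from sbt-updates or dependabot-core.

# Constructed sample: lines quoted in the comment plus a second, made-up
# subproject that repeats one dependency (the multi-project duplicate case).
SAMPLE_OUTPUT = <<~OUT
  [info] Found 10 dependency updates for notification-impl
  [info] com.datadoghq:dd-java-agent:dd-java-agent : 0.10.0 -> 0.16.0
  [info] com.lightbend.lagom:lagom-logback : 1.4.6 -> 1.4.8
  [info] com.lightbend.lagom:lagom-reloadable-server:dev-mode : 1.4.6 -> 1.4.8
  [info] Found 1 dependency update for notification-api
  [info] com.lightbend.lagom:lagom-logback : 1.4.6 -> 1.4.8
  [warn] unrelated build warning : 1.0 -> 2.0
OUT

# Build output is untrusted input for whatever opens the PR, so every field is
# held to a conservative character set and anything else is skipped.
NAME    = /[\w.\-]+/
VERSION = /[\w.+\-]+/
HEADER  = /\A\[info\]\s+Found \d+ dependency updates? for (#{NAME})\s*\z/
UPDATE  = /\A\[info\]\s+(#{NAME}):(#{NAME})(?::(#{NAME}))?\s+:\s+(#{VERSION}(?:\s+->\s+#{VERSION})+)\s*\z/

DependencyUpdate = Struct.new(:group, :artifact, :qualifier, :current, :latest, :projects)

# Returns one DependencyUpdate per distinct coordinate and current version,
# recording which subprojects reported it instead of repeating the line.
def parse_dependency_updates(output)
  updates = {}
  project = nil
  output.each_line(chomp: true) do |line|
    if (m = HEADER.match(line))
      project = m[1]
    elsif (m = UPDATE.match(line))
      # The last version on the line is taken as the newest candidate.
      versions = m[4].split(/\s+->\s+/)
      key = [m[1], m[2], m[3], versions.first]
      entry = updates[key] ||=
        DependencyUpdate.new(m[1], m[2], m[3], versions.first, versions.last, [])
      entry.projects << project if project && !entry.projects.include?(project)
    end
  end
  updates.values
end

if __FILE__ == $PROGRAM_NAME
  parse_dependency_updates(SAMPLE_OUTPUT).each do |u|
    puts "#{u.group}:#{u.artifact} #{u.current} -> #{u.latest} (#{u.projects.join(', ')})"
  end
end
```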
@albuch Renovate has a constraint for sbt projects.
As @mark-dhl said, Scala Steward is really the best choice for Scala/Sbt.
from dependabot-core.
Anything I can do to make our Scala project rely on dependabot?
We have a multi-tier project that combines 4 projects into one repo with multiple SBT build files.
from dependabot-core.
Hi @dorranh; yeah, this is something we would be willing to explore in collaboration and we'd love it if you can help get this started.
from dependabot-core.
Hi @abdulapopoola! I just wanted to follow up and let you / everyone know that this is still on my radar. I just haven't had the bandwidth to work on this the past few months. I still aim to take a stab at it in the near future though.
from dependabot-core.
FYI, we currently achieve the alerting part with https://github.com/scalacenter/sbt-dependency-submission
from dependabot-core.
Totally up for this. I've got some work to do getting Maven support out of beta first, but once that's done sbt support would be a great addition.
from dependabot-core.
My company is working with scala, once support for Gitlab and sbt is there I'd be happy to become a paying customer of dependabot.
from dependabot-core.
@Grundlefleck sorry about that - I've reopened the pull request and added the "enhancement" label, which should prevent stalebot rudely closing it again.
Right now the Dependabot team is working pretty flat out on some scaling challenges and bringing more of Dependabot's features to GitHub natively, which means we've (regrettably) been neglecting dependabot-core a bit. I can't promise a timeline, but I'm hopeful we'll be able to spend more time on dependabot-core soon. When we can give it some proper attention, your SBT pull request will be top of the list.
from dependabot-core.
This thread makes me feel like dependabot is prebeta test for SBT....
from dependabot-core.
How to join Java's Maven test
from dependabot-core.
Looking at the GitHub roadmap for issues related to Dependabot, it doesn't look too bright:
https://github.com/github/roadmap/projects/1?card_filter_query=dependabot
There used to be "Ecosystem updates" in Q1 and Q2 2021, but I don't see anything for Q3/Q4 or 2022.
At least, this issue is top-7 at the moment in terms of 👍 votes:
https://github.com/dependabot/dependabot-core/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc
In summary: ð€
from dependabot-core.
Thanks @tyrcho. I'm still really keen on adding both - will keep you posted.
from dependabot-core.
We are already using dependabot for python and ruby, but the biggest part of our codebase is scala.
Are there any updates on scala/sbt-support?
from dependabot-core.
Not yet. We'd still love to add sbt support, but we're a small team and are currently focussed on scaling Dependabot so it can create automated security fixes for all GitHub repos.
from dependabot-core.
I was linked here from https://dependabot.com/java/ - I would like to help beta test Java Maven support
from dependabot-core.
The PR I raised as a starting point for sbt support (#1589) was closed without comment due to staleness. Not sure whether to interpret as a bad PR that I can improve, or lack of team capacity, or something else. I'm still willing to continue on the functionality, but would prefer to see some indication of whether I'm likely to see it ever getting merged before spending more time on it.
from dependabot-core.
There is another alternative that supports scala/sbt (among many others) in a rudimentary version: https://github.com/apps/renovate
See https://docs.renovatebot.com/modules/manager/sbt/ for docs.
from dependabot-core.
@dciborow got a link for that?
from dependabot-core.
@francisdb It is said here: https://dependabot.com/java/ with a link to this issue to a betatester
I would like to test it if possible
from dependabot-core.
Me, too!
from dependabot-core.
I would like to be a beta tester for sbt support
from dependabot-core.
This isn't on our near-term roadmap, but we'd happily accept a PR if anyone in the community wants to take a stab at it.
from dependabot-core.