diff --git a/content/code-security/reference/supply-chain-security/dependabot-options-reference.md b/content/code-security/reference/supply-chain-security/dependabot-options-reference.md index 2a32f681669b..70b3be9751ad 100644 --- a/content/code-security/reference/supply-chain-security/dependabot-options-reference.md +++ b/content/code-security/reference/supply-chain-security/dependabot-options-reference.md @@ -308,6 +308,7 @@ When set to `dependency-name`, {% data variables.product.prodname_dependabot %} **Limitations of cross-directory grouping** When using `group-by: dependency-name`: + * All directories must use the same package ecosystem (for example, all `npm` or all `bundler`) * Applies to **version updates only** * If directories have incompatible version constraints for a dependency, {% data variables.product.prodname_dependabot %} will create separate pull requests @@ -537,6 +538,9 @@ Package manager | YAML value | Supported versions | | Go modules | `gomod` | v1 | | Gradle | `gradle` | Not applicable | | Maven | `maven` | Not applicable | +| {% ifversion dependabot-nix-support %} | +| Nix flakes | `nix` | Not applicable | +| {% endif %} | | npm | `npm` | v7, v8, v9, v10 | | NuGet | `nuget` | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% endif %} | | {% ifversion dependabot-opentofu-support %} | @@ -713,6 +717,7 @@ Examples : `0 9 * * *`, `every day at 5pm` `0 9 * * *` is equivalent to "every day at 9am". `every day at 5pm` is equivalent to `0 17 * * *`. > [!NOTE] +> > * Timezones must be specified in the [`timezone`](#timezone) parameter and not in the `cronjob`. > * A `cronjob` type schedule is required to use a `cron` interval. 
@@ -872,11 +877,11 @@ New version `1.2.0` New version `2.0.0` * `increase`: new constraint `^2.0.0` -* `increase-if-necessary`: new constraint `^2.0.0 ` +* `increase-if-necessary`: new constraint `^2.0.0` * `widen`: new constraint `>=1.0.0 <3.0.0` > [!NOTE] -> If the package manager you use does not yet support configuring the `versioning-strategy` parameter, or does not support a value you need. The strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in https://github.com/dependabot/dependabot-core/. +> If the package manager you use does not yet support configuring the `versioning-strategy` parameter, or does not support a value you need, the strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in . {% ifversion dependabot-updates-supported-versioning-tags %} diff --git a/data/features/dependabot-nix-support.yml b/data/features/dependabot-nix-support.yml new file mode 100644 index 000000000000..1e38f93434bb --- /dev/null +++ b/data/features/dependabot-nix-support.yml @@ -0,0 +1,6 @@ +# Reference: https://github.com/dependabot/dependabot-core/pull/14498 +# Nix flake support for Dependabot +versions: + fpt: '*' + ghec: '*' + ghes: '>3.21' diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index d8901934605f..a5a626f523ec 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -33,6 +33,9 @@ git submodule | `gitsubmodule` | Not applicable | {% octicon "check" aria-lab Go modules | `gomod` | v1 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | [Gradle](#gradle) | `gradle` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | [Maven](#maven) | `maven` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | +| {% ifversion dependabot-nix-support %} | +[Nix](#nix) | `nix` | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable | Not applicable | +| {% endif %} | npm | `npm` | v7, v8, v9, v10, v11 | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | [NuGet](#nuget-cli) | `nuget` | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% endif %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | | {% ifversion dependabot-opentofu-support %} | 
@@ -146,6 +149,7 @@ To update the Gradle Wrapper, {% data variables.product.prodname_dependabot %} r For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). > [!NOTE] +> > * When you upload Gradle dependencies to the dependency graph using the {% data variables.dependency-submission-api.name %}, all project dependencies are uploaded, even transitive dependencies that aren't explicitly mentioned in any dependency file. When an alert is detected in a transitive dependency, {% data variables.product.prodname_dependabot %} isn't able to find the vulnerable dependency in the repository, and therefore won't create a security update for that alert. > * {% data variables.product.prodname_dependabot_version_updates %} will, however, create pull requests when the parent dependency is explicitly declared as a direct dependency in the project's manifest file. 
@@ -163,6 +167,16 @@ When configuring {% data variables.product.prodname_dependabot %} for Helm chart {% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If the information is omitted from the `pom.xml` file, then it cannot be included in {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot). +{% ifversion dependabot-nix-support %} + +### Nix + +{% data variables.product.prodname_dependabot %} monitors your `flake.lock` file and opens pull requests when newer commits are available upstream for your flake inputs. {% data variables.product.github %}, GitLab, SourceHut, and plain Git inputs are all supported. Updating pinned refs inside `flake.nix` itself (for example, changing `github:cachix/devenv/v0.5` to a newer tag) is not supported. + +{% data variables.product.prodname_dependabot %} does not currently support private repositories for the `nix` ecosystem. + +{% endif %} + ### NuGet CLI {% data variables.product.prodname_dependabot %} doesn't run the NuGet CLI but does support most features up until version 6.8.0. @@ -230,6 +244,7 @@ Private registry support applies to git registries only. Swift registries are no ### Terraform Terraform support includes: + * Modules hosted on Terraform Registry or a publicly reachable Git repository. * Terraform providers. * Private Terraform Registry. You can configure access for private git repositories by specifying a git registry in your `dependabot.yml` file. For more information, see [`git`](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#git).
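Review bot: the rewritten NOTE in the `@@ -872,11 +877,11 @@` hunk of dependabot-options-reference.md now ends in `submit a pull request in .`, so the `https://github.com/dependabot/dependabot-core/` link carried by the removed line has been dropped; restore the URL, and while the sentence is being touched consider leading with the open-source point so the conditional reads naturally, for example `The strategy code is open source, so if the package manager you use does not yet support configuring the `versioning-strategy` parameter, or does not support a value you need, you are welcome to submit a pull request in https://github.com/dependabot/dependabot-core/.` The trailing-space fix on the `increase-if-necessary` constraint in the same hunk is correct.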
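Review bot: the new row in the `@@ -537,6 +538,9 @@` hunk of dependabot-options-reference.md names the ecosystem `Nix flakes`, while the row added to data/reusables/dependabot/supported-package-managers.md and the new `### Nix` heading both call it `Nix`; use one name in both tables so readers searching the docs find the same entry, and keep the `#nix` anchor in the reusable consistent with whichever heading text is chosen.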
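Review bot: the `[Nix](#nix)` row in the `@@ -33,6 +33,9 @@` hunk of supported-package-managers.md fills its last two columns with the literal text `Not applicable`, whereas every other row in that table (and the `Nix flakes` row elsewhere) uses `{% octicon "check" ... %}` or `{% octicon "x" aria-label="Not supported" %}`; either use the `x` octicon for consistency or, if the columns truly do not apply to Nix, say why in the `### Nix` section, since the table alone gives no explanation for the mixed cell style.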
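Review bot: the `### Nix` section in the `@@ -163,6 +167,16 @@` hunk does not say which Dependabot features the ecosystem covers, even though the table row marks two of its capability columns with `x`; add a sentence stating what is and is not supported (the other ecosystem sections in this file do this, for example the Gradle note on security updates). The line `does not currently support private repositories for the `nix` ecosystem` is also ambiguous next to `{% data variables.product.github %}, GitLab, SourceHut, and plain Git inputs are all supported`: clarify whether it means private repositories referenced as flake inputs, private registries, or both, so users know whether a `flake.lock` that pins a private input will get updates at all.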