⬆️ deps(github-actions): update dependabot/fetch-metadata action to v1.7.0

[Open-Source-Bot]

This PR contains the following updates:

Package	Type	Update	Change
dependabot/fetch-metadata	action	minor	v1.1.1 → v1.7.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

dependabot/fetch-metadata (dependabot/fetch-metadata)

v1.7.0

Compare Source

What's Changed

• Bump dotenv from 16.0.3 to 16.3.1 by @​dependabot in #​404
• Bump @​types/node from 20.2.3 to 20.3.3 by @​dependabot in #​407
• Bump the eslint-dependencies group with 4 updates by @​dependabot in #​409
• Update dependabot.yml by @​bdragon in #​410
• Bump @​types/node from 20.3.3 to 20.4.0 by @​dependabot in #​411
• Bump yaml from 2.2.1 to 2.3.1 by @​dependabot in #​390
• Bump tough-cookie from 4.0.0 to 4.1.3 by @​dependabot in #​412
• Bump @​types/node from 20.4.0 to 20.4.1 by @​dependabot in #​413
• Generate Dependabot PRs on Sundays weekly by @​abdulapopoola in #​417
• Aggressively group prod and dev dependencies for NPM by @​abdulapopoola in #​420
• Update .nvmrc to latest node 16 LTS version by @​abdulapopoola in #​422
• Bump the dev-dependencies group with 9 updates by @​dependabot in #​421
• Bump the dev-dependencies group with 1 update by @​dependabot in #​423
• Check for uncommitted files beyond the diff directory by @​jeffwidman in #​278
• Bump the dev-dependencies group with 6 updates by @​dependabot in #​424
• Bump the dev-dependencies group with 3 updates by @​dependabot in #​425
• Bump the dev-dependencies group with 6 updates by @​dependabot in #​428
• Bump the dev-dependencies group with 7 updates by @​dependabot in #​429
• Bump tibdex/github-app-token from 1.8.0 to 1.8.2 by @​dependabot in #​430
• Bump the dev-dependencies group with 4 updates by @​dependabot in #​432
• Bump actions/checkout from 3 to 4 by @​dependabot in #​436
• Bump the dev-dependencies group with 6 updates by @​dependabot in #​440
• Change actions/checkout@​v3 to v4 in readme by @​Nishnha in #​444
• Bump the dev-dependencies group with 4 updates by @​dependabot in #​445
• Bump @​vercel/ncc from 0.36.1 to 0.38.0 by @​dependabot in #​435
• Bump the dev-dependencies group with 4 updates by @​dependabot in #​447
• Bump the dev-dependencies group with 3 updates by @​dependabot in #​448
• Bump @​babel/traverse from 7.22.8 to 7.23.2 by @​dependabot in #​457
• Add blurbs about using a PAT to the readme by @​Nishnha in #​466
• Bump @​vercel/ncc from 0.38.0 to 0.38.1 by @​dependabot in #​462
• Bump actions/setup-node from 3 to 4 by @​dependabot in #​461
• Bump the dev-dependencies group with 13 updates by @​dependabot in #​497
• Bump tibdex/github-app-token from 1.8.2 to 2.1.0 by @​dependabot in #​442
• Scope app token to only this repo for security by @​jeffwidman in #​501
• Switch to the official action for managing app tokens by @​jeffwidman in #​504
• v1.7.0 by @​fetch-metadata-action-automation in #​505

New Contributors

• @​bdragon made their first contribution in #​410
• @​abdulapopoola made their first contribution in #​417

Full Changelog: dependabot/fetch-metadata@v1.6.0...v1.7.0

v1.6.0

Compare Source

What's Changed

• Add .vscode folder to .gitignore by @​timothy-humphrey in #​385
• Support for Grouped Updates by @​Nishnha in #​396
• v1.6.0 by @​fetch-metadata-action-automation in #​403

New Contributors

• @​timothy-humphrey made their first contribution in #​385

Full Changelog: dependabot/fetch-metadata@v1...v1.6.0

v1.5.1

Compare Source

What's Changed

Bugfix:

• Fix library parser to trim trailing LF by @​kachick in #​380

Dep bumps that are trivial so decided to keep this a patch release:

• Bump yargs from 17.7.1 to 17.7.2 by @​dependabot in #​379
• Bump @​types/node from 20.2.1 to 20.2.3 by @​dependabot in #​382

Internal-facing infra changes:

• Group PR's for eslint-related deps by @​jeffwidman in #​374
• Bump the eslint-dependencies group with 3 updates by @​dependabot in #​375
• Bump the eslint-dependencies group with 2 updates by @​dependabot in #​378
• Switch to using an app token instead of a PAT by @​jeffwidman in #​362
• v1.5.1 by @​fetch-metadata-action-automation in #​384

Full Changelog: dependabot/fetch-metadata@v1...v1.5.1

v1.5.0

Compare Source

What's Changed

New Features:

• Added flag if "Maintainer changes" appears in the PR body by @​mwaddell in #​174

Bumped Deps:

• Bump @​types/node from 18.15.11 to 20.2.1 by @​dependabot in #​364
• Bump nock from 13.3.0 to 13.3.1 by @​dependabot in #​366

Docs:

• Add minimum permissions to usage example by @​jablko in #​343
• Document verification overrides in readme by @​jeffwidman in #​345

Code cleanup:

• Simplify the release process by linking to release notes instead of copy/pasting them by @​jeffwidman in #​347
• Use the full email for the GitHub Actions bot by @​jeffwidman in #​354
• Inline the PR URL by @​jeffwidman in #​359
• No need to request escalated permissions for GITHUB_TOKEN by @​jeffwidman in #​357
• Remove unused step by @​jeffwidman in #​358
• Simplify bin/bump-version by @​jeffwidman in #​368
• Add a deeplink for tagging releases to the Readme by @​jeffwidman in #​369
• Stop using deprecated set-output by @​jeffwidman in #​370
• Add workflow for creating release PR's by @​jeffwidman in #​360
• Add workflow for floating the v1 tag to the latest release by @​jeffwidman in #​361

Full Changelog: dependabot/fetch-metadata@v1...v1.5.0

v1.4.0

Compare Source

New Features

• feat: add option to skip internal verifications by @​yeikel in #​336

Bugfix

• Allow leading v on commit message versions by @​jonmcquillan in #​338

Dep Bumps

• Bump @​typescript-eslint/eslint-plugin from 5.48.2 to 5.49.0 by @​dependabot in #​307
• Bump @​types/yargs from 17.0.19 to 17.0.20 by @​dependabot in #​308
• Bump @​typescript-eslint/parser from 5.48.2 to 5.49.0 by @​dependabot in #​309
• Bump eslint from 8.32.0 to 8.33.0 by @​dependabot in #​315
• Bump @​typescript-eslint/parser from 5.49.0 to 5.50.0 by @​dependabot in #​314
• Bump @​types/yargs from 17.0.20 to 17.0.22 by @​dependabot in #​312
• Bump @​vercel/ncc from 0.36.0 to 0.36.1 by @​dependabot in #​311
• Bump typescript from 4.9.4 to 4.9.5 by @​dependabot in #​313
• Bump yargs from 17.6.2 to 17.7.1 by @​dependabot in #​322
• Bump eslint from 8.33.0 to 8.35.0 by @​dependabot in #​321
• Bump @​typescript-eslint/eslint-plugin from 5.49.0 to 5.54.0 by @​dependabot in #​319
• Bump @​typescript-eslint/parser from 5.50.0 to 5.54.0 by @​dependabot in #​320
• Bump @​types/node from 18.11.18 to 18.14.2 by @​dependabot in #​318
• Bump @​types/node from 18.14.2 to 18.15.11 by @​dependabot in #​324
• Bump eslint from 8.35.0 to 8.37.0 by @​dependabot in #​327
• Bump @​types/yargs from 17.0.22 to 17.0.24 by @​dependabot in #​326
• Bump @​typescript-eslint/parser from 5.54.0 to 5.57.1 by @​dependabot in #​330
• Bump @​typescript-eslint/eslint-plugin from 5.54.0 to 5.57.1 by @​dependabot in #​329
• Bump eslint from 8.37.0 to 8.38.0 by @​dependabot in #​340
• Bump @​typescript-eslint/parser from 5.57.1 to 5.59.0 by @​dependabot in #​341
• Bump @​typescript-eslint/eslint-plugin from 5.57.1 to 5.59.0 by @​dependabot in #​342

Other

• chore(ee): add devcontainer by @​yeikel in #​337

New Contributors

• @​jonmcquillan made their first contribution in #​338
• @​yeikel made their first contribution in #​337

Full Changelog: dependabot/fetch-metadata@v1...v1.4.0

v1.3.6

Compare Source

What's Changed

• Drop mention of "locally" by @​jeffwidman in #​281
• Don't assume git pull fetches all branches/tags by @​jeffwidman in #​284
• Clarify release notes slightly by @​jeffwidman in #​283
• Bump eslint-plugin-promise from 6.0.1 to 6.1.1 by @​dependabot in #​287
• Bump @​typescript-eslint/parser from 5.38.0 to 5.45.0 by @​dependabot in #​290
• Bump yargs and @​types/yargs by @​dependabot in #​286
• Bump @​types/node from 18.11.9 to 18.11.10 by @​dependabot in #​289
• Bump decode-uri-component from 0.2.0 to 0.2.2 by @​dependabot in #​291
• Bump yaml from 2.1.1 to 2.1.3 by @​dependabot in #​288
• Bump @​types/node from 18.11.10 to 18.11.18 by @​dependabot in #​296
• Bump @​vercel/ncc from 0.34.0 to 0.36.0 by @​dependabot in #​294
• Bump dotenv from 16.0.2 to 16.0.3 by @​dependabot in #​293
• Bump typescript from 4.8.3 to 4.9.4 by @​dependabot in #​295
• Bump yaml from 2.1.3 to 2.2.1 by @​dependabot in #​292
• Bump json5 from 1.0.1 to 1.0.2 by @​dependabot in #​297
• Bump eslint from 8.23.1 to 8.32.0 by @​dependabot in #​303
• Bump @​typescript-eslint/parser from 5.45.0 to 5.48.2 by @​dependabot in #​300
• Bump @​typescript-eslint/eslint-plugin from 5.42.0 to 5.48.2 by @​dependabot in #​302
• Bump eslint-plugin-import from 2.26.0 to 2.27.5 by @​dependabot in #​301
• Bump nock from 13.2.9 to 13.3.0 by @​dependabot in #​299
• Bump @​types/yargs from 17.0.15 to 17.0.19 by @​dependabot in #​304
• Fix parser for libraries by @​kachick in #​224

New Contributors

• @​kachick made their first contribution in #​224

Full Changelog: dependabot/fetch-metadata@v1...v1.3.6

v1.3.5

Compare Source

What's Changed

• v1.3.4 Release Notes by @​Nishnha in #​267
• docs: fix auto-merge example by @​rribeiro1 in #​250
• Bump @​types/node from 18.7.18 to 18.11.9 by @​dependabot in #​275
• Fix object-shorthand linter warnings by @​mattt in #​276
• Bump @​actions/core from 1.9.1 to 1.10.0 by @​dependabot in #​272
• Bump @​typescript-eslint/eslint-plugin from 5.38.0 to 5.42.0 by @​dependabot in #​274
• Bump @​actions/github from 5.0.3 to 5.1.1 by @​dependabot in #​271
• Bump yargs and @​types/yargs by @​dependabot in #​273
• Document steps for cutting a new release by @​jeffwidman in #​252
• Don't bump pin versions in README.md by @​jeffwidman in #​280

New Contributors

• @​Nishnha made their first contribution in #​267
• @​rribeiro1 made their first contribution in #​250

Full Changelog: dependabot/fetch-metadata@v1...v1.3.5

v1.3.4

Compare Source

What's Changed

• Pin only to major version, not full patch version by @​jeffwidman in #​246
• Fix broken logo on readme by @​jeffwidman in #​253
• Bump action to use node16 by @​quinnjn in #​251
• Bump @​typescript-eslint/eslint-plugin from 5.20.0 to 5.38.0 by @​dependabot in #​256
• Bump @​actions/core from 1.6.0 to 1.9.1 by @​dependabot in #​242
• Bump eslint-config-standard from 16.0.3 to 17.0.0 by @​dependabot in #​214
• Bump @​types/node from 17.0.25 to 18.7.18 by @​dependabot in #​255
• Bump @​typescript-eslint/parser from 5.20.0 to 5.38.0 by @​dependabot in #​254
• Bump eslint from 8.13.0 to 8.23.1 by @​dependabot in #​259
• Bump nock from 13.2.4 to 13.2.9 by @​dependabot in #​260
• Bump yargs and @​types/yargs by @​dependabot in #​261
• Bump eslint-plugin-promise from 6.0.0 to 6.0.1 by @​dependabot in #​263
• Bump dotenv from 16.0.0 to 16.0.2 by @​dependabot in #​262
• Bump @​vercel/ncc from 0.33.4 to 0.34.0 by @​dependabot in #​264
• Bump @​actions/github from 5.0.1 to 5.0.3 by @​dependabot in #​265
• Bump ts-node from 10.7.0 to 10.9.1 by @​dependabot in #​266
• Bump typescript from 4.6.3 to 4.8.3 by @​dependabot in #​257
• Bump yaml from 2.0.1 to 2.1.1 by @​dependabot in #​258

New Contributors

• @​jeffwidman made their first contribution in #​246
• @​quinnjn made their first contribution in #​251

Full Changelog: dependabot/fetch-metadata@v1.3.3...v1.3.4

v1.3.3

Compare Source

What's Changed

• action.yaml: fix skip-commit-verification quoting by @​jsok in #​232

New Contributors

• @​jsok made their first contribution in #​232

Full Changelog: dependabot/fetch-metadata@v1.3.2...v1.3.3

v1.3.2

Compare Source

What's Changed

• Update CODEOWNERS by @​mattt in #​211
• Add 'skip-commit-verification' as an input for GitHub Enterprise Server users by @​brrygrdn in #​225

New Contributors

• @​mattt made their first contribution in #​211

Full Changelog: dependabot/fetch-metadata@v1.3.1...v1.3.2

v1.3.1

Compare Source

Highlights

This release is primarily catching up on our dependencies, but it also includes a few bug fixes:

• Correctly populate Dependabot Alert metadata when a manifest is located in the project root, thanks @​SalimBensiali
• Add a workaround for a dependabot-core bug that causes the update-type to be blank occasionally, thanks @​mwaddell

What's Changed

• If the update-type is missing for some reason, calculate it by @​mwaddell in #​173
• Updated readme to explain when you need to use a PAT by @​mwaddell in #​183
• Updated auto approve example to minimizing notifications by @​mwaddell in #​188
• Bump @​types/node from 17.0.19 to 17.0.23 by @​dependabot in #​191
• Bump @​types/jest from 27.4.0 to 27.4.1 by @​dependabot in #​168
• Fix incorrect vulnerable manifest path check by @​SalimBensiali in #​186
• Bump @​types/yargs from 17.0.8 to 17.0.10 by @​dependabot in #​181
• Bump @​typescript-eslint/parser from 5.12.1 to 5.17.0 by @​dependabot in #​194
• Bump eslint from 8.9.0 to 8.12.0 by @​dependabot in #​190
• Bump ts-node from 10.5.0 to 10.7.0 by @​dependabot in #​196
• Bump eslint from 8.12.0 to 8.13.0 by @​dependabot in #​198
• Bump typescript from 4.5.5 to 4.6.3 by @​dependabot in #​193
• Bump minimist from 1.2.5 to 1.2.6 by @​dependabot in #​204
• Bump yargs from 17.3.1 to 17.4.1 by @​dependabot in #​199
• Bump @​typescript-eslint/parser from 5.17.0 to 5.20.0 by @​dependabot in #​202
• Bump @​typescript-eslint/eslint-plugin from 5.12.1 to 5.20.0 by @​dependabot in #​203
• Dependabot updates run monthly and attempt to auto-compile dist/ by @​brrygrdn in #​205
• Bump @​actions/github from 5.0.0 to 5.0.1 by @​dependabot in #​197
• Bump eslint-plugin-import from 2.25.4 to 2.26.0 by @​dependabot in #​207
• Bump @​types/node from 17.0.23 to 17.0.25 by @​dependabot in #​208
• Bump @​vercel/ncc from 0.33.3 to 0.33.4 by @​dependabot in #​209
• Bump yaml from 1.10.2 to 2.0.1 by @​dependabot in #​206

New Contributors

• @​SalimBensiali made their first contribution in #​186

Full Changelog: dependabot/fetch-metadata@v1.3.0...v1.3.1

v1.3.0: - Fetch additional metadata via the GitHub API

Compare Source

Highlights

🆕 Fetch additional metadata about Dependabot commits

You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.

Example:

-- .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Fetch Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v1.3.0
      with:
        alert-lookup: true
        compat-lookup: true

The flags enable the following new outputs:

• steps.dependabot-metadata.outputs.alert-state
  • If this PR is associated with a security alert and alert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
• steps.dependabot-metadata.outputs.ghsa-id
  • If this PR is associated with a security alert and alert-lookup is true, this contains the GHSA-ID of that alert.
• steps.dependabot-metadata.outputs.cvss
  • If this PR is associated with a security alert and alert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).
• steps.dependabot-metadata.outputs.compatibility-score
  • If this PR has a known compatibility score and compat-lookup is true, this contains the compatibility score (otherwise it contains 0).

Many thanks to @​mwaddell for contributing these additional flags 🥇

The Action no longer fails if other commits are present

We received feedback at this change was highly obtrusive and blocking common workflows that merging in the target branch. Following on from changes in 1.2.1 to make it easier for a user to re-run failed workflows this friction was much more obvious.

Thanks for the feedback, and thanks @​mwaddell for contributing the change.

The Action defaults to using the GITHUB_TOKEN

This makes us consistent with other GitHub Actions such as actions/checkout in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes this defaulting is adequate for all use cases.

Thanks @​jablko for contributing this change 🏆

What's Changed

• Flag security alerts and pass versions through by @​mwaddell in #​144
• Updated bump-version to update README.md as well by @​mwaddell in #​163
• Updated README to reference correct version by @​mwaddell in #​165
• Allow fetch-metadata to run on a PR even if it has additional commits… by @​mwaddell in #​166
• Default github-token by @​jablko in #​83
• Return compatibility score by @​mwaddell in #​146

New Contributors

• @​jablko made their first contribution in #​83

Full Changelog: dependabot/fetch-metadata@v1.2.1...v1.3.0

v1.2.1: - Workflows may be re-ran by someone other than Dependabot

Compare Source

Highlights:

• Check the PR author instead of the Action Actor so failed fetch-metadata workflows can be retried, thanks @​mwaddell!
• Catch up on our dependency updates 😅

What's Changed

• Check PR Author instead of Action Actor by @​mwaddell in #​137
• Updated README to list supported dependency-type values by @​mwaddell in #​145
• Bump yargs from 17.0.1 to 17.3.1 by @​dependabot in #​126
• Bump eslint-plugin-import from 2.23.4 to 2.25.4 by @​dependabot in #​129
• Bump ts-node from 10.1.0 to 10.5.0 by @​dependabot in #​142
• Bump @​types/node from 16.4.10 to 17.0.19 by @​dependabot in #​147
• Bump @​typescript-eslint/parser from 4.29.0 to 4.33.0 by @​dependabot in #​149
• Bump @​types/jest from 26.0.24 to 27.4.0 by @​dependabot in #​151
• Bump @​vercel/ncc from 0.29.0 to 0.33.3 by @​dependabot in #​148
• Bump @​typescript-eslint/eslint-plugin from 4.29.0 to 4.33.0 by @​dependabot in #​152
• Bump @​types/yargs from 17.0.2 to 17.0.8 by @​dependabot in #​153
• Bump nock from 13.1.1 to 13.2.4 by @​dependabot in #​154
• Bump tmpl from 1.0.4 to 1.0.5 by @​dependabot in #​160
• Bump node-fetch from 2.6.1 to 2.6.7 by @​dependabot in #​159
• Bump eslint-plugin-promise from 5.1.0 to 6.0.0 by @​dependabot in #​158
• Bump dotenv from 10.0.0 to 16.0.0 by @​dependabot in #​156
• Bump @​actions/core from 1.4.0 to 1.6.0 by @​dependabot in #​155
• Bump typescript from 4.3.5 to 4.5.5 by @​dependabot in #​157
• Bump eslint from 7.32.0 to 8.9.0 by @​dependabot in #​150

Full Changelog: dependabot/fetch-metadata@v1.2.0...v1.2.1

v1.2.0: - Updated outputs

Compare Source

What's Changed

• Prefer node 16.x by @​brrygrdn in #​70
• Add a code of conduct by @​brrygrdn in #​99
• Add directory, package-ecosystem, and target-branch as outputs by @​mwaddell in #​139

All other changes are dev or build related.

Full Changelog: dependabot/fetch-metadata@v1.1.1...v1.2.0

---

Configuration

📅 Schedule: Branch creation - At 10:00 PM through 11:59 PM and 12:00 AM through 06:59 AM ( * 22-23,0-6 * * * ), Only on Sunday and Saturday ( * * * * 0,6 ) in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.