Order of hashes from get_package_hashes
#126
Comments
pcorpet added a commit to pcorpet/hashin that referenced this issue on Jan 3, 2022
pcorpet added a commit to pcorpet/hashin that referenced this issue on Jan 5, 2022
pcorpet added a commit to pcorpet/hashin that referenced this issue on Jan 6, 2022
peterbe pushed a commit that referenced this issue on Jan 7, 2022

* Keep a consistent order for hashes for get_package_hashes. Fixes #126
* fix leftover
* fix lint and tests
* update Version History
feelepxyz added a commit to dependabot/dependabot-core that referenced this issue on Jan 25, 2022

Order was fixed here peterbe/hashin#126
milind009 added a commit to GiriB/dependabot-core that referenced this issue on Feb 3, 2022
As in #105, I wonder if we could expect the output of get_package_hashes to have hashes in lexicographical order. GitHub's dependabot is relying on that and is creating commits in my repo that are conflicting with other tools. Of course dependabot could fix it, but I believe it would be cleaner to have the same order out of get_package_hashes as the one done by run_packages.