WhiteSource Remediate Package Managers Release Notes

Overview

This page describes package manager updates for WhiteSource Renovate and WhiteSource Remediate.

Version 21.9.1.1

WhiteSource Renovate

The WhiteSource Renovate OSS was updated from 27.14.2 to 27.31.10.

New feature highlights:

  • Added option to write discovered repositories to a JSON file

  • Composer: added support for the http-basic and bearer authentication types

  • Go modules: added support for GitLab subgroups

  • Docker: added support for authenticating to ECR with session tokens

  • GitHub Actions: added support for composite actions

  • Helm: added support for inline image definitions

NOTE: A full list of features can be found on Octoclairvoyant

Package Managers

The following package manager default versions have been updated:

  • node@14.18.1

  • yarn@1.22.15

  • gradle@6.9.1

  • elixir@1.12.3

  • php@7.4.24

  • composer@2.1.9

  • golang@1.17.2

  • python@3.9.7

  • poetry@1.1.11

  • rust@1.55.0

  • cocoapods@1.11.2

  • pnpm@6.16.1

  • dotnet@3.1.414

  • helm@3.7.0

Version 21.8.2

WhiteSource Renovate

The WhiteSource Renovate OSS was updated from 25.76.2 to 27.14.2.

Important or breaking changes:

  • git-submodules: Git Submodules cloning now needs to be explicitly enabled

  • yarn: Configuring a "yarnrc" override in Renovate config is no longer supported

  • gradle: Gradle extraction now defaults to JS-based parsing (previously "gradle-lite")

  • pre-commit manager is no longer enabled by default and must be opted into manually

  • Dependency Dashboard is now enabled by default in the config:base preset

  • Git: Blobless git cloning is now used, instead of shallow clone

Significant features:

  • go: GOPROXY support

  • rubygems: support GitHub Packages

  • docker: use HEAD requests as optimization

  • git: gitAuthor is repo-configurable

  • gradle: added support for Gradle's TOML version catalogs

  • helmv3: support helm chart dependencies in OCI images

Package Managers

Third-party package managers are unchanged.

Version 21.8.1

WhiteSource Renovate

The WhiteSource Renovate OSS was updated from 25.48.0 to 25.76.2. These changes mostly do not affect Remediate users who use Remediate-only mode and have not enabled Renovate.

New feature highlights:

  • Added dependency dashboard label configuration

  • Added support for Terraform community providers during lock file generation.

  • The regex versioning now supports an optional build match group, which is handled as a fourth version part.

  • Added an implementation of getDigest() for the github-releases datasource.

  • Added support for tag dependency extraction for GitLab and vanilla Git

NOTE: A full list of features can be found on Octoclairvoyant

Package Managers

The following package manager default versions have been updated:

  • cocoapods@1.10.2

  • composer@2.1.6

  • dotnet@3.1.412

  • elixir@1.12.2

  • git@2.33.0

  • golang@1.17.0

  • helm@3.6.3

  • java@11.0.12

  • node@14.17.5

  • openjdk@16.0.2

  • php@7.4.22

  • pnpm@6.12.1

  • poetry@1.1.8

  • python@3.9.6

  • ruby@3.0.2

  • rust@1.54.0

  • yarn@1.22.11

Version 21.6.2

WhiteSource Renovate

The WhiteSource Renovate OSS was updated from 24.119.14 to 25.48.0. These changes mostly do not affect Remediate users who use Remediate-only mode and have not enabled Renovate.

Important changes:

  • Remediate will no longer read ~/.npmrc from disk. npm credentials can be configured in several other ways, including environment variables or a configuration file, as described in https://docs.renovatebot.com/private-npm-modules/

  • Major updates for Docker dependencies will now be enabled by default.

  • Grouping of Node.js packages into a single PR is no longer hardcoded. If you are not already using the config:base preset, you can add group:Nodejs to your extends instead.

  • Patch updates are not considered updateType=minor by default, so any rules you have for minor need to have patch added to them in order to take effect. It is no longer necessary to configure separateMinorPatch in order to apply patch rules.

  • trustLevel is no longer supported and is instead broken into allowCustomCrateRegistries, allowScripts, and exposeAllEnv.

NOTE: A full list of changes can be found on Octoclairvoyant

Package Managers

The following package manager default versions have been updated:

  • git@2.32.2

  • node@14.17.1

  • elixir@1.12.1

  • php@7.4.20

  • composer@2.1.3

  • golang@1.16.5

  • python@3.9.5

  • pipenv@2021.5.29

  • rust@1.53.0

  • pnpm@6.8.0

  • dotnet@3.1.410

  • lerna@4.0.0

  • helm@3.6.1