Skip to content

Bump dependabot/fetch-metadata from 2.5.0 to 3.1.0#10

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dependabot/fetch-metadata-3.1.0
Open

Bump dependabot/fetch-metadata from 2.5.0 to 3.1.0#10
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dependabot/fetch-metadata-3.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Copy link
Copy Markdown
Contributor

Bumps dependabot/fetch-metadata from 2.5.0 to 3.1.0.

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.1.0

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

v3.0.0

The breaking change is requiring Node.js version v24 as the Actions runtime.

What's Changed

... (truncated)

Commits
  • 25dd0e3 v3.1.0 (#692)
  • e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
  • 0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
  • 7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
  • 5168191 Updating dist build
  • 23882e1 build(deps): bump @​actions/github in the dependencies group
  • 1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
  • 43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
  • b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
  • c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 2.5.0 to 3.1.0.
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@v2.5.0...v3.1.0)

---
updated-dependencies:
- dependency-name: dependabot/fetch-metadata
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Apr 20, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@amargiovanni

Copy link
Copy Markdown

[claude] dependabot review — breaking

Major bump 2.5.0 → 3.1.0 di dependabot/fetch-metadata: il breaking change dichiarato in v3.0.0 è il requisito di Node.js v24 come runtime dell'action. Il drop di runtime è gestito dai runner GitHub-hosted (ubuntu-latest), non dal nostro codice. Ho verificato l'unico punto d'uso in .github/workflows/dependabot-auto-merge.yml:17: usiamo solo l'input github-token e l'output update-type, entrambi pienamente supportati in v3.1.0 (anzi v3.1.0 contiene un fix proprio su update-type per PR Python/Composer/Terraform). Le altre modifiche sono interne: switch del build da ncc a esbuild, upgrade di @actions/core a v3 e @actions/github a v9, parsing versione da metadata link, gestione dipendenze duplicate. Nessuna signature di input/output che usiamo è cambiata. Nessuna config da riscrivere lato nostro. Per questo, pur trattandosi formalmente di major bump, raccomando il merge: la verifica del codice del repo conferma che non tocchiamo API rotte.

Punti rilevanti:

  • Breaking dichiarato: runtime Node.js v24 richiesto, ma gestito dai runner ubuntu-latest senza azione lato repo
  • Uso interno limitato a github-token (input) e update-type (output): entrambi compatibili con v3.1.0
  • v3.1.0 include fix su update-type per ecosistemi Python/Composer/Terraform: comportamento più affidabile, non regressivo
  • Aggiornati internamente @actions/core a v3 e @actions/github a v9: cambio trasparente per i consumatori dell'action
  • Verifica fatta: nessuna patch necessaria in .github/workflows/dependabot-auto-merge.yml

Aggiornamento valutato safe: nessuna obiezione automatica al merge (la decisione resta umana).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant