.github/dependabot.yaml

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

#
# ██     ██  █████  ██████  ███    ██ ██ ███    ██  ██████  ██
# ██     ██ ██   ██ ██   ██ ████   ██ ██ ████   ██ ██       ██
# ██  █  ██ ███████ ██████  ██ ██  ██ ██ ██ ██  ██ ██   ███ ██
# ██ ███ ██ ██   ██ ██   ██ ██  ██ ██ ██ ██  ██ ██ ██    ██
#  ███ ███  ██   ██ ██   ██ ██   ████ ██ ██   ████  ██████  ██
#
# `dependabot.yaml` must be stored in the `.github` directory of the default branch[1].
#
#  1. Make all your changes to this file!
#     Don't create another `dependabot.yaml` – it will simply be discarded.
#
#  2. Always associate your entries to a branch!
#     For instance, use `target-branch` in `updates` entries
#
# [1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
#

version: 2

# Fix the Maven Central to the ASF repository to work around: https://github.com/dependabot/dependabot-core/issues/8329
registries:
  maven-central:
    type: maven-repository
    url: https://repo.maven.apache.org/maven2

updates:

  - package-ecosystem: maven
    directories:
      - "/log4j-1.2-api"
      - "/log4j-api-test"
      - "/log4j-api"
      - "/log4j-appserver"
      - "/log4j-cassandra"
      - "/log4j-core-fuzz-test"
      - "/log4j-core-its"
      - "/log4j-core-test"
      - "/log4j-core"
      - "/log4j-couchdb"
      - "/log4j-docker"
      - "/log4j-fuzz-test"
      - "/log4j-iostreams"
      - "/log4j-jakarta-jms"
      - "/log4j-jakarta-smtp"
      - "/log4j-jakarta-web"
      - "/log4j-jcl"
      - "/log4j-jdbc-dbcp2"
      - "/log4j-jpa"
      - "/log4j-jpl"
      - "/log4j-jul"
      - "/log4j-layout-template-json-fuzz-test"
      - "/log4j-layout-template-json-test"
      - "/log4j-layout-template-json"
      - "/log4j-mongodb"
        # `log4j-mongodb4` is in a separate run
      - "/log4j-osgi-test"
      - "/log4j-parent"
      - "/log4j-perf-test"
        # `log4j-slf4j-impl` is in a separate run
      - "/log4j-slf4j2-impl-fuzz-test"
      - "/log4j-slf4j2-impl"
      - "/log4j-spring-boot"
      - "/log4j-spring-cloud-config-client"
      - "/log4j-taglib"
      - "/log4j-to-jul"
      - "/log4j-to-slf4j"
      - "/log4j-web"
    open-pull-requests-limit: 10
    schedule:
      interval: "daily"
    target-branch: "2.x"
    registries:
      - maven-central
    ignore:
      # Jetty 10.x does not have an internal logging API
      - dependency-name: "org.eclipse.jetty:*"
        versions: [ "[10,)" ]
      # EclipseLink 3.x is Jakarta EE 9
      - dependency-name: "org.eclipse.persistence:*"
        versions: [ "[3,)" ]
      # Spring 6.x is Jakarta EE 9
      - dependency-name: "org.springframework:*"
        versions: [ "[6,)" ]
      # Spring Boot 3.x is Jakarta EE 9
      - dependency-name: "org.springframework.boot:*"
        versions: [ "[3,)" ]
      # Spring Cloud 2022.x is Jakarta EE 9
      - dependency-name: "org.springframework.cloud:*"
        versions: [ "[2021,)" ]
      # Tomcat Juli 10.1.x requires Java 11
      - dependency-name: "org.apache.tomcat:*"
        versions: [ "[10.1,)" ]
      # Keep Logback version 1.2.x
      - dependency-name: "ch.qos.logback:*"
        versions: [ "[1.3,)" ]
      # Mockito 5.x requires Java 11
      - dependency-name: "org.mockito:*"
        versions: [ "[5,)" ]
      # JUnit Pioneer 2.x requires Java 11
      - dependency-name: "org.junit-pioneer:*"
        versions: [ "[2,)" ]
      # Apache Cassandra: keep version 3.x
      - dependency-name: "org.apache.cassandra:*"
        versions: [ "[4,)" ]
      # Kubernetes: keep version 5.x
      - dependency-name: "io.fabric8:*"
        versions: [ "[6,)" ]
      # `com.conversantmedia:disruptor` 1.2.16 requires Java 9
      - dependency-name: "com.conversantmedia:disruptor"
        versions: [ "[1.2.16,)" ]
      # Keep Jakarta EE at version 9.0
      - dependency-name: "jakarta.platform:*"
        versions: [ "[10,)" ]
      # OpenRewrite is quite noisy. Let us skip patch and minor updates:
      - dependency-name: "org.openrewrite:*"
        update-types: [ "version-update:semver-minor", "version-update:semver-patch" ]
      - dependency-name: "org.openrewrite.maven:*"
        update-types: [ "version-update:semver-minor", "version-update:semver-patch" ]
      - dependency-name: "org.openrewrite.recipe:*"
        update-types: [ "version-update:semver-minor", "version-update:semver-patch" ]
      # Json Unit 3.x requires Java 17
      - dependency-name: "net.javacrumbs.json-unit:*"
        versions: [ "[3,)" ]
      # Update both `disruptor.version` to latest 3.x version
      # and `disruptor4.version` to latest 4.x version
      - dependency-name: "com.lmax:disruptor"
        update-types: [ "version-update:semver-major" ]
      # WebCompere System Stubs requires Java 11
      - dependency-name: "uk.org.webcompere:*"
        versions: [ "[2.1,)" ]
      # Plexus Utils 4.x are for Maven 4.x
      - dependency-name: "org.codehaus.plexus:plexus-utils"
        versions: [ "[4,)" ]
      # H2 version 2.3.x requires Java 11
      - dependency-name: "com.h2database:h2"
        versions: [ "[2.3,)" ]
      # The Console Appender only support JANSI 1.x for now
      # see https://github.com/apache/logging-log4j2/issues/1736
      - dependency-name: "org.fusesource.jansi:jansi"
        update-types: [ "version-update:semver-major" ]
      # SLF4J should not perform major version upgrades
      - dependency-name: "org.slf4j:slf4j-api"
        update-types: [ "version-update:semver-major" ]

  - package-ecosystem: maven
    directories:
      - "/log4j-mongodb4"
    open-pull-requests-limit: 10
    schedule:
      interval: "daily"
    target-branch: "2.x"
    registries:
      - maven-central
    ignore:
      # MongoDB 4.x should only upgrade to 4.x
      - dependency-name: "org.mongodb:*"
        versions: [ "[5,)" ]

  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "2.x"

  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "2.x"

  - package-ecosystem: maven
    directory: "/"
    open-pull-requests-limit: 10
    schedule:
      interval: "daily"
    target-branch: "main"
    registries:
      - maven-central
    ignore:
      # Keep Jakarta EE at version 9.0
      - dependency-name: "jakarta.platform:*"
        versions: [ "[10,)" ]
      # OpenRewrite is quite noisy. Let us skip patch and minor updates:
      - dependency-name: "org.openrewrite:*"
        update-types: [ "version-update:semver-minor", "version-update:semver-patch" ]
      - dependency-name: "org.openrewrite.maven:*"
        update-types: [ "version-update:semver-minor", "version-update:semver-patch" ]
      - dependency-name: "org.openrewrite.recipe:*"
        update-types: [ "version-update:semver-minor", "version-update:semver-patch" ]
      # Plexus Utils 4.x are for Maven 4.x
      - dependency-name: "org.codehaus.plexus:plexus-utils"
        versions: [ "[4,)" ]
      # Don't upgrade to 3.x
      - dependency-name: "org.apache.logging.log4j:log4j-api"
        versions: [ "[3,)" ]
      # The Console Appender only support JANSI 1.x for now
      # see https://github.com/apache/logging-log4j2/issues/1736
      - dependency-name: "org.fusesource.jansi:jansi"
        update-types: [ "version-update:semver-major" ]

  - package-ecosystem: maven
    directories:
      - "/log4j-slf4j-impl"
    open-pull-requests-limit: 10
    schedule:
      interval: "daily"
    target-branch: "main"
    registries:
      - maven-central
    ignore:
      # SLF4J 1.7.x should only upgrade to 1.7.x and
      - dependency-name: "org.slf4j:slf4j-api"
        versions: [ "[1,)" ]

  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "main"

  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "main"