Dependabot-core: CocoaPods support

Well, there's this ancient PR I wrote which pretty much works, but has a few teething issues: https://github.com/dependabot/dependabot-core/pull/24.

I'd want this line removed from CocoaPods before resurrecting that PR (which will happen eventually - once few enough users are using old Ruby version). I also have some concerns about the way the CocoaPods registry works (it's a git repo that gets cloned down and is massive), but in principle all of this can be done.

I'll wait for a bit more interest here before resurrecting that PR and working on the above. The registry problem probably needs to be worked around, rather than fixed...

The support of CocoaPods would be awesome.

Thanks for the 👍 @paschelino. I looked at this before and bailed on it because my understanding was that there was a lot of vendoring with CocoaPods, and that updating just the Podfile and Podfile.lock wouldn't be enough - what other files would normally get updated when bumping a pod?

The source code from the dependencies is _often_ checked in to the repo as well, so you're right there is a lot of vendoring. In some cases developers choose to not check in the Pods/ directory, in which case simply updating the Podfile and Podfile.lock would be enough. But it wouldn't cover the case where the Pods/ are checked in.

(See: https://guides.cocoapods.org/using/using-cocoapods#should-i-check-the-pods-directory-into-source-control)

_From @leogiertz on October 18, 2018 11:33_

We ❤️ Dependabot and it would be great if we could also let it update our iOS dependencies.

_Copied from original issue: dependabot/feedback#221_

there was a lot of vendoring with CocoaPods

I can't provide any statistics, but I have worked in several projects, none of which checks in CocoaPod dependencies. Partial support without vendor is still appreciated.

If it helps at all, @greysteil, we could probably talk about allowing a subscription to https://github.com/CocoaPods/trunk.cocoapods.org/blob/master/config/init.rb#L51-L60

We would also be happy with partial support since none of the projects that I've worked with check in the Pods directory.

Looking forward to Cocoapods support :)

https://github.com/CocoaPods/CocoaPods/releases/tag/1.6.0 😀

https://github.com/CocoaPods/CocoaPods/blob/edadc430e813cb1fba7e0120a00ac4e7dd9763e7/cocoapods.gemspec#L44 😔

Would love to see Cocoapods support, have several open source projects and it would simplify maintenance. Right now I am using a cron job to run pod update and fail if there are updates.

Hi, what is the status for CocoaPods support? Are there alternative approaches for supporting CocoaPods?

@CarstenHoyer we're currently focused on scaling Dependabot at GitHub so don't have much spare capacity to take this on for another six months or so 😢

If you're keen to have a go at adding support we would be happy to review any pull requests for it on dependabot-core 🙌

Hey 👋

I actually have a (very WIP, very old) PR open to add Cocoapods support (https://github.com/dependabot/dependabot-core/pull/731) if anyone else wants to take a look and/or help out.

I've not had much time to revisit this PR recently but I plan to very soon. That being said, the main hold up at the moment is that Cocoapods pins activesupport to < 5 (https://github.com/CocoaPods/CocoaPods/issues/7885), which is very old. Once this dependency conflict is resolved (on the Cocoapods side), there should be a clearer path to allowing this PR to be merged, I hope!

Second to what @jspargo said, I don't think we can do much until CocoaPods/CocoaPods#7885 is fixed... so @CarstenHoyer if you want to push, push the CocoaPods team. Rails 5 has been out for long; even Rails 6 was released last month.

It looks https://github.com/CocoaPods/CocoaPods/issues/7885 has been resolved. So, can we already be ready to support CocoaPods?

Hi @ledyba-z - Yes, I believe so. I’ve just finished making updates to #731 but in principle the functionality is all there in the branch add-cocoapods

So watch this space (and this issue) but hopefully soon!

Hi, everyone! Are there any updates on this topic? I'd love to integrate Dependabot on the projects I work on.

Hi @brunoald, I hope that we can eventually support CocoaPods, but at this time we've paused adding new ecosystems. We don't have a timeline available of when we'll be adding more ecosystems yet, but once we do and we have a sense of where CocoaPods would fall priority wise I'll be sure to update here

Thanks for the update @jurre - let me know if there's anything I can do to help get Cocoapods support added 👀