Not all configuration options are passed / vendoring does not work correctly
I opened an issue at dependabot-core first, because I thought it was an error there: https://github.com/dependabot/dependabot-core/issues/3380
Edit: After looking at the code and talking with a maintainer of dependabot-core it looks like this project misses support to clone the repo, which is needed to do vendoring. See the comment here: https://github.com/dependabot/dependabot-core/issues/3380#issuecomment-809249314
In the code of this project we don't ever pass the repo_contents_path (https://gitlab.com/dependabot-gitlab/dependabot/-/blob/master/app/services/dependabot/file_fetcher.rb), so I assume it's not supported.
Do you think this would be possible at all? It would probably make the process a bit more complicated?
===================
OLD INFO: However, when inspecting the source of this project more closely (https://gitlab.com/dependabot-gitlab/dependabot/-/blob/master/app/services/configuration/parser.rb), it has some config parsing logic of its own. Can you tell me which config is passed to dependabot-core?
Specifically I'm missing the following option in there: https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#vendor
The logic in dependabot-core is here:
Though, when looking at the combination of files, it looks like dependabot itself doesn't read the option either; it seems to auto-detect when it needs to tidy and when it needs to vendor. Someone from Dependabot gave some information about what might need to be changed.