There is no timezone Europe/Kyiv

[yukal]

Area with issue?

JSON Schema

✔️ Expected Behavior

I'm trying to create a workflow scenario for the Dependabot using the "Europe/Kyiv" timezone.
Please note that the "Europe/Kyiv" timezone is native to Ukrainians. See the issue here:
dependabot/dependabot-core#6132

❌ Actual Behavior

My IDE (VSCode) shows the red underline and tells me that the timezone is absent in dependabot-2.0.json scheme

YAML or JSON file that does not work.

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"

    schedule:
      timezone: "Europe/Kyiv"
      interval: "weekly"
      time: "04:00"

IDE or code editor.

Visual Studio Code

Are you making a PR for this?

No

[kurtmckee]

I'll work to add this. The list in the Dependabot schema was copied from src/schemas/json/base.json, so I'll submit two PRs:

1. Address this specific issue
2. Address the timezone in base.json and anywhere else

[hyperupcall]

@kurtmckee I was curious what you think about #3519? I added a few entries to the timezone in base.json and used it from the dependabot schema. To keep the original behavior, the validation still fails when it sees a timezone that is not in the enum set. I think it would be good to change it so it does accept strings besides the pre-defined enum - that way, then new timezones are added, they are able to be used right away

[kurtmckee]

Sorry for the delay in responding. I anticipate that #3519 could severely hinder downstream tools. I see that it's already merged, but I think that most well-designed tools will completely forbid follow-up network access, and will either break outright or will simply stop validating whatever was referenced.

Specifications generally allow authors to use referencing syntax, but in the wild it's always an unmitigated disaster for exploits so tools generally turn off network access. See what the XML specification allows versus the list of CVEs against all software that parses XML, for example.

As for the immediate effect, I anticipate that tools like check-jsonschema -- which is generally run as pre-commit hooks -- will have to work around these references because pre-commit.ci disallows all network access.

[hyperupcall]

I see, yeah you were right that #3519 would break many tools. I had to revert it for some of the reasons you mentioned - $refed schemas would not be fetched and validation would simply fail. I was planning to use bowtie to prevent these sort of breaking changes. But I think the only way to prevent this issue with limited network access is to "bundle" the "schema $ref tree" into a single schema for easy consumption.