
Error handling of security updates for conflicting target dependencies #11621

Conversation

thavaahariharangit
Contributor

@thavaahariharangit thavaahariharangit commented Feb 17, 2025

What are you trying to accomplish?

If the vulnerable dependency versions are required via a transitive dependency, then the update is not possible.

package-b current version "1.1.0" and it is vulnerable
its lowest non-vulnerable version is "1.2.0"

But package-a (1.2.0) requires package-c(1.2.0)
and the package-c(1.2.0) requires package-b(1.1.0)
In this scenario package-b cannot be updated.

We need to throw an error transitive_update_not_possible in this scenario,
and logs should be updated with the explanation.

Anything you want to highlight for special attention from reviewers?

Current functionality can be found in this workflow

Root cause of the problem

Lowest non-vulnerable version 0.1.12 (@vulnerable_version_strings=["< 0.1.12"]) but the current version is 0.1.7 and it is vulnerable.

But we cannot update this ([email protected]) as this is required by [email protected] via a transitive dependency.

After this PR's changes, the logs look like this:

updater | 2025/02/19 10:16:24 INFO The latest possible version that can be installed is 0.1.7 because of the following conflicting dependency:
updater | 
updater |   @mocks-server/[email protected] requires [email protected] via a transitive dependency on [email protected]
updater | 2025/02/19 10:16:24 INFO The earliest fixed version is 0.1.12.
{"data":{"error-type":"transitive_update_not_possible","error-details":{"conflicting-dependencies":[{"explanation":"@mocks-server/[email protected] requires [email protected] via a transitive dependency on [email protected]","name":"express","requirement":"0.1.7","version":"4.21.2"}],"dependency-name":"path-to-regexp","latest-resolvable-version":"0.1.7","lowest-non-vulnerable-version":"0.1.12"}},"type":"record_update_job_error"}


...

updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +--------------------------------+
updater | |             Errors             |
updater | +--------------------------------+
updater | | transitive_update_not_possible |
updater | +--------------------------------+

How will you know you've accomplished your goal?

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
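As an added illustration (not code from this PR or from dependabot-core itself), the following Ruby models the check the PR describes on the package-a / package-b / package-c scenario above: walk a dependency graph, find every package whose pin on the vulnerable dependency excludes the lowest non-vulnerable version, explain each conflict through the direct dependency at the top of the chain, and emit a record shaped like the record_update_job_error payload in the description. The graph, the list of published package-b versions and all function names are assumptions made for the example.

```ruby
require "rubygems"
require "json"

# Constructed dependency graph mirroring the package-a / package-b / package-c scenario in the
# PR description (not a real lockfile). Each entry records the installed version and the
# requirements that package places on others.
DEPENDENCY_GRAPH = {
  "package-a" => { version: "1.2.0", requires: { "package-c" => "= 1.2.0" } },
  "package-c" => { version: "1.2.0", requires: { "package-b" => "= 1.1.0" } },
  "package-b" => { version: "1.1.0", requires: {} }
}.freeze

# Direct (top-level) dependencies of the project; everything else is transitive.
DIRECT_DEPENDENCIES = ["package-a"].freeze

# Constructed registry listing of package-b releases (assumption: a flat list of versions).
AVAILABLE_VERSIONS = { "package-b" => ["1.0.0", "1.1.0", "1.1.5", "1.2.0"] }.freeze

def satisfies?(requirement, version)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(version))
end

# Depth-first walk from `from` to `target`; returns the package chain or nil if unreachable.
def path_to(graph, from, target, seen = [])
  return [from] if from == target
  return nil if seen.include?(from)

  graph.fetch(from)[:requires].each_key do |child|
    sub = path_to(graph, child, target, seen + [from])
    return [from] + sub if sub
  end
  nil
end

# Every package whose requirement on `dep_name` excludes `candidate`, explained the way the
# updater log phrases it: the direct dependency at the top of the chain, the pinned version,
# and the transitive package that actually carries the pin.
def conflicting_dependencies(graph, direct, dep_name, candidate)
  graph.filter_map do |pinner, info|
    req = info[:requires][dep_name]
    next if req.nil? || satisfies?(req, candidate)

    pinned = req.sub(/\A=\s*/, "") # "= 1.1.0" -> "1.1.0"
    root = direct.find { |d| path_to(graph, d, pinner) } || pinner
    explanation = "#{root}@#{graph[root][:version]} requires #{dep_name}@#{pinned}"
    explanation += " via a transitive dependency on #{pinner}@#{info[:version]}" unless root == pinner
    { "explanation" => explanation, "name" => pinner, "requirement" => pinned, "version" => info[:version] }
  end
end

# Highest published version of `dep_name` that every dependent in the graph still accepts.
def latest_resolvable_version(graph, dep_name, available)
  pins = graph.values.filter_map { |info| info[:requires][dep_name] }
  available.fetch(dep_name)
           .select { |v| pins.all? { |req| satisfies?(req, v) } }
           .max_by { |v| Gem::Version.new(v) }
end

# Outcome of a security update: either the version to move to, or an error record shaped like
# the record_update_job_error payload shown in the PR description.
def security_update_outcome(graph, direct, dep_name, lowest_non_vulnerable, available = AVAILABLE_VERSIONS)
  conflicts = conflicting_dependencies(graph, direct, dep_name, lowest_non_vulnerable)
  if conflicts.empty?
    return { "type" => "update", "dependency-name" => dep_name, "to" => lowest_non_vulnerable }
  end

  {
    "type" => "record_update_job_error",
    "data" => {
      "error-type" => "transitive_update_not_possible",
      "error-details" => {
        "conflicting-dependencies" => conflicts,
        "dependency-name" => dep_name,
        "latest-resolvable-version" => latest_resolvable_version(graph, dep_name, available),
        "lowest-non-vulnerable-version" => lowest_non_vulnerable
      }
    }
  }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.generate(security_update_outcome(DEPENDENCY_GRAPH, DIRECT_DEPENDENCIES, "package-b", "1.2.0"))
end
```

Running it prints the error record for the pinned graph; relaxing package-c's requirement to `>= 1.1.0` instead yields a plain update to 1.2.0, which is the distinction the new error type is meant to surface in the logs rather than as a silent no-op.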

@thavaahariharangit thavaahariharangit requested a review from a team as a code owner February 17, 2025 14:56
@thavaahariharangit thavaahariharangit marked this pull request as draft February 17, 2025 14:56
@thavaahariharangit thavaahariharangit marked this pull request as ready for review February 18, 2025 14:50
@thavaahariharangit thavaahariharangit merged commit 821571f into main Feb 19, 2025
157 of 160 checks passed
@thavaahariharangit thavaahariharangit deleted the harry/error-handling-of-security-updates-conflicting-target-dependency branch February 19, 2025 15:02
dmitris pushed a commit to dmitris/dependabot-core that referenced this pull request Feb 26, 2025
dependabot#11621)

* Error handling of security updates

* Updated rspec

* Update the error as transitive_update_not_possible

* Lint fixes.

* Removing the message.

* Fixing the smoketest failure.

* Fix sorbet error.

* Fixing the smoke test.

* Fixing the rspec error.

* Fixing the test.

* Refactoring the code

* Refactoring the code

* Fixing the Lint errors.

* Code clean up and refactor.

* RSpec added to my changes.

* Updated the lowest resolvable version.

* Updated as per the review comment.

* Sorbet fixes.

---------

Co-authored-by: “Thavachelvam <“[email protected]”>