Add more helpful error messaging when a vulnerable dependency cannot be upgraded by Nishnha · Pull Request #5542 · dependabot/dependabot-core

Nishnha · 2022-08-16T00:50:49Z

This PR adds a new method, #explain_fix_unavailable, which adds an explanation key to the fix_unavailable object when the UpdateChecker returns an update_not_possible error.

This explanation key is also used in the ConflictingDependencies check which is printed out after a failed job run and also shows up in the Dependabot security alert view.

The UpdateChecker should always raise with an :update_not_possible by this point since the call from #latest_version_resolvable_with_full_unlock? will not have any viable audit results and thus no fix available

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

Nishnha · 2022-08-23T21:08:57Z

🙃
I'm getting an error from the "behaves like an update checker" test:
https://github.com/dependabot/dependabot-core/runs/7982211556?check_suite_focus=true#step:5:267

I'm pretty sure the UpdateChecker#vulnerability_audit method this PR introduces will need to be public to be accessed from the Updater (we include Dependabot Core as a gem there, so we should only access the public interface)

For #conflicting_dependencies, we added as a method to the UpdateChecker base class even though it's only used in the bundler and npm_and_yarn ecosystems
https://github.com/dependabot/dependabot-core/blob/main/common/lib/dependabot/update_checkers/base.rb#L97-L105

I think the best course of action for the #vulnerability_audit method is to also add it to the UpdateChecker base class and note that it's used for npm transitive dependency updates.

Does anyone have other suggestions?

mctofu · 2022-08-24T00:56:19Z

🙃 I'm getting an error from the "behaves like an update checker" test: https://github.com/dependabot/dependabot-core/runs/7982211556?check_suite_focus=true#step:5:267

I'm pretty sure the UpdateChecker#vulnerability_audit method this PR introduces will need to be public to be accessed from the Updater (we include Dependabot Core as a gem there, so we should only access the public interface)

For #conflicting_dependencies, we added as a method to the UpdateChecker base class even though it's only used in the bundler and npm_and_yarn ecosystems https://github.com/dependabot/dependabot-core/blob/main/common/lib/dependabot/update_checkers/base.rb#L97-L105

I think the best course of action for the #vulnerability_audit method is to also add it to the UpdateChecker base class and note that it's used for npm transitive dependency updates.

Does anyone have other suggestions?

Can you represent the error message in the #conflicting_dependencies result? #conflicting_dependencies is fairly generic and could be implemented by more ecosystems if we had the time to do so. #vulnerability_audit seems much more specific to our npm implementation so it doesn't seem as likely we'd expose that for any other ecosystem.

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

deivid-rodriguez

I'm not really well versed into how npm updates work, but this looks good to me!

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/vulnerability_auditor_spec.rb

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker.rb

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

… instead of raising

Co-authored-by: David Rodríguez <deivid.rodriguez@riseup.net>

…vailable object

Nishnha · 2022-09-01T19:29:49Z

Reverting this in #5613 because of a TypeError. Will fix, add tests, and re-deploy.

Nishnha requested a review from a team as a code owner August 16, 2022 00:50

landongrindheim reviewed Aug 16, 2022

View reviewed changes