Skip to content

Security updates must specify the dependency to be updated#51

Merged
brrygrdn merged 1 commit intomainfrom
brrygrdn/fix-security-smoke-test
Apr 12, 2023
Merged

Security updates must specify the dependency to be updated#51
brrygrdn merged 1 commit intomainfrom
brrygrdn/fix-security-smoke-test

Conversation

@brrygrdn
Copy link
Copy Markdown
Contributor

@brrygrdn brrygrdn commented Apr 12, 2023

This smoke test was failing for the new, isolated security update operation class in dependabot/dependabot-core#6961

It was odd as local testing with the CLI was showing the right outcome, but I realised that one consequence of this isolated updater is that it enforced the de-facto contract that a security update job must specify the dependencies it is attempting to update.

Currently, if we do not set the dependencies we effectively perform an "All Versions Update" by suppress any updates we could make other than those we have advisory data for.

This 'working by accident' state is something the isolated Operations are trying to remediate, so let's update the test to use the real-world job definition.

Notes

In the future, if we wanted to have some kind of 'All Security Updates possible' workflow, this is something we should treat as a new Operation class to be clear about the input payloads, etc, so we head into the right code line. There's still more work to be done in the Updater in order to make it more flexible/fully featured but for now I think closing the door on these accidental outcomes is in the spirit of the refactor.

@brrygrdn brrygrdn requested a review from jakecoffman April 12, 2023 11:46
@brrygrdn brrygrdn mentioned this pull request Apr 12, 2023
Merged
jakecoffman
jakecoffman approved these changes Apr 12, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@jakecoffman jakecoffman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting since security-updates-only: true is set. Maybe we should have an explicit check for these things in the updater and reject invalid jobs? I can't imagine there's many other cases like this though.

@brrygrdn
Copy link
Copy Markdown
Contributor Author

brrygrdn commented Apr 12, 2023

Interesting since security-updates-only: true is set. Maybe we should have an explicit check for these things in the updater and reject invalid jobs? I can't imagine there's many other cases like this though.

We have at least one other 'working by accident' scenario I'm aware of - we only specify a single dependency for new security update jobs, but we will attempt to handle multiple - I've left that one in place as unpicking it is non-trivial.

This is a gap between old standalone Dependabot and GitHub-integrated, my plain is to strictly match payloads to Operations ( i.e. so we either support it or don't ) and then make sure none are still going down the legacy route, after which we can start throwing an exception if you try a config that isn't valid.

@brrygrdn brrygrdn merged commit 919d325 into main Apr 12, 2023
@brrygrdn brrygrdn deleted the brrygrdn/fix-security-smoke-test branch April 12, 2023 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jakecoffman jakecoffman jakecoffman approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brrygrdn @jakecoffman