Skip to content

Commit

Permalink
feat: transitiveRemediation (#8883)
Browse files Browse the repository at this point in the history
* save remediations

* enhance and export NpmResponse

* sort branch lists

* transitive remediation init

* update-lockfile not bump

* version not value

* remediate package.json

* isVulnerabilityAlert

* simplify config

* fix circular

* update snapshots

* add config and docs

* TODO

* flatten tests

* remediation -> update

* lots of renames

* improve readability

* refactor

* remove fetch

* more tests

* reduce fiixtures sizes

* more tests

* fix parent null

* remove exec

* explicit false

* fix

* Apply suggestions from code review

Co-authored-by: Michael Kriese <[email protected]>

* use type-fest PackageJson

* more tests

* coverage

* Update lib/workers/branch/get-updated.ts

Co-authored-by: Michael Kriese <[email protected]>
  • Loading branch information
rarkins and viceice authored Mar 1, 2021
1 parent 399d7ea commit 98d5539
Show file tree
Hide file tree
Showing 35 changed files with 1,262 additions and 38 deletions.
7 changes: 7 additions & 0 deletions docs/usage/configuration-options.md
Original file line number Diff line number Diff line change
Expand Up @@ -2104,6 +2104,13 @@ The above config will suppress the comment which is added to a PR whenever you c
It is only recommended to configure this field if you wish to use the `schedules` feature and want to write them in your local timezone.
Please see the above link for valid timezone names.

## transitiveRemediation

When enabled, Renovate will attempt to remediate vulnerabilities even if they exist only in transitive dependencies.

Applicable only for GitHub platform (with vulnerability alerts enabled), `npm` manager, and when a `package-lock.json` v1 format is present.
This is considered a feature flag with the aim to remove it and default to this behavior once it has been more widely tested.

## unicodeEmoji

If enabled emoji shortcodes (`:warning:`) are replaced with their unicode equivalents (`⚠️`)
Expand Down
6 changes: 6 additions & 0 deletions lib/config/definitions.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1263,6 +1263,12 @@ const options: RenovateOptions[] = [
cli: false,
env: false,
},
{
name: 'transitiveRemediation',
description: 'Enable remediation of transitive dependencies.',
type: 'boolean',
default: false,
},
{
name: 'vulnerabilityAlerts',
description:
Expand Down
2 changes: 2 additions & 0 deletions lib/datasource/common.ts
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@ export interface Release {
version: string;
newDigest?: string;
constraints?: Record<string, string[]>;
dependencies?: Record<string, string>;
devDependencies?: Record<string, string>;
}

export interface ReleaseResult {
Expand Down
2 changes: 2 additions & 0 deletions lib/datasource/npm/get.ts
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,8 @@ export async function getDependency(
const release: NpmRelease = {
version,
gitRef: res.versions[version].gitHead,
dependencies: res.versions[version].dependencies,
devDependencies: res.versions[version].devDependencies,
};
if (res.time?.[version]) {
release.releaseTimestamp = res.time[version];
Expand Down
14 changes: 14 additions & 0 deletions lib/manager/common.ts
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,16 @@ export interface BumpedPackageFile {
newContent: string;
}

export interface UpdateLockedConfig {
packageFile?: string;
packageFileContent?: string;
lockFile?: string;
lockFileContent?: string;
depName?: string;
currentVersion?: string;
newVersion?: string;
}

export interface ManagerApi {
defaultConfig: Record<string, unknown>;
language?: string;
Expand Down Expand Up @@ -270,6 +280,10 @@ export interface ManagerApi {
updateDependency?(
updateDependencyConfig: UpdateDependencyConfig
): Result<string | null>;

updateLockedDependency?(
config: UpdateLockedConfig
): Result<Record<string, string | null>>;
}

// TODO: name and properties used by npm manager
Expand Down
6 changes: 5 additions & 1 deletion lib/manager/npm/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,11 @@ import { LANGUAGE_JAVASCRIPT } from '../../constants/languages';
import * as npmVersioning from '../../versioning/npm';

export { extractAllPackageFiles } from './extract';
export { bumpPackageVersion, updateDependency } from './update';
export {
bumpPackageVersion,
updateDependency,
updateLockedDependency,
} from './update';
export { getRangeStrategy } from './range';

export const language = LANGUAGE_JAVASCRIPT;
Expand Down
3 changes: 2 additions & 1 deletion lib/manager/npm/update/index.ts
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
export { bumpPackageVersion } from './package-version';
export { updateDependency } from './dependency';
export { updateLockedDependency } from './locked-dependency';
export { bumpPackageVersion } from './package-version';

Large diffs are not rendered by default.

Large diffs are not rendered by default.

Large diffs are not rendered by default.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"dependencies": {
"express": "4.0.0"
}
}

Large diffs are not rendered by default.

Large diffs are not rendered by default.

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP

exports[`manager/npm/update/locked-dependency/dep-constraints findDepConstraints() finds direct dependency 1`] = `
Array [
Object {
"constraint": "4.0.0",
"depType": "dependencies",
},
]
`;

exports[`manager/npm/update/locked-dependency/dep-constraints findDepConstraints() finds direct devDependency 1`] = `
Array [
Object {
"constraint": "4.0.0",
"depType": "devDependencies",
},
]
`;

exports[`manager/npm/update/locked-dependency/dep-constraints findDepConstraints() finds indirect dependency 1`] = `
Array [
Object {
"constraint": "0.2.0",
"parentDepName": "express",
"parentVersion": "4.0.0",
},
]
`;
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP

exports[`manager/npm/update/locked-dependency/get-locked getLockedDependencies() finds direct dependency 1`] = `
Array [
Object {
"integrity": "sha1-J03IKTPJ9XTMOKDOXqgXK+nGsJQ=",
"requires": Object {
"accepts": "1.0.0",
"buffer-crc32": "0.2.1",
"cookie": "0.1.0",
"cookie-signature": "1.0.3",
"debug": ">= 0.7.3 < 1",
"escape-html": "1.0.1",
"fresh": "0.2.2",
"merge-descriptors": "0.0.2",
"methods": "0.1.0",
"parseurl": "1.0.1",
"path-to-regexp": "0.1.2",
"qs": "0.6.6",
"range-parser": "1.0.0",
"send": "0.2.0",
"serve-static": "1.0.1",
"type-is": "1.0.0",
"utils-merge": "1.0.0",
},
"resolved": "https://registry.npmjs.org/express/-/express-4.0.0.tgz",
"version": "4.0.0",
},
]
`;

exports[`manager/npm/update/locked-dependency/get-locked getLockedDependencies() finds indirect dependency 1`] = `
Array [
Object {
"integrity": "sha1-Bnq/Rc/4v/spy9t0OXJbMjiKLFg=",
"requires": Object {
"debug": "*",
"fresh": "~0.2.1",
"mime": "~1.2.9",
"range-parser": "~1.0.0",
},
"resolved": "https://registry.npmjs.org/send/-/send-0.2.0.tgz",
"version": "0.2.0",
},
]
`;
22 changes: 22 additions & 0 deletions lib/manager/npm/update/locked-dependency/common.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
export interface PackageLockDependency {
version: string;
resolved?: string;
integrity?: string;
dependencies?: Record<string, PackageLockDependency>;
}

export type PackageLockDependencies = Record<string, PackageLockDependency>;

export interface PackageLockOrEntry {
lockfileVersion?: number;
version?: string;
dependencies?: PackageLockDependencies;
requires?: Record<string, string>;
}

export interface ParentDependency {
parentDepName?: string;
parentVersion?: string;
constraint: string;
depType?: string;
}
36 changes: 36 additions & 0 deletions lib/manager/npm/update/locked-dependency/dep-constraints.spec.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
import { readFileSync } from 'fs';
import { resolve } from 'upath';
import { getName } from '../../../../../test/util';
import { findDepConstraints } from './dep-constraints';

jest.mock('../../../../util/fs');

const packageJson = JSON.parse(
readFileSync(resolve(__dirname, './__fixtures__/package.json'), 'utf8')
);
const packageLockJson = JSON.parse(
readFileSync(resolve(__dirname, './__fixtures__/package-lock.json'), 'utf8')
);

describe(getName(__filename), () => {
describe('findDepConstraints()', () => {
it('finds indirect dependency', () => {
expect(
findDepConstraints(packageJson, packageLockJson, 'send', '0.2.0')
).toMatchSnapshot();
});
it('finds direct dependency', () => {
expect(
findDepConstraints(packageJson, packageLockJson, 'express', '4.0.0')
).toMatchSnapshot();
});
it('finds direct devDependency', () => {
const packageJsonDev = { ...packageJson };
packageJsonDev.devDependencies = packageJsonDev.dependencies;
delete packageJsonDev.dependencies;
expect(
findDepConstraints(packageJsonDev, packageLockJson, 'express', '4.0.0')
).toMatchSnapshot();
});
});
});
Loading

0 comments on commit 98d5539

Please sign in to comment.