feat(npm)!: drop transitiveRemediation option

[rarkins]

Changes

Remove transitiveRemediation option, as it only works for deprecated npm versions.

BREAKING CHANGE: transitiveRemediation option is removed, will now be ignored.

Context

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests but ran on a real repository, or
• Both unit tests + ran on a real repository

[RahulGautamSingh]

I think we should also remove the follow code-blocks as they are related to transitiveRemediation only.

renovate/lib/workers/repository/update/branch/get-updated.ts

Lines 97 to 128 in 8ce089b

	} else if (upgrade.isRemediation) {
	const { status, files } = await updateLockedDependency({
	...upgrade,
	depName,
	newVersion,
	currentVersion,
	packageFile,
	packageFileContent: packageFileContent!,
	lockFile,
	lockFileContent: lockFileContent!,
	allowParentUpdates: true,
	allowHigherOrRemoved: true,
	});
	if (reuseExistingBranch && status !== 'already-updated') {
	logger.debug(
	{ lockFile, depName, status },
	'Need to retry branch as it is not already up-to-date',
	);
	return getUpdatedPackageFiles({
	...config,
	reuseExistingBranch: false,
	});
	}
	if (files) {
	updatedFileContents = { ...updatedFileContents, ...files };
	Object.keys(files).forEach(
	(file) => delete nonUpdatedFileContents[file],
	);
	}
	if (status === 'update-failed' || status === 'unsupported') {
	upgrade.remediationNotPossible = true;
	}

renovate/lib/workers/repository/updates/flatten.ts

Lines 162 to 193 in 8ce089b

	if (get(manager, 'updateLockedDependency')) {
	for (const lockFile of packageFileConfig.lockFiles || []) {
	const lockfileRemediations = config.remediations as Record<
	string,
	Record<string, any>[]
	>;
	const remediations = lockfileRemediations?.[lockFile];
	if (remediations) {
	for (const remediation of remediations) {
	let updateConfig = mergeChildConfig(
	packageFileConfig,
	remediation,
	);
	updateConfig = mergeChildConfig(
	updateConfig,
	config.vulnerabilityAlerts,
	);
	delete updateConfig.vulnerabilityAlerts;
	updateConfig.isVulnerabilityAlert = true;
	updateConfig.isRemediation = true;
	updateConfig.lockFile = lockFile;
	updateConfig.currentValue = updateConfig.currentVersion;
	updateConfig.newValue = updateConfig.newVersion;
	updateConfig = applyUpdateConfig(updateConfig);
	updateConfig.enabled = true;
	updates.push(updateConfig);
	}
	}
	}
	}
	}
	}

[SchroederSteffen]

Could you please comment on the reason for the removal?
Like "no capacity to implement it for up-to-date NPM versions" or something like that?

[rarkins]

@SchroederSteffen essentially that's it. It was designed at the time for the npm v1 lock file. npm underwent some pretty big rewrites around the time of the v2 lock file, and some missing/changed capabilities in npm meant that we couldn't use some of the same tricks for updating lock files so v2 wasn't able to be immediately done. Years have passed and there hasn't been any contribution or interest in improving it from the community, either in npm or other managers, and now we're left with a feature which only works with a deprecated version of npm

[SchroederSteffen]

Thanks for the detailed response!
Still, I think it's really unfortunate that Renovate doesn't support such transitive remediations, as most vulnerabilities affect transient and not direct dependencies. (I'm currently not able to contribute it myself, though.)