
Fixes for transitive dependency vulnerabilities without a top level dependency update #5762

Merged
merged 3 commits into from
Sep 21, 2022

Conversation

mctofu
Contributor

@mctofu mctofu commented Sep 20, 2022

With a dependency chain of A -> B -> C a vulnerability on C could require an update to B but not A so the resulting update would be for B & C. This fixes a few issues in that scenario.

  • When C is removed an error occurs when attempting to update B. This was because I missed applying this filter from the dry-run script to the updater after the merge.
  • When we create the PR for B & C then B was being filtered out resulting in a single dependency PR instead of a multi dependency PR. When C is removed this was causing an error because we don't support removal in single dependency PRs.

These aren't things that are easily tested in the updater spec but I'm planning on adding coverage via the end to end tests in the future.

It's not necessary as the dependencies will be removed as part of
applying the other updates.
With a dependency chain of A -> B -> C a vulnerability on C could
require an update to B but not A. Prior to this change B would have
been omitted from the PR messages because only top level dependencies
have requirements.
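The following is an added illustration of the scenario the description and the second commit message lay out; it is not dependabot-core's code, and every name in it (the `Dependency` struct, `changed_dependencies`, `buggy_pr_dependencies`, `pr_dependencies`, `updater_dependencies`) is a hypothetical model, not the project's API. It resolves a constructed `A -> B -> C` lockfile before and after a security update in which `C` is removed and `B` is bumped, then shows the two behaviours the PR changes: a filter keyed on manifest requirements drops the transitive `B` (leaving a single-dependency PR that cannot express the removal of `C`), while the corrected filter keeps every changed dependency, and removed dependencies are skipped when handing work to the updater because the other updates remove them as a side effect.

```ruby
# Hypothetical model of the A -> B -> C scenario (not dependabot-core's code).
Dependency = Struct.new(:name, :previous_version, :version, :requirements, :removed,
                        keyword_init: true)

# Constructed sample data: only A is declared in the manifest (top level);
# B and C are transitive. The security update bumps B and removes C entirely.
BEFORE    = { "A" => "1.0.0", "B" => "1.0.0", "C" => "1.0.0" }.freeze
AFTER     = { "A" => "1.0.0", "B" => "2.0.0" }.freeze
TOP_LEVEL = ["A"].freeze
VULNERABLE = "C"

# Diff the two resolutions. Transitive dependencies carry no requirements,
# mirroring "only top level dependencies have requirements" from the commit message.
def changed_dependencies(before, after, top_level)
  (before.keys | after.keys).filter_map do |name|
    old_v = before[name]
    new_v = after[name]
    next if old_v == new_v
    Dependency.new(
      name: name,
      previous_version: old_v,
      version: new_v,
      requirements: top_level.include?(name) ? [{ file: "manifest" }] : [],
      removed: new_v.nil?
    )
  end
end

# Model of the pre-fix behaviour: keep the vulnerable dependency plus anything
# with manifest requirements. Intermediate B has none, so it is filtered out.
def buggy_pr_dependencies(deps, vulnerable)
  deps.select { |d| d.name == vulnerable || d.requirements.any? }
end

# Model of the fixed behaviour: every dependency whose resolved version changed
# (updated or removed) belongs in the PR, whether or not it is top level.
def pr_dependencies(deps, _vulnerable)
  deps.select { |d| d.removed || d.version != d.previous_version }
end

# Removed dependencies are not passed to the updater: applying the remaining
# updates already drops them from the lockfile.
def updater_dependencies(deps)
  deps.reject(&:removed)
end

# A removal can only be expressed in a multi-dependency PR.
def pr_kind(deps)
  deps.size > 1 ? :multi_dependency : :single_dependency
end

def pr_summary(deps)
  deps.map do |d|
    d.removed ? "Remove #{d.name}" : "Bump #{d.name} from #{d.previous_version} to #{d.version}"
  end
end

if __FILE__ == $PROGRAM_NAME
  changed = changed_dependencies(BEFORE, AFTER, TOP_LEVEL)
  puts "before fix: #{pr_kind(buggy_pr_dependencies(changed, VULNERABLE))}"
  puts "after fix:  #{pr_kind(pr_dependencies(changed, VULNERABLE))}"
  puts pr_summary(pr_dependencies(changed, VULNERABLE))
  puts "updater receives: #{updater_dependencies(changed).map(&:name).join(', ')}"
end
```

Run it directly to see the single-dependency PR the old filter produced next to the multi-dependency PR that correctly records both the bump of `B` and the removal of `C`.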
@mctofu mctofu marked this pull request as ready for review September 21, 2022 00:10
@mctofu mctofu requested a review from a team as a code owner September 21, 2022 00:10
@mctofu mctofu merged commit f4f72c7 into main Sep 21, 2022
@mctofu mctofu deleted the mctofu/fix-removal-intermediate-dep branch September 21, 2022 01:22
@pavera pavera mentioned this pull request Oct 31, 2022