composer-update: fix YAML block-scalar break in transitive BFS loop#22
Merged
Conversation
The two-line bash assignment
queue="$queue
$parents"
put the second line at column 1 — that's less indented than the YAML `|`
block scalar's indent base, so the scalar ended right there and the rest
of the run script started parsing as YAML, blowing up the action loader
with "While scanning a simple key, could not find expected ':'".
Fold the assignment onto one YAML line via printf so the literal newline
is created at bash runtime, not in the YAML source.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
oxyc
added a commit
that referenced
this pull request
May 29, 2026
… (+ test suite) (#35) * test(composer-update): unit + integration tests; extract helpers to lib.sh The composer-update logic had no tests and was fragile (every recent fix — #20–#31 — was a production-only discovery). Add a real test suite and make the logic testable. - Extract the helper functions (build_pkg_arg, build_widen_arg, find_direct_ancestors, loosen_constraint, is_still_vulnerable, expand_args_for, get_lock_version) from update.sh into a sourceable scripts/lib.sh. update.sh sources it; behavior is unchanged (the existing no-widen integration test still passes). - Unit tests for the PHP helpers (the fragile version-range logic): - compute-min-safe-constraints: exclusive/inclusive bounds, missing version components, multi-range selection, no-entry fall-throughs. - is-still-vulnerable: in/out of range, multi-range, junk-input fail-safe. - Unit tests for the bash helpers, each tied to the edge case it guards: #27 build_pkg_arg trailing newline, #29 build_widen_arg caret widen, #28 loosen_constraint, #22/#26 find_direct_ancestors BFS + expand_args_for. - Integration tests driving the real update.sh with a fake composer: #24 downgrade revert, #21 dev-* revert, #23 per-package retry isolation, #20 no-widen honored as a JSON array. (Plus the existing no-widen test.) - Fix surfaced by the tests: compute-min-safe-constraints emitted `[]` for an empty result, but update.sh string-indexes that map with `jq '.[$pkg]'`, which errors on a JSON array under `set -eo pipefail`. Encode as `{}`. - CI: composer-update-tests.yml now sets up PHP and runs tests/run.sh. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(composer-update): inclusive-bound (<=) safe-version derivation skips 4-segment hotfixes compute-min-safe-constraints derived ~X.Y.(Z+1) for a <=X.Y.Z advisory. That skips a 4-segment hotfix like X.Y.Z.1, which is >X.Y.Z but <X.Y.(Z+1): the constraint matched no published version, the update no-opped, and the vuln went unpatched (no PR opened). Real case: suomentyokalu / seo-by-rank-math, advisory <=1.0.271, fixed in 1.0.271.1. The derived ~1.0.272 could not resolve. Emit >X.Y.Z,<X.(Y+1).0 instead — a strict-greater lower bound that matches the hotfix while still excluding the vulnerable boundary X.Y.Z, still minor-capped. Teach loosen_constraint() and build_widen_arg() the new range shape (major-cap widen/loosen, boundary stays excluded). Tests: regression case asserting <=1.0.271 -> >1.0.271,<1.1.0 plus Semver checks that 1.0.271.1 is reachable and 1.0.271 is excluded; updated existing <= assertions; helper-fn coverage for the range shape. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: test <test@example.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hotfix for #21 — talliosake's scan run 26109897638 failed to load
composer-update/action.yml:The transitive-ancestor BFS loop had a two-line bash assignment whose continuation line started at column 1:
That's less indented than the YAML
|block scalar's indent base, so the scalar terminated at that line and the rest of the run script was reinterpreted as YAML — which obviously doesn't parse.Fix
Fold the assignment onto a single YAML line and let bash insert the newline at runtime:
queue=$(printf '%s\n%s' "$queue" "$parents")Validated locally with
python3 -c "yaml.safe_load(open(...))".Test plan
generoi/github-actions/composer-update@v2) and confirm the action loads.🤖 Generated with Claude Code