Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to discover the dependency list prior to running a security-only update #360

Open
rhyskoedijk opened this issue Sep 15, 2024 · 2 comments · May be fixed by dependabot/dependabot-core#10836
Open

How to discover the dependency list prior to running a security-only update #360

rhyskoedijk opened this issue Sep 15, 2024 · 2 comments · May be fixed by dependabot/dependabot-core#10836

Comments

@rhyskoedijk
Copy link

rhyskoedijk commented Sep 15, 2024
edited
Loading

I'm trying to convert the tinglesoftware/dependabot-azure-devops community Dependabot implementation over to Dependabot CLI; it currently uses the dry-run.rb and updater scripts to perform updates, which is problematic because they do not use the credentials proxy container.

Everything works well so far using Dependabot CLI, except for security-only updates.
I've run in to a "chicken or the egg" situation where you need to list the [vulnerable] dependency names in job.yml, but you don't know what the dependencies are until you've already run a dependabot update first and parsed the dependency list from output.yml.

For example:

job:
    package-manager: npm_and_yarn
    security-updates-only: true
    dependencies:
      - express # how would I know this is a dependency before executing `dependabot update`?
    security-advisories:
      - dependency-name: express
        affected-versions:
          - <5.0.0
        patched-versions: []
        unaffected-versions: []

Do you have any advise on how I could solve this problem?
It would be ideal if there was a command like dependabot list, that was able return the "update_dependency_list" output, but skip the actual updates. Assuming I'm not missing something obvious, would you be open to me submitting a pull request to add this command?

The only way I can currently work around this issue is to do two "updates"; First with security-updates-only: false so I can parse the discovered dependency list, then a 2nd update with security-updates-only: true and the dependencies list populated.
@rhyskoedijk rhyskoedijk mentioned this issue Sep 15, 2024
Merged
@rhyskoedijk
Copy link
Author

It looks like @jakecoffman proposed something similar to what I'm looking for in #325.
Is there anything I could do to help with this? It sounds like a change might be needed to dependabot-core first which is maybe why this has stalled?

@rhyskoedijk rhyskoedijk mentioned this issue Oct 14, 2024
Draft
@rhyskoedijk
Copy link
Author

rhyskoedijk commented Oct 23, 2024
edited
Loading

If anybody stumbles across this before it is resolved, I worked around this issue by running a "fake" update job containing ignore: { dependency-name: '*' }. This makes Dependabot discover all dependencies, but update none of them. Once the job has finished, the "update_dependency_list" output can be parsed and used to build a new job that performs the security-only update. Not ideal, but it works.

See: tinglesoftware/dependabot-azure-devops#1394

Ideally there would be first-class support for "listing dependencies" using the CLI.

@rhyskoedijk rhyskoedijk linked a pull request Oct 23, 2024 that will close this issue
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@rhyskoedijk