Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add updater job flag to update the dependency list without updating the dependency files #10836

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

rhyskoedijk
Copy link

@rhyskoedijk rhyskoedijk commented Oct 23, 2024

What are you trying to accomplish?

Resolve dependabot/cli#360 and further progress @jakecoffman's dependabot ls CLI suggestion from dependabot/cli#325.

This change adds a new update_dependency_list_only attribute to Dependabot::Job.
When true, Dependabot::UpdateFilesCommand will exit immediately after publishing to the update_dependency_list API, skipping the call to Dependabot::Updater.run(). The option is false by default.

The change allows community users a way to use Dependabot purely for discovering dependencies, without actually updating them.

As mentioned in dependabot/cli#360, there is currently no obvious way (that I could find) for the community (outside GitHub) to use Dependabot [CLI] for security-only updates since a prerequisite of security-only updates is that the job definition contains the names of the vulnerable dependencies to be updated. The dependency names are not known until the update has started and discovery has completed, but the update cannot be started without first knowing the dependency names; catch-22.

Anything you want to highlight for special attention from reviewers?

I understand that contributions to the updater are generally not accepted and that within the GitHub hosted environment, this is a non-issue. I hope that you still consider this change (or some variation of it) to benefit community Dependabot implementations and users of Dependabot CLI.

If I have missed some obvious step that allows for security-only updates to be run without knowing the dependency names up-front, then this may not be required.

How will you know you've accomplished your goal?

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@rhyskoedijk rhyskoedijk marked this pull request as ready for review October 23, 2024 20:58
@rhyskoedijk rhyskoedijk requested a review from a team as a code owner October 23, 2024 20:58
@rhyskoedijk rhyskoedijk force-pushed the feature/list_dependencies_only branch from 057d250 to 07e1dbf Compare November 9, 2024 04:34
@rhyskoedijk rhyskoedijk force-pushed the feature/list_dependencies_only branch from 07e1dbf to d0f5f5a Compare November 17, 2024 12:40
@rhyskoedijk
Copy link
Author

@jakecoffman do you know if this is something that would ever be considered? If not, any tips on a way I could implement this in a way that would be accepted? I'd really like to finish your work from dependabot/cli#325 as it would be extremely useful for the tinglesoftware/dependabot-azure-devops) project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

How to discover the dependency list prior to running a security-only update
1 participant