
Check previous version vulnerability after group update completion#13203

Merged
robaiken merged 6 commits into main from robaiken/check-prev-versions-after-group-update
Oct 1, 2025

Conversation

@robaiken
Contributor

@robaiken robaiken commented Sep 30, 2025

What are you trying to accomplish?

Fix vulnerability checking for group updates by checking previous version vulnerability status after updates complete, ensuring security updates are properly identified even when dependencies have already been updated.

Anything you want to highlight for special attention from reviewers?

Added two new methods (vulnerable_for_update? and vulnerable_in_previous_version?) instead of modifying existing logic to maintain backward compatibility and provide clear separation between pre/post-update vulnerability checks.

How will you know you've accomplished your goal?

Dependabot will no longer filter out insecure versions for group updates

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
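An added illustration of the pre/post-update distinction the description above is about (a toy model written for this page, not Dependabot's code; the GroupDep, Advisory and SecurityChecker names and the sample advisory are constructed):

```ruby
require "rubygems" # Gem::Version / Gem::Requirement for version-range matching

# Constructed model of a group-updated dependency: once the group update has run,
# `version` already holds the new version and the one it replaced is in `previous_version`.
GroupDep = Struct.new(:name, :version, :previous_version)
# Constructed advisory: RubyGems-style requirement strings describing the affected range.
Advisory = Struct.new(:name, :vulnerable_versions)

class SecurityChecker
  def initialize(advisories)
    @advisories = advisories
  end

  # Is `version` of dependency `name` inside any advisory's affected range?
  def vulnerable?(name, version)
    return false if version.nil?
    v = Gem::Version.new(version)
    @advisories.any? do |adv|
      adv.name == name &&
        adv.vulnerable_versions.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
    end
  end

  # Pre-update check: the dependency still sits at the version about to be replaced.
  def vulnerable_for_update?(dep)
    vulnerable?(dep.name, dep.version)
  end

  # Post-update check: `version` is already the fixed one, so inspect the version it came from.
  # Looking at `version` here is the failure mode the PR describes: a real security fix is missed.
  def vulnerable_in_previous_version?(dep)
    vulnerable?(dep.name, dep.previous_version)
  end

  # Mirrors the shape of the call site in the diff: pick the check by whether the update completed.
  def security_update?(dep, update_completed: false)
    update_completed ? vulnerable_in_previous_version?(dep) : vulnerable_for_update?(dep)
  end
end

if $PROGRAM_NAME == __FILE__
  checker = SecurityChecker.new([Advisory.new("example-gem", ["< 2.2.4"])])
  updated = GroupDep.new("example-gem", "2.2.4", "2.2.3") # group update already applied
  puts "naive check: #{checker.security_update?(updated)}"                               # false (missed)
  puts "post-update check: #{checker.security_update?(updated, update_completed: true)}" # true
end
```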

@robaiken robaiken self-assigned this Sep 30, 2025
@robaiken robaiken changed the title from "check previous version vulnerability after group update completion" to "Check previous version vulnerability after group update completion" Sep 30, 2025
@robaiken robaiken force-pushed the robaiken/check-prev-versions-after-group-update branch from ec01b72 to b37a1ae September 30, 2025 18:08
@robaiken robaiken marked this pull request as ready for review September 30, 2025 18:14
@robaiken robaiken requested a review from a team as a code owner September 30, 2025 18:14
return false if ignore_conditions.any?(Dependabot::Config::IgnoreCondition::ALL_VERSIONS)

job.allowed_update?(dep)
job.allowed_update?(dep, has_update_completed: true)
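Review bot: the new keyword `has_update_completed: true` on the `job.allowed_update?(dep, ...)` call says when it is passed, not what it changes; since the description says the post-update path checks the previous version's vulnerability status, a name that states that (for example `check_previous_version:`) would read better at the call site, and `allowed_update?` should keep a default for the new keyword so existing callers that pass only `dep` are unaffected.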
Member

What does it mean to set has_update_completed to true here? Is there a better name for this variable?

Contributor Author

Thanks for catching that! I forgot to rename that variable before opening the PR when the approach changed.

Nishnha
Nishnha previously approved these changes Sep 30, 2025
Member

@Nishnha Nishnha left a comment


Approving for the fix since tests are passing.

I left a comment about what it means for has_update_completed to be true, and whether we can rename that arg to something more descriptive.

markhallen
markhallen previously approved these changes Oct 1, 2025
Contributor

@markhallen markhallen left a comment


The logic looks good. However, there are some optional suggestions around commenting and naming.

@robaiken robaiken force-pushed the robaiken/check-prev-versions-after-group-update branch 2 times, most recently from effd35b to cf84b3f October 1, 2025 11:01
robaiken and others added 6 commits October 1, 2025 12:08
Co-authored-by: Mark Allen <markhallen@gmail.com>
Co-authored-by: Mark Allen <markhallen@gmail.com>
Co-authored-by: Mark Allen <markhallen@gmail.com>
@robaiken robaiken force-pushed the robaiken/check-prev-versions-after-group-update branch from cf84b3f to de9cdc6 October 1, 2025 11:08
@robaiken robaiken merged commit b1b8146 into main Oct 1, 2025
186 of 275 checks passed
@robaiken robaiken deleted the robaiken/check-prev-versions-after-group-update branch October 1, 2025 12:14