Check previous version vulnerability after group update completion#13203
Merged
Check previous version vulnerability after group update completion#13203
Conversation
robaiken
changed the title
robaiken
force-pushed
the
robaiken/check-prev-versions-after-group-update
branch
from
ec01b72 to
b37a1ae
Compare
Nishnha
reviewed
Sep 30, 2025
| return false if ignore_conditions.any?(Dependabot::Config::IgnoreCondition::ALL_VERSIONS) | ||
|
|
||
| job.allowed_update?(dep) | ||
| job.allowed_update?(dep, has_update_completed: true) |
Member
There was a problem hiding this comment.
What does it mean to set has_update_completed to true here? Is there a better name for this variable?
Contributor
Author
There was a problem hiding this comment.
Thanks for catching that! I forgot to rename that variable before opening the pr when the approach changed
Nishnha
previously approved these changes
Sep 30, 2025
Member
Nishnha
left a comment
Nishnha
left a comment
There was a problem hiding this comment.
Approving for the fix since tests are passing.
I left a comment about what it means for has_update_completed to be true, and whether we can rename that arg to something more descriptive
markhallen
previously approved these changes
Oct 1, 2025
Contributor
markhallen
left a comment
markhallen
left a comment
There was a problem hiding this comment.
The logic looks good. However, there are some optional suggestions around commenting and naming.
robaiken
force-pushed
the
robaiken/check-prev-versions-after-group-update
branch
2 times, most recently
from
effd35b to
cf84b3f
Compare
Co-authored-by: Mark Allen <markhallen@gmail.com>
Co-authored-by: Mark Allen <markhallen@gmail.com>
Co-authored-by: Mark Allen <markhallen@gmail.com>
robaiken
force-pushed
the
robaiken/check-prev-versions-after-group-update
branch
from
cf84b3f to
de9cdc6
Compare
markhallen
approved these changes
Oct 1, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What are you trying to accomplish?
Fix vulnerability checking for group updates by checking previous version vulnerability status after updates complete, ensuring security updates are properly identified even when dependencies have already been updated.
Anything you want to highlight for special attention from reviewers?
Added two new methods (
vulnerable_for_update?andvulnerable_in_previous_version?) instead of modifying existing logic to maintain backward compatibility and provide clear separation between pre/post-update vulnerability checks.How will you know you've accomplished your goal?
Dependabot will no longer filter out insecure versions for group updates
Checklist