diff --git a/github_actions/lib/dependabot/github_actions/update_checker.rb b/github_actions/lib/dependabot/github_actions/update_checker.rb
index 56daa9160ed..db384b63de8 100644
--- a/github_actions/lib/dependabot/github_actions/update_checker.rb
+++ b/github_actions/lib/dependabot/github_actions/update_checker.rb
@@ -76,7 +76,8 @@ def updated_requirements
 sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
 def active_advisories
 security_advisories.select do |advisory|
- advisory.vulnerable?(version_class.new(git_commit_checker.most_specific_tag_equivalent_to_pinned_ref))
+ version = git_commit_checker.most_specific_tag_equivalent_to_pinned_ref
+ version.nil? ? false : advisory.vulnerable?(version_class.new(version))
 end
 end
 
diff --git a/github_actions/spec/dependabot/github_actions/update_checker_spec.rb b/github_actions/spec/dependabot/github_actions/update_checker_spec.rb
index f89992c4115..0df33d823ba 100644
--- a/github_actions/spec/dependabot/github_actions/update_checker_spec.rb
+++ b/github_actions/spec/dependabot/github_actions/update_checker_spec.rb
@@ -810,7 +810,7 @@
 it { is_expected.to eq(expected_requirements) }
 end
 
- context "when a vulnerable dependency hase a major tag reference" do
+ context "when a vulnerable dependency has a major tag reference" do
 let(:dependency_name) { "kartverket/github-workflows" }
 let(:reference) { "v2" }
 
@@ -840,6 +840,14 @@
 expect(updated_requirements.first[:source][:ref]).to eq("v3")
 end
 end
+
+ context "when no matching tag with a higher version is available" do
+ let(:upload_pack_fixture) { "github-workflows-no-tags" }
+
+ it "stays on the vulnerable version" do
+ expect(updated_requirements.first[:source][:ref]).to eq(reference)
+ end
+ end
 end
 end
 
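Review bot: The new nil branch in `active_advisories` makes an advisory silently inactive whenever `most_specific_tag_equivalent_to_pinned_ref` cannot map the pinned ref to a tag, so a dependency that is in fact affected yields no security update rather than an error; if that trade-off is intended, it deserves a comment such as `# A ref with no tag equivalent cannot be compared against the advisory's affected range; treat it as not active rather than failing.` The `version.nil? ? false : …` ternary also reads more idiomatically as `version && advisory.vulnerable?(version_class.new(version))`, or as `next false if version.nil?` on the preceding line, since `select` only needs a truthy result. The enclosing `active_advisories` method is fully visible in the hunk.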
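Review bot: The new `stays on the vulnerable version` example only asserts that `:ref` is unchanged, which would also pass if no advisory applied to the fixture at all, so it does not by itself show that the nil-tag branch in `active_advisories` was taken. Consider adding an assertion that pins the mechanism, for example that the checker reports no active advisories for this fixture, or rename the example to state the observable outcome (`"leaves the requirement unchanged"`). The `let(:dependency_name)` and advisory setup this context depends on live in the enclosing context, outside the hunk.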
diff --git a/github_actions/spec/fixtures/git/upload_packs/github-workflows-no-tags b/github_actions/spec/fixtures/git/upload_packs/github-workflows-no-tags
new file mode 100644
index 00000000000..afe59e06c0c
Binary files /dev/null and b/github_actions/spec/fixtures/git/upload_packs/github-workflows-no-tags differ