
fix(vulnerabilities): do not force exact patch version for PyPI datasource in GitHub alerts #29586

Merged
merged 1 commit into from
Jun 11, 2024

Conversation

Churro

@Churro Churro commented Jun 10, 2024

Changes

GitHub vulnerability alerts may suggest a particular patch version for PyPI dependencies that could be retracted, currently resulting in no PR being created at all. This change relaxes == to >=, so that the first available version is picked.

Context

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

Test repo: renovate-demo/29572-renovate-python-requests#2


@rarkins rarkins left a comment


What about the change to the worker so that it picks the minimal instead of maximum matching version?

@Churro
Collaborator Author

Churro commented Jun 11, 2024

> What about the change to the worker so that it picks the minimal instead of maximum matching version?

Should be warranted for GitHub alerts with this snippet:

```ts
// Renovate worker: for GitHub (non-OSV) vulnerability alerts, keep only the
// first release that matched the constraint, so the minimal fixed version
// is proposed rather than the newest one.
if (config.isVulnerabilityAlert && !config.osvVulnerabilityAlerts) {
  filteredReleases = filteredReleases.slice(0, 1);
}
```

For OSV, this is a thing but I wanted to address this in a separate PR - see #29280 (comment)
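As an added illustration (not Renovate's own code and not part of this thread), the following TypeScript models the two points discussed above: relaxing the GitHub-alert PyPI constraint from `==` to `>=`, and the worker's `slice(0, 1)` that keeps only the first matching release. The release list, the `isYanked` flag used to stand in for a retracted PyPI release, and the helpers `compareVersions`, `buildConstraint`, `satisfies` and `pickFixVersion` are all constructed assumptions for this example.

```typescript
// Added example, not Renovate code. Shows why forcing "==<patch>" from a
// GitHub alert yields no candidate when that exact release was retracted
// (yanked), and how ">=" plus "keep the first matching release" recovers
// a minimal fix. All release data below is constructed for illustration.

interface Release {
  version: string;
  isYanked: boolean; // true if the release was retracted (yanked) on the index
}

// Constructed PyPI-style release list: the version named in the alert (2.31.1)
// was yanked, so an exact pin on it cannot be satisfied.
const RELEASES: Release[] = [
  { version: '2.30.0', isYanked: false },
  { version: '2.31.0', isYanked: false },
  { version: '2.31.1', isYanked: true },
  { version: '2.32.0', isYanked: false },
  { version: '2.32.3', isYanked: false },
];

// Minimal numeric comparison for dotted versions such as "2.31.1".
// Hypothetical helper; the project has its own versioning modules.
function compareVersions(a: string, b: string): number {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

type Operator = '==' | '>=';

// Build the constraint a GitHub alert implies for its first patched version.
// Before this PR the datasource forced "=="; after it, ">=" is emitted.
function buildConstraint(fixedVersion: string, op: Operator): string {
  return `${op}${fixedVersion}`;
}

// Evaluate a single-clause constraint ("==x.y.z" or ">=x.y.z") against a version.
function satisfies(version: string, constraint: string): boolean {
  const m = /^(==|>=)(.+)$/.exec(constraint);
  if (!m) throw new Error(`unsupported constraint: ${constraint}`);
  const cmp = compareVersions(version, m[2]);
  return m[1] === '==' ? cmp === 0 : cmp >= 0;
}

// Mirrors the worker behaviour quoted in the thread: releases are sorted
// ascending, yanked ones are dropped, the constraint is applied, and for a
// (non-OSV) vulnerability alert only the first survivor is kept, so the
// minimal fixed version is proposed. Returns null when nothing matches,
// which is the "no PR created at all" case the PR description mentions.
function pickFixVersion(releases: Release[], constraint: string): string | null {
  const sorted = [...releases].sort((a, b) => compareVersions(a.version, b.version));
  const filtered = sorted
    .filter((r) => !r.isYanked)
    .filter((r) => satisfies(r.version, constraint));
  const firstOnly = filtered.slice(0, 1);
  return firstOnly.length > 0 ? firstOnly[0].version : null;
}

// Demonstration on the constructed data.
const alertFixedVersion = '2.31.1';
const exact = pickFixVersion(RELEASES, buildConstraint(alertFixedVersion, '=='));
const relaxed = pickFixVersion(RELEASES, buildConstraint(alertFixedVersion, '>='));
console.log(`==${alertFixedVersion} -> ${exact}`); // null: only match is yanked, no PR
console.log(`>=${alertFixedVersion} -> ${relaxed}`); // 2.32.0: first non-yanked release at or above the fix
```

With `>=` the candidate is the lowest non-retracted release that still carries the fix (2.32.0 here), not the newest one (2.32.3), because of the `slice(0, 1)` step; that is the minimal-upgrade behaviour the reviewer asked about.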

@rarkins

rarkins commented Jun 11, 2024

Yes you're right, I forgot that this is for non-OSV

@rarkins rarkins enabled auto-merge June 11, 2024 06:44
@rarkins rarkins added this pull request to the merge queue Jun 11, 2024
Merged via the queue into renovatebot:main with commit 38ce2ec Jun 11, 2024
37 checks passed
@renovate-release

🎉 This PR is included in version 37.401.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

@rarkins

rarkins commented Jun 11, 2024

Follow-up issue: #29600

kosmoz pushed a commit to kosmoz/renovate that referenced this pull request Jun 12, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 12, 2024