From f94c558f573b3600004d87deaa33d021aed8a3c0 Mon Sep 17 00:00:00 2001
From: ghe
Date: Thu, 25 Mar 2021 14:50:43 +0000
Subject: [PATCH] feat: include pins optionally
---
 .../update-dependencies/index.ts | 15 +++++---
 .../update-dependencies.spec.ts | 36 +++++++++++++++++++
 2 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/packages/snyk-fix/src/plugins/python/handlers/pip-requirements/update-dependencies/index.ts b/packages/snyk-fix/src/plugins/python/handlers/pip-requirements/update-dependencies/index.ts
index 383d90d6af..9edda80154 100644
--- a/packages/snyk-fix/src/plugins/python/handlers/pip-requirements/update-dependencies/index.ts
+++ b/packages/snyk-fix/src/plugins/python/handlers/pip-requirements/update-dependencies/index.ts
@@ -19,6 +19,7 @@ const debug = debugLib('snyk-fix:python:update-dependencies');
 export function updateDependencies(
   parsedRequirementsData: ParsedRequirements,
   updates: DependencyPins,
+  directUpgradesOnly = false,
 ): { updatedManifest: string; changes: FixChangesSummary[] } {
   const {
     requirements,
@@ -38,11 +39,15 @@ export function updateDependencies(
   );
   debug('Finished generating upgrades to apply');
 
-  const { pinnedRequirements, changes: pinChanges } = generatePins(
-    requirements,
-    updates,
-  );
-  debug('Finished generating pins to apply');
+  let pinnedRequirements: string[] = [];
+  let pinChanges: FixChangesSummary[] = [];
+  if (!directUpgradesOnly) {
+    ({ pinnedRequirements, changes: pinChanges } = generatePins(
+      requirements,
+      updates,
+    ));
+    debug('Finished generating pins to apply');
+  }
 
   let updatedManifest = [
     ...applyUpgrades(requirements, updatedRequirements),
diff --git a/packages/snyk-fix/test/unit/plugins/python/handlers/update-dependencies/update-dependencies.spec.ts b/packages/snyk-fix/test/unit/plugins/python/handlers/update-dependencies/update-dependencies.spec.ts
index 2b65831213..133a9455d2 100644
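Review bot: The new `directUpgradesOnly = false` parameter on `updateDependencies` is an undocumented positional boolean, so a call such as `updateDependencies(reqs, updates, true)` gives a reader no hint of what is being switched off. A TSDoc block above the signature should state the contract, e.g. `@param directUpgradesOnly - when true, only direct dependencies are upgraded and no transitive pins are generated` (that behaviour follows from the `generatePins` guard in the next hunk). The body of `updateDependencies` continues outside this hunk.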
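Review bot: When `directUpgradesOnly` is true the `generatePins` step is skipped silently: there is no debug line and, as far as this hunk shows, no change entry recording that transitive entries in `updates` were ignored, so a run with the flag set is indistinguishable in the trace from a run where no pins were needed. An `else` branch with `debug('Skipping pins: directUpgradesOnly is set');` would keep the trace symmetric with the existing `debug('Finished generating pins to apply')`. Whether the skipped transitive entries should also surface in `changes` depends on how `changes` is assembled further down, which is outside the hunk. As a point of style, the `let` bindings with a parenthesised destructuring assignment could be `const`s initialised from a conditional expression, avoiding mutable locals.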
--- a/packages/snyk-fix/test/unit/plugins/python/handlers/update-dependencies/update-dependencies.spec.ts
+++ b/packages/snyk-fix/test/unit/plugins/python/handlers/update-dependencies/update-dependencies.spec.ts
@@ -306,4 +306,40 @@ describe('remediation', () => {
       );
     }
   });
+  it('skips pins if asked', () => {
+    const upgrades = {
+      'django@1.6.1': {
+        upgradeTo: 'django@2.0.1',
+        vulns: [],
+        upgrades: [],
+        isTransitive: false,
+      },
+      'transitive@1.0.0': {
+        upgradeTo: 'transitive@1.1.1',
+        vulns: [],
+        upgrades: [],
+        isTransitive: true,
+      },
+    };
+
+    const manifestContents = 'Django==1.6.1';
+
+    const expectedManifest =
+      'Django==2.0.1\ntransitive>=1.1.1 # not directly required, pinned by Snyk to avoid a vulnerability';
+    const directUpgradesOnly = false;
+    const requirements = parseRequirementsFile(manifestContents);
+    const result = updateDependencies(
+      requirements,
+      upgrades,
+      directUpgradesOnly,
+    );
+    expect(result.changes.map((c) => c.userMessage).sort()).toEqual(
+      [
+        'Pinned transitive from 1.0.0 to 1.1.1',
+        'Upgraded Django from 1.6.1 to 2.0.1',
+      ].sort(),
+    );
+    // Note no extra newline was added to the expected manifest
+    expect(result.updatedManifest).toEqual(expectedManifest);
+  });
 });
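Review bot: The new test `'skips pins if asked'` sets `const directUpgradesOnly = false;` and then asserts the pinned transitive line and the `'Pinned transitive from 1.0.0 to 1.1.1'` message, so it exercises the default behaviour and never reaches the branch it is named for. To cover the new path, pass `true` and expect only `'Upgraded Django from 1.6.1 to 2.0.1'` in `changes` and a manifest without the transitive pin — presumably `'Django==2.0.1'`, to be confirmed against how `updatedManifest` is joined when `pinnedRequirements` is empty, which is outside this hunk. Keeping a second case with `false` alongside it would document both modes. The enclosing `describe('remediation')` block starts outside the hunk.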