Merge pull request #3561 from dependabot/security-update-sonly

IgnoreCondition.security_updates_only

common/lib/dependabot/config/ignore_condition.rb

@@ -18,7 +18,8 @@ def initialize(dependency_name:, versions: nil, update_types: nil)
         @update_types = update_types || []
       end
 
-      def ignored_versions(dependency)
+      def ignored_versions(dependency, security_updates_only)
+        return versions if security_updates_only
         return [ALL_VERSIONS] if versions.empty? && transformed_update_types.empty?
 
         versions_by_type(dependency) + versions

common/lib/dependabot/config/update_config.rb

@@ -12,12 +12,13 @@ def initialize(ignore_conditions: nil, commit_message_options: nil)
         @commit_message_options = commit_message_options
       end
 
-      def ignored_versions_for(dependency)
+      def ignored_versions_for(dependency, security_updates_only: false)
         normalizer = name_normaliser_for(dependency)
         dep_name = name_normaliser_for(dependency).call(dependency.name)
+
         @ignore_conditions.
           select { |ic| self.class.wildcard_match?(normalizer.call(ic.dependency_name), dep_name) }.
-          map { |ic| ic.ignored_versions(dependency) }.
+          map { |ic| ic.ignored_versions(dependency, security_updates_only) }.
           flatten.
           compact.
           uniq

common/spec/dependabot/config/ignore_condition_spec.rb

@@ -8,9 +8,10 @@
   let(:dependency_name) { "test" }
   let(:dependency_version) { "1.2.3" }
   let(:ignore_condition) { described_class.new(dependency_name: dependency_name) }
+  let(:security_updates_only) { false }
 
   describe "#versions" do
-    subject(:ignored_versions) { ignore_condition.ignored_versions(dependency) }
+    subject(:ignored_versions) { ignore_condition.ignored_versions(dependency, security_updates_only) }
     let(:dependency) do
       Dependabot::Dependency.new(
         name: dependency_name,
@@ -58,6 +59,14 @@ def expect_ignored(versions)
         expect_allowed(["1.0.0", "1.1.0", "1.1.1"])
         expect_ignored(["2.0", "2.0.0"])
       end
+
+      context "with security_updates_only" do
+        let(:security_updates_only) { true }
+
+        it "returns the static versions" do
+          expect(ignored_versions).to eq([">= 2.0.0"])
+        end
+      end
     end
 
     context "with update_types" do
@@ -202,6 +211,15 @@ def expect_ignored(versions)
           end
         end
       end
+
+      context "with security_updates_only" do
+        let(:security_updates_only) { true }
+        let(:update_types) { %w(version-update:semver-major version-update:semver-patch) }
+
+        it "allows all " do
+          expect_allowed(patch_upgrades + minor_upgrades + major_upgrades)
+        end
+      end
     end
   end
 end

common/spec/dependabot/config/update_config_spec.rb

@@ -7,7 +7,7 @@
 
 RSpec.describe Dependabot::Config::UpdateConfig do
   describe "#ignored_versions_for" do
-    subject(:ignored_versions) { config.ignored_versions_for(dependency) }
+    subject(:ignored_versions) { config.ignored_versions_for(dependency, security_updates_only: security_updates_only) }
     let(:dependency) do
       Dependabot::Dependency.new(
         name: "@types/node",
@@ -18,6 +18,7 @@
     end
     let(:ignore_conditions) { [] }
     let(:config) { described_class.new(ignore_conditions: ignore_conditions) }
+    let(:security_updates_only) { false }
 
     it "returns empty when not defined" do
       expect(ignored_versions).to eq([])
@@ -105,6 +106,13 @@
       it "returns versions" do
         expect(ignored_versions).to eq([">= 13.a, < 14", ">= 12.13.a, < 13"])
       end
+
+      context "with security_updates_only" do
+        let(:security_updates_only) { true }
+        it "does not expand versions" do
+          expect(ignored_versions).to eq([])
+        end
+      end
     end
 
     context "with an dependency that must be name normalized" do