Go modules ignore conditions #3631
…nt major This also signals a move to performing all of our Dependabot-specific logic in Ruby (which is the norm for most ecosystems), as opposed to splitting it between Ruby and Go.
Co-authored-by: David McIntosh <mctofu@github.com>
go_modules/lib/dependabot/go_modules/update_checker/latest_version_finder.rb
LGTM - I'm excited to ignore some versions.
Most of my time on this review was spent contemplating the path not taken - thanks for the clear and documented reasoning there!
attr_reader :dependency, :dependency_files, :credentials, :ignored_versions | ||
|
||
def fetch_latest_version | ||
pseudo_version_regex = /\b\d{14}-[0-9a-f]{12}$/ |
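Review bot: in fetch_latest_version, pseudo_version_regex ends with `$`, which in Ruby anchors at the end of any line rather than the end of the string, so a version string that carries a newline followed by other text would still match. Anchoring with `\z` instead keeps the pseudo-version check tied to the end of the whole string, which matters because the value comes from helper output rather than from a literal in this file.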
Idea: maybe extract+freeze as a constant?
During a version updates run we'll build several of these, we can squeak a few nanos by only compiling it once.
Done in 9e402ae
go_modules/lib/dependabot/go_modules/update_checker/latest_version_finder.rb
def filter_ignored_versions(versions_array) | ||
filtered = versions_array. | ||
reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } } | ||
raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any? |
Xref the conflict with #3644, ezpz to resolve though!
GOMOD | ||
end | ||
|
||
pending "doesn't update to the retracted version" do |
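Review bot: the spec "doesn't update to the retracted version" is declared with pending, so the behaviour it describes is not enforced yet; RSpec runs a pending example and expects it to fail. A retraction is how a module author withdraws a release that should not be used, so a comment beside the spec pointing at a tracking issue would keep this gap visible until retracted versions are actually filtered.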
Noice: this spec!
Co-Authored-By: Philip Harrison <feelepxyz@github.com>
This brings in support for ignored versions for the go modules ecosystem in dependabot-core. It also extracts a LatestVersionFinder class which is common in the other ecosystems.

This was an alternate approach to #3630. Instead of migrating to use go list -m -versions we stuck to using our existing updatechecker helper but modified it to work more like go list with these changes:

With those changes in place applying the ignored version filter was fairly simple: 2bdbabc