dependabot/cli

How to discover the dependency list prior to running a security-only update

rhyskoedijk opened this issue · 2 comments

I'm trying to convert the tinglesoftware/dependabot-azure-devops community Dependabot implementation over to Dependabot CLI; it currently uses the dry-run.rb and updater scripts to perform updates, which is problematic because they do not use the credentials proxy container.

Everything works well so far using Dependabot CLI, except for security-only updates.
I've run into a "chicken or the egg" situation where you need to list the [vulnerable] dependency names in job.yml, but you don't know what the dependencies are until you've already run a dependabot update first and parsed the dependency list from output.yml.

For example:

```yaml
job:
    package-manager: npm_and_yarn
    security-updates-only: true
    dependencies:
      - express # how would I know this is a dependency before executing `dependabot update`?
    security-advisories:
      - dependency-name: express
        affected-versions:
          - <5.0.0
        patched-versions: []
        unaffected-versions: []
```

Do you have any advice on how I could solve this problem?
It would be ideal if there was a command like dependabot list, that was able to return the "update_dependency_list" output, but skip the actual updates. Assuming I'm not missing something obvious, would you be open to me submitting a pull request to add this command?

The only way I can currently work around this issue is to do two "updates"; First with security-updates-only: false so I can parse the discovered dependency list, then a 2nd update with security-updates-only: true and the dependencies list populated.

It looks like @jakecoffman proposed something similar to what I'm looking for in #325.
Is there anything I could do to help with this? It sounds like a change might be needed to dependabot-core first which is maybe why this has stalled?

If anybody stumbles across this before it is resolved, I worked around this issue by running a "fake" update job containing ignore: { dependency-name: '*' }. This makes Dependabot discover all dependencies, but update none of them. Once the job has finished, the "update_dependency_list" output can be parsed and used to build a new job that performs the security-only update. Not ideal, but it works.

See: tinglesoftware/dependabot-azure-devops#1394

Ideally there would be first-class support for "listing dependencies" using the CLI.
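The two-pass workaround described in this thread (a discovery job with `ignore: { dependency-name: '*' }`, then a security-only job built from the parsed `update_dependency_list` record), written out as an added example. This is not code from the dependabot/cli project or from the issue author; it is in Ruby because that is the language of the dependabot-core updater scripts the thread mentions, and Ruby ships a YAML parser in its standard library. The `source` block, the exact shape of the `output.yml` sample, and the version-range check via `Gem::Requirement` are assumptions; the sample output is constructed for the example.

```ruby
# Added example (not dependabot/cli or the issue author's code).
# Pass 1 builds a job that discovers dependencies but updates none of them;
# pass 2 reads the update_dependency_list record from the resulting output.yml
# and builds the security-only job.yml from it.
require "yaml"

PACKAGE_MANAGER = "npm_and_yarn"
# Assumed source block; the issue's job.yml example omits it.
SOURCE = { "provider" => "github", "repo" => "example/app", "directory" => "/" }

# Pass 1: the "fake" job from the thread. Ignoring every dependency makes
# Dependabot emit update_dependency_list without opening any update.
def discovery_job(package_manager = PACKAGE_MANAGER, source = SOURCE)
  {
    "job" => {
      "package-manager" => package_manager,
      "source" => source,
      "ignore" => [{ "dependency-name" => "*" }]
    }
  }
end

# Constructed output.yml from a discovery run. The record layout
# (output -> type/expect/data) is assumed, not copied from the project.
SAMPLE_OUTPUT = <<~YAML
  output:
    - type: update_dependency_list
      expect:
        data:
          dependencies:
            - name: express
              version: 4.18.2
              requirements: []
            - name: lodash
              version: 4.17.21
              requirements: []
          dependency_files:
            - /package.json
    - type: mark_as_processed
      expect:
        data:
          base-commit-sha: d3adb33fd3adb33fd3adb33fd3adb33fd3adb33f
YAML

# Returns { name => resolved version (or nil) } from the discovery output.
# Other record types (mark_as_processed, ...) are skipped.
def discovered_dependencies(output_yaml)
  doc = YAML.safe_load(output_yaml) || {}
  record = (doc["output"] || []).find { |r| r["type"] == "update_dependency_list" }
  return {} unless record
  deps = record.dig("expect", "data", "dependencies") || []
  deps.each_with_object({}) { |d, h| h[d["name"]] = d["version"] }
end

# True when `version` falls inside any affected range. Unknown or unparsable
# versions are treated as affected so Dependabot still evaluates them.
# Gem::Requirement is only an approximation of npm semver (assumption).
def affected?(version, affected_ranges)
  return true if version.nil? || affected_ranges.empty?
  v = Gem::Version.new(version.to_s)
  affected_ranges.any? { |r| Gem::Requirement.new(r).satisfied_by?(v) }
rescue ArgumentError
  true
end

# Pass 2: security-only job in the layout the issue shows, listing only the
# advisories whose dependency was actually discovered and is in range.
def security_job(advisories, discovered, package_manager = PACKAGE_MANAGER, source = SOURCE)
  applicable = advisories.select do |adv|
    name = adv["dependency-name"]
    discovered.key?(name) && affected?(discovered[name], adv["affected-versions"] || [])
  end
  {
    "job" => {
      "package-manager" => package_manager,
      "source" => source,
      "security-updates-only" => true,
      "dependencies" => applicable.map { |a| a["dependency-name"] }.uniq,
      "security-advisories" => applicable
    }
  }
end

# Constructed advisories: one in range, one already patched, one not present.
ADVISORIES = [
  { "dependency-name" => "express", "affected-versions" => ["<5.0.0"],
    "patched-versions" => [], "unaffected-versions" => [] },
  { "dependency-name" => "lodash", "affected-versions" => ["<4.17.21"],
    "patched-versions" => ["4.17.21"], "unaffected-versions" => [] },
  { "dependency-name" => "left-pad", "affected-versions" => ["<1.3.0"],
    "patched-versions" => [], "unaffected-versions" => [] }
]

if $PROGRAM_NAME == __FILE__
  puts discovery_job.to_yaml                    # job.yml for pass 1
  found = discovered_dependencies(SAMPLE_OUTPUT) # parsed from pass-1 output.yml
  puts security_job(ADVISORIES, found).to_yaml  # job.yml for pass 2
end
```

Only `express` survives the filter: `lodash` is already at the patched version and `left-pad` is not in the manifest, so the second job lists exactly the dependencies Dependabot can act on.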