Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

prefer SafeVersions property when considering other versions #11312

Merged
merged 3 commits into from
Jan 17, 2025
Merged

prefer SafeVersions property when considering other versions #11312

merged 3 commits into from
Jan 17, 2025
+161 −14

Conversation

brettfo
Copy link
Contributor

@brettfo brettfo commented Jan 15, 2025
edited
Loading

Also consider a security advisory's explicit safe versions when evaluating package updates.

The lambda version filter was rewritten to make it easier to read and debug because there are several places to set a breakpoint. The only functional change is the additional explicit check in the SafeVersions property at the end.

The run worker was also updated to generate the correct DependencyInfo object from the SecurityAdvisorys from the job file.

Fixes #11311.

@brettfo brettfo requested a review from a team as a code owner January 15, 2025 21:40
@github-actions github-actions bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label Jan 15, 2025
@brettfo brettfo marked this pull request as draft January 15, 2025 21:55
@brettfo brettfo force-pushed the dev/brettfo/nuget-update-analysis-limits branch 3 times, most recently from 86ff02a to 8e0b59b Compare January 16, 2025 21:44
@brettfo brettfo marked this pull request as ready for review January 16, 2025 21:44
brettfo
brettfo commented Jan 16, 2025
View reviewed changes
nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/VersionFinder.cs
var prereleaseTypeMatches = currentVersion is null || !currentVersion.IsPrerelease || !version.IsPrerelease || version.Version == currentVersion.Version;
var isIgnoredVersion = dependencyInfo.IgnoredVersions.Any(i => i.IsSatisfiedBy(version));
var isVulnerableVersion = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
var isSafeVersion = !safeVersions.Any() || safeVersions.Any(s => s.IsSatisfiedBy(version));
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the new check. If no explicit safe versions are specified, the behavior remains unchanged. If there are, make sure one of them matches.

@brettfo brettfo changed the title prefer SafeVersions property before considering other version restrictions prefer SafeVersions property when considering other versions Jan 16, 2025
@randhircs randhircs force-pushed the dev/brettfo/nuget-update-analysis-limits branch from 8e0b59b to 57b57a5 Compare January 17, 2025 20:42
@randhircs randhircs merged commit ccdd1ef into main Jan 17, 2025
71 checks passed
@randhircs randhircs deleted the dev/brettfo/nuget-update-analysis-limits branch January 17, 2025 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sebasgomez238 sebasgomez238 sebasgomez238 approved these changes

Assignees
No one assigned
Labels
L: dotnet:nuget NuGet packages via nuget or dotnet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

NuGet update analysis goes too far
3 participants
@brettfo @sebasgomez238 @randhircs