
prefer SafeVersions property when considering other versions #11312

Merged
merged 3 commits into from
Jan 17, 2025

Conversation

brettfo
Contributor

@brettfo brettfo commented Jan 15, 2025

Also consider a security advisory's explicit safe versions when evaluating package updates.

The lambda version filter was rewritten to make it easier to read and debug because there are several places to set a breakpoint. The only functional change is the additional explicit check in the SafeVersions property at the end.

The run worker was also updated to generate the correct DependencyInfo object from the SecurityAdvisorys from the job file.

Fixes #11311.

@brettfo brettfo requested a review from a team as a code owner January 15, 2025 21:40
@github-actions github-actions bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label Jan 15, 2025
@brettfo brettfo marked this pull request as draft January 15, 2025 21:55
@brettfo brettfo force-pushed the dev/brettfo/nuget-update-analysis-limits branch 3 times, most recently from 86ff02a to 8e0b59b Compare January 16, 2025 21:44
@brettfo brettfo marked this pull request as ready for review January 16, 2025 21:44
```csharp
var prereleaseTypeMatches = currentVersion is null || !currentVersion.IsPrerelease || !version.IsPrerelease || version.Version == currentVersion.Version;
var isIgnoredVersion = dependencyInfo.IgnoredVersions.Any(i => i.IsSatisfiedBy(version));
var isVulnerableVersion = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
var isSafeVersion = !safeVersions.Any() || safeVersions.Any(s => s.IsSatisfiedBy(version));
```
Contributor Author

This is the new check. If no explicit safe versions are specified, the behavior remains unchanged. If there are, make sure one of them matches.
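To make the four-part filter concrete, here is an added example (not dependabot-core's code, and not the C# from the review comment) that mirrors the lambda above in Python: one named boolean per test, with the explicit safe-versions check last. The `Version` and `VersionRange` classes, the constraint syntax (`">= 1.2.1, < 1.3.0"`), and the `SecurityAdvisory`/`DependencyInfo` shapes are assumptions constructed for this illustration, as is the way safe versions are collected from the advisories; none of them are NuGet's or the project's types.

```python
"""Candidate-version filter with an explicit SafeVersions check.

Added example modelled on the lambda shown in the review comment; it is not
dependabot-core's code. Version, VersionRange, the constraint syntax and the
SecurityAdvisory/DependencyInfo shapes are constructed assumptions.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Version:
    base: tuple            # numeric components, e.g. (1, 2, 1)
    prerelease: str = ""   # label after '-', empty for a stable release

    @classmethod
    def parse(cls, text: str) -> "Version":
        core, _, label = text.partition("-")
        return cls(tuple(int(p) for p in core.split(".")), label)

    @property
    def is_prerelease(self) -> bool:
        return self.prerelease != ""

    def sort_key(self):
        # A stable release sorts after every prerelease of the same base version.
        return (self.base, 0 if self.is_prerelease else 1, self.prerelease)

    def __str__(self) -> str:
        suffix = f"-{self.prerelease}" if self.prerelease else ""
        return ".".join(map(str, self.base)) + suffix


_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}
_CONSTRAINT = re.compile(r"^(>=|<=|==|>|<)\s*(\S+)$")


@dataclass(frozen=True)
class VersionRange:
    constraints: tuple  # ((op, Version), ...); every constraint must hold

    @classmethod
    def parse(cls, text: str) -> "VersionRange":
        parsed = []
        for part in text.split(","):
            m = _CONSTRAINT.match(part.strip())
            if not m:
                raise ValueError(f"bad constraint: {part!r}")
            parsed.append((m.group(1), Version.parse(m.group(2))))
        return cls(tuple(parsed))

    def is_satisfied_by(self, v: Version) -> bool:
        return all(_OPS[op](v.sort_key(), bound.sort_key())
                   for op, bound in self.constraints)


@dataclass
class SecurityAdvisory:
    vulnerable: tuple = ()     # VersionRange objects that are affected
    safe_versions: tuple = ()  # VersionRange objects the advisory lists as patched

    def is_vulnerable(self, v: Version) -> bool:
        return any(r.is_satisfied_by(v) for r in self.vulnerable)


@dataclass
class DependencyInfo:
    ignored_versions: tuple = ()
    vulnerabilities: tuple = ()


def filter_candidates(candidates, current, info):
    # Assumption: explicit safe versions are gathered from every advisory.
    safe_versions = [r for adv in info.vulnerabilities for r in adv.safe_versions]
    current_v = Version.parse(current) if current else None
    accepted = []
    for text in candidates:
        version = Version.parse(text)
        # Same four tests as the lambda in the review comment, one name per test.
        prerelease_type_matches = (current_v is None
                                   or not current_v.is_prerelease
                                   or not version.is_prerelease
                                   or version.base == current_v.base)
        is_ignored = any(r.is_satisfied_by(version) for r in info.ignored_versions)
        is_vulnerable = any(adv.is_vulnerable(version) for adv in info.vulnerabilities)
        # The new check: no explicit safe versions leaves the outcome unchanged;
        # with some present, at least one of them must match.
        is_safe = not safe_versions or any(r.is_satisfied_by(version) for r in safe_versions)
        if prerelease_type_matches and not is_ignored and not is_vulnerable and is_safe:
            accepted.append(version)
    return [str(v) for v in sorted(accepted, key=Version.sort_key)]


# Constructed sample data: an advisory affecting everything below 1.2.1.
CANDIDATES = ["1.0.0", "1.2.0", "1.2.1", "1.2.5", "1.3.0", "2.0.0"]


def example_without_safe_versions():
    adv = SecurityAdvisory(vulnerable=(VersionRange.parse("< 1.2.1"),))
    info = DependencyInfo(ignored_versions=(VersionRange.parse(">= 2.0.0"),),
                          vulnerabilities=(adv,))
    return filter_candidates(CANDIDATES, "1.0.0", info)


def example_with_safe_versions():
    adv = SecurityAdvisory(vulnerable=(VersionRange.parse("< 1.2.1"),),
                           safe_versions=(VersionRange.parse(">= 1.2.1, < 1.3.0"),))
    return filter_candidates(CANDIDATES, "1.0.0", DependencyInfo(vulnerabilities=(adv,)))


def example_prerelease_current():
    # A prerelease current version only admits prereleases of the same base version.
    return filter_candidates(["2.0.0-beta", "2.0.0", "3.0.0-beta", "3.0.0"],
                             "2.0.0-alpha", DependencyInfo())


if __name__ == "__main__":
    print(example_without_safe_versions())
    print(example_with_safe_versions())
    print(example_prerelease_current())
```

The second example is the behaviour the PR adds: once the advisory lists `>= 1.2.1, < 1.3.0` as safe, `1.3.0` and `2.0.0` drop out even though they are neither ignored nor vulnerable, so the updater stays within the range the advisory explicitly blessed.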

@brettfo brettfo changed the title prefer SafeVersions property before considering other version restrictions prefer SafeVersions property when considering other versions Jan 16, 2025
@randhircs randhircs force-pushed the dev/brettfo/nuget-update-analysis-limits branch from 8e0b59b to 57b57a5 Compare January 17, 2025 20:42
@randhircs randhircs merged commit ccdd1ef into main Jan 17, 2025
71 checks passed
@randhircs randhircs deleted the dev/brettfo/nuget-update-analysis-limits branch January 17, 2025 21:14
Labels
L: dotnet:nuget NuGet packages via nuget or dotnet
Successfully merging this pull request may close these issues.

NuGet update analysis goes too far
3 participants