Fix npm_and_yarn engine detection #11392
base: main
Conversation
Thanks @ntkme! Can you please add a test?
@abdulapopoola Test added. For reference, the added test fails on the main branch with:
It passes with the fix in this PR.
@ntkme, sorry for the late reply. Checking it now.
Thank you, @ntkme, for identifying the issue and proposing a solution. I’ll be making further updates to enhance the stability of the solution. Once it’s ready, I’ll let you know. CC: @abdulapopoola
Does this PR also fix the following cases?
@jkowalleck As you’ve noticed, there are some version range syntaxes that are currently not parsable, but supporting those additional syntaxes is out of the scope of this PR, which is just fixing the side effect of In my opinion, additional range syntax can be a separate feature request, but I will leave it to @kbukum1 to decide what to do with other unsupported npm version range syntax.
What are you trying to accomplish?
Detecting the `npm` engine version is broken without a lockfile even if the version is specified in `package.json`, in some cases:
- `{ "packageManager": "[email protected]" }` works
- `{ "engines": { "npm": "10.0.0" } }` works
- `{ "engines": { "npm": ">=10" } }` is broken with message `No version requirement found for npm`
Anything you want to highlight for special attention from reviewers?
The root cause is that while trying to set up the engine, `delete_if` in Ruby was used. `delete_if` modifies the input array in place, and effectively removes entries from `@engines` unless they match a very specific format. The side effect of removing valid entries from `@engines` breaks the version detection from `engines` at a later time.
How will you know you've accomplished your goal?
I don't know for sure as I don't know how to test this end to end. I just manually walked through the code and found that the side effect seems to be the problem here.
dependabot-core/npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb, lines 312 to 325 in 0a0e9c0
At line 312, the call to `detect_version` calls `VersionSelector` and removes `engines` entries not matching a specific format due to the side effect of using `delete_if`:
At line 325, because the `engines` entries got removed, it fails to detect the constraints:
Checklist
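The in-place mutation described in the PR description above, as an added Ruby illustration that is not dependabot-core's own code: a selector that prunes `engines` entries with `delete_if` also deletes valid range constraints such as `>=10` from the caller's collection, so a later lookup for the npm requirement finds nothing, whereas the non-mutating `reject` leaves it intact. The `engines` Hash keyed by engine name, the exact-version pattern, and the two-stage `detect_npm_constraint` flow are assumptions made for this example.

```ruby
# Assumed stand-in for the "very specific format" the selector accepts:
# an exact x.y.z version string.
EXACT_VERSION = /\A\d+\.\d+\.\d+\z/

# Buggy selector: Hash#delete_if mutates the caller's Hash in place, so
# every entry that is not an exact version vanishes from `engines` itself,
# not just from the selector's result.
def select_exact_versions_buggy(engines)
  engines.delete_if { |_name, req| !req.match?(EXACT_VERSION) }
end

# Fixed selector: Hash#reject returns a new Hash and leaves `engines` untouched.
def select_exact_versions_fixed(engines)
  engines.reject { |_name, req| !req.match?(EXACT_VERSION) }
end

# Later stage: look up the requirement for a package manager in `engines`.
# Returns the requirement string, or the error message when nothing is left.
def detect_constraint(engines, name)
  engines[name] || "No version requirement found for #{name}"
end

# Runs both stages over a constructed package.json Hash using the given
# selector and returns what the second stage observes.
def detect_npm_constraint(package_json, selector)
  engines = package_json.fetch("engines", {}).dup
  send(selector, engines)            # stage 1: selector result is ignored here
  detect_constraint(engines, "npm")  # stage 2: reads the same Hash object
end

if __FILE__ == $PROGRAM_NAME
  sample = { "engines" => { "npm" => ">=10", "node" => "20.0.0" } }  # constructed
  puts detect_npm_constraint(sample, :select_exact_versions_buggy)
  puts detect_npm_constraint(sample, :select_exact_versions_fixed)
end
```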