Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[npm] fix failure to attempt parent update if unfixed transitive update is available #5799

Merged
merged 5 commits into from
Sep 28, 2022
Merged

[npm] fix failure to attempt parent update if unfixed transitive update is available #5799

merged 5 commits into from
Sep 28, 2022

Conversation

mctofu
Copy link
Contributor

@mctofu mctofu commented Sep 27, 2022
edited
Loading

This fixes an issue that prevents Dependabot from trying to update a parent dependency when updating a vulnerable transitive dependency.

Ex: A vulnerability is reported in dependency B for all versions < 2.0.0
We start with:

A (1.0.0, allows B ^1.0.0) -> B (1.0.0, vuln)

To successfully fix this vulnerability we need to update A:

A (1.0.1, allows B ^2.0.0) -> B (2.0.0, fixed)

However, if Dependabot found there was a version B was allowed to update to it would propose that instead:

A (1.0.0, allows B ^1.0.0) -> B (1.0.1, still vuln)

The end result would be the job fails as not possible because it fails the vuln fix check at

dependabot-core/updater/lib/dependabot/updater.rb

Lines 274 to 282 in 8ab4d78

# Prevent updates that don't end up fixing any security advisories,
# blocking any updates where dependabot-core updates to a vulnerable
# version. This happens for npm/yarn subdendencies where Dependabot has no
# control over the target version. Related issue:
# https://github.com/github/dependabot-api/issues/905
if job.security_updates_only? &&
updated_deps.none? { |d| job.security_fix?(d) }
return record_security_update_not_possible_error(checker)
end

This fix adds detection that the update of B to 1.0.1 is still vulnerable and rejects it so we'll keep looking and find the solution that updates A. I've also tweaked the dry-run script to more closely match the updater.

@mctofu mctofu marked this pull request as ready for review September 28, 2022 00:04
@mctofu mctofu requested a review from a team as a code owner September 28, 2022 00:04
@mctofu mctofu changed the title [npm] fix failure to attempt parent unlock if unfixed transitive update is available [npm] fix failure to attempt parent update if unfixed transitive update is available Sep 28, 2022
bdragon
bdragon approved these changes Sep 28, 2022
View reviewed changes
Copy link
Contributor

@bdragon bdragon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

bin/dry-run.rb Outdated
updated_deps.none? { |d| security_fix?(d) }
puts " (updated version is still vulnerable 🚨)"
log_conflicting_dependencies(checker.conflicting_dependencies)
next
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think L743-746 could use one more space of indentation.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks! fixed with rubocop in 73b3e51

...nd_yarn/spec/fixtures/projects/npm8/transitive_dependency_locked_but_updateable/package.json
"author": "",
"license": "ISC",
"dependencies": {
"@dependabot-fixtures/npm-parent-dependency-with-more-versions": "^1.0.0"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👌

@mctofu
Sync dry-run vuln fixed check with updater
324962a 
The updater will abort before proceeding with the file update if
the proposed update does not fix the vulnerability. It also triggers
the conflicting dependencies check.

See https://github.com/dependabot/dependabot-core/blob/8ab4d78efe7cf9a75bef76dd883d7ee3fffffb40/updater/lib/dependabot/updater.rb#L274-L282
@mctofu
test to reproduce issue
82aee12
@mctofu
Check if the latest allowed transitive version can fix the vulnerability
d7a37df 
A newer but still vulnerable version was allowed to return here which
would cause the job to eventually fail because it proposed updating to a
still vulnerable version. By filtering vulnerable versions here we
trigger the updater to consider updating the parent to allow the
transtive dep to be updated to a fixed version.
@mctofu
lint
65adb4a
@mctofu mctofu force-pushed the mctofu/fix-npm-transitive-wrong-version branch from 73b3e51 to 65adb4a Compare September 28, 2022 20:10
@mctofu mctofu merged commit d6f2b2a into main Sep 28, 2022
@mctofu mctofu deleted the mctofu/fix-npm-transitive-wrong-version branch September 28, 2022 21:27
@pavera pavera mentioned this pull request Oct 31, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bdragon bdragon bdragon approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mctofu @bdragon