feat: Allow to ignore specific dependencies #196
Conversation
|
Good day @kunalnagar , could you please take a look into this PR? |
|
Hey @kunalnagar any chance to take a look into? |
|
@rndev15 - I do like this idea of being able to mute/ignore certain dependencies that one does not care about. Have you looked at if the dependabot API allows passing in a list of packages to ignore instead of manually doing a |
|
hey @kunalnagar I took a look into docs for |
.github/workflows/ci.yml
Outdated
| @@ -34,6 +34,7 @@ jobs: | |||
| # slack_webhook: ${{ secrets.SLACK_WEBHOOK }} | |||
| # severity: low,medium | |||
| # ecosystem: npm,rubygems | |||
| # ignore_dependencies: lodash,devise | |||
There was a problem hiding this comment.
Let's call it ignore_packages since GitHub calls them packages instead of dependencies
action.yml
Outdated
| @@ -43,6 +43,8 @@ inputs: | |||
| description: 'Comma separated list of severities. E.g. low,medium,high,critical (NO SPACES BETWEEN COMMA AND SEVERITY)' | |||
| ecosystem: | |||
| description: 'A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.' | |||
| ignore_dependencies: | |||
There was a problem hiding this comment.
| ignore_dependencies: | |
| ignore_packages: |
action.yml
Outdated
| @@ -43,6 +43,8 @@ inputs: | |||
| description: 'Comma separated list of severities. E.g. low,medium,high,critical (NO SPACES BETWEEN COMMA AND SEVERITY)' | |||
| ecosystem: | |||
| description: 'A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.' | |||
| ignore_dependencies: | |||
| description: 'A comma-separated list of dependencies to ignore. If specified, these dependencies will not be alerted.' | |||
There was a problem hiding this comment.
| description: 'A comma-separated list of dependencies to ignore. If specified, these dependencies will not be alerted.' | |
| description: 'A comma-separated list of package names. If specified, alerts for these packages will be ignored.' |
src/fetch-alerts.ts
Outdated
| @@ -13,6 +13,7 @@ export const fetchRepositoryAlerts = async ( | |||
| repositoryOwner: string, | |||
| severity: string, | |||
| ecosystem: string, | |||
| ignoreDependencies: string[], | |||
There was a problem hiding this comment.
| ignoreDependencies: string[], | |
| ignorePackages: string[], |
src/fetch-alerts.ts
Outdated
| const alerts: Alert[] = response | ||
| .data | ||
| .filter((dependabotAlert) => | ||
| !ignoreDependencies.includes(dependabotAlert.security_vulnerability.package.name) | ||
| ) | ||
| .map((dependabotAlert) => | ||
| toRepositoryAlert(dependabotAlert, repositoryName, repositoryOwner), | ||
| ) |
There was a problem hiding this comment.
- Do you mind running the lint task and see if it passes? I feel like your editor may not be set up correctly to format the code automatically.
- We only need to filter the alerts if the
ignorePackagesfield contains a value. We should check for that, and only filter if required.
src/fetch-alerts.ts
Outdated
| const alerts: Alert[] = response | ||
| .data | ||
| .filter((dependabotOrgAlert) => | ||
| !ignoreDependencies.includes(dependabotOrgAlert.security_vulnerability.package.name) | ||
| ) | ||
| .map((dependabotOrgAlert) => | ||
| toOrgAlert(dependabotOrgAlert), | ||
| ) |
src/fetch-alerts.ts
Outdated
| @@ -66,6 +78,7 @@ export const fetchEnterpriseAlerts = async ( | |||
| enterprise: string, | |||
| severity: string, | |||
| ecosystem: string, | |||
| ignoreDependencies: string[], | |||
There was a problem hiding this comment.
| ignoreDependencies: string[], | |
| ignorePackages: string[], |
src/fetch-alerts.ts
Outdated
| const alerts: Alert[] = response | ||
| .data | ||
| .filter((dependabotEnterpriseAlert) => | ||
| !ignoreDependencies.includes(dependabotEnterpriseAlert.security_vulnerability.package.name) | ||
| ) | ||
| .map((dependabotEnterpriseAlert) => | ||
| toEnterpriseAlert(dependabotEnterpriseAlert), | ||
| ) |
src/main.ts
Outdated
| @@ -39,16 +39,20 @@ async function run(): Promise<void> { | |||
| const count = parseInt(getInput('count')) | |||
| const severity = getInput('severity') | |||
| const ecosystem = getInput('ecosystem') | |||
| const ignoreDependencies = ( | |||
There was a problem hiding this comment.
| const ignoreDependencies = ( | |
| const ignorePackages = ( |
src/main.ts
Outdated
| getInput('ignore_dependencies') || '' | ||
| ).split(',').map((str: string) => str.trim()) |
There was a problem hiding this comment.
Let's pass the value here directly using getInput and do the transform inside the logic where we check if this field has values. We don't need to do this transform if no values exist.
rndev15
force-pushed
the
allow-ignore-deps
branch
10 times, most recently
from
4ea676e to
811c916
Compare
|
Good day, @kunalnagar With the help of my colleague we made some changes to original PR:
Here is the example of how feature works (I blurred repo & org name). On first slack message we can see how code works with
|
rndev15
force-pushed
the
allow-ignore-deps
branch
from
811c916 to
46c0ef5
Compare
|
Good day, @kunalnagar |
Hey there, in this PR I try to resolve #195