Bubble up expected pub security update errors to the user

dependabot · Aug 23, 2023 · 0cc61ea · 0cc61ea
1 parent 3205319
commit 0cc61ea
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/pub/lib/dependabot/pub/update_checker.rb b/pub/lib/dependabot/pub/update_checker.rb
@@ -65,9 +65,11 @@ def updated_requirements
                   # Ideally we would like to do any upgrade that migrates away from the vulnerability
                   # but this method can only return a single requirement udate.
                   breaking_changes = updates.filter { |d| d["previousConstraint"] != d["constraintBumpedIfNeeded"] }
-                  if breaking_changes.size > 1
-                    raise "Cannot upgrade from vulnerability without unlocking other packages."
-                  end
+
+                  # This security update would require unlocking other packages, which is not currently supported.
+                  # Because of that, return original requirements, so that no requirements are actually updated and
+                  # the error bubbles up as security_update_not_possible to the user.
+                  return depedency.requirements if breaking_changes.size > 1
 
                   updates.find { |u| u["name"] == dependency.name }
                 else