Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update npm_and_yarn deprecation and unsupported checks for npm, pnpm, and yarn package managers #11240

Merged
merged 3 commits into from
Jan 7, 2025
Merged

Update npm_and_yarn deprecation and unsupported checks for npm, pnpm, and yarn package managers #11240

merged 3 commits into from
Jan 7, 2025

Conversation

kbukum1
Copy link
Contributor

@kbukum1 kbukum1 commented Jan 6, 2025
edited
Loading

What are you trying to accomplish?

This PR updates the handling of deprecation and unsupported checks for the npm_and_yarn ecosystem's package managers: npm, pnpm, and yarn.

The changes include:

  • Implementing a unified and comprehensive version detection mechanism for npm that prioritizes checking the packageManager field, engines, and lockfiles in that order to determine the version.
  • Refining deprecation and unsupported logic for npm to ensure alignment with the ecosystem's requirements.
  • Ensuring pnpm and yarn consistently return false for deprecation and unsupported checks, as no such logic applies to them.

Why?

  • To improve consistency and accuracy in how version detection and deprecation/unsupported checks are performed across package managers.
  • To address gaps in version detection by incorporating packageManager and engines fields along with lockfiles for npm.
  • To enhance clarity and reliability for all npm_and_yarn ecosystem package managers in Dependabot.

Anything you want to highlight for special attention from reviewers?

  • Version Detection for npm:

    • A new mechanism detects the version by evaluating the packageManager field, engines field, and lockfiles in sequence.
    • Ensures accurate detection even in cases where lockfiles alone are insufficient.

  • Deprecation and Unsupported Logic:

    • npm: Adjusted logic to use the detected version for determining deprecation and unsupported status.
    • pnpm and yarn: Explicitly set deprecation and unsupported checks to always return false.

  • Test Updates:

    • For npm, tests now cover cases where versions are determined using packageManager, engines, or lockfiles.
    • Comprehensive tests for pnpm and yarn validate consistent return values (false) for deprecation and unsupported checks.

How will you know you've accomplished your goal?

  • All tests for npm_and_yarn ecosystem package managers pass successfully.
  • Deprecation and unsupported checks align with the requirements for each package manager:
    • Correct and reliable detection of supported, deprecated, and unsupported versions for npm.
    • Fixed, consistent behavior (false) for pnpm and yarn.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

kbukum1
kbukum1 commented Jan 6, 2025
View reviewed changes
npm_and_yarn/lib/dependabot/npm_and_yarn/helpers.rb
@@ -174,7 +172,7 @@ def self.fetch_yarnrc_yml_value(key, default_value)
def self.npm8?(package_lock)
return true unless package_lock&.content

if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
if Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
Copy link
Contributor Author

@kbukum1 kbukum1 Jan 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Tip:
The method npm_version_numeric_latest is used for deprecation/unsupported checks. However, for consistency across package managers, we should use npm_version_numeric and conditionally delegate to npm_version_numeric_latest based on the feature flag npm_v6_deprecation_warning. This aligns with the detection method naming conventions used by other package managers, such as #{name}_version_numeric.

Detection methods for reference:

  • npm_version_numeric
  • pnpm_version_numeric
  • yarn_version_numeric

This approach ensures consistent version detection logic across all package managers in the npm_and_yarn ecosystem.

kbukum1
kbukum1 commented Jan 6, 2025
View reviewed changes
npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb

detected_version&.to_s
end

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Tip:
Added a proper detection method that should be used for detection of version instead of directly using Helper detection method.

@amazimbe : FYI

@kbukum1 kbukum1 marked this pull request as ready for review January 6, 2025 21:05
@kbukum1 kbukum1 requested a review from a team as a code owner January 6, 2025 21:05
kbukum1
kbukum1 commented Jan 6, 2025
View reviewed changes
npm_and_yarn/lib/dependabot/npm_and_yarn/helpers.rb
if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
return npm_version_numeric_latest(lockfile)
end
return npm_version_numeric_latest(lockfile) if Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)

Copy link
Contributor Author

@kbukum1 kbukum1 Jan 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Tip:
We need to use npm_v6_deprecation_warning feature flag to use the new method to detect version and raise deprecation/unsupported notification if necessary.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious if :enable_corepack_for_npm_and_yarn is no longer needed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is more for corepack installation and doesn't matter for this part.

kbukum1
kbukum1 commented Jan 6, 2025
View reviewed changes
npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb
@@ -72,14 +72,16 @@ class NpmPackageManager < Ecosystem::VersionManager

sig do
params(
raw_version: String,
detected_version: T.nilable(String),
raw_version: T.nilable(String),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Tip:

  • Detected Version: Extracted from manifest or lock files to determine the project's specified package manager version.
  • Raw Version: Obtained using versioning commands to identify the active package manager version at runtime.

This distinction ensures precise deprecation checks and reliable metrics collection.

@kbukum1
Copy link
Contributor Author

kbukum1 commented Jan 6, 2025

@amazimbe,

This PR modifies the npm v6 deprecation/unsupported checks by updating the detection method. It would be great if you could review the changes and, if everything looks good, proceed with deployment. Additionally, you can verify that your previous work functions as expected, which will also serve as a test for my changes as well.

Thanks!

amazimbe
amazimbe approved these changes Jan 7, 2025
View reviewed changes
npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb
super(
name: NAME,
version: Version.new(raw_version),
detected_version: detected_version ? Version.new(detected_version) : nil,
version: raw_version ? Version.new(raw_version) : nil,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the raw_version is nil wouldn't we want to set the version to the detected version?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We want to show that we don't have raw_version on metrics. Later when we add detection version we can see what we are detecting and what we are running on.

@kbukum1 kbukum1 merged commit 66735fb into main Jan 7, 2025
66 checks passed
@kbukum1 kbukum1 deleted the kamil/update_detected_version_check_for_npm_and_yarn branch January 7, 2025 18:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amazimbe amazimbe amazimbe approved these changes

@abdulapopoola abdulapopoola abdulapopoola approved these changes

Assignees
No one assigned
Labels
L: javascript
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kbukum1 @abdulapopoola @amazimbe