From 2723b34189b115521696343693e5a2a51a03dd71 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 28 Oct 2025 15:00:51 +0000 Subject: [PATCH 1/7] Add validation for unsupported dependency-type option Co-authored-by: a-schur <227858738+a-schur@users.noreply.github.com> --- .../lib/dependabot/dependency_group_engine.rb | 27 ++++ .../dependency_group_engine_spec.rb | 137 ++++++++++++++++++ 2 files changed, 164 insertions(+) diff --git a/updater/lib/dependabot/dependency_group_engine.rb b/updater/lib/dependabot/dependency_group_engine.rb index 6abaf5badef..94fa2bf2009 100644 --- a/updater/lib/dependabot/dependency_group_engine.rb +++ b/updater/lib/dependabot/dependency_group_engine.rb @@ -25,8 +25,16 @@ class DependencyGroupEngine class ConfigurationError < StandardError; end + # Package managers that support the dependency-type option in group rules + PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE = T.let( + %w[bundler composer hex maven npm_and_yarn pip uv].freeze, + T::Array[String] + ) + sig { params(job: Dependabot::Job).returns(Dependabot::DependencyGroupEngine) } def self.from_job_config(job:) + validate_group_configuration!(job) + groups = job.dependency_groups.map do |group| Dependabot::DependencyGroup.new(name: group["name"], rules: group["rules"], applies_to: group["applies-to"]) end 
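Review bot: `from_job_config` now raises `ConfigurationError` via `validate_group_configuration!(job)`, but neither the call site nor the method's documentation says so, and callers that previously only had to cope with group construction now also see a configuration failure. Add a line above the `sig`, e.g. `# @raise [ConfigurationError] when a group rule uses 'dependency-type' and the job's package manager is not in PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE`. The constant's comment could also state what the entries are compared against (`job.package_manager` values), which is only apparent from the second hunk. `from_job_config`'s body continues past the end of this hunk.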
@@ -41,6 +49,25 @@ def self.from_job_config(job:) new(dependency_groups: groups) end + sig { params(job: Dependabot::Job).void } + def self.validate_group_configuration!(job) + return unless job.dependency_groups.any? + + unsupported_groups = job.dependency_groups.select do |group| + rules = group["rules"] || {} + rules.key?("dependency-type") && + !PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE.include?(job.package_manager) + end + + return unless unsupported_groups.any? + + group_names = unsupported_groups.map { |g| g["name"] }.join(", ") + raise ConfigurationError, + "The 'dependency-type' option is not supported for the '#{job.package_manager}' package manager. " \ + "It is only supported for: #{PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE.join(', ')}. " \ + "Affected groups: #{group_names}" + end + sig { returns(T::Array[Dependabot::DependencyGroup]) } attr_reader :dependency_groups diff --git a/updater/spec/dependabot/dependency_group_engine_spec.rb b/updater/spec/dependabot/dependency_group_engine_spec.rb index b0f14089129..e24e97e35af 100644 --- a/updater/spec/dependabot/dependency_group_engine_spec.rb +++ b/updater/spec/dependabot/dependency_group_engine_spec.rb 
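Review bot: In `validate_group_configuration!` the package-manager check is evaluated inside the `select` block although it does not depend on the group, and the first guard is redundant because `select` over an empty array already yields nothing. Replace `return unless job.dependency_groups.any?` with `return if PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE.include?(job.package_manager)` and reduce the block to `(group["rules"] || {}).key?("dependency-type")`, which reads as the rule it enforces. The method is only called from `from_job_config`, so unless a public surface is intended it could be hidden with `private_class_method :validate_group_configuration!`. Note that `rules.key?` assumes the `"rules"` value is a Hash; if the job payload can carry another type there (not visible in this hunk) the failure would surface as `NoMethodError` rather than `ConfigurationError`.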
@@ -480,4 +480,141 @@ end end end + + describe "::from_job_config validation" do + let(:dependency_groups_config) do + [ + { + "name" => "test-group", + "rules" => { + "dependency-type" => "production" + } + } + ] + end + + context "when dependency-type is used with a supported package manager" do + %w[bundler composer hex maven npm_and_yarn pip uv].each do |package_manager| + context "with #{package_manager}" do + let(:job) do + instance_double( + Dependabot::Job, + dependency_groups: dependency_groups_config, + source: source, + dependencies: nil, + security_updates_only?: false, + package_manager: package_manager + ) + end + + it "does not raise an error" do + expect { dependency_group_engine }.not_to raise_error + end + end + end + end + + context "when dependency-type is used with an unsupported package manager" do + %w[gradle go_modules cargo docker terraform].each do |package_manager| + context "with #{package_manager}" do + let(:job) do + instance_double( + Dependabot::Job, + dependency_groups: dependency_groups_config, + source: source, + dependencies: nil, + security_updates_only?: false, + package_manager: package_manager + ) + end + + it "raises a ConfigurationError" do + expect { dependency_group_engine }.to raise_error( + Dependabot::DependencyGroupEngine::ConfigurationError, + /The 'dependency-type' option is not supported for the '#{package_manager}' package manager/ + ) + end + + it "includes the group name in the error message" do + expect { dependency_group_engine }.to raise_error( + Dependabot::DependencyGroupEngine::ConfigurationError, + /Affected groups: test-group/ + ) + end + + it "lists supported package managers in the error message" do + expect { dependency_group_engine }.to raise_error( + Dependabot::DependencyGroupEngine::ConfigurationError, + /bundler, composer, hex, maven, npm_and_yarn, pip, uv/ + ) + end + end + end + end + + context "when multiple groups use dependency-type with an unsupported package manager" do + 
let(:dependency_groups_config) do + [ + { + "name" => "group-one", + "rules" => { + "dependency-type" => "production" + } + }, + { + "name" => "group-two", + "rules" => { + "dependency-type" => "development" + } + } + ] + end + + let(:job) do + instance_double( + Dependabot::Job, + dependency_groups: dependency_groups_config, + source: source, + dependencies: nil, + security_updates_only?: false, + package_manager: "gradle" + ) + end + + it "raises an error mentioning all affected groups" do + expect { dependency_group_engine }.to raise_error( + Dependabot::DependencyGroupEngine::ConfigurationError, + /Affected groups: group-one, group-two/ + ) + end + end + + context "when groups don't use dependency-type with an unsupported package manager" do + let(:dependency_groups_config) do + [ + { + "name" => "test-group", + "rules" => { + "patterns" => ["dummy-*"] + } + } + ] + end + + let(:job) do + instance_double( + Dependabot::Job, + dependency_groups: dependency_groups_config, + source: source, + dependencies: nil, + security_updates_only?: false, + package_manager: "gradle" + ) + end + + it "does not raise an error" do + expect { dependency_group_engine }.not_to raise_error + end + end + end end From bb9c0a43a09f6201ff73120af75983bfd447ad3d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 5 Nov 2025 18:40:25 +0000 Subject: [PATCH 2/7] Fix linter issues: use parentheses for %w literals Co-authored-by: a-schur <227858738+a-schur@users.noreply.github.com> --- updater/lib/dependabot/dependency_group_engine.rb | 2 +- updater/spec/dependabot/dependency_group_engine_spec.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/updater/lib/dependabot/dependency_group_engine.rb b/updater/lib/dependabot/dependency_group_engine.rb index 94fa2bf2009..db51a745c48 100644 --- a/updater/lib/dependabot/dependency_group_engine.rb +++ b/updater/lib/dependabot/dependency_group_engine.rb 
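Review bot: The supported and unsupported package-manager lists in this spec are literal copies of `PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE`, so drift between the constant and the spec is not detected, and the message assertion `/bundler, composer, hex, maven, npm_and_yarn, pip, uv/` keeps passing after an entry is appended. Iterating `Dependabot::DependencyGroupEngine::PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE.each do |package_manager|` for the supported context, while keeping the unsupported list explicit, would pin which ecosystems are rejected without duplicating the allowlist. There is also no example for a group whose `"rules"` key is absent or nil on an unsupported package manager, which is the path the `|| {}` fallback exists for; one `context` with `{ "name" => "no-rules" }` and `expect { dependency_group_engine }.not_to raise_error` would cover it. The new `describe` block is complete within the hunk.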
@@ -27,7 +27,7 @@ class ConfigurationError < StandardError; end # Package managers that support the dependency-type option in group rules PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE = T.let( - %w[bundler composer hex maven npm_and_yarn pip uv].freeze, + %w(bundler composer hex maven npm_and_yarn pip uv).freeze, T::Array[String] ) diff --git a/updater/spec/dependabot/dependency_group_engine_spec.rb b/updater/spec/dependabot/dependency_group_engine_spec.rb index e24e97e35af..0de046e612c 100644 --- a/updater/spec/dependabot/dependency_group_engine_spec.rb +++ b/updater/spec/dependabot/dependency_group_engine_spec.rb @@ -494,7 +494,7 @@ end context "when dependency-type is used with a supported package manager" do - %w[bundler composer hex maven npm_and_yarn pip uv].each do |package_manager| + %w(bundler composer hex maven npm_and_yarn pip uv).each do |package_manager| context "with #{package_manager}" do let(:job) do instance_double( @@ -515,7 +515,7 @@ end context "when dependency-type is used with an unsupported package manager" do - %w[gradle go_modules cargo docker terraform].each do |package_manager| + %w(gradle go_modules cargo docker terraform).each do |package_manager| context "with #{package_manager}" do let(:job) do instance_double( From 713a92fca6ae306df4dba74c41920dd87db191f5 Mon Sep 17 00:00:00 2001 From: a-schur Date: Thu, 6 Nov 2025 14:38:49 +0000 Subject: [PATCH 3/7] expect validation error for unsupported dependency types --- silent/tests/testdata/su-group-type.txt | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/silent/tests/testdata/su-group-type.txt b/silent/tests/testdata/su-group-type.txt index 95b04939bf5..566b76e6f12 100644 --- a/silent/tests/testdata/su-group-type.txt +++ b/silent/tests/testdata/su-group-type.txt 
@@ -1,7 +1,7 @@ -dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent -stdout -count=2 create_pull_request -pr-created expected-dev-group.json -pr-created expected-prod-group.json +! dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent +! stdout create_pull_request +stderr "The 'dependency-type' option is not supported for the 'silent' package manager" +stdout '{"data":{"error-type":"update_files_error".*"error-message":"The .dependency-type. option is not supported for the .silent. package manager.*Affected groups: dev, prod".*},"type":"record_update_job_error"}' -- manifest.json -- { @@ -10,20 +10,6 @@ pr-created expected-prod-group.json "dependency-c": { "version": "1.2.3" } } --- expected-dev-group.json -- -{ - "dependency-a": { "version": "1.2.4", "group": "dev" }, - "dependency-b": { "version": "1.2.4", "group": "dev" }, - "dependency-c": { "version": "1.2.3" } -} - --- expected-prod-group.json -- -{ - "dependency-a": { "version": "1.2.3", "group": "dev" }, - "dependency-b": { "version": "1.2.3", "group": "dev" }, - "dependency-c": { "version": "1.2.4" } -} - -- dependency-a -- { "versions": [ From 3615ec517438e380996f8d3205bda9b67cd2aeea Mon Sep 17 00:00:00 2001 From: a-schur Date: Thu, 6 Nov 2025 14:50:01 +0000 Subject: [PATCH 4/7] Update silent tests to expect validation errors for unsupported dependency-type --- silent/tests/testdata/su-group-type.txt | 2 +- silent/tests/testdata/vu-group-type.txt | 27 ++++--------------------- 2 files changed, 5 insertions(+), 24 deletions(-) diff --git a/silent/tests/testdata/su-group-type.txt b/silent/tests/testdata/su-group-type.txt index 566b76e6f12..161f4164725 100644 --- a/silent/tests/testdata/su-group-type.txt +++ b/silent/tests/testdata/su-group-type.txt 
@@ -1,6 +1,6 @@ ! dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent ! stdout create_pull_request -stderr "The 'dependency-type' option is not supported for the 'silent' package manager" +stderr 'The .dependency-type. option is not supported for the .silent. package manager' stdout '{"data":{"error-type":"update_files_error".*"error-message":"The .dependency-type. option is not supported for the .silent. package manager.*Affected groups: dev, prod".*},"type":"record_update_job_error"}' -- manifest.json -- diff --git a/silent/tests/testdata/vu-group-type.txt b/silent/tests/testdata/vu-group-type.txt index c0159ac4237..2ee7d72abb7 100644 --- a/silent/tests/testdata/vu-group-type.txt +++ b/silent/tests/testdata/vu-group-type.txt @@ -1,8 +1,7 @@ -dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent -stderr 'created \| dependency-a \( from 1.2.3 to 1.2.5 \), dependency-b \( from 2.2.3 to 2.2.5 \)' -stdout -count=2 create_pull_request -pr-created expected-dev-group.json -pr-created expected-prod-group.json +! dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent +! stdout create_pull_request +stderr 'The .dependency-type. option is not supported for the .silent. package manager' +stdout '{"data":{"error-type":"update_files_error".*"error-message":"The .dependency-type. option is not supported for the .silent. package manager.*Affected groups: dev, prod".*},"type":"record_update_job_error"}' -- manifest.json -- { 
@@ -13,24 +12,6 @@ pr-created expected-prod-group.json "dependency-e": { "version": "2.2.3", "group": "test" } } --- expected-dev-group.json -- -{ - "dependency-a": { "version": "1.2.5", "group": "dev" }, - "dependency-b": { "version": "2.2.5", "group": "dev" }, - "dependency-c": { "version": "2.2.3" }, - "dependency-d": { "version": "2.2.3" }, - "dependency-e": { "version": "2.2.5", "group": "test" } -} - --- expected-prod-group.json -- -{ - "dependency-a": { "version": "1.2.3", "group": "dev" }, - "dependency-b": { "version": "2.2.3", "group": "dev" }, - "dependency-c": { "version": "2.2.5" }, - "dependency-d": { "version": "2.2.5" }, - "dependency-e": { "version": "2.2.3", "group": "test" } -} - -- dependency-a -- { "versions": [ From 29274178b8cad53d1febace0b3bc3db4336105ae Mon Sep 17 00:00:00 2001 From: a-schur Date: Thu, 6 Nov 2025 19:25:55 +0000 Subject: [PATCH 5/7] Revert silent test changes - silent now supported for dependency-type --- silent/tests/testdata/su-group-type.txt | 22 ++++++++++++++++---- silent/tests/testdata/vu-group-type.txt | 27 +++++++++++++++++++++---- 2 files changed, 41 insertions(+), 8 deletions(-) diff --git a/silent/tests/testdata/su-group-type.txt b/silent/tests/testdata/su-group-type.txt index 161f4164725..95b04939bf5 100644 --- a/silent/tests/testdata/su-group-type.txt +++ b/silent/tests/testdata/su-group-type.txt 
@@ -1,7 +1,7 @@ -! dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent -! stdout create_pull_request -stderr 'The .dependency-type. option is not supported for the .silent. package manager' -stdout '{"data":{"error-type":"update_files_error".*"error-message":"The .dependency-type. option is not supported for the .silent. package manager.*Affected groups: dev, prod".*},"type":"record_update_job_error"}' +dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent +stdout -count=2 create_pull_request +pr-created expected-dev-group.json +pr-created expected-prod-group.json -- manifest.json -- { @@ -10,6 +10,20 @@ stdout '{"data":{"error-type":"update_files_error".*"error-message":"The .depend "dependency-c": { "version": "1.2.3" } } +-- expected-dev-group.json -- +{ + "dependency-a": { "version": "1.2.4", "group": "dev" }, + "dependency-b": { "version": "1.2.4", "group": "dev" }, + "dependency-c": { "version": "1.2.3" } +} + +-- expected-prod-group.json -- +{ + "dependency-a": { "version": "1.2.3", "group": "dev" }, + "dependency-b": { "version": "1.2.3", "group": "dev" }, + "dependency-c": { "version": "1.2.4" } +} + -- dependency-a -- { "versions": [ diff --git a/silent/tests/testdata/vu-group-type.txt b/silent/tests/testdata/vu-group-type.txt index 2ee7d72abb7..c0159ac4237 100644 --- a/silent/tests/testdata/vu-group-type.txt +++ b/silent/tests/testdata/vu-group-type.txt 
@@ -1,7 +1,8 @@ -! dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent -! stdout create_pull_request -stderr 'The .dependency-type. option is not supported for the .silent. package manager' -stdout '{"data":{"error-type":"update_files_error".*"error-message":"The .dependency-type. option is not supported for the .silent. package manager.*Affected groups: dev, prod".*},"type":"record_update_job_error"}' +dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent +stderr 'created \| dependency-a \( from 1.2.3 to 1.2.5 \), dependency-b \( from 2.2.3 to 2.2.5 \)' +stdout -count=2 create_pull_request +pr-created expected-dev-group.json +pr-created expected-prod-group.json -- manifest.json -- { @@ -12,6 +13,24 @@ stdout '{"data":{"error-type":"update_files_error".*"error-message":"The .depend "dependency-e": { "version": "2.2.3", "group": "test" } } +-- expected-dev-group.json -- +{ + "dependency-a": { "version": "1.2.5", "group": "dev" }, + "dependency-b": { "version": "2.2.5", "group": "dev" }, + "dependency-c": { "version": "2.2.3" }, + "dependency-d": { "version": "2.2.3" }, + "dependency-e": { "version": "2.2.5", "group": "test" } +} + +-- expected-prod-group.json -- +{ + "dependency-a": { "version": "1.2.3", "group": "dev" }, + "dependency-b": { "version": "2.2.3", "group": "dev" }, + "dependency-c": { "version": "2.2.5" }, + "dependency-d": { "version": "2.2.5" }, + "dependency-e": { "version": "2.2.3", "group": "test" } +} + -- dependency-a -- { "versions": [ From 033aa8150a21ae86d0696ea58376c6cde7a785f6 Mon Sep 17 00:00:00 2001 From: a-schur Date: Thu, 6 Nov 2025 19:32:20 +0000 Subject: [PATCH 6/7] add silent to supported package managers array --- updater/lib/dependabot/dependency_group_engine.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/updater/lib/dependabot/dependency_group_engine.rb b/updater/lib/dependabot/dependency_group_engine.rb index db51a745c48..c9d791e53a7 100644 --- a/updater/lib/dependabot/dependency_group_engine.rb +++ b/updater/lib/dependabot/dependency_group_engine.rb @@ -27,7 +27,7 @@ class ConfigurationError < StandardError; end # Package managers that support the dependency-type option in group rules PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE = T.let( - %w(bundler composer hex maven npm_and_yarn pip uv).freeze, + %w(bundler composer hex maven npm_and_yarn pip uv silent).freeze, T::Array[String] ) From 6e0393dccba9391e8bd08c255f23d3c602e90f63 Mon Sep 17 00:00:00 2001 From: a-schur Date: Thu, 6 Nov 2025 19:42:28 +0000 Subject: [PATCH 7/7] comments for clarification about silent and needing to update constants as more systems become supported in the future --- updater/lib/dependabot/dependency_group_engine.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/updater/lib/dependabot/dependency_group_engine.rb b/updater/lib/dependabot/dependency_group_engine.rb index c9d791e53a7..c781ff7f517 100644 --- a/updater/lib/dependabot/dependency_group_engine.rb +++ b/updater/lib/dependabot/dependency_group_engine.rb @@ -25,7 +25,9 @@ class DependencyGroupEngine class ConfigurationError < StandardError; end - # Package managers that support the dependency-type option in group rules + # Package managers that support the dependency-type option in group rules. + # Update this list when adding dependency-type support to new ecosystems. + # Note: 'silent' is included to avoid modifying its integration tests. PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE = T.let( %w(bundler composer hex maven npm_and_yarn pip uv silent).freeze, T::Array[String]
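Review bot: Adding `silent` to `PACKAGE_MANAGERS_SUPPORTING_DEPENDENCY_TYPE` means the rejection path introduced in this series is never exercised by the silent end-to-end fixtures, leaving it covered only by the unit spec. The restored `su-group-type`/`vu-group-type` fixtures show the silent updater does produce dev/prod groups from `dependency-type`, so the entry appears justified on behaviour rather than on test convenience; the rationale comment added in the following patch (whose hunk is cut off here) would be clearer if it said so, e.g. `# Note: 'silent' is the test ecosystem and honours dependency-type grouping in its fixtures.` If an end-to-end check of the error message is still wanted, it cannot come from the silent harness once silent is on the list.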