[Grouped Updates] The VendorUpdater class watermarks DependencyFile objects it creates #7433
Conversation
|
👋🏻 @pavera I just wanted to check that my changes around the npm file updater made sense for the yarn files being managed |
| module Dependabot | ||
| module FileUpdaters | ||
| class VendorUpdater | ||
| class VendorUpdater < ArtifactUpdater |
There was a problem hiding this comment.
I considered an alternative approach of adding a new argument to VendorUpdater rather than creating a 'generic' ArtifactUpdater, something like
def initialise(repo_contents_path:, vendor_dir:, create_vendored_files: true)
Although this would work had result in less churn to the API, I felt this didn't make the intent that vendor files need some special handling clear enough and it would extremely easy for a subtle bug if we were to develop a new use for this utility class similar to the calls in the NPM FileUpdater.
The split of 'utility class to grab any artefact outside the manifest files' and 'specific class to manage vendored dependencies' seemed like a safer, more intentional interface.
There was a problem hiding this comment.
Thanks for explaining your thought process. Seems well-reasoned to me and straightforward inheritance like this seems preferable to weaving in switching logic 👍
| pnp_updater.updated_files(base_directory: base_dir, only_paths: [".pnp.cjs", ".pnp.data.json"]).each do |file| | ||
| updated_files << file |
There was a problem hiding this comment.
This was an opportunistic change to allow us to optimise very slightly to avoid reading any files we don't plan on using I've made in passing.
I'm ok with backing this out as it is scope creep, but it was a fairly quick thing to add on.
There was a problem hiding this comment.
Thanks for the callout 👍 I don't see any issue with it, especially given its size/impact.
| encoding = `#{command}`.strip | ||
|
|
||
| !TEXT_ENCODINGS.include?(encoding) | ||
| def create_dependency_file(parameters) |
There was a problem hiding this comment.
This is a private method in the base class, so it feels a little sneaky for this subclass to know it should override it, but then again this is ruby so nbd.
| pnp_updater.updated_files(base_directory: base_dir, only_paths: [".pnp.cjs", ".pnp.data.json"]).each do |file| | ||
| updated_files << file |
There was a problem hiding this comment.
Thanks for the callout 👍 I don't see any issue with it, especially given its size/impact.
| module Dependabot | ||
| module FileUpdaters | ||
| class VendorUpdater | ||
| class VendorUpdater < ArtifactUpdater |
There was a problem hiding this comment.
Thanks for explaining your thought process. Seems well-reasoned to me and straightforward inheritance like this seems preferable to weaving in switching logic 👍
brrygrdn
force-pushed
the
brrygrdn/watermark-vendor-files
branch
from
206fddb to
32f3c89
Compare
brrygrdn
force-pushed
the
brrygrdn/watermark-vendor-files
branch
from
32f3c89 to
1da6c28
Compare
Groundwork to fix #7319
Grouped Updates need to manage the aggregation of
DependencyFileobjects return from updaters in two ways:In the case of vendor files, we need them to be present in the overall file list for (1), but we do not want them to be passed into subsequent updaters as their interface does not expect to have to filter them out and retrofitting this filtering across all our ecosystems isn't the most practical approach.
The Changes
This PR does the following
vendored_fileattribute toDependabot::DependencyFilewhich is false by defaultVendorUpdaterclass to provide support for managing arbitrary files within an Updater that don't fall within the remit of theFileUpdateritself, i.e. they are not a manifest file, nor are they a vendor file.pnp.*and install state files for yarn berry within our NPM libraryVendorUpdaterto setvendored_file: trueon anyDependecyFileobjects it createsRationale
This change introduces the
vendor_filewatermarking without changing any behaviour or modifying the Group Update processes to use it to isolate and de-risk this from the larger effort to handle grouped updates + vendoring.