
Dependabot doesn't properly manage multiple versions of a npm dependency in a repo #4701

Open
milind009 opened this issue Feb 4, 2022 · 2 comments
Labels
L: javascript:npm npm packages via npm T: bug 🐞 Something isn't working versioning

Comments

@milind009 (Contributor)

milind009 commented Feb 4, 2022

While parsing the dependencies for any JS-based repos using npm or yarn, dependabot-core only maintains a single version for any dependency (from the logic in this code segment: def combined_dependency(old_dep, new_dep)) even though the repo might have multiple versions of the dependency. Therefore, this allows only updating a particular version of a dependency in a repo. Although this doesn't impact much in the case of regular dependency updates, it poses a challenge while updating security vulnerabilities associated with any dependency via dependabot, as it is possible that if multiple versions exist for a dependency, the vulnerable version might not be recognised by dependabot and hence won't be updated. A couple of questions which I had on this are:

  1. Could you explain the logic in the combined_dependency function in this code segment: def combined_dependency(old_dep, new_dep). Is it based on some theory of how the npm and yarn package managers work, or is it just a custom implementation of dependabot?
  2. What is the reason behind parsing and updating just a single version of any dependency? Is it the complexity of implementation for multiple versions, or some other known fact or point that I might be missing?

@jurre Let me know your thoughts on these!

@milind009 milind009 added the T: bug 🐞 Something isn't working label Feb 4, 2022
@jeffwidman jeffwidman added the L: javascript:npm npm packages via npm label Sep 17, 2022
@jeffwidman jeffwidman changed the title Dependabot recognises single version of a dependency in a repo Dependabot doesn't properly manage multiple versions of a npm dependency in a repo Sep 17, 2022
@jeffwidman (Member)

jeffwidman commented Sep 17, 2022

I clarified the title. This causes #5741 which can create confusion as seen in #4222.

There may also be some unexpected interplay with how aliased packages are handled (#1693).

@Seb33300

Seb33300 commented Sep 9, 2024

I am facing the same issue: after adding both Bootstrap 4 and 5 to our project, Dependabot is no longer warning about the Bootstrap 4 CVE.

{
    "dependencies": {
        "bootstrap": "^5.3.3",
        "bootstrap4": "npm:bootstrap@^4.2.1"
    }
}
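The two comments above describe the same failure mode from both ends: the issue reporter points at a merge step that keeps one version per package name, and the later comment shows the concrete manifest (a direct `bootstrap` entry plus an `npm:bootstrap@...` alias) on which that merge hides the older line. The Ruby below is an added example, not dependabot-core's own code, that reproduces the effect on a constructed copy of that package.json: it resolves the npm alias back to the real package name, then contrasts a single-version merge with a multi-version view when both are checked against an advisory range. The resolved versions, the `bootstrap4` alias handling and the advisory range `>= 4.0.0, < 4.6.2` are all constructed for the illustration and are not a real advisory.

```ruby
require "json"

# Constructed package.json mirroring the comment above (not a project file).
PACKAGE_JSON = <<~JSON
  {
    "dependencies": {
      "bootstrap": "^5.3.3",
      "bootstrap4": "npm:bootstrap@^4.2.1"
    }
  }
JSON

# Constructed lockfile-style resolution for the two declared entries.
RESOLVED = { "bootstrap" => "5.3.3", "bootstrap4" => "4.2.1" }.freeze

# Constructed advisory range; NOT a real CVE. Only the detection logic matters.
ADVISORY = { "bootstrap" => Gem::Requirement.new(">= 4.0.0", "< 4.6.2") }.freeze

# declared_name is the key in package.json; package is the real npm package
# after resolving an "npm:<pkg>@<range>" alias.
Requirement = Struct.new(:declared_name, :package, :range, :resolved)

# Parse each dependency entry, unwrapping npm aliases so that both entries
# are recognised as the same underlying package ("bootstrap").
def parse_dependencies(package_json, resolved)
  JSON.parse(package_json).fetch("dependencies", {}).map do |declared, spec|
    if (m = spec.match(/\Anpm:(?<pkg>@?[^@]+)@(?<range>.+)\z/))
      Requirement.new(declared, m[:pkg], m[:range], resolved[declared])
    else
      Requirement.new(declared, declared, spec, resolved[declared])
    end
  end
end

# Single-version merge: one entry per package, keeping the highest resolved
# version. This is the behaviour the issue describes; it drops 4.2.1.
def combine_single_version(reqs)
  reqs.group_by(&:package).transform_values do |rs|
    rs.max_by { |r| Gem::Version.new(r.resolved) }.resolved
  end
end

# Multi-version view: every resolved version per package, sorted ascending.
def combine_all_versions(reqs)
  reqs.group_by(&:package).transform_values do |rs|
    rs.map(&:resolved).sort_by { |v| Gem::Version.new(v) }
  end
end

# Match each known version against the advisory range for its package.
# Accepts either the single-version hash or the multi-version hash.
def vulnerable_versions(versions_by_package, advisories)
  versions_by_package.flat_map do |pkg, versions|
    req = advisories[pkg]
    next [] unless req
    Array(versions)
      .select { |v| req.satisfied_by?(Gem::Version.new(v)) }
      .map { |v| [pkg, v] }
  end
end

if __FILE__ == $PROGRAM_NAME
  reqs = parse_dependencies(PACKAGE_JSON, RESOLVED)
  puts "single-version view:  #{vulnerable_versions(combine_single_version(reqs), ADVISORY).inspect}"
  puts "all-versions view:    #{vulnerable_versions(combine_all_versions(reqs), ADVISORY).inspect}"
end
```

Run stand-alone, the single-version view reports nothing vulnerable because only 5.3.3 survives the merge, while the all-versions view flags `["bootstrap", "4.2.1"]`. Gem::Version and Gem::Requirement are used here as a stand-in comparator for the npm range syntax; they order dotted versions correctly for this input but do not implement npm's caret or tilde semantics, so a real checker should use an npm-semver implementation.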

4 participants