Add defensive checks to prevent inscrutable error messages #4913
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,7 +7,19 @@ module ResolvabilityErrors | |
| GITHUB_REPO_REGEX = %r{github.com/[^:@]*} | ||
|
|
||
| def self.handle(message, goprivate:) | ||
| # TODO: currently this matches last. Instead, if more than one match, and they | ||
| # aren't identical, then don't try to be clever with GitDependenciesNotReachable | ||
| # but instead raise DependencyFileNotResolvable and report the whole error. | ||
| # This would have resulted in a more obvious error message for #4625 | ||
| mod_path = message.scan(GITHUB_REPO_REGEX).last | ||
| if mod_path | ||
| # TODO: if mod_path doesn't look like a URL, don't continue, but instead raise | ||
| # DependencyFileNotResolvable and report the whole error. | ||
| # This would have resulted in a more obvious error message for #4625 | ||
| # How to implement this though? | ||
| # * Ruby has no built-in URL parsing, and no great alternatives in https://stackoverflow.com/q/1805761/770425... | ||
| # Not sure what Dependabot team policy is on using 3rd-party gems? | ||
| # Alternatively a basic sanity check of "it should not contain whitespace" may suffice for now... ?? | ||
|
There was a problem hiding this comment. There was a problem hiding this comment. Do we expect a URL here or just the module path? If it's the path we could use some of the basic character checks from https://pkg.go.dev/golang.org/x/mod/module#CheckImportPath / https://pkg.go.dev/golang.org/x/mod/module#CheckPath as a start? Agree we just need a simple defensive check rather than a robust validation here. |
||
| raise Dependabot::DependencyFileNotResolvable, message unless mod_path | ||
|
|
||
| # Module not found on github.com - query for _any_ version to know if it | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I actually wasn't 100% sure on this... I could see a case where a multi-line error string may have multiple URLs, and the last one is indeed the proper one to match on...
But given that
GitDependenciesNotReachabletells the user that Dependabot can't reach the repo and to update their access creds, that's a fairly opinionated solution...IMO I'd only want to report that if 110% sure that's the issue, otherwise surface the whole error message and let the user diagnose the issue.
(I assume
DependencyFileNotResolvablereports the message to the end user... if it just hides it in logs that only Dependabot devs can see, then that's not so helpful either.)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see these cases as most useful to raise
GitDependenciesNotReachable.Do we have examples of what multiple URLs look like in this error message handy? I imagine this could get tricky if you had a failing indirect dependency on another host that came from one of your direct github dependencies.