Add support for relationship attribute in DependencySubmission payload
#12768
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
brrygrdn
force-pushed
the
brrygrdn/experiment-dependency-submission
branch
from
aa28e82 to
8782ea9
Compare
5 tasks
Base automatically changed from
brrygrdn/experiment-dependency-submission
to
main
August 4, 2025 15:40
…? Could we use it to track transitive dependencies?
This commit: - backs out previous WIP that added `dependency_file` to `Dependabot::Dependency` - introduces `Dependabot::DependencyFile#dependencies` list Now, for the bundler ecosystem at least, DependencyFiles included in DependencySnapshots will be aware of their Dependabot::Dependency objects – and DependencySubmission payloads can accurately reflect the contents of the specified manifests.
brrygrdn
force-pushed
the
phillmv/experiment-dependency-submission-with-dep-files
branch
from
2e98f11 to
f02ba8a
Compare
brrygrdn
force-pushed
the
phillmv/experiment-dependency-submission-with-dep-files
branch
from
36eed25 to
5c56412
Compare
brrygrdn
force-pushed
the
phillmv/experiment-dependency-submission-with-dep-files
branch
from
5c56412 to
ea7d193
Compare
In order to create DependencySubmission payloads, we must keep track of dependencies on a per-DependencyFile level, and those dependency objects must know whether they are direct dependencies (`#top_level?`) and whether they are usined in `production?`. First we tried faking `Dependency#requirements` objects but this broke a number of tests; somewhere deep within Dependabot there is an assumption that lockfiles do not produce dependencies with requirements. Instead of trying to fix the tests, here is a different approach: - Instead of faking `requirements` objects, we instead directly supply the `top_level?` boolean at instantiation, i.e. before, top_level was a synonym for `requirements.any?` and now it is not. Hopefully this turns out to be a simpler modification going forward.
brrygrdn
reviewed
Aug 6, 2025
Instead of overriding `top_level?`, which on inspection is a leaky abstraction – it's often used elsewhere as a synonym for "has requirements" – here we introduce our own method that only means "this dependency has a direct relationship".
Co-authored-by: Barry Gordon <[email protected]>
phillmv
commented
Aug 7, 2025
phillmv
changed the title
relationship attribute in DependencySubmission payloadrelationship attribute in DependencySubmission payload
brrygrdn
approved these changes
Aug 7, 2025
Comment on lines
+136
to
+137
| gemfile = payload[:manifests].fetch("/Gemfile") | ||
| expect(gemfile[:name]).to eq("/Gemfile") |
There was a problem hiding this comment.
I was going to ask why we were adding a / here, but on checking the API docs, this is just an arbitrary name. Comparing with a real world payload, I note people doing esoteric things like:
project-a/pom.xml > project-a
| expect(capybara[:scope]).to eq("development") | ||
| # the lockfile should be reporting 4 direct dependencies and 24 indirect ones | ||
| expect(lockfile[:resolved].values.count { |dep| dep[:relationship] == "direct" }).to eq(4) | ||
| expect(lockfile[:resolved].values.count { |dep| dep[:relationship] == "indirect" }).to eq(24) |
|
Huh, I do not lack the real power of approval 😅 - I'll set it to neutral until a |
-er has a chance to review
brrygrdn
reviewed
Aug 7, 2025
jakecoffman
approved these changes
Aug 7, 2025
IIRC @phillmv and I talked about this lightly where we'd ideally replace |
phillmv
deleted the
phillmv/experiment-dependency-submission-with-dep-files
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What are you trying to accomplish?
Per https://github.com/github/dependency-graph/issues/7121,
[for those of you who do not work at GitHub, the above link describes an effort we're undergoing to refactor technical debt and start using dependabot-core to parse dependencies for our dependency graph service.]
This PR is a follow up on #12734 . Now that we can generate payloads, the next step is to fill out the remaining attributes that the Dependency Submission API expects.
This PR then:
Dependency#direct?as a bit of state we can track when parsing dependenciesAnything you want to highlight for special attention from reviewers?
In order to get here there was a meandering path. The first step involved realizing that the
DependencySetclass squashes all of theDependenciesit has parsed and combines them into a flat list; this means that we could not produce an accurate list of thelockfile's dependencies because the overlapping ones would be assigned to thegemfile.In order to get around this now associate dependencies directly with their
DependencyFilevia a new associationDependencyFile#dependencies.In order to start tracking whether a dependency is direct or transitive, we need to keep track of this within the
Dependencyclass. At first we tried addingrequirementsobjects to direct dependencies parsed from thelockfilebut this caused weird test failures deep within Dependabot, so we skipped that. We eventually settled on adding a newDependency#direct?method that either mimicstop_level?or can be set directly via ivar on initialize.How will you know you've accomplished your goal?
All tests pass & we deploy it and see it send requests to our API.
Checklist