Add package_manager for Composer v1 deprecation warning and unsupported error #10716
Conversation
set composer v1 as deprecated set composer v1 as unsupported
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| if parsed_lockfile && parsed_lockfile["plugin-api-version"] | ||
| version = Composer::Version.new(parsed_lockfile["plugin-api-version"]) | ||
| return version.canonical_segments.first == 1 ? "1" : "2" | ||
| return version.canonical_segments.first == 1 ? V1 : V2 | ||
| elsif v1_unsupported |
There was a problem hiding this comment.
We want to change fallback version to v2 when we are not supporting v1 anymore.
| end | ||
|
|
||
| "2" | ||
| # If no conditions are met return V2 by default. | ||
| V2 | ||
| end |
There was a problem hiding this comment.
Explanation for changes made in composer_version method
We are switching fallback from v1 to v2 if composer v1 is unsupported. As for the other changes we refined the code to improve the logic alongside with comments and reduced duplications for regex checks.
| # From composers json-schema: https://getcomposer.org/schema.json | ||
| COMPOSER_V2_NAME_REGEX = %r{^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]+)*$} | ||
| COMPOSER_V2_NAME_REGEX = %r{^[a-z0-9]([_.-]?[a-z0-9]++)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]++)*$} |
There was a problem hiding this comment.
Updated quantifiers from + to ++ to prevent backtracking and improve performance, addressing potential ReDoS vulnerabilities flagged by CodeQL.
Resolved CodeQL: #10716 (comment)
| @@ -6,8 +6,13 @@ | |||
| module Dependabot | |||
| module Composer | |||
| module Helpers | |||
| V1 = "1" | |||
There was a problem hiding this comment.
as a follow up; can this file be strongly typed please?
There was a problem hiding this comment.
Should I do that in this PR?
There was a problem hiding this comment.
A separate PR will be great.
There was a problem hiding this comment.
For sorbet typings another PR will be created.
| @@ -1,6 +1,7 @@ | |||
| # typed: true | |||
There was a problem hiding this comment.
in the follow up; let's consider making this strong typing too
There was a problem hiding this comment.
Should I do that in this PR?
There was a problem hiding this comment.
It can be a separate PR to avoid blocking this one and for readability too.
There was a problem hiding this comment.
For sorbet typings another PR will be created.
|
For sorbet typings another PR will be created. |
kbukum1
deleted the
kamil/composer_v1_deprecation_warning_and_unsupported_error
branch
|
FYI @abdulapopoola Another PR is created for the sorbet typings |
What are you trying to accomplish?
This PR introduces a
package_managersubclass for Composer and sets Composer v1 as deprecated and unsupported. The deprecation warning and unsupported error are controlled by the following feature flags:composer_v1_deprecation_warningcomposer_v1_unsupported_errorFeature Flags PR: https://github.com/github/dependabot-api/pull/5763
This mirrors the approach used for Bundler v1, allowing us to guide users towards migrating to Composer v2 while providing a controlled rollout.
Anything you want to highlight for special attention from reviewers?
The deprecation and unsupported checks for Composer v1 are controlled by feature flags, similar to how it was implemented for Bundler v1. Please focus on verifying that the logic tied to the feature flags works as expected.
How will you know you've accomplished your goal?
We will monitor logs and metrics to ensure:
Checklist