dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

Home Page: https://docs.github.com/en/code-security/dependabot


enforce Dependabot version comparison matches Go's implementation

jakecoffman opened this issue · comments

Code improvement description

It's important that Dependabot matches native behavior when it comes to version comparison, otherwise we see strange behavior like downgrades.

Some of our ecosystems have native tests and we can enforce that we're getting it right. To do that, remove the following program from the comment and add it as a native test:

```go
// Tested against the following Go program:
package main

import (
	"golang.org/x/mod/semver"
	"log"
	"reflect"
)

func main() {
	// The order version_spec.rb asserts; semver.Sort must reproduce it exactly.
	expected := []string{
		"v1.0.0",
		"v1.0.1-1",
		"v1.0.1-2",
		"v1.0.1",
		"v1.1.0-rc.6",
		"v1.1.0-rc5",
		"v1.1.0-rc6",
		"v1.1.0",
	}
	actual := make([]string, len(expected))
	copy(actual, expected)
	semver.Sort(actual)
	if !reflect.DeepEqual(actual, expected) {
		log.Fatalf("got %v", actual)
	}
}
```

Then, from both the version_spec.rb and this new native Go test, extract the list of version strings into, for instance, an ordered_version_list.json they both can use as a fixture.

This will ensure that with any changes, Dependabot will remain in sync with Go.
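One way the fixture-driven native check could be wired up on the Go side, as an added example that is not code from dependabot-core or from the issue author. The fixture is embedded inline as a constructed stand-in for the ordered_version_list.json the issue proposes (a real test would os.ReadFile the same file that version_spec.rb loads), and compareSemver is an assumed dependency-free stand-in for semver.Compare from golang.org/x/mod/semver, written here only so the example runs without that module; the actual native test must sort with the x/mod package, since matching Go's own implementation is the whole point. Function names are assumptions.

```go
package main

import (
	"cmp"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed stand-in for the proposed ordered_version_list.json fixture;
// the native test would os.ReadFile the file that version_spec.rb also loads.
const orderedVersionFixture = `["v1.0.0", "v1.0.1-1", "v1.0.1-2", "v1.0.1",
  "v1.1.0-rc.6", "v1.1.0-rc5", "v1.1.0-rc6", "v1.1.0"]`

// loadFixture decodes the JSON array and rejects lists too short to test
// anything, so an emptied fixture fails loudly instead of passing vacuously.
func loadFixture(data []byte) ([]string, error) {
	var versions []string
	if err := json.Unmarshal(data, &versions); err != nil {
		return nil, fmt.Errorf("fixture is not a JSON array of strings: %w", err)
	}
	if len(versions) < 2 {
		return nil, fmt.Errorf("fixture needs at least two versions, got %d", len(versions))
	}
	return versions, nil
}

// checkOrder sorts a copy of the fixture with the supplied comparator and
// reports the first position where that order disagrees with the file.
// In the real native test the comparator is semver.Compare from x/mod.
func checkOrder(expected []string, compare func(a, b string) int) error {
	actual := append([]string(nil), expected...)
	sort.SliceStable(actual, func(i, j int) bool { return compare(actual[i], actual[j]) < 0 })
	for i := range expected {
		if actual[i] != expected[i] {
			return fmt.Errorf("position %d: fixture has %q but native sort puts %q there", i, expected[i], actual[i])
		}
	}
	return nil
}

// compareSemver is an assumed stand-in for semver.Compare so this example runs
// without the x/mod module. It applies SemVer 2.0.0 precedence: core numbers,
// then a pre-release sorts before its release, then identifiers one by one.
func compareSemver(a, b string) int {
	ac, apre := splitVersion(a)
	bc, bpre := splitVersion(b)
	for i := range ac {
		if c := cmp.Compare(ac[i], bc[i]); c != 0 {
			return c
		}
	}
	switch {
	case apre == bpre:
		return 0
	case apre == "":
		return 1
	case bpre == "":
		return -1
	}
	as, bs := strings.Split(apre, "."), strings.Split(bpre, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		an, aErr := strconv.Atoi(as[i])
		bn, bErr := strconv.Atoi(bs[i])
		switch {
		case aErr == nil && bErr == nil: // both numeric: compare as integers
			if an != bn {
				return cmp.Compare(an, bn)
			}
		case aErr == nil: // numeric identifiers sort before alphanumeric ones
			return -1
		case bErr == nil:
			return 1
		case as[i] != bs[i]: // alphanumeric: ASCII order, so "rc" < "rc5"
			return strings.Compare(as[i], bs[i])
		}
	}
	return cmp.Compare(len(as), len(bs)) // shared identifiers equal: shorter sorts first
}

// splitVersion parses "vX.Y.Z[-pre][+build]" into the core numbers and the
// pre-release string, dropping build metadata as SemVer requires.
func splitVersion(v string) ([3]int, string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, pre, _ := strings.Cut(v, "-")
	var nums [3]int
	for i, f := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(f)
	}
	return nums, pre
}

func main() {
	versions, err := loadFixture([]byte(orderedVersionFixture))
	if err == nil {
		err = checkOrder(versions, compareSemver)
	}
	if err != nil {
		panic(err)
	}
	fmt.Println("fixture matches native Go ordering")
}
```

The check deliberately reports the first diverging position rather than dumping the whole slice, so a single mis-ordered pre-release (such as rc.6 versus rc5) points straight at the offending line of the fixture, and loadFixture refuses a one-entry list so the test cannot pass on an accidentally truncated file. The Ruby side would mirror this by loading the same JSON and asserting that sorting with the ecosystem's Version class leaves the list unchanged.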