Dependabot exposes private Github repository details through changelogs
jwgmeligmeyling opened this issue · comments
I.e. the version bump commit for NewRelic Agent 5.10.0 listed:
Bumps newrelic-api from 5.9.0 to 5.10.0.
changelog
The link exposes the fact that the repository is hosted at https://github.com/newrelic/java_agent , but going to that repository results in a 404 exception. Unauthorised visitors should not be aware of the fact that a repository exists at that location. Therefore, links to private repositories should be omitted from the generated issue descriptions.
@jwgmeligmeyling could you send over a pull request URL where this is visible? Or is it a private repo PR?
Unfortunately I can't share the PR as it's non-public.
Perhaps it's actually NewRelic's fault in the end, as they specifically mention their SCM location in their pom.xml artefact descriptor:
<scm>
    <connection>scm:git:git@github.com:newrelic/java_agent.git</connection>
    <url>git@github.com:newrelic/java_agent.git</url>
</scm>
(Which is publicly available in Maven Central)
If the value under SCM is used to generate the link, this issue isn't on Dependabot's side. But of course I can't know for sure if the repository location is mapped to the dependency through some other unintentional way.
@jwgmeligmeyling nice find, yeah Dependabot uses that value and fetches it here: https://github.com/dependabot/dependabot-core/blob/master/maven/lib/dependabot/maven/metadata_finder.rb#L55
Going to close this as we can't change this in Dependabot.
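As an added example, not code from Dependabot or from anyone in this thread: a small Ruby check a publisher can run over their own pom.xml before release to see which GitHub locations the `<scm>` block will disclose once the artefact is on Maven Central. The sample pom is constructed from the `<scm>` values quoted above, and the URL normalisation here is my own, not the logic in metadata_finder.rb.

```ruby
require "rexml/document"

# Constructed sample pom.xml, modelled on the <scm> block quoted in the thread.
SAMPLE_POM = <<~XML
  <project>
    <groupId>com.newrelic.agent.java</groupId>
    <artifactId>newrelic-api</artifactId>
    <version>5.10.0</version>
    <scm>
      <connection>scm:git:git@github.com:newrelic/java_agent.git</connection>
      <url>git@github.com:newrelic/java_agent.git</url>
    </scm>
  </project>
XML

# Collect the text of the <scm> child elements Maven tooling commonly reads.
def scm_values(pom_xml)
  doc = REXML::Document.new(pom_xml)
  %w[connection developerConnection url].each_with_object({}) do |tag, out|
    node = REXML::XPath.first(doc, "/project/scm/#{tag}")
    out[tag] = node.text.strip if node&.text
  end
end

# Normalise the usual Maven SCM spellings of a GitHub location
# (scm:git: prefix, git@ SSH form, ssh://, git://, https://) to the
# browsable https URL a changelog link would carry. Returns nil when the
# value does not point at github.com.
def github_url_from_scm(value)
  return nil if value.nil?
  v = value.sub(/\Ascm:(git|github):/, "") # drop the Maven SCM provider prefix
  m = v.match(%r{\A(?:git@|ssh://git@|https?://|git://)?github\.com[:/]([^/]+)/([^/]+?)(?:\.git)?/?\z})
  return nil unless m
  "https://github.com/#{m[1]}/#{m[2]}"
end

# Every distinct GitHub repository a published pom would disclose.
def disclosed_github_repos(pom_xml)
  scm_values(pom_xml).values.map { |v| github_url_from_scm(v) }.compact.uniq
end

if $PROGRAM_NAME == __FILE__
  disclosed_github_repos(SAMPLE_POM).each { |u| puts "pom.xml discloses: #{u}" }
end
```

Run it against the pom of each module you publish; any URL it prints is one that Maven-aware tooling, Dependabot included, may surface in public changelog links.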