`updates.registries: "*"` incorrectly reported as invalid
SvenStaehs opened this issue · comments
Issue
false positive:
| keyword | message | dataPath |
| ------- | ------- | -------- |
| type | should be array | .updates[0].registries |
| type | should be array | .updates[1].registries |
Cause
According to the new schema introduced with #648, the "registries" property of the "update" section should be an array:

```json
"registries": {
  "type": "array",
  "items": {
    "type": "string",
    "minLength": 1
  },
  "uniqueItems": true,
  "minItems": 1
},
```
But Dependabot also accepts a string value of `"*"` with the special meaning "allow access to all private registries" (the default is to refuse access). From the docs:
> You can allow all of the defined registries to be used by setting registries to `"*"`
There is an example usage as well:
```yaml
updates:
  - package-ecosystem: "bundler"
    directory: "/rubygems-server"
    insecure-external-code-execution: allow
    registries: "*"
```
If `"*"` is given as an array element, Dependabot takes this to mean "registry with the name '*'" and fails.
Workaround:
- explicitly state all registries by name; this has several drawbacks
- stay at version 2.1.0 😉
Solution:
Schema needs fixing so it correctly states that it can be an array or the string `"*"`, but I have no idea who maintains those schema files (and whether that's even possible?)
hm, I did find the commit that introduced this incomplete entry in the schema file. Maybe I can find the time to propose a PR, if I can find out how to write "can be an array of strings or the single string `"*"`" 😬
schema is fixed, validator works without this false positive now 👍
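
The shape asked for in this issue ("an array of strings or the single string `"*"`") can be written in JSON Schema with `anyOf`. The following is an added example, not the fix that went into the schema and not code from the validator project; the `not` rule that rejects `"*"` as an array element, the `validate` and `checkUpdates` helpers, and the sample config are assumptions made for illustration.

```javascript
// Added example, not the validator project's code. The array branch is the
// schema quoted in the issue; the "*" branch and the `not` rule are assumptions.
const registriesSchema = {
  anyOf: [
    { type: "string", const: "*" }, // wildcard: all defined registries
    {
      type: "array",
      // "*" inside an array would be read as a registry literally named "*"
      items: { type: "string", minLength: 1, not: { const: "*" } },
      uniqueItems: true,
      minItems: 1,
    },
  ],
};

// Minimal validator for only the keywords used above (hypothetical helper).
function validate(schema, data, dataPath = "") {
  const err = (keyword, message) => [{ keyword, message, dataPath }];
  if (schema.anyOf) {
    const ok = schema.anyOf.some((s) => validate(s, data, dataPath).length === 0);
    return ok ? [] : err("anyOf", "should match some schema in anyOf");
  }
  const actual = Array.isArray(data) ? "array" : typeof data;
  if (schema.type && actual !== schema.type) return err("type", `should be ${schema.type}`);
  if ("const" in schema && data !== schema.const) return err("const", "should be equal to constant");
  if (schema.not && validate(schema.not, data, dataPath).length === 0) return err("not", "should NOT be valid");
  if (actual === "string" && data.length < (schema.minLength ?? 0)) return err("minLength", "too short");
  if (actual !== "array") return [];
  if (data.length < (schema.minItems ?? 0)) return err("minItems", "too few items");
  if (schema.uniqueItems && new Set(data).size !== data.length) return err("uniqueItems", "duplicate items");
  return data.flatMap((item, i) => validate(schema.items ?? {}, item, `${dataPath}[${i}]`));
}

// Validate the registries value of every entry in a parsed dependabot.yml object.
function checkUpdates(config) {
  return (config.updates ?? []).flatMap((u, i) =>
    "registries" in u ? validate(registriesSchema, u.registries, `.updates[${i}].registries`) : []
  );
}

// Constructed sample: parsed form of a dependabot.yml with three update entries.
const sampleConfig = {
  updates: [
    { "package-ecosystem": "bundler", directory: "/rubygems-server", registries: "*" },
    { "package-ecosystem": "npm", directory: "/", registries: ["npm-private"] },
    { "package-ecosystem": "npm", directory: "/web", registries: ["*"] },
  ],
};
console.log(checkUpdates(sampleConfig));
```

Only the third entry is reported: the bare string `"*"` and the explicit name list both pass, while `["*"]` is flagged before Dependabot would look for a registry named `*`.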