marocchino / validate-dependabot

validate dependabot yaml

`updates.registries: "*"` incorrectly reported as invalid

SvenStaehs opened this issue · comments

Issue

false positive:

| keyword | message | dataPath |
| ------- | ------- | -------- |
| type | should be array | .updates[0].registries |
| type | should be array | .updates[1].registries |

Cause

According to the new schema introduced with #648, the "registries" property of the "update" section should be an array:

        "registries": {
          "type": "array",
          "items": {
            "type": "string",
            "minLength": 1
          },
          "uniqueItems": true,
          "minItems": 1
        },

But Dependabot also accepts a string value of "*" with the special meaning "allow access to all private registries" (the default is to refuse access). From the docs:

You can allow all of the defined registries to be used by setting registries to "*"

There is an example usage as well:

updates:
  - package-ecosystem: "bundler"
    directory: "/rubygems-server"
    insecure-external-code-execution: allow
    registries: "*"

If "*" is given as an array element, Dependabot takes this to mean "registry with the name '*'" and fails.

Workaround:

  • explicitly state all registries by name; this has several drawbacks
  • stay at version 2.1.0 😉

Solution:

Schema needs fixing so it correctly states that it can be an array or the string "*", but I have no idea who maintains those schema files (and whether that's even possible?)
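As an added illustration (not code from validate-dependabot or Dependabot), the following mirrors the `updates[i].registries` rule before and after the fix requested here, reporting rows in the same `keyword | message | dataPath` shape as the table above. The corrected rule is written as a JSON Schema `anyOf` (array branch or the literal string "*"); that is my assumption about how to express it, and the error messages are modeled on the report, not copied from a real validator.

```python
# Added example, not the project's own code: check `updates[i].registries`
# against the schema fragment from the issue (OLD) and an assumed corrected
# fragment (NEW) that also accepts the single string "*".
from typing import Any

# Schema fragment quoted in the issue: array of unique, non-empty strings.
OLD_REGISTRIES_SCHEMA = {
    "type": "array",
    "items": {"type": "string", "minLength": 1},
    "uniqueItems": True,
    "minItems": 1,
}

# Assumed corrected fragment: the same array, or the literal string "*".
NEW_REGISTRIES_SCHEMA = {"anyOf": [OLD_REGISTRIES_SCHEMA, {"type": "string", "const": "*"}]}


def _check_array(value: Any, path: str) -> list[tuple[str, str, str]]:
    """Validate the array branch; returns (keyword, message, dataPath) rows."""
    if not isinstance(value, list):
        return [("type", "should be array", path)]
    errors = []
    if len(value) < 1:
        errors.append(("minItems", "should NOT have fewer than 1 items", path))
    for i, item in enumerate(value):
        if not isinstance(item, str):
            errors.append(("type", "should be string", f"{path}[{i}]"))
        elif len(item) < 1:
            errors.append(("minLength", "should NOT be shorter than 1 characters", f"{path}[{i}]"))
    if len(set(map(str, value))) != len(value):
        errors.append(("uniqueItems", "should NOT have duplicate items", path))
    return errors


def check_registries(config: dict, fixed: bool = True) -> list[tuple[str, str, str]]:
    """Report errors for every updates[i].registries; fixed=False reproduces the old rule."""
    errors = []
    for i, update in enumerate(config.get("updates", [])):
        if "registries" not in update:
            continue  # optional property, nothing to check
        value, path = update["registries"], f".updates[{i}].registries"
        if fixed and value == "*":
            continue  # the `const: "*"` branch of anyOf matches
        errors.extend(_check_array(value, path))
    return errors


# Constructed config modeled on the example in the issue.
CONFIG = {"updates": [
    {"package-ecosystem": "bundler", "directory": "/rubygems-server", "registries": "*"},
    {"package-ecosystem": "npm", "directory": "/", "registries": ["npm-github", "npm-azure"]},
]}

if __name__ == "__main__":
    print(check_registries(CONFIG, fixed=False))  # the false positive on update 0
    print(check_registries(CONFIG))               # [] with the corrected rule
```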

hm, I did find the commit that introduced this incomplete entry in the schema file. Maybe I can find the time to propose a PR, if I can find out how to write can be an array of strings or the single string "*" 😬

schema is fixed, validator works without this false positive now 👍