SEAB-6342: Ignore frozen cwltool dependencies by ll5zh · Pull Request #5870 · dockstore/dockstore · GitHub

SEAB-6342: Ignore frozen cwltool dependencies #5870


Merged: 2 commits, Apr 15, 2024

Conversation

@ll5zh (Contributor) commented Apr 12, 2024

Description
We want cwltool dependencies to be ignored when Dependabot makes dependency updates.

After taking a look with @denis-yuen, it appeared that package-ecosystem: "pip" was only opening PRs for cwltool dependencies and wasn't actually maintaining Swagger UI dependencies, contrary to what this comment suggests. If this is the case, then removing the pip package manager altogether should get rid of unwanted PRs associated with cwltool dependencies.

Review Instructions
Confirm (or deny) that Dependabot's pip updates are solely for cwltool dependencies (which we want to freeze), and that pip can be removed from dependabot.yml.

If we do need to keep the pip package manager: this workaround (suggested in the ticket) involves specifying a directory for Dependabot to ignore (via directory: "/directory-to-exclude"). What would be our "directory-to-exclude", in order to ignore cwltool dependencies?

Issue
SEAB-6342

Security and Privacy

If there are any concerns that require extra attention from the security team, highlight them here and check the box when complete.

  • Security and Privacy assessed

e.g. Does this change...

  • Any user data we collect, or data location?
  • Access control, authentication or authorization?
  • Encryption features?

Please make sure that you've checked the following before submitting your pull request. Thanks!

  • Check that you pass the basic style checks and unit tests by running mvn clean install
  • Ensure that the PR targets the correct branch. Check the milestone or fix version of the ticket.
  • Follow the existing JPA patterns for queries, using named parameters, to avoid SQL injection
  • If you are changing dependencies, check the Snyk status check or the dashboard to ensure you are not introducing new high/critical vulnerabilities
  • Assume that inputs to the API can be malicious, and sanitize and/or check for Denial of Service type values, e.g., massive sizes
  • Do not serve user-uploaded binary images through the Dockstore API
  • Ensure that endpoints that only allow privileged access enforce that with the @RolesAllowed annotation
  • Do not create cookies, although this may change in the future
  • If this PR is for a user-facing feature, create and link a documentation ticket for this feature (usually in the same milestone as the linked issue). Style points if you create a documentation PR directly and link that instead.

@ll5zh ll5zh self-assigned this Apr 12, 2024
codecov bot commented Apr 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.49%. Comparing base (7347da6) to head (1081bd5).

Additional details and impacted files
@@            Coverage Diff             @@
##             develop    #5870   +/-   ##
==========================================
  Coverage      74.49%   74.49%           
  Complexity      5244     5244           
==========================================
  Files            368      368           
  Lines          18945    18945           
  Branches        1992     1992           
==========================================
  Hits           14114    14114           
  Misses          3880     3880           
  Partials         951      951           
Flag                                    Coverage   Δ
bitbuckettests                          27.22%     <ø> (-0.02%) ⬇️
integrationtests                        58.91%     <ø> (ø)
languageparsingtests                    11.08%     <ø> (ø)
localstacktests                         21.71%     <ø> (ø)
toolintegrationtests                    30.62%     <ø> (ø)
unit-tests_and_non-confidential-tests   28.58%     <ø> (ø)
workflowintegrationtests                38.88%     <ø> (ø)


@ll5zh ll5zh requested review from coverbeck and denis-yuen April 12, 2024 20:04
@denis-yuen (Member) commented, quoting the review instructions:

> What would be our "directory-to-exclude", in order to ignore cwltool dependencies?

We'd want to ignore https://github.com/dockstore/dockstore/tree/develop/dockstore-webservice/src/main/resources/requirements/1.13.0 and https://github.com/dockstore/dockstore/tree/develop/dockstore-webservice/src/main/resources/requirements/1.14.0

That said, after looking at that directory, interestingly I see https://github.com/dockstore/dockstore/blob/develop/dockstore-webservice/src/main/resources/requirements/swagger-ui/requirements.properties but because of the way templating is being used, I doubt dependabot will work.

So let's give this a shot
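The two alternatives discussed in this thread, written out as a Dependabot v2 configuration. This is an added illustration, not dockstore's actual `.github/dependabot.yml`: the `maven` entry is an assumed stand-in for whatever non-pip ecosystems the real file keeps (the project builds with `mvn clean install`, so Maven is a plausible one), and the schedule intervals are made up. The `requirements/1.13.0`, `requirements/1.14.0` and `requirements/swagger-ui` paths are the ones named in the review comment above.

```yaml
# Added example (not the project's own dependabot.yml). Shows the option the
# PR takes (A) next to the fallback raised in the review instructions (B).
version: 2
updates:
  # Option A (what this PR does): drop the "pip" ecosystem entirely. With no
  # pip entry, the frozen cwltool requirement files under
  #   dockstore-webservice/src/main/resources/requirements/1.13.0
  #   dockstore-webservice/src/main/resources/requirements/1.14.0
  # are never scanned, so no more unwanted cwltool update PRs. Only non-pip
  # ecosystems remain; "maven" here is an assumed placeholder.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"   # assumed value

  # Option B (if pip had to stay): Dependabot's `directory` key names where
  # the package manifests live, i.e. it is an include rather than an exclude.
  # The practical way to leave the cwltool directories alone is therefore to
  # point `directory` only at the path whose dependencies you DO want
  # updated. The swagger-ui directory is the candidate from the review
  # comment; whether Dependabot can read its templated requirements.properties
  # is the open question raised there. Left commented out because the PR
  # chose option A.
  # - package-ecosystem: "pip"
  #   directory: "/dockstore-webservice/src/main/resources/requirements/swagger-ui"
  #   schedule:
  #     interval: "weekly"   # assumed value
```

A quick way to confirm which option is in effect after merging is to check the repository's Dependabot "Insights > Dependency graph > Dependabot" tab: with option A there should be no pip job listed at all, and with option B the pip job should report only the scoped directory.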

@ll5zh ll5zh merged commit 600809d into develop Apr 15, 2024
@ll5zh ll5zh deleted the seab-6342/ignore-pip-dependencies branch April 15, 2024 17:03