feat(npm)!: drop transitiveRemediation option (#27985)

This option only worked for npm <7, which is now EOL.

BREAKING CHANGE: Transitive remediation for npm <7 is no longer supported.

docs/usage/configuration-options.md

@@ -3828,15 +3828,6 @@ The above config will suppress the comment which is added to a PR whenever you c
 It is only recommended to configure this field if you wish to use the `schedules` feature and want to write them in your local timezone.
 Please see the above link for valid timezone names.
 
-## transitiveRemediation
-
-When enabled, Renovate tries to remediate vulnerabilities even if they exist only in transitive dependencies.
-
-Applicable only for GitHub platform (with vulnerability alerts enabled) and `npm` manager.
-When the `lockfileVersion` is higher than `1` in `package-lock.json`, remediations are only possible when changes are made to `package.json`.
-
-This is considered a feature flag with the aim to remove it and default to this behavior once it has been more widely tested.
-
 ## updateInternalDeps
 
 Renovate defaults to skipping any internal package dependencies within monorepos.

lib/config/migrations/migrations-service.ts

@@ -71,6 +71,7 @@ export class MigrationsService {
     'maintainYarnLock',
     'statusCheckVerify',
     'supportPolicy',
+    'transitiveRemediation',
     'yarnCacheFolder',
     'yarnMaintenanceBranchName',
     'yarnMaintenanceCommitMessage',

lib/config/options/index.ts

@@ -2017,14 +2017,6 @@ const options: RenovateOptions[] = [
     parents: ['customDatasources'],
     default: [],
   },
-  {
-    name: 'transitiveRemediation',
-    description: 'Enable remediation of transitive dependencies.',
-    type: 'boolean',
-    default: false,
-    supportedManagers: ['npm'],
-    supportedPlatforms: ['github'],
-  },
   {
     name: 'vulnerabilityAlerts',
     description:

lib/modules/manager/npm/post-update/index.spec.ts

@@ -615,23 +615,6 @@ describe('modules/manager/npm/post-update/index', () => {
       });
     });
 
-    it('skip transitive remediation', async () => {
-      expect(
-        await getAdditionalFiles(
-          {
-            ...baseConfig,
-            upgrades: [{ isVulnerabilityAlert: true }],
-            transitiveRemediation: true,
-            updateLockFiles: true,
-          },
-          additionalFiles,
-        ),
-      ).toStrictEqual({
-        artifactErrors: [],
-        updatedArtifacts: [],
-      });
-    });
-
     it('fails for npm', async () => {
       spyNpm.mockResolvedValueOnce({ error: true, stderr: 'some-error' });
       expect(

lib/modules/manager/npm/post-update/index.ts

@@ -441,16 +441,6 @@ export async function getAdditionalFiles(
     logger.debug('Skipping lock file generation');
     return { artifactErrors, updatedArtifacts };
   }
-  if (
-    !config.updatedPackageFiles?.length &&
-    config.transitiveRemediation &&
-    config.upgrades?.every(
-      (upgrade) => upgrade.isRemediation ?? upgrade.isVulnerabilityAlert,
-    )
-  ) {
-    logger.debug('Skipping lock file generation for remediations');
-    return { artifactErrors, updatedArtifacts };
-  }
   if (
     config.reuseExistingBranch &&
     !config.updatedPackageFiles?.length &&

lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap

@@ -154,22 +154,3 @@ Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validati
   },
 ]
 `;
-
-exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns remediations 1`] = `
-{
-  "backend/package-lock.json": [
-    {
-      "currentVersion": "1.8.2",
-      "datasource": "npm",
-      "depName": "electron",
-      "newVersion": "1.8.3",
-      "prBodyNotes": [
-        "### GitHub Vulnerability Alerts",
-        "#### [GHSA-8xwg-wv7v-4vqp](https://nvd.nist.gov/vuln/detail/CVE-2018-1000136)
-
-Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.",
-      ],
-    },
-  ],
-}
-`;

lib/workers/repository/init/vulnerability.spec.ts

@@ -367,78 +367,5 @@ describe('workers/repository/init/vulnerability', () => {
       expect(res.packageRules).toMatchSnapshot();
       expect(res.packageRules).toHaveLength(1);
     });
-
-    it('returns remediations', async () => {
-      config.transitiveRemediation = true;
-      // TODO #22198
-      delete config.vulnerabilityAlerts!.enabled;
-      platform.getVulnerabilityAlerts.mockResolvedValue([
-        partial<VulnerabilityAlert>(),
-        {
-          dismissReason: null,
-          vulnerableManifestFilename: 'package-lock.json',
-          vulnerableManifestPath: 'backend/package-lock.json',
-          vulnerableRequirements: '= 1.8.2',
-          securityAdvisory: {
-            description:
-              'Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.',
-            identifiers: [{ type: 'GHSA', value: 'GHSA-8xwg-wv7v-4vqp' }],
-            references: [
-              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-1000136' },
-            ],
-            severity: 'HIGH',
-          },
-          securityVulnerability: {
-            package: { name: 'electron', ecosystem: 'NPM' },
-            firstPatchedVersion: { identifier: '1.8.3' },
-            vulnerableVersionRange: '>= 1.8, < 1.8.3',
-          },
-        },
-      ]);
-      const res = await detectVulnerabilityAlerts(config);
-      expect(res.packageRules).toHaveLength(1);
-      expect(res.remediations).toMatchSnapshot({
-        'backend/package-lock.json': [
-          {
-            currentVersion: '1.8.2',
-            datasource: 'npm',
-            depName: 'electron',
-            newVersion: '1.8.3',
-          },
-        ],
-      });
-    });
-
-    it('ignores unsupported remediation file types', async () => {
-      config.transitiveRemediation = true;
-      // TODO #22198
-      delete config.vulnerabilityAlerts!.enabled;
-      platform.getVulnerabilityAlerts.mockResolvedValue([
-        partial<VulnerabilityAlert>(),
-        {
-          dismissReason: null,
-          vulnerableManifestFilename: 'package.json',
-          vulnerableManifestPath: 'backend/package.json',
-          vulnerableRequirements: '= 1.8.2',
-          securityAdvisory: {
-            description:
-              'Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.',
-            identifiers: [{ type: 'GHSA', value: 'GHSA-8xwg-wv7v-4vqp' }],
-            references: [
-              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-1000136' },
-            ],
-            severity: 'HIGH',
-          },
-          securityVulnerability: {
-            package: { name: 'electron', ecosystem: 'NPM' },
-            firstPatchedVersion: { identifier: '1.8.3' },
-            vulnerableVersionRange: '>= 1.8, < 1.8.3',
-          },
-        },
-      ]);
-      const res = await detectVulnerabilityAlerts(config);
-      expect(res.packageRules).toHaveLength(1);
-      expect(res.remediations).toBeEmptyObject();
-    });
   });
 });

lib/workers/repository/init/vulnerability.ts

@@ -218,45 +218,16 @@ export async function detectVulnerabilityAlerts(
             matchCurrentVersion,
             matchFileNames,
           };
-          const supportedRemediationFileTypes = ['package-lock.json'];
-          if (
-            config.transitiveRemediation &&
-            supportedRemediationFileTypes.includes(val.fileType!)
-          ) {
-            const remediations = config.remediations as Record<
-              string,
-              unknown[]
-            >;
-            remediations[fileName] ??= [];
-            const currentVersion = matchCurrentVersion.replace('=', '').trim();
-            const newVersion = allowedVersions;
-            const remediation = {
-              datasource,
-              depName,
-              currentVersion,
-              newVersion,
-              prBodyNotes,
-            };
-            remediations[fileName].push(remediation);
-          } else {
-            // Remediate only direct dependencies
-            matchRule = {
-              ...matchRule,
-              allowedVersions,
-              prBodyNotes,
-              isVulnerabilityAlert: true,
-              force: {
-                ...config.vulnerabilityAlerts,
-              },
-            };
-            // istanbul ignore if
-            if (
-              config.transitiveRemediation &&
-              matchRule.matchFileNames?.[0] === 'package.json'
-            ) {
-              matchRule.force!.rangeStrategy = 'replace';
-            }
-          }
+          // Remediate only direct dependencies
+          matchRule = {
+            ...matchRule,
+            allowedVersions,
+            prBodyNotes,
+            isVulnerabilityAlert: true,
+            force: {
+              ...config.vulnerabilityAlerts,
+            },
+          };
           alertPackageRules.push(matchRule);
         }
       }