Could renovatebot be used to fix issues caused by "Dependency Confusion" #8697
Replies: 1 comment
I've dived into this topic to a medium level in the past week. The core problem I see is that, when private registries are in use, package managers are doing something "unexpected" (even if documented) compared to what people expect, so fundamentally a tool like Renovate can't fix such a problem. Additionally, Renovate does its version resolution logic internally (not using the package managers directly), so there'd be a high chance that Renovate has false positives or negatives compared to the actual package manager behavior. But you're right that maybe there's something we can do to help.

Something relevant is that Renovate also supports the concept of "merging" results from multiple registries, here's which ones specifically:

So for example Renovate could potentially warn if merged results contain a mix of public and private packages. We don't have that awareness just yet, but it's on our todo list to have each datasource return

One challenge: if all we do is warn, then the problem might be too late. People might want us to block upgrading from private to public unless expressly configured to do so. This assumes:
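As an added illustration of the warn-versus-block idea in the reply above (example code, not Renovate's own implementation): a merged lookup over a private and a public registry is modelled with a constructed data shape, and an upgrade that would move a package from a private source to a public one is blocked unless expressly allowed. The `Release` model, function names and registry URLs are assumptions for this sketch.

```python
from dataclasses import dataclass

# Hypothetical model of one merged lookup result: each candidate version
# is tagged with the registry it came from and whether that registry is
# private. This is a constructed shape, not Renovate's datasource format.
@dataclass(frozen=True)
class Release:
    version: tuple      # parsed as (major, minor, patch)
    registry: str
    private: bool

def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

def merge_lookup(results: dict) -> list:
    """results: {registry_url: (is_private, [version, ...])} -> [Release]"""
    releases = []
    for registry, (private, versions) in results.items():
        for v in versions:
            releases.append(Release(parse_version(v), registry, private))
    return releases

def assess_upgrade(current: str, releases: list, allow_private_to_public=False):
    """Return (decision, newest_version, newest_registry).

    decision is 'block' when the newest candidate comes from a public registry
    while the currently used version is served by a private one (the
    dependency-confusion pattern), 'warn' when that crossing is expressly
    allowed or when merged results merely mix private and public sources,
    and 'ok' otherwise.
    """
    if not releases:
        return "ok", None, None
    cur = parse_version(current)
    current_is_private = any(r.private for r in releases if r.version == cur)
    newest = max(releases, key=lambda r: r.version)
    mixed = any(r.private for r in releases) and any(not r.private for r in releases)
    if newest.version > cur and current_is_private and not newest.private:
        decision = "warn" if allow_private_to_public else "block"
    elif mixed:
        decision = "warn"
    else:
        decision = "ok"
    return decision, ".".join(map(str, newest.version)), newest.registry

# Constructed sample: an internal package whose name is also served, with a
# much higher version, by the public registry.
SAMPLE_RESULTS = {
    "https://npm.example.internal/": (True, ["1.2.0", "1.3.0"]),
    "https://registry.npmjs.org/": (False, ["1.0.0", "99.0.0"]),
}
```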
Hi.
Very open question and not especially thought through, but I wanted to bring up an idea I got.
I think most know about the dependency confusion discussion that is going. Here's the blog that kicked off a lot of activity at work: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Basically I now need to go through 100+ repos and look for vulnerabilities in the dependency setup in NPM, gradle, sbt, gradle (kotlin), PIP, gem and so on.
I thought, since renovate bot is already looking through the dependencies in most of my repos, could renovate find these issues for me? Should it find it for me, or is it out of the scope for renovatebot?
Some of the issues we have identified so far:
I realize this could well be out of scope for renovatebot, but renovate bot solves a tricky problem: traversing git repos and parsing the build scripts. So if out of scope, could I hook on my own logic to the renovate bot somewhat easily?