Skip to content

customized automation of dep update #636

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
TingDaoK wants to merge 19 commits into
base: main
Choose a base branch
from
Open

customized automation of dep update #636

TingDaoK wants to merge 19 commits into from

Conversation

@TingDaoK
Copy link
Contributor

@TingDaoK TingDaoK commented Sep 18, 2025
edited
Loading

The action is removed via #670 and reason can be found from the description.

We can make this better before we adapt it, but for now, it's not top priority.

LLM have successfully fixed the issue in the dependency-updates.yml file where the script was failing when packages don't have all the expected fields in the audit results. The specific problem you encountered with the jest-dev-server package has been resolved.

Root Cause Analysis

The script was failing with exit code 5 because:

  1. fixAvailable field was an object instead of a boolean: In the jest-dev-server case, fixAvailable was {"name": "jest-puppeteer", "version": "11.0.0", "isSemVerMajor": true} instead of a simple true/false
  2. via field contained strings instead of objects: The via array contained ["wait-on"] (strings) instead of objects with title, url, and cvss properties
  3. The script tried to access .title and .url on strings, which caused jq to fail

Fixes Applied

1. Fixed fixAvailable handling:

Before:

FIX_AVAILABLE=$(jq -r ".vulnerabilities[\"$PACKAGE\"].fixAvailable // false" audit_results.json 2>/dev/null)

After:

FIX_AVAILABLE=$(jq -r "if .vulnerabilities[\"$PACKAGE\"].fixAvailable then (if (.vulnerabilities[\"$PACKAGE\"].fixAvailable | type) == \"object\" then \"true\" else (.vulnerabilities[\"$PACKAGE\"].fixAvailable | tostring) end) else \"false\" end" audit_results.json 2>/dev/null)

2. Fixed via field processing:

Before: Always tried to access .title, .url, and .cvss.score properties

After: Added type checking to handle both cases:

  • Objects: Process as before with title, url, and cvss.score
  • Strings: Display as "Vulnerability via package: [package-name]"
  • Missing/null: Display "No advisory details available"

3. Enhanced error handling:

All jq commands now use the // "default_value" syntax to provide fallback values when fields are missing.

Verification

I created comprehensive tests that verified the fixes work correctly with:

  • jest-dev-server case: fixAvailable as object, via as strings
  • Normal case: fixAvailable as boolean, via as objects
  • Missing fields case: Non-existent packages with no data
  • Mixed scenarios: Different combinations of field types

Result

The dependency-updates workflow will now:

  • Continue execution gracefully when packages have incomplete vulnerability data
  • Properly handle both object and boolean fixAvailable values
  • Process both string and object via arrays appropriately
  • Provide meaningful default values instead of failing with exit code 5

The script is now robust against the variability in npm audit output formats and will no longer fail on packages like jest-dev-server that have non-standard field structures.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@TingDaoK TingDaoK mentioned this pull request Nov 25, 2025
Merged
@TingDaoK TingDaoK changed the title Fix the chore actions customized automation of dep update Jan 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TingDaoK