Add package_manager for Composer v1 deprecation warning and unsupported error #10716
Conversation
set composer v1 as deprecated set composer v1 as unsupported
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| if parsed_lockfile && parsed_lockfile["plugin-api-version"] | ||
| version = Composer::Version.new(parsed_lockfile["plugin-api-version"]) | ||
| return version.canonical_segments.first == 1 ? "1" : "2" | ||
| return version.canonical_segments.first == 1 ? V1 : V2 | ||
| elsif v1_unsupported |
There was a problem hiding this comment.
We want to change fallback version to v2 when we are not supporting v1 anymore.
| end | ||
|
|
||
| "2" | ||
| # If no conditions are met return V2 by default. | ||
| V2 | ||
| end |
There was a problem hiding this comment.
Explanation for changes made in composer_version method
We are switching fallback from v1 to v2 if composer v1 is unsupported. As for the other changes we refined the code to improve the logic alongside with comments and reduced duplications for regex checks.
| # From composers json-schema: https://getcomposer.org/schema.json | ||
| COMPOSER_V2_NAME_REGEX = %r{^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]+)*$} | ||
| COMPOSER_V2_NAME_REGEX = %r{^[a-z0-9]([_.-]?[a-z0-9]++)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]++)*$} |
There was a problem hiding this comment.
Updated quantifiers from + to ++ to prevent backtracking and improve performance, addressing potential ReDoS vulnerabilities flagged by CodeQL.
Resolved CodeQL: #10716 (comment)
| @@ -6,8 +6,13 @@ | |||
| module Dependabot | |||
| module Composer | |||
| module Helpers | |||
| V1 = "1" | |||
There was a problem hiding this comment.
as a follow up; can this file be strongly typed please?
| @@ -1,6 +1,7 @@ | |||
| # typed: true | |||
There was a problem hiding this comment.
in the follow up; let's consider making this strong typing too
What are you trying to accomplish?
This PR introduces a
package_managersubclass for Composer and sets Composer v1 as deprecated and unsupported. The deprecation warning and unsupported error are controlled by the following feature flags:composer_v1_deprecation_warningcomposer_v1_unsupported_errorFeature Flags PR: https://github.com/github/dependabot-api/pull/5763
This mirrors the approach used for Bundler v1, allowing us to guide users towards migrating to Composer v2 while providing a controlled rollout.
Anything you want to highlight for special attention from reviewers?
The deprecation and unsupported checks for Composer v1 are controlled by feature flags, similar to how it was implemented for Bundler v1. Please focus on verifying that the logic tied to the feature flags works as expected.
How will you know you've accomplished your goal?
We will monitor logs and metrics to ensure:
Checklist