Skip to content

feat(dependabot): validator, tests and example config for issue #73 #87

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kallal79 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(dependabot): validator, tests and example config for issue #73 #87

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
version: 2
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Normalize file line endings to LF to satisfy YAMLlint.

Line 1 indicates CRLF newlines; YAMLlint expects \n and will fail until this file is normalized.

🧰 Tools
🪛 YAMLlint (1.38.0)

[error] 1-1: wrong new line character: expected \n

(new-lines)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml at line 1, The file contains CRLF line endings
causing YAMLlint to fail; normalize the file to use LF-only newlines (replace
CRLF with \n) so the "version: 2" YAML line ends with a LF; ensure your
editor/git config saves .github/dependabot.yml with Unix-style line endings (or
run a utility like dos2unix) and commit the normalized file.

updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: weekly
multi-ecosystem-groups:
"all-deps":
patterns:
- "*"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: monthly

groups:
"frontend-backend":
patterns:
- "@myorg/frontend*"
- "@myorg/backend*"
4 changes: 4 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,10 @@ _minted*
# nomencl
*.nlg
*.nlo

# Node dependencies
/node_modules

*.nls

# pax
Expand Down
17 changes: 17 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,23 @@ TODO: Complete applicable items based on your project type

---

## 🧰 Automation & CI

This repository includes a helper script to validate the
[Dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically) configuration
and ensure **groups or multi-ecosystem groups** are defined per issue
[#73](https://github.com/AOSSIE-Org/Template-Repo/issues/73).

Run the validator with Node:

```bash
node scripts/validate-dependabot.js
```

Tests for the validator are located under `tests/dependabot.test.js`
and executed via `npm test` (sample configuration is in
`.github/dependabot.yml`).

## 🔗 Repository Links

TODO: Update with your repository structure
Expand Down
14 changes: 14 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
{
"name": "template-repo",
"version": "0.1.0",
"private": true,
"scripts": {
"test": "vitest run",
"test:watch": "vitest",
"check": "echo \"No checks configured yet\""
},
"devDependencies": {
"vitest": "^1.0.0",
"js-yaml": "^4.1.0"
}
Comment on lines +10 to +13
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Confirm js-yaml is imported by runtime validator code:"
rg -n --type=js "require\\(['\"]js-yaml['\"]\\)|from ['\"]js-yaml['\"]" scripts

echo
echo "2) Confirm js-yaml is currently declared only in devDependencies:"
rg -n "\"dependencies\"|\"devDependencies\"|\"js-yaml\"" package.json -C2

Repository: AOSSIE-Org/Template-Repo

Length of output: 415

Move js-yaml to runtime dependencies.

js-yaml is required by scripts/validate-dependabot.js at runtime. Installing with npm install --omit=dev will fail with MODULE_NOT_FOUND.

Proposed fix 
 {
   "name": "template-repo",
   "version": "0.1.0",
   "private": true,
   "scripts": {
     "test": "vitest run",
     "test:watch": "vitest",
     "check": "echo \"No checks configured yet\""
   },
-  "devDependencies": {
-    "vitest": "^1.0.0",
-    "js-yaml": "^4.1.0"
-  }
+  "dependencies": {
+    "js-yaml": "^4.1.0"
+  },
+  "devDependencies": {
+    "vitest": "^1.0.0"
+  }
 }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"devDependencies": {
"vitest": "^1.0.0",
"js-yaml": "^4.1.0"
}
{
"name": "template-repo",
"version": "0.1.0",
"private": true,
"scripts": {
"test": "vitest run",
"test:watch": "vitest",
"check": "echo \"No checks configured yet\""
},
"dependencies": {
"js-yaml": "^4.1.0"
},
"devDependencies": {
"vitest": "^1.0.0"
}
}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 10 - 13, package.json currently lists "js-yaml"
under devDependencies but it's required at runtime by
scripts/validate-dependabot.js; move "js-yaml" from devDependencies to
dependencies by removing the "js-yaml" entry under devDependencies and adding it
under the dependencies object (preserve the version "^4.1.0"), then run npm
install to update lockfile so npm install --omit=dev won't fail; ensure
scripts/validate-dependabot.js still imports "js-yaml" without changes.

}
61 changes: 61 additions & 0 deletions scripts/validate-dependabot.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
const fs = require('fs');
const yaml = require('js-yaml');

/**
* Load dependabot configuration and check whether it contains
* either (1) top-level "groups" definitions, or (2) multi-ecosystem groups
* under "updates" entries.
*
* Returns an object {ok: boolean, issues: string[]} where ok is true if
* configuration satisfies the feature requirement (groups or multi-ecosystem groups).
*/
function validateDependabot(path = '.github/dependabot.yml') {
if (!fs.existsSync(path)) {
return { ok: false, issues: [`file not found: ${path}`] };
}
const raw = fs.readFileSync(path, 'utf-8');
let doc;
try {
doc = yaml.load(raw);
} catch (e) {
return { ok: false, issues: ['YAML parse error: ' + e.message] };
}

const issues = [];
// if the document isn't an object, treat as parse error
if (typeof doc !== 'object' || doc === null) {
return { ok: false, issues: ['YAML parse error: document is not an object'] };
}

// the structure: typically at root there's "updates" array.
if (!doc || !Array.isArray(doc.updates)) {
issues.push('missing updates array');
return { ok: false, issues };
}

// check if any update has groups or if there's top-level groups
let foundGroup = false;
if (doc.groups && Object.keys(doc.groups).length > 0) {
foundGroup = true;
}

for (const upd of doc.updates) {
if (upd.groups && Object.keys(upd.groups).length > 0) {
foundGroup = true;
}
if (upd['multi-ecosystem'] || upd['multi-ecosystem-groups']) {
foundGroup = true;
Comment on lines +42 to +47
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, examine the specific lines mentioned in the review
echo "=== File content around lines 42-47 ==="
sed -n '35,55p' scripts/validate-dependabot.js

echo ""
echo "=== Full file content ==="
wc -l scripts/validate-dependabot.js

echo ""
echo "=== Complete file ==="
cat -n scripts/validate-dependabot.js

Repository: AOSSIE-Org/Template-Repo

Length of output: 2983

Guard updates items against null/non-object values before property access.

Line 31 validates doc.updates is an array but does not check element types. If an update entry is null, undefined, or non-object, accessing upd.groups or upd['multi-ecosystem'] on lines 43 and 46 will throw a TypeError and crash the validation.

Proposed fix 
  for (const upd of doc.updates) {
+   if (!upd || typeof upd !== 'object') {
+     continue;
+   }
    if (upd.groups && Object.keys(upd.groups).length > 0) {
      foundGroup = true;
    }
    if (upd['multi-ecosystem'] || upd['multi-ecosystem-groups']) {
      foundGroup = true;
    }
  }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
for (const upd of doc.updates) {
if (upd.groups && Object.keys(upd.groups).length > 0) {
foundGroup = true;
}
if (upd['multi-ecosystem'] || upd['multi-ecosystem-groups']) {
foundGroup = true;
for (const upd of doc.updates) {
if (!upd || typeof upd !== 'object') {
continue;
}
if (upd.groups && Object.keys(upd.groups).length > 0) {
foundGroup = true;
}
if (upd['multi-ecosystem'] || upd['multi-ecosystem-groups']) {
foundGroup = true;
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@scripts/validate-dependabot.js` around lines 42 - 47, The loop over
doc.updates can crash if an element is null or not an object; before accessing
upd.groups or upd['multi-ecosystem'] in the for (const upd of doc.updates) loop,
guard each element with a type check (e.g., if (typeof upd !== 'object' || upd
=== null) continue) and only then perform the existing checks that set
foundGroup; update the checks around upd.groups and upd['multi-ecosystem'] (and
any other property reads on upd) to rely on that guard so the validator skips
invalid entries safely.

}
}

if (!foundGroup) {
issues.push('no groups or multi-ecosystem groups defined');
}

return { ok: foundGroup, issues };
}

// Export for tests
module.exports = {
validateDependabot,
};
Comment on lines +58 to +61
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get current working directory and list files
echo "=== Repository structure ==="
git ls-files | head -20

echo -e "\n=== Content of scripts/validate-dependabot.js ==="
cat -n scripts/validate-dependabot.js

echo -e "\n=== Check README for documented CLI usage ==="
if [ -f "README.md" ]; then
  rg -n "node scripts/validate-dependabot.js" README.md || echo "Pattern not found in README"
else
  echo "README.md not found"
fi

Repository: AOSSIE-Org/Template-Repo

Length of output: 3085

🏁 Script executed:

#!/bin/bash
# Let's see the context around line 129 in README to understand the documented usage
sed -n '120,140p' README.md

Repository: AOSSIE-Org/Template-Repo

Length of output: 757

Add a CLI entrypoint for the documented node scripts/validate-dependabot.js usage.

The README documents running the validator with node scripts/validate-dependabot.js, but the script currently only exports the validateDependabot function without a CLI entry point. Direct execution produces no output and doesn't report validation results or exit with a non-zero status code on failures.

Proposed fix 
 module.exports = {
   validateDependabot,
 };
+
+if (require.main === module) {
+  const result = validateDependabot(process.argv[2]);
+  if (!result.ok) {
+    for (const issue of result.issues) {
+      console.error(issue);
+    }
+    process.exit(1);
+  }
+  console.log('dependabot config is valid');
+}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// Export for tests
module.exports = {
validateDependabot,
};
// Export for tests
module.exports = {
validateDependabot,
};
if (require.main === module) {
const result = validateDependabot(process.argv[2]);
if (!result.ok) {
for (const issue of result.issues) {
console.error(issue);
}
process.exit(1);
}
console.log('dependabot config is valid');
}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@scripts/validate-dependabot.js` around lines 58 - 61, Add a CLI entrypoint so
running `node scripts/validate-dependabot.js` actually invokes the validator:
detect direct invocation (e.g. if require.main === module), call the exported
validateDependabot() function, print or console.log the validation results, and
ensure the process exits non-zero on failure (process.exit(1)) and zero on
success (process.exit(0)); update the module.exports block to keep exporting
validateDependabot while adding this execution guard and proper error handling
for thrown/rejected errors.

12 changes: 12 additions & 0 deletions setup.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
#!/usr/bin/env pwsh
Write-Host "Running setup (PowerShell)"
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

find . -name "setup.ps1" -type f

Repository: AOSSIE-Org/Template-Repo

Length of output: 79

🏁 Script executed:

cat -n setup.ps1

Repository: AOSSIE-Org/Template-Repo

Length of output: 512

Replace Write-Host with Write-Output for output portability.

Lines 2, 7, and 10 use Write-Host, which outputs directly to the host console and cannot be redirected or captured. Use Write-Output instead to support pipeline operations and script composition.

Proposed fix 
-Write-Host "Running setup (PowerShell)"
+Write-Output "Running setup (PowerShell)"
@@
-Write-Host "Installing npm dependencies..."
+Write-Output "Installing npm dependencies..."
@@
-Write-Host "Running tests..."
+Write-Output "Running tests..."
🧰 Tools
🪛 PSScriptAnalyzer (1.24.0)

[warning] 2-2: File 'setup.ps1' uses Write-Host. Avoid using Write-Host because it might not work in all hosts, does not work when there is no host, and (prior to PS 5.0) cannot be suppressed, captured, or redirected. Instead, use Write-Output, Write-Verbose, or Write-Information.

(PSAvoidUsingWriteHost)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@setup.ps1` at line 2, Replace all uses of Write-Host with Write-Output in
this script: change the three occurrences of Write-Host (the one at the top
"Running setup (PowerShell)" and the other two occurrences referenced in the
comment) to Write-Output so output is pipeline-friendly and can be
redirected/captured; ensure the messages and spacing remain identical and run a
quick test to confirm behavior is unchanged when redirected.

if (!(Test-Path package.json)) {
Write-Error "package.json not found. Aborting."
exit 1
}
Write-Host "Installing npm dependencies..."
npm install
if ($LASTEXITCODE -ne 0) { Write-Error "npm install failed"; exit $LASTEXITCODE }
Write-Host "Running tests..."
npm test
exit $LASTEXITCODE
11 changes: 11 additions & 0 deletions setup.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
#!/usr/bin/env bash
set -euo pipefail
echo "Running setup (bash)"
if [ ! -f package.json ]; then
echo "package.json not found. Aborting." >&2
exit 1
fi
echo "Installing npm dependencies..."
npm install
echo "Running tests..."
npm test
104 changes: 104 additions & 0 deletions tests/dependabot.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
import { describe, it, expect, beforeAll, afterAll } from 'vitest';
import fs from 'fs';
import path from 'path';
import { validateDependabot } from '../scripts/validate-dependabot.js';

// Helper to write temporary config
function writeConfig(content) {
const file = path.join(process.cwd(), '.github', 'dependabot.yml');
fs.mkdirSync(path.dirname(file), { recursive: true });
fs.writeFileSync(file, content);
}

function removeConfig() {
const file = path.join(process.cwd(), '.github', 'dependabot.yml');
if (fs.existsSync(file)) fs.unlinkSync(file);
}
Comment on lines +7 to +16
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Do not mutate the real .github/dependabot.yml in tests.

These tests currently overwrite and delete repository config files; use an isolated temporary file path and pass it to validateDependabot(testPath).

Proposed fix (isolate test fixture path) 
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 import fs from 'fs';
 import path from 'path';
+import os from 'os';
 import { validateDependabot } from '../scripts/validate-dependabot.js';
 
+const TEST_DIR = fs.mkdtempSync(path.join(os.tmpdir(), 'dependabot-validator-'));
+const TEST_CONFIG = path.join(TEST_DIR, 'dependabot.yml');
+
 // Helper to write temporary config
 function writeConfig(content) {
-  const file = path.join(process.cwd(), '.github', 'dependabot.yml');
-  fs.mkdirSync(path.dirname(file), { recursive: true });
-  fs.writeFileSync(file, content);
+  fs.mkdirSync(path.dirname(TEST_CONFIG), { recursive: true });
+  fs.writeFileSync(TEST_CONFIG, content);
 }
 
 function removeConfig() {
-  const file = path.join(process.cwd(), '.github', 'dependabot.yml');
-  if (fs.existsSync(file)) fs.unlinkSync(file);
+  if (fs.existsSync(TEST_CONFIG)) fs.unlinkSync(TEST_CONFIG);
 }
@@
-    const result = validateDependabot();
+    const result = validateDependabot(TEST_CONFIG);

Also applies to: 19-21, 23-103

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@tests/dependabot.test.js` around lines 7 - 16, The tests currently mutate the
repo’s real .github/dependabot.yml via writeConfig and removeConfig; change them
to create and operate on an isolated temporary directory (e.g., using fs.mkdtemp
or a temp helper) and construct the test config path (tempDir +
'/.github/dependabot.yml') instead of process.cwd(); update calls to
validateDependabot() to pass that testPath (validateDependabot(testPath)) so the
functions writeConfig and removeConfig accept and use a filePath parameter or
are replaced by helpers that take the tempDir, ensuring no real repository files
are overwritten.


describe('dependabot configuration validation', () => {
afterAll(() => {
removeConfig();
});

it('fails when file is missing', () => {
removeConfig();
const result = validateDependabot();
expect(result.ok).toBe(false);
expect(result.issues).toContain('file not found: .github/dependabot.yml');
});

it('fails with malformed yaml', () => {
writeConfig('::notyaml');
const result = validateDependabot();
expect(result.ok).toBe(false);
expect(result.issues[0]).toMatch(/YAML parse error/);
});

it('fails when no updates array', () => {
writeConfig('version: 2');
const result = validateDependabot();
expect(result.ok).toBe(false);
expect(result.issues).toContain('missing updates array');
});

it('fails when no groups or multi-ecosystem groups', () => {
writeConfig(`version: 2
updates:
- package-ecosystem: npm
directory: "/"
schedule:
interval: daily
`);
const result = validateDependabot();
expect(result.ok).toBe(false);
expect(result.issues).toContain('no groups or multi-ecosystem groups defined');
});

it('passes when top-level groups defined', () => {
writeConfig(`version: 2
updates:
- package-ecosystem: npm
directory: "/"
schedule:
interval: weekly
groups:
"all":
patterns:
- "*"
`);
const result = validateDependabot();
expect(result.ok).toBe(true);
});

it('passes when an update has groups', () => {
writeConfig(`version: 2
updates:
- package-ecosystem: maven
directory: "/"
schedule:
interval: monthly
groups:
"java":
patterns:
- "org.apache.*"
`);
const result = validateDependabot();
expect(result.ok).toBe(true);
});

it('passes when multi-ecosystem groups are used', () => {
writeConfig(`version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: weekly
multi-ecosystem-groups:
"base":
patterns:
- "*"
`);
const result = validateDependabot();
expect(result.ok).toBe(true);
});
});