dependabot / cli

A tool for testing and debugging Dependabot update jobs.
MIT License
224 stars, 36 forks

How to discover the dependency list prior to running a security-only update #360

Open rhyskoedijk opened 2 weeks ago

rhyskoedijk commented 2 weeks ago

I'm trying to convert tinglesoftware/dependabot-azure-devops over to CLI, which currently uses the dry-run.rb and updater scripts to perform updates.

Everything works well so far using the CLI, except for security-only updates. I've run into a "chicken or the egg" situation where you need to list the [vulnerable] dependency names in input.yaml, but you don't know what the dependencies are until you've already run a dependabot update first and parsed the dependency list from output.yaml.

For example:

job:
    package-manager: npm_and_yarn
    security-updates-only: true
    dependencies:
      - express # how would I know this is a dependency before executing `dependabot update`?
    security-advisories:
      - dependency-name: express
        affected-versions:
          - <5.0.0
        patched-versions: []
        unaffected-versions: []

Do you have any advice on how I could solve this problem? It would be ideal if there was a command like dependabot fetch --run-discovery, that was able to return the "dependency_list" output, but skip the actual updates. Assuming I'm not missing something obvious, would you be open to me submitting a pull request to add this command?

The only way I can currently work around this issue is to do two "updates": first with security-updates-only: false so I can parse the discovered dependency list, then a second update with security-updates-only: true and the dependencies list populated.
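The two-step workaround above (a discovery run, then a security-only run fed with the discovered names) can be scripted. The block below is an added example, not code from dependabot/cli or from the issue author; it builds the second job from the first run's output. It assumes the first run's output.yaml has already been loaded (for example with PyYAML's `yaml.safe_load`) into a list of output entries, one of which has `type: update_dependency_list` with `expr.dependencies[].name`; that shape, the `discovered_dependency_names`/`build_security_job`/`render_input_yaml` names and the sample data are assumptions made for the example. It only lists dependencies that were both discovered and have an advisory, so the second run never asks Dependabot to update a package the manifest does not contain.

```python
"""Build a security-updates-only Dependabot CLI job from a discovery run.

Added example for this issue thread, not dependabot/cli's own code.
Assumed: the first run's output.yaml has been parsed into a list of dicts
(e.g. with yaml.safe_load(...)["output"]), one of which is an
update_dependency_list entry carrying expr.dependencies[].name.
"""
from typing import Dict, List

# Constructed sample of a first-run output list; the entry shape is assumed.
SAMPLE_FIRST_RUN_OUTPUTS: List[dict] = [
    {"type": "update_dependency_list",
     "expr": {"dependencies": [
         {"name": "express", "version": "4.18.2"},
         {"name": "lodash", "version": "4.17.21"}]}},
    {"type": "some_other_output_type", "expr": {}},  # constructed filler entry
]

# Constructed advisories in the input.yaml shape shown in the issue.
# 'left-pad' is not in the manifest, so it must be dropped from the job.
SAMPLE_ADVISORIES: List[dict] = [
    {"dependency-name": "express", "affected-versions": ["<5.0.0"],
     "patched-versions": [], "unaffected-versions": []},
    {"dependency-name": "left-pad", "affected-versions": ["<1.3.0"],
     "patched-versions": [], "unaffected-versions": []},
]


def discovered_dependency_names(outputs: List[dict]) -> List[str]:
    """Collect unique dependency names from every update_dependency_list entry."""
    names: List[str] = []
    for entry in outputs:
        if entry.get("type") != "update_dependency_list":
            continue
        for dep in entry.get("expr", {}).get("dependencies", []):
            name = dep.get("name")
            if name and name not in names:
                names.append(name)
    return names


def build_security_job(package_manager: str, discovered: List[str],
                       advisories: List[dict]) -> Dict:
    """Return the job for the second, security-updates-only run.

    Only dependencies that were discovered AND have an advisory are listed;
    advisories for packages absent from the manifest are dropped.
    """
    present = set(discovered)
    relevant = [a for a in advisories if a["dependency-name"] in present]
    return {
        "package-manager": package_manager,
        "security-updates-only": True,
        "dependencies": [a["dependency-name"] for a in relevant],
        "security-advisories": relevant,
    }


def render_input_yaml(job: Dict) -> str:
    """Emit input.yaml text in the layout used in the issue above.

    Version ranges are double-quoted so a range such as '>=1.0' is not read
    as a YAML folded-scalar indicator.
    """
    lines = ["job:",
             f"  package-manager: {job['package-manager']}",
             f"  security-updates-only: {str(job['security-updates-only']).lower()}",
             "  dependencies:"]
    lines.extend(f"    - {name}" for name in job["dependencies"])
    lines.append("  security-advisories:")
    for adv in job["security-advisories"]:
        lines.append(f"    - dependency-name: {adv['dependency-name']}")
        for key in ("affected-versions", "patched-versions", "unaffected-versions"):
            values = adv.get(key, [])
            if values:
                lines.append(f"      {key}:")
                lines.extend(f'        - "{v}"' for v in values)
            else:
                lines.append(f"      {key}: []")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    names = discovered_dependency_names(SAMPLE_FIRST_RUN_OUTPUTS)
    print(render_input_yaml(build_security_job("npm_and_yarn", names, SAMPLE_ADVISORIES)))
```

In practice the first step is the non-security `dependabot update` run from the issue, its `output` list is parsed and passed to `discovered_dependency_names`, and the rendered text is written out as the input file for the security-only run.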

rhyskoedijk commented 2 weeks ago

It looks like @jakecoffman proposed something similar to what I'm looking for in https://github.com/dependabot/cli/pull/325. Is there anything I could do to help with this? It sounds like a change might be needed to dependabot-core first which is maybe why this has stalled?