dependabot / fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.
MIT License
182 stars 61 forks source link

Does not work reliably if there are more than 100 vulnerability alerts for the repo #542

Open severin opened 3 months ago

severin commented 3 months ago

Currently the workflow makes a GraphQL request that looks something like:

repository(owner: "${context.repo.owner}", name: "${context.repo.repo}") { 
  vulnerabilityAlerts(first: 100) {
    nodes {
      ...
    }
  }
}

So only the first 100 alerts are fetched and searched for the current dependency. If a repo has 101 vulnerability alerts and the the one about the current dependency is the 101st then it is not found and no metadata is returned.

This could be addressed by paginating through all vulnerability alerts or by narrowing the query down, i.e. only look up vulnerability alerts for the current dependency (not sure if that is supported though).