There is a discrepancy between what we call our projects and what we call our root nodes in the dependency graphs. This sounds like it should not matter, but it does.
We have a regression introduced after a bugfix was made last month, where snyk test now does not correctly pick up ignores in the ui after a snyk monitor on certain types of Gradle projects.
Since the bugfix last month, root package names no longer match the project names in Gradle projects. Doing a --list-deps or looking at the UI will show one name in the project name and another in the root package list.
This is the root cause of the bug why snyk test does not pick up changes, as the project identity that is being tested against is generated from the root package name, not the "defaultProjectName" like snyk monitor.
Breaking change
I'm bumping the major version for this one, unless anybody objects. Not technically a breaking change, as this should not cause orphaned projects. It should merely create a new element in the history in the same project - but out of caution I find it makes sense, just to show that we're changing expected behavior. In case any consumer is relying on this value.
This should change dependency graphs for CLI monitor projects, and only a part of Gradle customers, so after discussing with some stakeholders in Team Fix, have deemed it should not be dangerous to snapshot churn.
What this does
There is a discrepancy between what we call our projects and what we call our root nodes in the dependency graphs. This sounds like it should not matter, but it does.
We have a regression introduced after a bugfix was made last month, where snyk test now does not correctly pick up ignores in the ui after a snyk monitor on certain types of Gradle projects.
Doing this change will fix that.
Problem
(Links to internal projects) monitor. test.
Since the bugfix last month, root package names no longer match the project names in Gradle projects. Doing a --list-deps or looking at the UI will show one name in the project name and another in the root package list.
This is the root cause of the bug why snyk test does not pick up changes, as the project identity that is being tested against is generated from the root package name, not the "defaultProjectName" like snyk monitor.
Breaking change
I'm bumping the major version for this one, unless anybody objects. Not technically a breaking change, as this should not cause orphaned projects. It should merely create a new element in the history in the same project - but out of caution I find it makes sense, just to show that we're changing expected behavior. In case any consumer is relying on this value.
Project identity?
The projectName should not change because of these changes. This change actually more aligns the root package name to what is already done for project names: https://github.com/snyk/snyk-gradle-plugin/blob/a444194f1199afece07232f4568773f36f9bfb9f/lib/index.ts#L306-L316
Snapshot churn?
This should change dependency graphs for CLI monitor projects, and only a part of Gradle customers, so after discussing with some stakeholders in Team Fix, have deemed it should not be dangerous to snapshot churn.