tinglesoftware / dependabot-azure-devops

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com
MIT License
201 stars 66 forks

Compatibility Score #1428

Closed sailro closed 4 days ago

sailro commented 4 weeks ago

Is your feature request related to a problem? Please describe.

Dependabot running on GitHub is using a compatibility score for specific dependencies. See: https://github.com/datagalaxy-lab/datagalaxy-toolbox/pull/50

Dependabot security updates may include compatibility scores to let you know whether updating a dependency could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.

Describe the solution you'd like

So far I have never seen such a compatibility score on PRs made by Dependabot on Azdo.

Additional context

I do not want private stats on my Azdo server but rather reuse stats from GitHub. Is this something we can get from Dependabot CLI?

rhyskoedijk commented 3 weeks ago

This was briefly experimented with in V1 of the task, but has not been added to V2 since it is not an official configuration that can be used with Dependabot CLI.

It was supported in task V1 by injecting extra markup into the PR description: https://github.com/tinglesoftware/dependabot-azure-devops/blob/a55a34798922fdbd6fd9dab3ac4c4fe08782f2ac/updater/lib/tinglesoftware/dependabot/api_clients/azure_api_client.rb#L443-L460

This still could be added to task V2, it would just have to be injected by the TypeScript extension prior to creating the pull request, rather than handling it via Dependabot directly.

@mburumaxwell what are your thoughts on this? It's a fairly trivial change, happy to add it if you are ok with it. It would require adding an extra task input to toggle on/off though.

sailro commented 3 weeks ago

That's super nice. I played a bit with the url and perhaps you need a little mapping depending on the ecosystem used.

Like if you use the npm ecosystem in your dependabot configuration, you have to pass the value npm_and_yarn to this url.

See the following error when testing:

```json
{
   "errors":[
      {
         "status":400,
         "title":"Bad Request",
         "detail":"Invalid package manager - must be 'bundler', 'cargo', 'composer', 'devcontainers', 'docker', 'elm', 'github_actions', 'go_modules', 'gradle', 'hex', 'maven', 'nuget', 'npm_and_yarn', 'pip', 'pub', 'submodules', 'swift' or 'terraform'"
      }
   ]
}
```

rhyskoedijk commented 3 weeks ago

> I played a bit with the url and perhaps you need a little mapping depending on the ecosystem used.

If you are building the url yourself, then yes. The extension automatically maps between the configuration value and the dependabot-core value in: https://github.com/tinglesoftware/dependabot-azure-devops/blob/a55a34798922fdbd6fd9dab3ac4c4fe08782f2ac/updater/lib/tinglesoftware/dependabot/job.rb#L187-L204
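
As an added illustration (not the extension's own code, and not the job.rb mapping linked above), here is a TypeScript sketch of the two pieces discussed in this thread: mapping the dependabot.yml `package-ecosystem` name to the package-manager value dependabot-core expects, validated against the allow-list from the 400 response above, and generating the badge markup that would be injected into the PR description. The alias table is reconstructed from public Dependabot documentation, the badge host is a placeholder, and the query parameter names are assumptions.

```typescript
// Added example (not the extension's own code): map the `package-ecosystem`
// value from a dependabot.yml to the package-manager name that dependabot-core
// uses, then build the compatibility-score badge markup for a PR description.
// The alias table is reconstructed from public Dependabot docs, not the
// project's job.rb; the badge host and parameter names are placeholders.

// Valid package managers, taken from the 400 error shown in this thread.
const DEPENDABOT_PACKAGE_MANAGERS = new Set<string>([
  'bundler', 'cargo', 'composer', 'devcontainers', 'docker', 'elm',
  'github_actions', 'go_modules', 'gradle', 'hex', 'maven', 'nuget',
  'npm_and_yarn', 'pip', 'pub', 'submodules', 'swift', 'terraform',
]);

// dependabot.yml `package-ecosystem` -> dependabot-core package manager.
// Only names that differ need a row here; everything else passes through.
const ECOSYSTEM_ALIASES: Record<string, string> = {
  'npm': 'npm_and_yarn',
  'github-actions': 'github_actions',
  'gomod': 'go_modules',
  'gitsubmodule': 'submodules',
  'mix': 'hex',
};

function toPackageManager(ecosystem: string): string {
  const key = ecosystem.trim().toLowerCase();
  const mapped = ECOSYSTEM_ALIASES[key] ?? key;
  if (!DEPENDABOT_PACKAGE_MANAGERS.has(mapped)) {
    // Fail closed instead of sending an unknown value upstream and getting a 400 back.
    throw new Error(`Unsupported package ecosystem: ${ecosystem}`);
  }
  return mapped;
}

// Placeholder badge endpoint (assumption; substitute the real one).
const BADGE_BASE_URL = 'https://badges.example.invalid/compatibility_score';

interface DependencyUpdate {
  ecosystem: string;
  dependencyName: string;
  previousVersion: string;
  newVersion: string;
}

function compatibilityBadgeUrl(update: DependencyUpdate): string {
  // URLSearchParams percent-encodes '@', '/', '(' and ')', so a dependency
  // name cannot terminate the markdown image link early.
  const params = new URLSearchParams({
    'dependency-name': update.dependencyName,
    'package-manager': toPackageManager(update.ecosystem),
    'previous-version': update.previousVersion,
    'new-version': update.newVersion,
  });
  return `${BADGE_BASE_URL}?${params.toString()}`;
}

// The PR description is rendered as markdown, so escape anything in the
// alt text that could open a new link, image or inline code span.
function escapeMarkdownText(text: string): string {
  return text.replace(/[\\`*_\[\]()<>!|]/g, (c) => `\\${c}`);
}

function compatibilityBadgeMarkdown(update: DependencyUpdate): string {
  const alt = escapeMarkdownText(`Dependabot compatibility score for ${update.dependencyName}`);
  return `![${alt}](${compatibilityBadgeUrl(update)})`;
}

// Constructed sample update, as the extension would see it before creating the PR.
const sampleUpdate: DependencyUpdate = {
  ecosystem: 'npm',
  dependencyName: 'lodash',
  previousVersion: '4.17.20',
  newVersion: '4.17.21',
};
console.log(compatibilityBadgeMarkdown(sampleUpdate));
```

Two choices matter here. Unknown ecosystems are rejected locally rather than passed through, so a typo in the configuration surfaces as a clear error instead of the opaque 400 shown earlier in this thread. Dependency names are percent-encoded in the URL and escaped in the alt text, because whatever ends up in the PR description is rendered markdown that the reviewer of the PR will see.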

sailro commented 3 weeks ago

> I played a bit with the url and perhaps you need a little mapping depending on the ecosystem used.
>
> If you are building the url yourself, then yes. The extension automatically maps between the configuration value and the dependabot-core value in:
>
> https://github.com/tinglesoftware/dependabot-azure-devops/blob/a55a34798922fdbd6fd9dab3ac4c4fe08782f2ac/updater/lib/tinglesoftware/dependabot/job.rb#L187-L204

Perfect

mburumaxwell commented 3 weeks ago

@rhyskoedijk a contribution for it is okay. If we can avoid the new input but have it on by default, then it would be better (the fewer knobs, the better). If not, then it's okay.

sailro commented 2 weeks ago

@rhyskoedijk how can we move forward on this? Could I offer help? You seem to know exactly what needs to be done on the technical side. I can test and report any problems to you :)

Thanks!

rhyskoedijk commented 1 week ago

@sailro this will be implemented by https://github.com/tinglesoftware/dependabot-azure-devops/pull/1458.