test: Validate minimumReleaseAge is ignored for security updates #44272

Open
zharinov wants to merge 4 commits into renovatebot:main from zharinov:test/minimum-release-age-security-updates

@zharinov zharinov commented Jun 27, 2026
Collaborator

Changes

Add tests that prove minimumReleaseAge is skipped for security (vulnerability) updates.

A security fix should not wait out the minimumReleaseAge delay. It already skips the delay because vulnerabilityAlerts forces minimumReleaseAge: null onto the update. Nothing tested this, so two tests in vulnerabilities.spec.ts lock it down:

  • The generated vulnerability packageRule carries force: { minimumReleaseAge: null }.
  • End-to-end: a real vulnerability runs through appendVulnerabilityPackageRules and then lookupUpdates. A fix released yesterday is proposed right away with no pending status check, even with minimumReleaseAge: 14 days and internalChecksFilter: strict.

Context

Please select one of the following:

AI assistance disclosure

Did you use AI tools to create any part of this pull request?

  • No — I did not use AI for this contribution.
  • Yes — minimal assistance (e.g., IDE autocomplete, small code completions, grammar fixes).
  • Yes — substantive assistance (AI-generated non‑trivial portions of code, tests, or documentation).
  • Yes — other (please describe):

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests, but ran on a real repository, or
  • Both unit tests + ran on a real repository

The public repository: N/A (unit tests only)
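
An added sketch (not Renovate's code and not part of this PR) of the behaviour the description above says the tests lock down: a forced `minimumReleaseAge: null` removes the release-age gate for a vulnerable package regardless of other rules. The `Rule` shape, `effectiveAge`, `decide`, the package names and the dates are constructed for illustration, and the rule that a `force` value is applied after ordinary rule values is an assumption of this model.

```typescript
// Simplified model for illustration; not Renovate's implementation.
type Age = number | null; // days; null disables the release-age gate

interface Rule {
  matchPackageNames: string[];
  minimumReleaseAge?: Age;
  force?: { minimumReleaseAge: Age };
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Ordinary rule values apply in order (last match wins); a force value from
// any matching rule is applied afterwards and overrides them (assumption).
function effectiveAge(base: Age, rules: Rule[], pkg: string): Age {
  let age: Age = base;
  let forced: Age | undefined = undefined;
  for (const rule of rules) {
    if (rule.matchPackageNames.indexOf(pkg) === -1) continue;
    if (rule.minimumReleaseAge !== undefined) age = rule.minimumReleaseAge;
    if (rule.force !== undefined) forced = rule.force.minimumReleaseAge;
  }
  return forced !== undefined ? forced : age;
}

// Strict filtering in this model: a release younger than the gate is withheld.
function decide(releasedAt: Date, age: Age, now: Date): 'proposed' | 'held-back' {
  if (age === null) return 'proposed';
  const ageDays = (now.getTime() - releasedAt.getTime()) / DAY_MS;
  return ageDays >= age ? 'proposed' : 'held-back';
}

// Constructed sample data.
const now = new Date('2026-06-27T12:00:00Z');
const fixReleasedAt = new Date('2026-06-26T12:00:00Z'); // released yesterday
const userRule: Rule = { matchPackageNames: ['example-lib'], minimumReleaseAge: 30 };
const vulnRule: Rule = { matchPackageNames: ['example-lib'], force: { minimumReleaseAge: null } };

// No alert: the 30-day user rule applies and the day-old fix is withheld.
const withoutAlert = decide(fixReleasedAt, effectiveAge(14, [userRule], 'example-lib'), now);
// Alert rule present, even listed before the user rule: the forced null wins.
const withAlert = decide(fixReleasedAt, effectiveAge(14, [vulnRule, userRule], 'example-lib'), now);
// An unrelated package keeps the 14-day gate.
const otherPkgAge = effectiveAge(14, [vulnRule, userRule], 'other-lib');
```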

@github-actions github-actions Bot requested a review from viceice June 27, 2026 18:53
@zharinov zharinov force-pushed the test/minimum-release-age-security-updates branch from 89be549 to 051dd25 Compare June 27, 2026 19:04
…ypass

Drive the real vulnerability flow (appendVulnerabilityPackageRules) through the
real lookupUpdates, instead of only simulating the generated packageRule. Also
reword the inline comment and use luxon/asTimestamp for timestamps.
@zharinov zharinov changed the title from "test: validate minimumReleaseAge does not apply to security updates" to "test: Validate minimumReleaseAge is ignored for security updates" Jun 27, 2026
zharinov added 2 commits June 27, 2026 16:39
Cast the spread config to satisfy partial() overload resolution, matching the
existing `getConfig() as never` idiom in the lookup spec.

The simulated lookup test hand-built the security packageRule; the end-to-end
test plus the generated-rule assertion in vulnerabilities.spec.ts cover the same
behavior against the real flow, so the inline test added no unique coverage.

@RahulGautamSingh RahulGautamSingh left a comment
Collaborator

lgtm except the one comment

currentValue: dep.currentValue,
datasource: dep.datasource,
versioning: 'maven',
} as never);
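
Review bot: on the closing `} as never);` line, the cast turns off type checking for the whole argument object, so a misspelled key or a wrong-typed `currentValue` or `versioning` value would compile silently in this test. Prefer fixing the one field whose type does not fit and dropping the cast, or add a comment naming the field the cast works around.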

Collaborator

currentValue: dep.currentValue ?? undefined,

this with a comment to fix the types of currentValue by removing null from it or adding null to other places it's declared.

Development

Successfully merging this pull request may close these issues.

test: validate that minimumReleaseAge doesn't apply to security updates