Problem
The e2e test suite currently scans against the real advisory DB in the cache. Any fixture that pins a real package name picks up that package's live CVEs and flips "clean" tests whenever a new advisory lands. A fresh checkout with no synced DB fails most offline e2e tests entirely.
This was deferred during the v1.25.0 merge rather than folded into the release PRs. Issues #726 and #727 address the immediate breakage (CVE-free fixture names), but leave two gaps open:
- A fresh checkout with no synced DB still fails most offline e2e tests
- Broad-shape tests still read the live DB and drift over time
Proposed solution
A small seeded fixture DB consumed via `--offline-db`, built once and committed to the repo. The machinery already exists: `LocalAdvisoryDatabase.bulkUpsertVulnerabilities` and the builder in `global-setup.mjs`.
The seeded DB contains a curated, deterministic set of advisories - one per scenario, covering the full range of finding types the test suite needs to verify.
Triple-duty design
The same seeded scenario set serves three purposes:
- e2e fixtures - deterministic, network-free, never drifts with live OSV data
- Educational reference - one clear worked example per rule class (direct, transitive, override hygiene rules OA001-OA009, PD001/PD002, DM001 as those ship)
- Benchmark pool - stable baseline for performance comparisons across releases
Scenario structure
Each scenario is a self-contained directory:
```
examples/scenarios/
  direct-fixable/       # one direct dep with a known fix
  transitive-path/      # transitive dep with clear parent upgrade path
  override-oa001/       # orphaned override target
  override-oa009/       # stale >= floor (new)
  phantom-pd001/        # import-only-via-override
  maintenance-dm001/    # abandonware with downstream drag
  ...
```
Each contains a minimal `package.json`, lockfile, and the corresponding seeded advisory entries. The global test setup loads the seeded DB once; all e2e tests point at `--offline-db` instead of the live cache.
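As an added example (not the project's builder or `LocalAdvisoryDatabase` code), this is the shape the seeding step can take: scenario directories are stood in for by constructed in-memory objects, the package names and advisory ids are hypothetical placeholders, and the check that an advisory may only reference a package its own scenario pins is an assumption about how to keep fixtures from drifting onto real package names.

```javascript
// Constructed stand-in for examples/scenarios/<name>/{package-lock, advisories}.
// Package names and advisory ids are placeholders, not real packages or CVEs.
const scenarios = [
  { name: "direct-fixable",
    lockfile: { "seeded-direct": "1.2.0" },
    advisories: [{ id: "SEED-0002", pkg: "seeded-direct", introduced: "1.0.0", fixed: "1.3.0" }] },
  { name: "transitive-path",
    lockfile: { "seeded-parent": "2.0.0", "seeded-child": "0.9.1" },
    advisories: [{ id: "SEED-0001", pkg: "seeded-child", introduced: "0.0.0", fixed: "1.0.0" }] },
];

// Numeric compare of dotted versions (enough for seeded fixtures; no prerelease tags).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Build the seeded DB. Every advisory must name a package its scenario pins
// (assumed rule), and rows are sorted by id so the serialized output is
// byte-identical no matter which order the scenario directories were read in.
function buildSeededDb(scenarioList) {
  const rows = [];
  for (const s of scenarioList) {
    for (const adv of s.advisories) {
      if (!(adv.pkg in s.lockfile)) {
        throw new Error(`${s.name}: ${adv.id} references unpinned package ${adv.pkg}`);
      }
      rows.push({ ...adv, scenario: s.name });
    }
  }
  rows.sort((a, b) => a.id.localeCompare(b.id));
  return { rows, serialized: JSON.stringify(rows) };
}

// Offline scan against the seeded rows: a pinned version is affected when
// introduced <= version < fixed, which is what the e2e tests then assert on.
function scanLockfile(db, lockfile) {
  return db.rows
    .filter((a) => lockfile[a.pkg] !== undefined
      && cmpVersion(lockfile[a.pkg], a.introduced) >= 0
      && cmpVersion(lockfile[a.pkg], a.fixed) < 0)
    .map((a) => ({ id: a.id, pkg: a.pkg, version: lockfile[a.pkg], fix: a.fixed }));
}
```

Because the output is deterministic, the committed DB can be regenerated in CI and diffed against the checked-in copy to catch a scenario whose advisories were edited by hand.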
Acceptance criteria
- Fresh checkout passes all e2e tests without a network advisory sync
- Tests do not flip when new CVEs land in OSV for real package names
- Seeded DB covers all existing e2e scenario types
- Scenario directories are usable standalone as educational examples
- Builder is automated - adding a new scenario does not require manual DB editing
Related
Raised by Aaron Lamb during v1.25.0 integration. Connected to #726 and #727 (immediate fixture breakage). Scenario set will expand as OA009 (#730), PD001/PD002 (#731), and DM001 (#732) ship.