Refine GoModGraph handling and improve reconciliation logic in GoModUpdater

kbukum1 · kbukum1 · commit 6b4b62e059fa · 2026-05-21T14:32:54.000-05:00
diff --git a/go_modules/lib/dependabot/go_modules/file_updater/go_mod_graph.rb b/go_modules/lib/dependabot/go_modules/file_updater/go_mod_graph.rb
@@ -74,7 +74,9 @@ def parse_graph(output)
 
             output.each_line do |line|
               line.strip.split(/\s+/).each do |entry|
-                result.add(entry) unless entry.empty?
+                # Only include versioned entries (module@version), skip
+                # the root module which has no @version suffix.
+                result.add(entry) if entry.include?("@")
               end
             end
 
@@ -91,14 +93,14 @@ def group_by_path(entries)
           result = T.let(Hash.new { |h, k| h[k] = Set.new }, T::Hash[String, T::Set[String]])
 
           entries.each do |entry|
-            at_index = T.must(entry).rindex("@")
+            at_index = entry.rindex("@")
             next unless at_index
 
-            path = T.must(entry)[0...at_index]
-            version = T.must(entry)[(at_index + 1)..]
+            path = entry[0...at_index]
+            version = entry[(at_index + 1)..]
             next unless path && version && !path.empty?
 
-            result[path].add(version)
+            T.must(result[path]).add(version)
           end
 
           result
diff --git a/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb b/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb
@@ -234,11 +234,13 @@ def update_files
             # to the update — Go tooling can over-prune /go.mod checksums.
             if original_go_sum && updated_go_sum
               graph_after = GoModGraph.capture
-              updated_go_sum = reconcile_go_sum(
-                original_go_sum,
-                updated_go_sum,
-                graph_before.changed_modules(graph_after)
-              )
+              unless graph_before.empty? || graph_after.empty?
+                updated_go_sum = reconcile_go_sum(
+                  original_go_sum,
+                  updated_go_sum,
+                  graph_before.changed_modules(graph_after)
+                )
+              end
             end
 
             { go_mod: updated_go_mod, go_sum: updated_go_sum }
@@ -432,8 +434,6 @@ def in_repo_path(&block)
           ).returns(String)
         end
         def reconcile_go_sum(original, updated, changed_modules)
-          return updated if changed_modules.empty?
-
           updated_lines = updated.lines(chomp: true).reject(&:empty?)
           updated_set = updated_lines.to_set
 
diff --git a/go_modules/spec/dependabot/go_modules/file_updater/go_mod_graph_spec.rb b/go_modules/spec/dependabot/go_modules/file_updater/go_mod_graph_spec.rb
@@ -47,17 +47,21 @@
 
   describe "#changed_modules" do
     it "detects modules with changed versions" do
-      before_graph = described_class.new(modules: Set[
-        "github.com/onsi/gomega@v1.39.0",
-        "google.golang.org/grpc@v1.81.1",
-        "gonum.org/v1/gonum@v0.17.0"
-      ])
-
-      after_graph = described_class.new(modules: Set[
-        "github.com/onsi/gomega@v1.40.0",
-        "google.golang.org/grpc@v1.81.1",
-        "gonum.org/v1/gonum@v0.17.0"
-      ])
+      before_graph = described_class.new(
+        modules: Set[
+          "github.com/onsi/gomega@v1.39.0",
+          "google.golang.org/grpc@v1.81.1",
+          "gonum.org/v1/gonum@v0.17.0"
+        ]
+      )
+
+      after_graph = described_class.new(
+        modules: Set[
+          "github.com/onsi/gomega@v1.40.0",
+          "google.golang.org/grpc@v1.81.1",
+          "gonum.org/v1/gonum@v0.17.0"
+        ]
+      )
 
       changed = before_graph.changed_modules(after_graph)
       expect(changed).to include("github.com/onsi/gomega")
@@ -66,40 +70,46 @@
     end
 
     it "detects added modules" do
-      before_graph = described_class.new(modules: Set[
-        "github.com/onsi/gomega@v1.39.0"
-      ])
+      before_graph = described_class.new(
+        modules: Set["github.com/onsi/gomega@v1.39.0"]
+      )
 
-      after_graph = described_class.new(modules: Set[
-        "github.com/onsi/gomega@v1.39.0",
-        "github.com/kr/pretty@v0.3.1"
-      ])
+      after_graph = described_class.new(
+        modules: Set[
+          "github.com/onsi/gomega@v1.39.0",
+          "github.com/kr/pretty@v0.3.1"
+        ]
+      )
 
       changed = before_graph.changed_modules(after_graph)
       expect(changed).to include("github.com/kr/pretty")
       expect(changed).not_to include("github.com/onsi/gomega")
     end
 
     it "detects removed modules" do
-      before_graph = described_class.new(modules: Set[
-        "github.com/onsi/gomega@v1.39.0",
-        "github.com/old/dep@v1.0.0"
-      ])
+      before_graph = described_class.new(
+        modules: Set[
+          "github.com/onsi/gomega@v1.39.0",
+          "github.com/old/dep@v1.0.0"
+        ]
+      )
 
-      after_graph = described_class.new(modules: Set[
-        "github.com/onsi/gomega@v1.39.0"
-      ])
+      after_graph = described_class.new(
+        modules: Set["github.com/onsi/gomega@v1.39.0"]
+      )
 
       changed = before_graph.changed_modules(after_graph)
       expect(changed).to include("github.com/old/dep")
       expect(changed).not_to include("github.com/onsi/gomega")
     end
 
     it "returns empty set when graphs are identical" do
-      graph = described_class.new(modules: Set[
-        "github.com/onsi/gomega@v1.39.0",
-        "gonum.org/v1/gonum@v0.17.0"
-      ])
+      graph = described_class.new(
+        modules: Set[
+          "github.com/onsi/gomega@v1.39.0",
+          "gonum.org/v1/gonum@v0.17.0"
+        ]
+      )
 
       expect(graph.changed_modules(graph)).to be_empty
     end
diff --git a/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb b/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb
@@ -290,13 +290,17 @@ module github.com/dependabot/vgotest
                              "#{gonum_zip_line}\n#{gonum_gomod_line}\n"
               pruned_sum = original_sum.lines.reject { |l| l.chomp == gonum_gomod_line }.join
 
+              read_count = 0
               allow(File).to receive(:read).and_call_original
-              allow(File).to receive(:read).with("go.sum").and_return(original_sum, pruned_sum)
+              allow(File).to receive(:read).with("go.sum") do
+                read_count += 1
+                read_count == 1 ? original_sum : pruned_sum
+              end
 
-              # Graph shows gonum unchanged before and after
-              graph_with_gonum = Dependabot::GoModules::FileUpdater::GoModGraph.new(
+              # Graph: rsc.io/quote updated, gonum unchanged
+              graph_before = Dependabot::GoModules::FileUpdater::GoModGraph.new(
                 modules: Set[
-                  "rsc.io/quote@v1.5.2",
+                  "rsc.io/quote@v1.4.0",
                   "gonum.org/v1/gonum@v0.16.0"
                 ]
               )
@@ -309,7 +313,7 @@ module github.com/dependabot/vgotest
 
               allow(Dependabot::GoModules::FileUpdater::GoModGraph)
                 .to receive(:capture)
-                .and_return(graph_with_gonum, graph_after)
+                .and_return(graph_before, graph_after)
             end
 
             it "restores the unrelated go.mod checksum line" do
@@ -319,11 +323,6 @@ module github.com/dependabot/vgotest
 
           context "when a module version changes legitimately" do
             before do
-              original_sum = fixture("projects", project_name, "go.sum")
-
-              allow(File).to receive(:read).and_call_original
-              allow(File).to receive(:read).with("go.sum").and_return(original_sum)
-
               # Graph shows rsc.io/quote changed version (it's being updated)
               graph_before = Dependabot::GoModules::FileUpdater::GoModGraph.new(
                 modules: Set["rsc.io/quote@v1.4.0"]
