Add API integration to fetch blocked versions at job construction

kbukum1 · Copilot · kbukum1 · commit f682877a7ef2 · 2026-05-05T17:51:47.000-05:00
Implement the API call that fetches blocked versions from
dependabot-api and injects them into the job definition before
the Job object is constructed.

Changes:
- ApiClient#fetch_blocked_versions: GET endpoint that retrieves
  blocked versions for a given package manager. Gracefully handles
  errors (returns [] on failure, logs warning).
- Service: delegate fetch_blocked_versions to client
- UpdateFilesCommand#job: fetch blocked versions during job
  construction (gated behind :blocked_versions experiment flag)
  and inject into job_definition hash
- Remove the TODO placeholder from previous PR

Tests:
- ApiClient spec: success, error, timeout, and empty response cases
- UpdateFilesCommand spec: verifies fetch is called with correct
  package manager and handles empty responses

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/updater/lib/dependabot/api_client.rb b/updater/lib/dependabot/api_client.rb
@@ -389,6 +389,26 @@ def record_cooldown_meta(job)
     # rubocop:enable Metrics/AbcSize
     # rubocop:enable Metrics/MethodLength
 
+    sig { params(package_manager: String).returns(T::Array[T::Hash[String, T.untyped]]) }
+    def fetch_blocked_versions(package_manager)
+      ::Dependabot::OpenTelemetry.tracer.in_span("fetch_blocked_versions", kind: :internal) do |span|
+        span.set_attribute(::Dependabot::OpenTelemetry::Attributes::JOB_ID, job_id.to_s)
+
+        api_url = "#{http_client.params[:path]}/update_jobs/#{job_id}/blocked_versions"
+        response = http_client.get(path: api_url, query: { "package-manager": package_manager })
+
+        if response.status >= 400
+          Dependabot.logger.warn("Failed to fetch blocked versions (HTTP #{response.status}), continuing without them")
+          return []
+        end
+
+        JSON.parse(response.body).fetch("data", [])
+      rescue Excon::Error::Socket, Excon::Error::Timeout, OpenSSL::SSL::SSLError => e
+        Dependabot.logger.warn("Failed to fetch blocked versions: #{e.message}, continuing without them")
+        []
+      end
+    end
+
     private
 
     # Update return type to allow returning a Hash or nil
diff --git a/updater/lib/dependabot/service.rb b/updater/lib/dependabot/service.rb
@@ -40,7 +40,8 @@ def initialize(client:)
                    :record_ecosystem_versions,
                    :increment_metric,
                    :record_ecosystem_meta,
-                   :record_cooldown_meta
+                   :record_cooldown_meta,
+                   :fetch_blocked_versions
 
     sig { void }
     def wait_for_calls_to_finish
diff --git a/updater/lib/dependabot/update_files_command.rb b/updater/lib/dependabot/update_files_command.rb
@@ -50,10 +50,6 @@ def perform_job
         # As above, we can remove the responsibility for handling fatal/job halting
         # errors from Dependabot::Updater entirely.
         begin
-          # TODO: Fetch blocked versions from dependabot-api and inject into the job.
-          # Call GET /blocked_versions?ecosystem=<job.package_manager> to retrieve
-          # versions blocked by GitHub Security, then pass them into the job so they
-          # are excluded from update candidates.
           Dependabot::Updater.new(service:, job:, dependency_snapshot:).run
         rescue Dependabot::DependencyFileNotParseable => e
           handle_dependency_file_not_parseable_error(e)
@@ -73,11 +69,24 @@ def perform_job
     sig { override.returns(Dependabot::Job) }
     def job
       @job ||= T.let(
-        Job.new_update_job(
-          job_id: job_id,
-          job_definition: Environment.job_definition,
-          repo_contents_path: Environment.repo_contents_path
-        ),
+        begin
+          definition = Environment.job_definition
+          job_hash = definition["job"]
+
+          # Fetch blocked versions from the API if the experiment is enabled.
+          # Inject them into the job definition so they're available at construction time.
+          if Experiments.enabled?(:blocked_versions)
+            package_manager = job_hash["package-manager"] || job_hash["package_manager"] || ""
+            blocked = service.fetch_blocked_versions(package_manager)
+            job_hash["blocked-versions"] = blocked if blocked.any?
+          end
+
+          Job.new_update_job(
+            job_id: job_id,
+            job_definition: definition,
+            repo_contents_path: Environment.repo_contents_path
+          )
+        end,
         T.nilable(Dependabot::Job)
       )
     end
diff --git a/updater/spec/dependabot/api_client_spec.rb b/updater/spec/dependabot/api_client_spec.rb
@@ -800,4 +800,80 @@
       end
     end
   end
+
+  describe "fetch_blocked_versions" do
+    let(:blocked_versions_url) { "http://example.com/update_jobs/1/blocked_versions" }
+
+    context "when the API returns blocked versions" do
+      before do
+        stub_request(:get, blocked_versions_url)
+          .with(query: { "package-manager": "npm_and_yarn" })
+          .to_return(
+            status: 200,
+            body: {
+              data: [
+                { "dependency-name" => "event-stream", "version" => "3.3.6", "reason" => "malware" },
+                { "dependency-name" => "flatmap-stream", "version" => "0.1.1", "reason" => "malware" }
+              ]
+            }.to_json,
+            headers: headers
+          )
+      end
+
+      it "returns the blocked versions array" do
+        result = client.fetch_blocked_versions("npm_and_yarn")
+        expect(result).to eq(
+          [
+            { "dependency-name" => "event-stream", "version" => "3.3.6", "reason" => "malware" },
+            { "dependency-name" => "flatmap-stream", "version" => "0.1.1", "reason" => "malware" }
+          ]
+        )
+      end
+    end
+
+    context "when the API returns an error" do
+      before do
+        stub_request(:get, blocked_versions_url)
+          .with(query: { "package-manager": "npm_and_yarn" })
+          .to_return(status: 500, body: "Internal Server Error", headers: headers)
+      end
+
+      it "returns an empty array and logs a warning" do
+        expect(Dependabot.logger).to receive(:warn).with(/Failed to fetch blocked versions/)
+        result = client.fetch_blocked_versions("npm_and_yarn")
+        expect(result).to eq([])
+      end
+    end
+
+    context "when the API times out" do
+      before do
+        stub_request(:get, blocked_versions_url)
+          .with(query: { "package-manager": "npm_and_yarn" })
+          .to_timeout
+      end
+
+      it "returns an empty array and logs a warning" do
+        expect(Dependabot.logger).to receive(:warn).with(/Failed to fetch blocked versions/)
+        result = client.fetch_blocked_versions("npm_and_yarn")
+        expect(result).to eq([])
+      end
+    end
+
+    context "when the API returns no blocked versions" do
+      before do
+        stub_request(:get, blocked_versions_url)
+          .with(query: { "package-manager": "npm_and_yarn" })
+          .to_return(
+            status: 200,
+            body: { data: [] }.to_json,
+            headers: headers
+          )
+      end
+
+      it "returns an empty array" do
+        result = client.fetch_blocked_versions("npm_and_yarn")
+        expect(result).to eq([])
+      end
+    end
+  end
 end
diff --git a/updater/spec/dependabot/update_files_command_spec.rb b/updater/spec/dependabot/update_files_command_spec.rb
@@ -438,4 +438,53 @@
       end
     end
   end
+
+  describe "#perform_job with blocked versions experiment enabled" do
+    subject(:perform_job) { job.perform_job }
+
+    before do
+      Dependabot::Experiments.register(:blocked_versions, true)
+      allow(service).to receive(:fetch_blocked_versions).and_return(blocked_versions)
+    end
+
+    after do
+      Dependabot::Experiments.reset!
+    end
+
+    let(:blocked_versions) do
+      [
+        { "dependency-name" => "rails", "version" => "7.0.0", "reason" => "vulnerability" }
+      ]
+    end
+
+    it "fetches blocked versions and injects them into the job definition" do
+      dummy_runner = double(run: nil)
+      allow(Dependabot::Updater).to receive(:new).and_return(dummy_runner)
+      allow(dummy_runner).to receive(:run)
+      allow(service).to receive(:mark_job_as_processed)
+      allow(service).to receive(:update_dependency_list)
+
+      expect(service).to receive(:fetch_blocked_versions).with("bundler")
+
+      perform_job
+    end
+
+    context "when the API returns no blocked versions" do
+      let(:blocked_versions) { [] }
+
+      it "does not inject blocked versions into the job definition" do
+        dummy_runner = double(run: nil)
+        allow(Dependabot::Updater).to receive(:new).and_return(dummy_runner)
+        allow(dummy_runner).to receive(:run)
+        allow(service).to receive(:mark_job_as_processed)
+        allow(service).to receive(:update_dependency_list)
+
+        perform_job
+
+        # Job should still have empty blocked_versions (the default)
+        job_instance = job.send(:job)
+        expect(job_instance.blocked_versions).to eq([])
+      end
+    end
+  end
 end
