
Add API integration to fetch blocked versions at job construction#14917

Merged
kbukum1 merged 5 commits into main from kbukum1/add-blocked-versions-api-integration on May 21, 2026

Conversation

@kbukum1
Contributor

@kbukum1 kbukum1 commented May 5, 2026

What are you trying to accomplish?

Add the API client integration that fetches blocked versions from the API and injects them into the job definition at construction time. Blocked versions are globally managed (not per-job configuration), so they need to be fetched fresh at execution time. This ensures the updater always uses the latest blocked versions list.

This PR also renames the blocked versions field from version to version-requirement to align with ignore_conditions conventions and the API endpoint contract.

Stacks on #14915 which adds the blocked_versions attribute to the Job class.

Anything you want to highlight for special attention from reviewers?

  • The fetch is gated behind Experiments.enabled?(:dependabot_blocked_versions) — no behavior change without the flag.
  • Experiments are pre-registered from the job definition (with hyphen-to-underscore normalization) before the gate, so the flag works when set via the job payload.
  • The job definition is deep-copied (JSON.parse(JSON.generate(...))) to avoid mutating the memoized Environment.job_definition.
  • On API failure (500, timeout, network error, invalid JSON, non-Hash/non-Array response), the updater continues without blocked versions (graceful degradation).
  • version-requirement field name matches ignore_conditions conventions — the API endpoint transforms from the model's version field to version-requirement in the response.

How will you know you've accomplished your goal?

  • api_client_spec.rb: 6 tests covering success, error, timeout, empty response, invalid JSON, non-object JSON, and non-array data.
  • update_files_command_spec.rb: 3 tests covering fetch + inject, experiment flag via job definition, and empty response handling.
  • job_spec.rb: All blocked versions test data updated to use version-requirement field name.
  • Once the dependabot_blocked_versions experiment is enabled, blocked versions will appear in updater logs as "Blocked versions (by GitHub Security)" for matching dependencies.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-support branch from 8c7af59 to b5d414c Compare May 5, 2026 22:10
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch 2 times, most recently from a74d6bb to 37b3dc0 Compare May 5, 2026 22:41
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-support branch from b5d414c to db2d4dd Compare May 5, 2026 22:51
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch from 37b3dc0 to f682877 Compare May 5, 2026 22:52
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-support branch 4 times, most recently from 237ee63 to 4446560 Compare May 7, 2026 18:11
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch from f682877 to f3936b1 Compare May 7, 2026 18:20
@kbukum1 kbukum1 requested a review from Copilot May 7, 2026 18:20
Contributor

Copilot AI left a comment


Pull request overview

This PR wires a new updater-side integration to fetch globally managed “blocked versions” from dependabot-api at execution time (behind an experiment flag) and flow them into Dependabot::Job so they participate in the normal ignore/version filtering and logging paths.

Changes:

  • Add ApiClient#fetch_blocked_versions(package_manager) and expose it via Dependabot::Service.
  • Fetch blocked versions during UpdateFilesCommand#job construction when Experiments.enabled?(:blocked_versions) and inject them into the job definition before Job.new_update_job.
  • Extend Dependabot::Job to carry blocked_versions, apply them as additional ignore requirements, and log matching blocked entries (plus add/extend specs).
Summary per file:

  • updater/lib/dependabot/api_client.rb: Adds a new API call to retrieve blocked versions for a job.
  • updater/lib/dependabot/service.rb: Delegates fetch_blocked_versions to the API client.
  • updater/lib/dependabot/update_files_command.rb: Fetches/injects blocked versions at job construction time behind an experiment flag.
  • updater/lib/dependabot/job.rb: Adds blocked_versions to job attributes; applies/logs blocked version ignores.
  • updater/spec/dependabot/api_client_spec.rb: Adds unit tests for fetch_blocked_versions behavior.
  • updater/spec/dependabot/update_files_command_spec.rb: Adds tests for the job-construction-time fetch behavior.
  • updater/spec/dependabot/job_spec.rb: Adds tests for blocked versions being enforced/logged via job ignore logic.

Copilot's findings

  • Files reviewed: 7/7 changed files
  • Comments generated: 3

Comment thread updater/lib/dependabot/api_client.rb
Comment thread updater/lib/dependabot/update_files_command.rb Outdated
Comment thread updater/spec/dependabot/update_files_command_spec.rb
Comment thread updater/lib/dependabot/update_files_command.rb Outdated
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-support branch 6 times, most recently from 8347d57 to bfaf2eb Compare May 18, 2026 15:37
Base automatically changed from kbukum1/add-blocked-versions-support to main May 18, 2026 16:15
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch 2 times, most recently from 8551485 to fac5354 Compare May 18, 2026 17:34
@kbukum1 kbukum1 requested a review from Copilot May 18, 2026 17:40
Contributor

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 5/5 changed files
  • Comments generated: 2

Comment thread updater/lib/dependabot/update_files_command.rb Outdated
Comment thread updater/lib/dependabot/api_client.rb
Contributor

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 5/5 changed files
  • Comments generated: 2

Comment thread updater/lib/dependabot/update_files_command.rb Outdated
Comment thread updater/lib/dependabot/update_files_command.rb Outdated
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch from 620a828 to 509752f Compare May 18, 2026 17:57
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch from 70017bb to ca8424d Compare May 18, 2026 19:31
@kbukum1 kbukum1 requested a review from Copilot May 18, 2026 19:51
Contributor

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 7/7 changed files
  • Comments generated: 1

Comment thread updater/lib/dependabot/job.rb
@kbukum1 kbukum1 requested a review from Copilot May 18, 2026 19:58
@kbukum1 kbukum1 marked this pull request as ready for review May 18, 2026 20:00
@kbukum1 kbukum1 requested a review from a team as a code owner May 18, 2026 20:00
Contributor

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 7/8 changed files
  • Comments generated: 1

Comment thread updater/lib/dependabot/api_client.rb
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch from 59057a7 to 02bf234 Compare May 18, 2026 20:05
@kbukum1 kbukum1 requested a review from Copilot May 18, 2026 20:06
Contributor

Copilot AI left a comment


Copilot's findings

  • Files reviewed: 7/8 changed files
  • Comments generated: 0 new

Comment thread updater/lib/dependabot/update_files_command.rb Outdated
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch 2 times, most recently from 9014e61 to 0ffb8bf Compare May 20, 2026 15:58
@kbukum1 kbukum1 requested a review from robaiken May 20, 2026 15:58
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch from 0ffb8bf to bdce0a3 Compare May 21, 2026 16:16
kbukum1 and others added 5 commits May 21, 2026 11:27
Implement the API call that fetches blocked versions from
dependabot-api and injects them into the job definition before
the Job object is constructed.

Changes:
- ApiClient#fetch_blocked_versions: GET endpoint that retrieves
  blocked versions for a given package manager. Gracefully handles
  errors (returns [] on failure, logs warning).
- Service: delegate fetch_blocked_versions to client
- UpdateFilesCommand#job: fetch blocked versions during job
  construction (gated behind :blocked_versions experiment flag)
  and inject into job_definition hash
- Remove the TODO placeholder from previous PR

Tests:
- ApiClient spec: success, error, timeout, and empty response cases
- UpdateFilesCommand spec: verifies fetch is called with correct
  package manager and handles empty responses

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Handle JSON::ParserError and validate data is an Array in fetch_blocked_versions
- Deep-copy Environment.job_definition to avoid mutating the memoized global
- Rename experiment flag from :blocked_versions to :dependabot_blocked_versions
- Assert blocked versions are actually injected into the Job in tests
- Add specs for invalid JSON and non-array data responses

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…riments

- Validate parsed response is a Hash before calling fetch on it
- Add test for non-object JSON body (e.g. bare array)
- Pre-register experiments from job definition before the blocked_versions gate
- Add test verifying experiment flag works when set via job definition

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…nore_conditions

Align the blocked_versions data structure with ignore_conditions conventions
and the dependabot-api BlockedDependency model which stores version requirement
strings (e.g. '= 3.3.6', '>= 3.0, < 4.0') rather than bare versions.

The API endpoint will transform from the model's 'version' field to
'version-requirement' in the response, matching how ignore_conditions uses
'version-requirement' throughout the stack.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Update bin/dry-run.rb (from merged PR #14916) to use 'version-requirement'
instead of 'version' in the blocked_versions data structure, matching the
rename done in job.rb and the API contract.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
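A runnable sketch of the fetch-and-inject flow that the PR description and the commit messages above describe: a GET for the blocked versions list that degrades to an empty list on HTTP errors, timeouts, connection errors, invalid JSON and non-Hash/non-Array bodies, followed by the job-construction step that deep-copies the job definition, pre-registers experiments from the payload with hyphen-to-underscore normalization, and injects the list only behind the experiment flag. This is an added example, not Dependabot's own ApiClient, Service or UpdateFilesCommand code. The class and method names (BlockedVersionsClient, build_job_definition), the minimal Experiments stand-in, the endpoint path, the injectable transport lambda that replaces a real HTTP client, the hyphenated job hash keys and the sample API response are all assumptions made for the example.

```ruby
require "json"
require "timeout"

# Added example, not Dependabot's code. Everything named here (BlockedVersionsClient,
# the Experiments stand-in, build_job_definition, the endpoint path, the job hash
# shape) is an assumption chosen to illustrate the behaviour the PR describes.

# Stand-in for the updater's experiment registry. Flags arriving from the job
# payload use hyphens; they are normalised to underscored symbols on both sides.
module Experiments
  @flags = {}

  def self.reset!
    @flags = {}
  end

  def self.register(name, value)
    @flags[name.to_s.tr("-", "_").to_sym] = value
  end

  def self.enabled?(name)
    !!@flags[name.to_s.tr("-", "_").to_sym]
  end
end

class BlockedVersionsClient
  # transport: callable taking a path and returning [status, body]; it may raise
  # Timeout::Error or IO/socket errors the way a real HTTP client would.
  def initialize(transport:, log: ->(_msg) {})
    @transport = transport
    @log = log
  end

  # Returns the "data" array from the API, each entry carrying "dependency-name"
  # and a "version-requirement" string. Any failure degrades to [] with a warning
  # so the update run proceeds without globally blocked versions.
  def fetch_blocked_versions(package_manager)
    status, body = @transport.call("/blocked_versions?package_manager=#{package_manager}")
    unless status == 200
      @log.call("blocked versions fetch failed: HTTP #{status}")
      return []
    end

    parsed = JSON.parse(body)
    unless parsed.is_a?(Hash) && parsed["data"].is_a?(Array)
      @log.call("blocked versions response malformed: #{parsed.class}")
      return []
    end
    parsed["data"]
  rescue Timeout::Error, IOError, SystemCallError, JSON::ParserError => e
    @log.call("blocked versions fetch failed: #{e.class}")
    []
  end
end

# Mirrors the job-construction step: deep-copy the definition so the caller's
# memoised hash is untouched, pre-register experiments from the payload, then
# fetch and inject only when the flag is on.
def build_job_definition(job_definition, client)
  definition = JSON.parse(JSON.generate(job_definition))
  job = definition.fetch("job")
  (job["experiments"] || {}).each { |name, value| Experiments.register(name, value) }
  return definition unless Experiments.enabled?(:dependabot_blocked_versions)

  job["blocked-versions"] = client.fetch_blocked_versions(job.fetch("package-manager"))
  definition
end

# Constructed sample response and transports (no network involved).
SAMPLE_BODY = JSON.generate(
  "data" => [{ "dependency-name" => "rails", "version-requirement" => "= 3.3.6" }]
)

def transport_returning(status, body)
  ->(_path) { [status, body] }
end

def transport_raising(error)
  ->(_path) { raise error }
end

if __FILE__ == $PROGRAM_NAME
  client = BlockedVersionsClient.new(transport: transport_returning(200, SAMPLE_BODY), log: ->(m) { warn m })
  payload = { "job" => { "package-manager" => "bundler", "experiments" => { "dependabot-blocked-versions" => true } } }
  puts JSON.pretty_generate(build_job_definition(payload, client))
  Experiments.reset!
end
```

The transport is injected so every failure mode from the PR description can be exercised offline; swapping in a real HTTP client only changes the lambda. Note that the JSON round-trip copy is what makes the "do not mutate the memoised definition" guarantee hold: mutating `job` after a shallow `dup` would still write through to the nested hash the caller holds.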
@kbukum1 kbukum1 force-pushed the kbukum1/add-blocked-versions-api-integration branch from bdce0a3 to 396e50b Compare May 21, 2026 16:27
@kbukum1 kbukum1 merged commit 4199a46 into main May 21, 2026
273 of 278 checks passed
@kbukum1 kbukum1 deleted the kbukum1/add-blocked-versions-api-integration branch May 21, 2026 18:08
3 participants