feat: include pins optionally

lili2311 · lili2311 · commit f94c558f573b · 2021-03-29T15:49:48.000+01:00
diff --git a/packages/snyk-fix/src/plugins/python/handlers/pip-requirements/update-dependencies/index.ts b/packages/snyk-fix/src/plugins/python/handlers/pip-requirements/update-dependencies/index.ts
@@ -19,6 +19,7 @@ const debug = debugLib('snyk-fix:python:update-dependencies');
 export function updateDependencies(
   parsedRequirementsData: ParsedRequirements,
   updates: DependencyPins,
+  directUpgradesOnly = false,
 ): { updatedManifest: string; changes: FixChangesSummary[] } {
   const {
     requirements,
@@ -38,11 +39,15 @@ export function updateDependencies(
   );
   debug('Finished generating upgrades to apply');
 
-  const { pinnedRequirements, changes: pinChanges } = generatePins(
-    requirements,
-    updates,
-  );
-  debug('Finished generating pins to apply');
+  let pinnedRequirements: string[] = [];
+  let pinChanges: FixChangesSummary[] = [];
+  if (!directUpgradesOnly) {
+    ({ pinnedRequirements, changes: pinChanges } = generatePins(
+      requirements,
+      updates,
+    ));
+    debug('Finished generating pins to apply');
+  }
 
   let updatedManifest = [
     ...applyUpgrades(requirements, updatedRequirements),
diff --git a/packages/snyk-fix/test/unit/plugins/python/handlers/update-dependencies/update-dependencies.spec.ts b/packages/snyk-fix/test/unit/plugins/python/handlers/update-dependencies/update-dependencies.spec.ts
@@ -306,4 +306,40 @@ describe('remediation', () => {
       );
     }
   });
+  it('skips pins if asked', () => {
+    const upgrades = {
+      'django@1.6.1': {
+        upgradeTo: 'django@2.0.1',
+        vulns: [],
+        upgrades: [],
+        isTransitive: false,
+      },
+      'transitive@1.0.0': {
+        upgradeTo: 'transitive@1.1.1',
+        vulns: [],
+        upgrades: [],
+        isTransitive: true,
+      },
+    };
+
+    const manifestContents = 'Django==1.6.1';
+
+    const expectedManifest =
+      'Django==2.0.1\ntransitive>=1.1.1 # not directly required, pinned by Snyk to avoid a vulnerability';
+    const directUpgradesOnly = false;
+    const requirements = parseRequirementsFile(manifestContents);
+    const result = updateDependencies(
+      requirements,
+      upgrades,
+      directUpgradesOnly,
+    );
+    expect(result.changes.map((c) => c.userMessage).sort()).toEqual(
+      [
+        'Pinned transitive from 1.0.0 to 1.1.1',
+        'Upgraded Django from 1.6.1 to 2.0.1',
+      ].sort(),
+    );
+    // Note no extra newline was added to the expected manifest
+    expect(result.updatedManifest).toEqual(expectedManifest);
+  });
 });
