fix: validate EXEMPT_ECOSYSTEMS against supported package ecosystems#514

Merged
zkoppert merged 5 commits into main from fix/validate-exempt-ecosystems on Mar 26, 2026
Conversation

@zkoppert (Collaborator)

Problem

EXEMPT_ECOSYSTEMS silently accepts any string without validating against the list of supported package ecosystems. A typo like docekr instead of docker would be ignored, leading to unexpected behavior where the ecosystem isn't actually exempted.

Solution

  • Extract the hardcoded ecosystem list from parse_repo_specific_exemptions into a module-level SUPPORTED_PACKAGE_ECOSYSTEMS constant, eliminating duplication
  • Add validation to the EXEMPT_ECOSYSTEMS parsing logic that checks each ecosystem against the constant
  • Raise a ValueError with a clear message identifying the unrecognized ecosystem, consistent with how parse_repo_specific_exemptions handles invalid ecosystems

Testing

  • Added test_get_env_vars_exempt_ecosystems_unsupported_ecosystem test case that verifies a ValueError is raised when an invalid ecosystem (e.g., docekr) is provided
  • All 156 existing tests continue to pass
  • 99% code coverage maintained

Closes #489

Extract hardcoded ecosystem list into SUPPORTED_PACKAGE_ECOSYSTEMS constant
and add validation to EXEMPT_ECOSYSTEMS parsing. A typo like 'docekr' instead
of 'docker' now raises a ValueError with a clear message, consistent with
how parse_repo_specific_exemptions already validates ecosystems.

Closes #489

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@zkoppert zkoppert self-assigned this Mar 26, 2026
@github-actions github-actions bot added the fix label Mar 26, 2026
zkoppert and others added 2 commits March 25, 2026 21:48
…tions

Add maven, gradle, and devcontainers to SUPPORTED_PACKAGE_ECOSYSTEMS -
these are actively supported in dependabot_file.py but were missing from
the validation list, which would have rejected valid configurations.

Also add .lower() to parse_repo_specific_exemptions for consistent
case-insensitive handling across both EXEMPT_ECOSYSTEMS and
REPO_SPECIFIC_EXEMPTIONS.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Skip empty strings after split/strip instead of rejecting them as
unrecognized ecosystems. A trailing comma (e.g. 'npm,docker,') was
previously harmless and should remain so.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
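The parsing rule described in the PR description and refined in the follow-up commits (split EXEMPT_ECOSYSTEMS on commas, strip and lowercase each entry, skip empty entries left by a trailing comma, and reject anything not in SUPPORTED_PACKAGE_ECOSYSTEMS with a ValueError), written out as an added stand-alone example. This is not the project's env.py code: the function names, the error-message wording, and every ecosystem name in the constant other than docker, npm, maven, gradle and devcontainers (which the page mentions) are assumptions. The unchecked variant is included to show the pre-fix failure mode, where a misspelled entry is kept as-is and the ecosystem the user actually meant is never exempted.

```python
import os
from typing import Mapping, Optional

# Assumed contents. The page names docker, npm, maven, gradle and devcontainers;
# the other entries are Dependabot package-ecosystem identifiers added here to
# make the example realistic and are not taken from the project's constant.
SUPPORTED_PACKAGE_ECOSYSTEMS = frozenset({
    "bundler", "cargo", "composer", "devcontainers", "docker", "github-actions",
    "gomod", "gradle", "maven", "mix", "npm", "nuget", "pip", "terraform",
})


def parse_exempt_ecosystems_unchecked(value: str) -> list:
    """Pre-fix behaviour (assumed shape): every non-empty token is accepted.

    A typo such as 'docekr' survives parsing, nothing matches it later, and
    'docker' is silently not exempted.
    """
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def parse_exempt_ecosystems(value: str) -> list:
    """Post-fix behaviour: normalise each entry, skip blanks, validate the rest.

    Raises ValueError naming the first unrecognized ecosystem, so a typo fails
    loudly at startup instead of being ignored at runtime.
    """
    ecosystems = []
    for raw in value.split(","):
        ecosystem = raw.strip().lower()  # case-insensitive, tolerant of spaces
        if not ecosystem:
            continue  # 'npm,docker,' or 'npm,,docker' stays harmless
        if ecosystem not in SUPPORTED_PACKAGE_ECOSYSTEMS:
            raise ValueError(
                f"EXEMPT_ECOSYSTEMS contains unrecognized ecosystem '{ecosystem}'. "
                f"Supported ecosystems: {', '.join(sorted(SUPPORTED_PACKAGE_ECOSYSTEMS))}"
            )
        ecosystems.append(ecosystem)
    return ecosystems


def validation_error(value: str) -> Optional[str]:
    """Return the ValueError message for an invalid value, or None if it parses."""
    try:
        parse_exempt_ecosystems(value)
    except ValueError as exc:
        return str(exc)
    return None


def get_exempt_ecosystems_from_env(environ: Optional[Mapping] = None) -> list:
    """Read EXEMPT_ECOSYSTEMS from the environment (or a supplied mapping) and
    validate it; an unset or empty variable means no ecosystems are exempt."""
    env = os.environ if environ is None else environ
    return parse_exempt_ecosystems(env.get("EXEMPT_ECOSYSTEMS", ""))


if __name__ == "__main__":
    # Constructed inputs: a typo, a trailing comma and mixed case.
    print(parse_exempt_ecosystems_unchecked("npm,docekr"))   # typo accepted silently
    print(parse_exempt_ecosystems("npm, Docker,"))            # ['npm', 'docker']
    print(validation_error("npm,docekr"))                     # message naming 'docekr'
```

The validation runs once, when configuration is loaded, so a misconfigured exemption aborts the run instead of quietly leaving an ecosystem subject to the policy the operator thought they had disabled.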
@zkoppert zkoppert marked this pull request as ready for review March 26, 2026 05:18
@zkoppert zkoppert requested a review from jmeridth as a code owner March 26, 2026 05:18
Copilot AI review requested due to automatic review settings March 26, 2026 05:18
Copilot AI (Contributor) left a comment

Pull request overview

This PR tightens configuration validation by ensuring EXEMPT_ECOSYSTEMS values are checked against the same supported package ecosystem list used elsewhere, preventing typos from being silently ignored.

Changes:

  • Introduces a module-level SUPPORTED_PACKAGE_ECOSYSTEMS constant and reuses it in ecosystem validation.
  • Validates EXEMPT_ECOSYSTEMS, raising a ValueError for unrecognized ecosystems (and ignoring empty entries like trailing commas).
  • Adds tests covering unsupported ecosystems and trailing-comma tolerance for EXEMPT_ECOSYSTEMS.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
env.py Adds SUPPORTED_PACKAGE_ECOSYSTEMS, reuses it in parse_repo_specific_exemptions, and validates EXEMPT_ECOSYSTEMS entries against it.
test_env.py Adds regression tests for invalid EXEMPT_ECOSYSTEMS values and trailing comma handling.

@jmeridth (Collaborator) left a comment

There were a few others mentioned in the documentation. Are we purposefully excluding them?

zkoppert and others added 2 commits March 26, 2026 15:33
…ertion

Update EXEMPT_ECOSYSTEMS docs to include devcontainers and gradle, add
note about ValueError on unrecognized values, and alphabetize the list.

Replace brittle result[21] index assertion in trailing comma test with
full expected tuple comparison, matching the pattern used by all other
tests in the file.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Fix MD060 table-column-style error caused by misaligned pipe character
in the EXEMPT_ECOSYSTEMS row after updating the description text.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@zkoppert zkoppert merged commit 1a503a0 into main Mar 26, 2026
35 checks passed
@zkoppert zkoppert deleted the fix/validate-exempt-ecosystems branch March 26, 2026 23:06
Development

Successfully merging this pull request may close these issues.

EXEMPT_ECOSYSTEMS accepts invalid ecosystem names without validation

3 participants