From c20cb30d9ac93487fb90ab1ea79796520c2fe7d5 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Mon, 20 Apr 2020 18:52:15 +0200
Subject: [PATCH] =?UTF-8?q?fix(poetry):=20don=E2=80=99t=20error=20vulnerab?=
 =?UTF-8?q?ility=20alerts=20(#6013)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/workers/repository/process/lookup/filter.ts     | 13 +++++++++++++
 lib/workers/repository/process/lookup/index.spec.ts | 10 ++++++++++
 2 files changed, 23 insertions(+)

diff --git a/lib/workers/repository/process/lookup/filter.ts b/lib/workers/repository/process/lookup/filter.ts
index 7d7f9d729f..7fbf76f36e 100644
--- a/lib/workers/repository/process/lookup/filter.ts
+++ b/lib/workers/repository/process/lookup/filter.ts
@@ -4,6 +4,8 @@ import * as allVersioning from '../../../../versioning';
 import { Release } from '../../../../datasource';
 import { CONFIG_VALIDATION } from '../../../../constants/error-messages';
 import * as npmVersioning from '../../../../versioning/npm';
+import * as pep440 from '../../../../versioning/pep440';
+import * as poetryVersioning from '../../../../versioning/poetry';
 import { regEx } from '../../../../util/regex';
 
 export interface FilterConfig {
@@ -95,6 +97,17 @@ export function filterVersions(
       filteredVersions = filteredVersions.filter((v) =>
         semver.satisfies(semver.coerce(v), allowedVersions)
       );
+    } else if (
+      versioning === poetryVersioning.id &&
+      pep440.isValid(allowedVersions)
+    ) {
+      logger.debug(
+        { depName: config.depName },
+        'Falling back to pypi syntax for allowedVersions'
+      );
+      filteredVersions = filteredVersions.filter((v) =>
+        pep440.matches(v, allowedVersions)
+      );
     } else {
       const error = new Error(CONFIG_VALIDATION);
       error.configFile = 'config';
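Review bot: The new `else if` branch for `poetryVersioning.id` carries no comment explaining why a poetry-versioned dependency's `allowedVersions` is reinterpreted with PEP 440 semantics; the only hint is the debug message, and a reader has to infer that the branches above (outside this hunk) have already failed to validate the value under poetry's own syntax. Add above the condition `// Poetry's own validation did not accept allowedVersions; pyproject authors commonly write PEP 440 specifiers (e.g. ==1.2.3), so try those before rejecting the config.` Separately, `pep440.matches(v, allowedVersions)` is fed every remaining release version, and what it does with a `v` that is valid for poetry but not for PEP 440 is not visible here — if it can throw rather than return false, the filter should guard with `pep440.isValid(v) && pep440.matches(v, allowedVersions)` so one odd release does not abort the whole lookup. `filterVersions` starts and ends outside the hunk.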
diff --git a/lib/workers/repository/process/lookup/index.spec.ts b/lib/workers/repository/process/lookup/index.spec.ts
index d3ff35ed83..698a49a006 100644
--- a/lib/workers/repository/process/lookup/index.spec.ts
+++ b/lib/workers/repository/process/lookup/index.spec.ts
@@ -13,6 +13,7 @@ import * as dockerVersioning from '../../../../versioning/docker';
 import * as gitVersioning from '../../../../versioning/git';
 import * as npmVersioning from '../../../../versioning/npm';
 import * as pep440Versioning from '../../../../versioning/pep440';
+import * as poetryVersioning from '../../../../versioning/poetry';
 import * as datasourceNpm from '../../../../datasource/npm';
 import * as datasourcePypi from '../../../../datasource/pypi';
 import * as datasourcePackagist from '../../../../datasource/packagist';
@@ -171,6 +172,15 @@ describe('workers/repository/process/lookup', () => {
       nock('https://registry.npmjs.org').get('/q').reply(200, qJson);
       expect((await lookup.lookupUpdates(config)).updates).toHaveLength(1);
     });
+    it('falls back to pep440 syntax allowedVersions', async () => {
+      config.currentValue = '0.4.0';
+      config.allowedVersions = '==0.9.4';
+      config.depName = 'q';
+      config.versioning = poetryVersioning.id; // this doesn't make sense but works for this test
+      config.datasource = datasourceNpm.id; // this doesn't make sense but works for this test
+      nock('https://registry.npmjs.org').get('/q').reply(200, qJson);
+      expect((await lookup.lookupUpdates(config)).updates).toHaveLength(1);
+    });
     it('skips invalid allowedVersions', async () => {
       config.currentValue = '0.4.0';
       config.allowedVersions = 'less than 1';
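Review bot: The new 'falls back to pep440 syntax allowedVersions' test only asserts `toHaveLength(1)`, which distinguishes "no CONFIG_VALIDATION error" from the invalid case below it but does not show that `==0.9.4` was actually applied — a fallback that matched every version would also yield a single update. Pin the selected version as well, e.g. `const res = await lookup.lookupUpdates(config);` followed by `expect(res.updates[0].newValue).toBe('0.9.4');` (assuming the update object exposes the chosen version as `newValue`, as elsewhere in this suite), so a regression in the pep440 matching is caught rather than masked.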
-- 
GitLab