feat: add dependency enrichment backends #43
Pull request overview
This PR introduces three new dependency enrichment backends for the Dependency Health V2 feature split (PR 3 of 6). These enrichers extend dependency objects with vulnerability, policy, and license information from the Cloudsmith package index. The PR includes a shared utility module for generating consistent dependency keys and comprehensive test coverage for each enricher.
Changes:
- Adds vulnerability enrichment with caching, concurrency management, and TTL-based expiration
- Adds policy enrichment for mapping policy violation flags and status information
- Adds license enrichment with license classification using an existing LicenseClassifier utility
- Adds a foundDependencyKey utility for consistent package identification across enrichers
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| util/foundDependencyKey.js | Utility function for generating consistent cache keys from dependency objects |
| util/dependencyVulnEnricher.js | Vulnerability enrichment backend with intelligent caching and concurrent API fetching |
| util/dependencyPolicyEnricher.js | Policy enrichment backend mapping Cloudsmith policy data to dependencies |
| util/dependencyLicenseEnricher.js | License enrichment backend using existing LicenseClassifier |
| test/dependencyVulnEnricher.test.js | Comprehensive tests for vulnerability enrichment including cache management |
| test/dependencyPolicyEnricher.test.js | Tests for policy enrichment mapping |
| test/dependencyLicenseEnricher.test.js | Tests for license classification |
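The caching, in-flight de-duplication and TTL behaviour that the overview lists for the vulnerability enricher, as an added example in JavaScript. This is not code from PR #43 or from the Cloudsmith repository: the `fetchVulns(key)` callback, the injected `now()` clock, the `keyFn` stand-in for `getFoundDependencyKey`, the `vulnerabilities`/`vulnStatus` result fields and the in-memory sample index are all assumptions made for the example.

```javascript
// Added example, not code from PR #43 or the Cloudsmith repository.
// createVulnCache: TTL cache + in-flight de-duplication + bounded concurrency.
// fetchVulns(key) and now() are injected so the behaviour can be tested offline.
function createVulnCache({ fetchVulns, ttlMs, maxConcurrent = 4, now = Date.now }) {
  const entries = new Map();  // key -> { value, expiresAt }
  const inFlight = new Map(); // key -> Promise, so concurrent lookups share one fetch
  const waiters = [];
  let active = 0;

  // Minimal semaphore: at most maxConcurrent fetches against the index at once.
  function acquire() {
    if (active < maxConcurrent) {
      active += 1;
      return Promise.resolve();
    }
    return new Promise((resolve) => waiters.push(resolve));
  }
  function release() {
    const next = waiters.shift();
    if (next) next(); // hand the slot straight to a waiter
    else active -= 1;
  }

  async function lookup(key) {
    const hit = entries.get(key);
    if (hit && hit.expiresAt > now()) return hit.value;
    if (hit) entries.delete(key); // expired: drop it and fall through to a refetch
    if (inFlight.has(key)) return inFlight.get(key);

    const request = (async () => {
      await acquire();
      try {
        const value = await fetchVulns(key);
        // Only successful answers are cached. A failed fetch must not become a
        // cached "no vulnerabilities" result for the rest of the TTL window.
        entries.set(key, { value, expiresAt: now() + ttlMs });
        return value;
      } finally {
        release();
        inFlight.delete(key);
      }
    })();
    inFlight.set(key, request);
    return request;
  }

  return { lookup, size: () => entries.size };
}

// keyFn stands in for the PR's getFoundDependencyKey (assumed to return null when
// the dependency has no package). vulnStatus "unknown" separates "lookup failed"
// from "no known vulnerabilities" so a failure never reads as a clean result.
async function enrichVulnerabilities(dependencies, cache, keyFn) {
  return Promise.all(dependencies.map(async (dep) => {
    const key = keyFn(dep);
    if (!key) return { ...dep, vulnerabilities: [], vulnStatus: "unknown" };
    try {
      return { ...dep, vulnerabilities: await cache.lookup(key), vulnStatus: "ok" };
    } catch (err) {
      return { ...dep, vulnerabilities: [], vulnStatus: "unknown", vulnError: String(err.message) };
    }
  }));
}

// Runs the enricher three times against constructed sample data (not a real
// index): cold, inside the TTL, and after it; returns fetch counts per stage.
async function runDemo() {
  const sampleIndex = {
    "acme:npm:abc123": [{ id: "EXAMPLE-0001", severity: "high" }],
    "acme:npm:def456": [],
  };
  const fetchCalls = [];
  let clock = 1000; // injected clock, milliseconds
  const fetchVulns = async (key) => {
    fetchCalls.push(key);
    if (!(key in sampleIndex)) throw new Error(`index lookup failed for ${key}`);
    return sampleIndex[key];
  };
  const cache = createVulnCache({ fetchVulns, ttlMs: 300000, maxConcurrent: 2, now: () => clock });
  const keyFn = (dep) => dep.key || null;
  const deps = [
    { name: "left-pad", key: "acme:npm:abc123" },
    { name: "left-pad", key: "acme:npm:abc123" }, // same key: one fetch, not two
    { name: "lodash", key: "acme:npm:def456" },
    { name: "mystery", key: "acme:npm:zzz999" },  // not in the index: fetch fails
    { name: "local-file" },                       // no package at all
  ];

  const firstRun = await enrichVulnerabilities(deps, cache, keyFn);
  const callsAfterFirst = fetchCalls.length;  // abc123, def456, zzz999
  clock += 1000;
  await enrichVulnerabilities(deps, cache, keyFn);
  const callsAfterCached = fetchCalls.length; // only zzz999 again: failures are not cached
  clock += 300000;
  await enrichVulnerabilities(deps, cache, keyFn);
  const callsAfterExpiry = fetchCalls.length; // all three keys again after the TTL
  return { firstRun, callsAfterFirst, callsAfterCached, callsAfterExpiry, cacheSize: cache.size() };
}
```

The design point worth carrying into the real enricher is the split between a cached empty list and an uncached failure: a package whose lookup failed is reported as `unknown`, not as having no vulnerabilities, and the failure is retried on the next pass rather than sitting in the cache for the TTL window.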
| function getCloudsmithPackageKey(packageModel) { | ||
| if (!packageModel || typeof packageModel !== "object") { | ||
| return null; | ||
| } | ||
|
|
||
| const workspace = String(packageModel.namespace || "").trim().toLowerCase(); | ||
| const repo = String(packageModel.repository || "").trim().toLowerCase(); | ||
| const slug = String( | ||
| packageModel.slug_perm | ||
| || packageModel.slugPerm | ||
| || packageModel.slug | ||
| || packageModel.identifier | ||
| || "" | ||
| ).trim(); | ||
|
|
||
| if (!workspace || !repo || !slug) { | ||
| return null; | ||
| } | ||
|
|
||
| return `${workspace}:${repo}:${slug}`; | ||
| } |
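Review bot: `getCloudsmithPackageKey` lowercases `namespace` and `repository` but only trims the slug, and it joins the three parts with `:` without checking that a part does not itself contain `:`, so two distinct packages can normalise to one key and the results cached under it would be served for the wrong package; since this key selects vulnerability and policy data, normalise the slug the same way as the other parts, reject or escape the delimiter, and avoid the fallback chain `slug_perm || slugPerm || slug || identifier`, which makes the key depend on whichever field happens to be populated in a given response. Keeping a second copy of this logic here, alongside `getFoundDependencyKey` in foundDependencyKey.js, also means the two can drift apart and produce different keys for the same package.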
The getCloudsmithPackageKey function in this file duplicates the logic from getFoundDependencyKey in foundDependencyKey.js. Consider using the shared utility function from foundDependencyKey.js instead to reduce code duplication and improve maintainability.
|
|
||
| module.exports = { | ||
| enrichLicenses, | ||
| getFoundDependencyKey, |
The module exports getFoundDependencyKey which is imported from foundDependencyKey.js, but this function is not used within this module and not used by any consumers. This re-export appears unintended and should be removed to keep the API surface clear. If this function is meant to be available through this module for a specific reason, that should be documented.
| getFoundDependencyKey, |
| // Copyright 2026 Cloudsmith Ltd. All rights reserved. | ||
| function getFoundDependencyKey(dependency) { | ||
| if (!dependency || !dependency.cloudsmithPackage) { | ||
| return null; | ||
| } | ||
|
|
||
| const pkg = dependency.cloudsmithPackage; | ||
| const workspace = String(pkg.namespace || "").trim().toLowerCase(); | ||
| const repo = String(pkg.repository || "").trim().toLowerCase(); | ||
| const slug = String(pkg.slug_perm || pkg.slugPerm || pkg.slug || pkg.identifier || "").trim(); | ||
|
|
||
| if (!workspace || !repo || !slug) { | ||
| return null; | ||
| } | ||
|
|
||
| return `${workspace}:${repo}:${slug}`; | ||
| } | ||
|
|
||
| module.exports = { | ||
| getFoundDependencyKey, | ||
| }; |
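Review bot: `getFoundDependencyKey` accepts any truthy `dependency.cloudsmithPackage` and coerces each field with `String(...)`, so a non-string `namespace`, `repository` or slug (an object, a number) is silently stringified into the key instead of being rejected, and nothing stops a component containing the `:` delimiter from colliding with another package's `workspace:repo:slug`; because the enrichers cache results under this key, validate that each component is a non-empty string free of `:` before joining, lowercase the slug as well as the other two parts (or document why the slug is case-sensitive), and make exactly these cases (missing field, wrong type, delimiter inside a component, mixed-case input, the four-way slug fallback) the test cases for the coverage this module is currently missing.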
This new utility module is not covered by any tests. Since it's a critical utility function used by multiple enrichers, it should have dedicated test coverage to ensure the key generation logic works correctly for edge cases.
b67eccf to e26263e
e26263e to 8856cfb
Closing this PR because the initial split/stacking strategy was incorrect and produced oversized, overlapping diffs. A clean stacked PR set will be reopened from the original feature branch.
📄 Summary
Dependency enrichment backend for updates to dependency health view
🔍 Related Issues
Link to any related GitHub issues (e.g., Fixes #12, Closes #34):
🧪 Type of Change
Please check the relevant type tag for this PR title:
- [FIX] Bug fix
- [NEW] New thing
- [REFACTOR] Internal changes such as code restructuring or optimization that does not alter functionality
- [DOC] Documentation-only changes
- [CHORE] Maintenance, cleanup, or CI configuration
🧪 How Has This Been Tested?
Describe how you tested your changes. Include CI runs, local tests, manual verification, or screenshots if applicable.
📸 Screenshots (if applicable)
If UI or logs are affected, include before/after screenshots or output.
✅ Checklist