Flag new maintainers

[jrjohnson]

We'd like to be able to label / prevent auto-merge on PRs where the release was published to NPM by a new maintainer. This would allow us to do a manual security review and probably wait a bit to ensure permissions to publish wasn't granted to a bad actor.

[feelepxyz]

@jrjohnson thanks for your suggestion, I like this idea! We've got some related ideas that we'll want to make sure fit together nicely before adding.

[mwaddell]

@jrjohnson I'd be happy to work on this - what is the logic that you would use to identify whether a release was published under a new maintainer?

[jrjohnson]

That would be fantastic and do a lot to improve our security stance against a specific kind of supply chain attack! I'm not sure of the specifics, but this was handled in dependabot v1. I don't think it was much more complicated than "has this account ever published this package before", but maybe you see an option for more granularity of better security?

[mwaddell]

@jrjohnson There are a few different options based on whether we just care if the primary owner/maintainer changed, or if we care about any changes to the list of people who have write access on that package.

I would worry that something like this could give a false sense of security if one of the users with write access is <packagename>bot and the list of users who can invoke that bot's workflow is maintained elsewhere.

Do you have a few examples of npm packages that changed owners between versions that I could use for testing some options?

[jrjohnson]

Here's an example of what this used to look like if that helps ilios/frontend#6342

[mwaddell]

Here's an example of what this used to look like if that helps ilios/frontend#6342

That PR is from 3 months ago using the Github-native Dependabot. So, am I correct that this feature is already working correctly in the PR that dependabot creates, but you just want access to that information from the fetch-metadata action?

[jrjohnson]

Yes. We don't want to auto-approve anything with a maintainer change. Those will need a look from a real human.

[mwaddell]

That makes sense. I'm not sure we want to have fetch-metadata graph the PR body and try to parse that because I'm not sure how that would work with internationalization. The best approach would be to add maintainer-change as another entry in the section that dependabot generates for fetch-metadata. Something like:

---
updated-dependencies:
- dependency-name: ember-cli-content-security-policy
  dependency-type: direct:development
  update-type: version-update:semver-major
  maintainer-change: true
...

I think it's a great idea! It's just not something we can change exclusively in fetch-metadata -- it would need to first be changed in dependabot-core and then we can change fetch-metadata to use it. Is just "true"/"false" useful, or is there additional detail that would be useful to pull as well?

[jrjohnson]

True/false would completely solve our use case.

[mwaddell]

@brrygrdn it doesn't look like the code which generates the fetch-metadata section of the commit is part of dependabot-core - is there a separate repo that manages that, or is that an internal github thing?

For example, if I run bin/dry-run.rb --pull-request I only get the following:

--commit--
Bump Mono.Options from 1.0 to 6.12.0.148 in /Compiler

Bumps Mono.Options from 1.0 to 6.12.0.148.
--/commit--

[brrygrdn]

@mwaddell I think that'll live inside the internal service layer at the moment. We've discussed having more of the API interaction to actually push diffs happen within core, but I'm not sure its something we'll change in the medium term.

I'll check where we augment the commits that are passed from dependabot-core and which objects we use, I think there's a Dependency object we use for most of the existing fields which could potentially be augmented to include this attribute so we can wire it up in the internal service.

[jeffwidman]

I just reviewed #174 and hopefully we can land it soon.

Also, this feature is neat, I had no idea before this PR that dependabot-core supported flagging when maintainer changes were happening. 🎉

It looks like it requires support from the registry/package manager ecosystem, and today npm may be the only one exposing that.

So down the road perhaps we can evangelize the feature to other package registries / language ecosystems, as I can see it being helpful for lots of folks.