renovate/lib/workers/repository/init/vulnerability.js
2018-07-31 07:21:25 +02:00


// Public surface of this module: the single entry point that converts
// platform vulnerability alerts into package rules.
module.exports = {
  detectVulnerabilityAlerts: detectVulnerabilityAlerts,
};
/**
 * Translate the platform's vulnerability alerts into forced package rules.
 *
 * The incoming config is returned untouched (same object) when it has no
 * `vulnerabilityAlerts` section, when that section has `enabled === false`,
 * or when the platform reports no alerts. Otherwise a shallow copy is
 * returned whose `packageRules` has one extra rule per alert that carries a
 * `fixedIn` version; the caller's object is not modified.
 *
 * `logger` and `platform` are not defined in this file; presumably they are
 * globals supplied by the host application. TODO confirm.
 *
 * @param {object} input - repository config, possibly with `vulnerabilityAlerts`,
 *   `vulnerabilityAlertsOnly` and `packageRules`.
 * @returns {Promise<object>} the original config or a shallow copy with the
 *   alert-derived rules appended.
 * @throws {Error} 'no-vulnerability-alerts' when `vulnerabilityAlertsOnly` is
 *   set and the platform returned no alerts.
 */
async function detectVulnerabilityAlerts(input) {
  const alertSettings = input ? input.vulnerabilityAlerts : undefined;
  if (!alertSettings) {
    return input;
  }
  if (alertSettings.enabled === false) {
    logger.debug('Vulnerability alerts are disabled');
    return input;
  }

  // assumes the platform always resolves to an array (possibly empty);
  // a null/undefined result would throw on `.length` — TODO confirm.
  const alerts = await platform.getVulnerabilityAlerts();
  if (!alerts.length) {
    logger.debug('No vulnerability alerts found');
    if (input.vulnerabilityAlertsOnly) {
      throw new Error('no-vulnerability-alerts');
    }
    return input;
  }

  // Shallow copy so the caller's config object is left as it was.
  const config = { ...input };

  const rulesFromAlerts = alerts.reduce((collected, alert) => {
    if (!alert.fixedIn) {
      // Without a fixed version there is no safe target to constrain to,
      // so the alert is logged and produces no rule.
      logger.info({ alert }, 'Vulnerability alert has no fixedIn version');
      return collected;
    }
    // NOTE(review): packageName and fixedIn are used exactly as the platform
    // returned them; confirm the platform layer normalises fixedIn to a
    // single version string before it is embedded in the ranges below.
    collected.push({
      packageNames: [alert.packageName],
      // Only match installs whose current version is still vulnerable.
      matchCurrentVersion: `< ${alert.fixedIn}`,
      // Never propose a version that is itself still vulnerable.
      allowedVersions: `>= ${alert.fixedIn}`,
      // Settings from the vulnerabilityAlerts section are carried on the
      // rule, with a marker flag identifying it as alert-driven.
      force: {
        ...alertSettings,
        vulnerabilityAlert: true,
      },
    });
    return collected;
  }, []);

  // Alert rules go after any user-defined rules; presumably later rules
  // take precedence when rules are merged — verify against the rule matcher.
  const existingRules = config.packageRules || [];
  config.packageRules = existingRules.concat(rulesFromAlerts);
  return config;
}