Improve detection of nuget source URL from Artifactory #28041
Replies: 3 comments 15 replies
-
Reproduction forked to https://github.com/renovate-reproductions/28041 (and renovate.json syntax error fixed) |
Beta Was this translation helpful? Give feedback.
-
Dependabot is not open source so we should not use their code in any way, ideally solve it independently/from first principles. @fgreinacher is the github source repo contained in any of the JSON responses from JFrog? Or is the idea to assume that the sourceUrl for package X on an alternative host is the same sourceUrl as package X on the default registry? |
Beta Was this translation helpful? Give feedback.
-
This is the upstream Artifactory ticket: https://jfrog.atlassian.net/browse/RTFACT-26507 We gave it a little push from our Artifactory team, let's see how it goes. |
Beta Was this translation helpful? Give feedback.
-
Tell us more.
Renovate currently tries to derive the source URL of a NuGet dependency via the
PackageBaseAddress
resource, see https://github.com/renovatebot/renovate/blob/main/lib/modules/datasource/nuget/v3.ts#L203-L214.This works well for packages from NuGet.org, but fails for Artifactory (and maybe others) because it does not provide this resource.
This issue has just recently been solved by Dependabot and I suggest we extend the current logic in a similar way.
I have set up a reproduction at https://github.com/fgreinacher/renovate-artifactory-source-url:
Beta Was this translation helpful? Give feedback.
All reactions