
feat: allow ignore packages#53

Open
9romise wants to merge 6 commits intomainfrom
ignore/vulnerability

Conversation


@9romise 9romise commented Mar 1, 2026

Resolve #52


coderabbitai bot commented Mar 1, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between 11c1331 and c85a43e.

📒 Files selected for processing (1)
  • package.json
📝 Walkthrough

Adds workspace/user ignore lists for package diagnostics and wire-up for adding entries to those lists. New configuration keys for ignore.upgrade, ignore.deprecation, ignore.replacement and ignore.vulnerability are declared and documented. Diagnostic rules for upgrade, deprecation, replacement and vulnerability now consult the corresponding ignore list and skip emitting diagnostics when matched. The quick-fix provider produces additional "add to ignore" actions (workspace and user scopes). Tests and test mocks/setup were updated to include the new configuration shape.

🚥 Pre-merge checks (3 passed)

Description check: ✅ Passed. The pull request description references issue #52, which directly relates to the changeset focused on implementing ignore/safelist functionality for dependencies.
Linked Issues check: ✅ Passed. The implementation fully addresses issue #52 by introducing ignore mechanisms for vulnerabilities, deprecations, replacements, and upgrades across workspace and user scopes.
Out of Scope Changes check: ✅ Passed. All changes are scoped to implementing the ignore/safelist feature for dependencies; no unrelated modifications are present.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
tests/code-actions/quick-fix.test.ts (2)

35-58: Consider verifying command arguments for ignore actions.

The tests verify action titles and counts, but do not assert that the command arguments are correct. Consider adding assertions to verify the action.command.arguments contain the expected values (code, ignoreTarget, configTarget). This would catch regressions if the argument order or values change.

Example addition for the "vulnerability with fix" test:

expect(actions[1]!.command?.arguments).toEqual([
  'vulnerability',
  'lodash@4.17.20',
  ConfigurationTarget.Workspace,
])

71-84: Add tests for deprecation and replacement ignore actions.

The test suite only covers upgrade and vulnerability scenarios. The addIgnoreRules function in src/providers/code-actions/quick-fix.ts defines handlers for deprecation and replacement diagnostic types, but no tests exercise these code paths. Adding test cases for both would improve coverage of the ignore-rule functionality.



📥 Commits

Reviewing files that changed from the base of the PR and between d880133 and c8f65c8.

📒 Files selected for processing (10)
  • README.md
  • package.json
  • src/providers/code-actions/index.ts
  • src/providers/code-actions/quick-fix.ts
  • src/providers/diagnostics/rules/deprecation.ts
  • src/providers/diagnostics/rules/replacement.ts
  • src/providers/diagnostics/rules/vulnerability.ts
  • tests/__mocks__/vscode.ts
  • tests/__setup__/index.ts
  • tests/code-actions/quick-fix.test.ts

Comment on lines +10 to +17
useCommand('npmx.addToIgnore', async (scope: string, name: string, target: ConfigurationTarget) => {
  scope = `ignore.${scope}`
  const config = workspace.getConfiguration(scopedConfigs.scope)
  const current = config.get<string[]>(scope, [])
  if (current.includes(name))
    return
  await config.update(scope, [...current, name], target)
})

⚠️ Potential issue | 🟡 Minor

Validate command arguments before mutating configuration.

npmx.addToIgnore currently trusts runtime arguments. A malformed invocation can write unexpected keys or values into settings.

Suggested patch
   useCommand('npmx.addToIgnore', async (scope: string, name: string, target: ConfigurationTarget) => {
+    if (!scope || !name)
+      return
+    if (!['deprecation', 'replacement', 'vulnerability'].includes(scope))
+      return
+
     scope = `ignore.${scope}`
     const config = workspace.getConfiguration(scopedConfigs.scope)
     const current = config.get<string[]>(scope, [])
     if (current.includes(name))
       return
     await config.update(scope, [...current, name], target)
   })
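Review bot: The hard-coded allowlist in the second added check, `['deprecation', 'replacement', 'vulnerability']`, leaves out `upgrade`, yet the PR declares an `ignore.upgrade` key (see the walkthrough) and a later revision adds `src/providers/diagnostics/rules/upgrade.ts`, so the upgrade quick-fix would silently do nothing once it calls this command. Derive the list from one shared constant that the diagnostic rules also use instead of duplicating it here. The patch also still passes `target` straight through to `config.update` without checking it is one of the ConfigurationTarget values, and `name` is only checked for truthiness even though it is persisted into settings; a bare `return` on rejection also hides misuse, so at minimum log the rejected invocation.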

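A hardened version of the command body, as an added example and not the npmx project's code: it keeps the four ignore scopes in one constant, validates all three arguments (including the target) before anything is written, and splits the list update into a pure function so it can be tested without VS Code. It assumes a stand-in `ConfigurationTarget` enum with the real enum's numeric values, an entry format of `name@version` as in the `lodash@4.17.20` test example above, and a `ConfigLike` interface that mirrors the `get`/`update` surface of `WorkspaceConfiguration`.

```typescript
// Stand-in for vscode.ConfigurationTarget (assumption: same numeric values as the real enum).
export enum ConfigurationTarget { Global = 1, Workspace = 2, WorkspaceFolder = 3 }
const TARGETS: readonly ConfigurationTarget[] = [
  ConfigurationTarget.Global, ConfigurationTarget.Workspace, ConfigurationTarget.WorkspaceFolder,
]

// Single source of truth for the ignore scopes, matching the four ignore.* keys the PR declares.
// The diagnostic rules and the command both read from it, so a new rule cannot be forgotten.
export const IGNORE_SCOPES = ['upgrade', 'deprecation', 'replacement', 'vulnerability'] as const
export type IgnoreScope = typeof IGNORE_SCOPES[number]

// Assumed entry format "<package>@<version>" (e.g. "lodash@4.17.20"). Scoped packages such as
// "@types/node@20.0.0" pass because only the final "@" separates the name from the version.
const ENTRY_RE = /^(@[a-z0-9~-][a-z0-9._~-]*\/)?[a-z0-9~-][a-z0-9._~-]*@[0-9A-Za-z.+-]+$/

export interface IgnoreArgs { scope: IgnoreScope, name: string, target: ConfigurationTarget }

// Validates the command arguments without touching settings. Returns null on any mismatch,
// so an unknown scope can never become an arbitrary "ignore.<x>" key and an arbitrary string
// can never be persisted as an ignore entry.
export function validateIgnoreArgs(scope: unknown, name: unknown, target: unknown): IgnoreArgs | null {
  if (typeof scope !== 'string' || !(IGNORE_SCOPES as readonly string[]).includes(scope))
    return null
  if (typeof name !== 'string' || !ENTRY_RE.test(name))
    return null
  if (typeof target !== 'number' || !TARGETS.includes(target as ConfigurationTarget))
    return null
  return { scope: scope as IgnoreScope, name, target: target as ConfigurationTarget }
}

// Pure list update: null when the entry is already present, i.e. nothing to write.
export function nextIgnoreList(current: readonly string[], name: string): string[] | null {
  return current.includes(name) ? null : [...current, name]
}

// Minimal surface of vscode.WorkspaceConfiguration that the command needs (assumption).
export interface ConfigLike {
  get<T>(section: string, defaultValue: T): T
  update(section: string, value: unknown, target: ConfigurationTarget): Promise<void>
}

// Hardened command body: validate first, then write only a well-formed entry under a known key.
export async function addToIgnore(config: ConfigLike, scope: unknown, name: unknown, target: unknown): Promise<boolean> {
  const args = validateIgnoreArgs(scope, name, target)
  if (!args)
    return false // caller can log the rejected invocation here
  const key = `ignore.${args.scope}`
  const next = nextIgnoreList(config.get<string[]>(key, []), args.name)
  if (!next)
    return false
  await config.update(key, next, args.target)
  return true
}
```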

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
README.md (1)

41-55: Consider adding a short note on ignore-setting precedence.

Now that ignore lists exist in multiple scopes, a one-liner on precedence (e.g. project vs workspace vs user) would reduce ambiguity for users.



📥 Commits

Reviewing files that changed from the base of the PR and between c8f65c8 and 11c1331.

📒 Files selected for processing (4)
  • README.md
  • package.json
  • src/providers/diagnostics/rules/upgrade.ts
  • tests/__setup__/index.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • tests/__setup__/index.ts


Development

Successfully merging this pull request may close these issues.

Feature : Add a way to ignore/safelist some vulnerable versions of dependencies
