Documentation
¶
Overview ¶
Package freshness checks for outdated dependencies across ecosystems: Dockerfile base images, pinned tool versions, Go modules, Rust crates, npm packages, Alpine APK, Debian/Ubuntu APT, and pip packages.
Each checker extracts structured Dependency records from project files, resolves the latest available version from upstream registries, and reports findings through the lint engine. The same Dependency data is designed to feed a future "stagefreight update" command for automated MR creation.
Index ¶
- Constants
- func DominantUpdateType(d VersionDelta) string
- type Dependency
- type DigestEntry
- type DigestLock
- type DockerFreshnessInfo
- type FreshnessConfig
- type Group
- type PackageRule
- type RegistryConfig
- type RegistryEndpoint
- type SeverityConfig
- type SourceConfig
- type VersionDelta
- type VulnConfig
- type VulnInfo
Constants ¶
const ( EcosystemDockerImage = "docker-image" EcosystemGitHubRelease = "github-release" EcosystemGoMod = "gomod" EcosystemCargo = "cargo" EcosystemNpm = "npm" EcosystemAlpineAPK = "alpine-apk" EcosystemDebianAPT = "debian-apt" EcosystemPip = "pip" )
Ecosystem constants identify the origin of a dependency.
Variables ¶
This section is empty.
Functions ¶
func DominantUpdateType ¶
func DominantUpdateType(d VersionDelta) string
DominantUpdateType is the exported form of dominantUpdateType. It returns "major", "minor", or "patch" for the highest-priority axis in a delta.
Types ¶
type Dependency ¶
type Dependency struct {
Name string // e.g. "golang", "github.com/spf13/cobra", "react"
Current string // currently pinned version string
Latest string // latest available (filled by resolver)
Ecosystem string // one of the Ecosystem* constants below
File string // relative path from repo root
Line int // line number of the pinned version
Indirect bool // e.g. go.mod // indirect
SourceURL string // registry/API URL that was queried
Binding string // editable anchor used by source-specific updaters (e.g. ENV var name)
// Vulnerability info populated by the OSV correlation pass.
Vulnerabilities []VulnInfo // known CVEs affecting the current version
// Advisory is an optional informational message set by the resolver
// when a non-versioned or pre-release tag has stable releases available.
Advisory string
// Fields populated by the config/rule engine after resolution.
// Used by future update commands for MR grouping and automerge.
Group string // assigned group name from package rules
Automerge bool // whether this dep's MR should automerge
}
Dependency is a version-pinned reference extracted from a project file. It is the bridge type consumed by both lint reporting and future update commands (à la Renovate managers).
func ResolveDeps ¶
func ResolveDeps(ctx context.Context, opts map[string]any, files []lint.FileInfo) ([]Dependency, error)
ResolveDeps runs the full dependency resolution pipeline across all files and returns raw Dependency structs with vulnerabilities correlated. opts is passed to Configure; nil uses FreshnessConfig defaults.
type DigestEntry ¶
DigestEntry records a single image tag's digest.
type DigestLock ¶
type DigestLock struct {
Digests map[string]DigestEntry `yaml:"digests"`
}
DigestLock tracks non-versioned tag digests over time.
type DockerFreshnessInfo ¶
type DockerFreshnessInfo struct {
Stages []stageInfo
EnvVars map[string]envVar
PinnedTools []pinnedTool
ApkPackages []packageRef
AptPackages []packageRef
PipPackages []packageRef
}
DockerFreshnessInfo holds everything extracted from a Dockerfile relevant to freshness checking.
type FreshnessConfig ¶
type FreshnessConfig struct {
Sources SourceConfig `json:"sources"`
Severity SeverityConfig `json:"severity"`
Vulnerability VulnConfig `json:"vulnerability"`
Registries RegistryConfig `json:"registries"`
Ignore []string `json:"ignore"`
PackageRules []PackageRule `json:"package_rules"`
Groups []Group `json:"groups"`
Timeout int `json:"timeout"` // HTTP timeout in seconds (default 10)
CacheTTLSecs int `json:"cache_ttl"` // cache TTL in seconds (default 300; 0 = cache forever; <0 = never cache)
}
FreshnessConfig holds per-source toggles, severity mapping, package rules, registry overrides, vulnerability correlation, and grouping configuration.
func DefaultConfig ¶
func DefaultConfig() FreshnessConfig
DefaultConfig returns production defaults.
type Group ¶
type Group struct {
Name string `json:"name"`
CommitMessagePrefix string `json:"commit_message_prefix"`
Automerge *bool `json:"automerge"` // group-level automerge default
SeparateMajor bool `json:"separate_major"` // split major bumps into own MR
}
Group configures how matched dependencies are batched together for future MR creation. Reserved in config shape now; the MR engine will consume these when update mode is implemented.
.stagefreight.yml example:
groups:
- name: "go-patch-updates"
commit_message_prefix: "deps(go): "
automerge: true
- name: "docker-base-images"
separate_major: true
type PackageRule ¶
type PackageRule struct {
// Pattern matching — all specified fields must match (AND logic).
MatchPackages []string `json:"match_packages"` // glob patterns on dependency name
MatchEcosystems []string `json:"match_ecosystems"` // ecosystem constants (docker-image, gomod, etc.)
MatchUpdateTypes []string `json:"match_update_types"` // "major", "minor", "patch"
MatchVulnerability *bool `json:"match_vulnerability"` // true = only match deps with known CVEs
// Overrides applied when matched.
Enabled *bool `json:"enabled"` // false = skip this dependency entirely
Severity *SeverityConfig `json:"severity"` // override severity/tolerance for matched deps
Group string `json:"group"` // assign to a named group (for future MR batching)
// Future update-mode fields (wired later, config-shape reserved now).
Automerge *bool `json:"automerge"` // auto-merge MR if CI passes
}
PackageRule overrides severity, tolerance, or behaviour for dependencies that match its patterns. Rules are evaluated in order; first match wins. Modeled after Renovate's packageRules.
.stagefreight.yml example:
package_rules:
- match_packages: ["golang", "alpine"]
severity: { major: 2, minor: 2, patch: 1 }
- match_packages: ["*.test", "mock-*"]
enabled: false
- match_ecosystems: ["gomod"]
match_update_types: ["patch"]
automerge: true
group: "go-patch-updates"
type RegistryConfig ¶
type RegistryConfig struct {
Docker *RegistryEndpoint `json:"docker"`
Go *RegistryEndpoint `json:"go"`
Npm *RegistryEndpoint `json:"npm"`
PyPI *RegistryEndpoint `json:"pypi"`
Crates *RegistryEndpoint `json:"crates"`
Alpine *RegistryEndpoint `json:"alpine"`
Debian *RegistryEndpoint `json:"debian"`
Ubuntu *RegistryEndpoint `json:"ubuntu"`
GitHub *RegistryEndpoint `json:"github"` // GitHub API for tool version checks
}
RegistryConfig overrides the default public registry URLs per ecosystem. Each field accepts a RegistryEndpoint; if URL is empty the public default is used. Auth is resolved from environment variables at runtime.
.stagefreight.yml example:
registries:
docker:
url: "https://jcr.pcfae.com/v2"
auth_env: "JCR_TOKEN"
go:
url: "https://goproxy.company.com"
npm:
url: "https://npm.company.com"
auth_env: "NPM_TOKEN"
type RegistryEndpoint ¶
type RegistryEndpoint struct {
URL string `json:"url"` // base URL (e.g. "https://jcr.pcfae.com/v2")
AuthEnv string `json:"auth_env"` // env var name holding auth token (Bearer)
}
RegistryEndpoint is a custom registry URL with optional auth.
type SeverityConfig ¶
type SeverityConfig struct {
Major int `json:"major"` // 0=info, 1=warning, 2=critical (default: 2)
Minor int `json:"minor"` // default: 1
Patch int `json:"patch"` // default: 0
MajorTolerance int `json:"major_tolerance"` // default: 0
MinorTolerance int `json:"minor_tolerance"` // default: 0
PatchTolerance int `json:"patch_tolerance"` // default: 1
}
SeverityConfig maps version-delta levels to lint severities and controls how many versions behind are tolerated before reporting.
type SourceConfig ¶
type SourceConfig struct {
DockerImages *bool `json:"docker_images"`
GitHubReleases *bool `json:"github_releases"`
GoModules *bool `json:"go_modules"`
RustCrates *bool `json:"rust_crates"`
NpmPackages *bool `json:"npm_packages"`
AlpineAPK *bool `json:"alpine_apk"`
DebianAPT *bool `json:"debian_apt"`
PipPackages *bool `json:"pip_packages"`
}
SourceConfig toggles individual dependency ecosystems on or off. nil means "use default" (true for all).
type VersionDelta ¶
VersionDelta describes how far behind a dependency is.
func CompareDependencyVersions ¶
func CompareDependencyVersions(current, latest, ecosystem string) VersionDelta
CompareDependencyVersions is the exported form of compareDependencyVersions. It dispatches to ecosystem-aware version comparison and returns a VersionDelta.
func (VersionDelta) IsZero ¶
func (d VersionDelta) IsZero() bool
IsZero returns true when there is no version difference.
type VulnConfig ¶
type VulnConfig struct {
Enabled *bool `json:"enabled"` // default true
MinSeverity string `json:"min_severity"` // "low", "moderate", "high", "critical" (default: "moderate")
SeverityOverride *bool `json:"severity_override"` // CVE-affected deps escalate to critical (default: true)
}
VulnConfig controls vulnerability correlation via the OSV database.
.stagefreight.yml example:
vulnerability: enabled: true min_severity: "moderate" severity_override: true
type VulnInfo ¶
type VulnInfo struct {
ID string // e.g. "GHSA-xxxx-yyyy-zzzz", "CVE-2024-12345"
Summary string // short description
Severity string // "LOW", "MODERATE", "HIGH", "CRITICAL" (from OSV/CVSS)
FixedIn string // version that fixes the vulnerability (if known)
Source string // provenance: "osv" (default), "trivy", "grype", "trivy+grype"
}
VulnInfo describes a single known vulnerability affecting a dependency.
Source Files