You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
findings (list) and finding (detail) now render the vulnerable dependency's import chain from the new SCA dependencyChains field.
Each finding is labelled Direct (Update <pkg> to <fixedVersion>) or Transitive (<pkg> → … → <pkg> (Fixed in <fixedVersion>)); chains with 4+ packages collapse their middle to <first> → ... N more ... → <last>. The list shows the first chain + ... and X more; the detail lists every chain aligned under one label. When chains are present, the redundant version segment is dropped from the status line. dependencyChains is also included in --output json.
Rendering lives in three shared helpers in src/utils/formatting.ts (formatDependencyChain, formatDependencyChainsLine, formatDependencyChainsBlock). No API-client regeneration needed — the field was already in the generated SrmItem model.
Also updates the personal /ship-it command to wait for the AI reviewers and auto-run /pr-fixup after opening a PR.
Test plan
npm test (17 new tests, 390 total — unit tests for the helpers plus list/detail command tests)
npm run build (strict-mode type-check)
Manual: npx ts-node src/index.ts findings gh <org> <repo> --scan-types SCA and npx ts-node src/index.ts finding gh <org> <findingId> against an SCA finding with transitive deps; confirm the Direct/Transitive line, the ... and X more suffix, and middle collapse. Add --output json to confirm dependencyChains is present.
Surface the new SCA `dependencyChains` field on both `findings` (list)
and `finding` (detail). Findings are labelled Direct (actionable
"Update X to Y") or Transitive (the import path + "Fixed in Y"), and
chains with 4+ packages collapse their middle to "... N more ...". The
list shows the first chain plus "... and X more"; the detail lists every
chain aligned under a single label. `dependencyChains` is also added to
both JSON projections. Rendering lives in three shared helpers in
utils/formatting.ts.
Also updates the personal /ship-it command to wait for the AI reviewers
and auto-run /pr-fixup after opening a PR.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The reason will be displayed to describe this comment to others. Learn more.
Code Review
This pull request introduces support for displaying vulnerable dependency import chains (SCA findings) in both the findings list and finding detail commands, utilizing a new dependencyChains field. It adds formatting utilities, comprehensive unit tests, and updates the corresponding specifications and documentation. Additionally, the .claude/commands/ship-it.md command has been updated to support waiting for AI reviews and automatically running /pr-fixup by default. There are no review comments to address, so I have no additional feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
The implementation successfully adds dependency import chain visibility to SCA findings; however, the PR includes significant scope expansion into the /ship-it automation tool that is unrelated to the core feature. While the project remains up to standards according to Codacy, there is a lack of verification for the complex bash logic introduced in .claude/commands/ship-it.md. Additionally, code duplication exists in how version transitions are formatted across different command outputs, which should be consolidated to ensure consistency.
About this PR
The complex bash script added to .claude/commands/ship-it.md for polling GitHub reviews is not covered by any automated tests or verification logic, posing a maintenance risk.
This PR contains significant scope expansion. Changes to the /ship-it automation tool should ideally be handled in a separate PR to maintain focused review cycles and clear history.
Test suggestions
Unit test formatDependencyChain to verify arrow joining and middle-collapse logic for 4+ packages.
Unit test formatDependencyChainsLine to verify single-line summary with 'more' suffix and correct labeling.
Unit test formatDependencyChainsBlock to verify multi-line aligned output for finding details.
Command test for findings (list) ensuring the version segment is suppressed when SCA chains are present.
Command test for finding (detail) ensuring all chains are rendered and redundant versions are suppressed.
Verification that dependencyChains is present in the pickDeep whitelist for JSON output in both commands.
Verification of the bash polling logic in ship-it.md (checking bot logins and submitted_at timestamps).
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verification of the bash polling logic in `ship-it.md` (checking bot logins and `submitted_at` timestamps).
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
Suggestion: The logic for calculating and formatting the version transition (affectedVersion -> fixedVersion) while suppressing it when dependency chains are present is duplicated between finding.ts and findings.ts. Since you've already introduced dependency chain helpers in src/utils/formatting.ts, this logic should also be centralized to ensure consistency.
Try running the following prompt in your IDE agent:
In src/utils/formatting.ts, create a helper formatVersionSegment(affectedVersion?: string, fixedVersion?: string[], options?: { includeUpdatePrefix?: boolean }) that handles the logic seen in src/commands/finding.ts (lines 83-89) and src/commands/findings.ts (lines 117-123). Then refactor both files to use it.
The reason will be displayed to describe this comment to others. Learn more.
Good call — extracted formatVersionSegment(affectedVersion, fixedVersion, { includeUpdatePrefix }) in utils/formatting.ts and refactored both finding.ts and findings.ts to use it (the list passes includeUpdatePrefix: true; the detail omits it). Fixed in d0c8341.
The reason will be displayed to describe this comment to others. Learn more.
Pull request overview
This PR enhances the findings (list) and finding (detail) commands to display SCA vulnerable dependency import chains using the dependencyChains field, including Direct vs Transitive labeling, chain collapsing for long paths, and inclusion in --output json.
Changes:
Added shared dependency-chain formatting helpers (formatDependencyChain, formatDependencyChainsLine, formatDependencyChainsBlock) and unit tests for them.
Updated findings and finding command output to render dependency chains (and omit the redundant affected→fixed segment when chains are present), plus expanded JSON projections.
Updated specs/docs, changeset, and the repo’s .claude/commands/ship-it.md workflow instructions.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.
- Bump the fetch-api spec URL to 56.1.1, the version that introduces the
SCA dependencyChains field. The generated API client is gitignored and
regenerated in CI via update-api, so the spec bump is what makes
dependencyChains exist on SrmItem there — fixes the CI type-check.
- Extract a shared formatVersionSegment helper so the affected→fixed
status-line segment isn't duplicated across finding.ts and findings.ts
(Codacy review).
- Make the chains parameter optional on the dependency-chain helpers to
match their internal guards, dropping the non-null assertions at the
call sites (Copilot review).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Thanks for the reviews. Addressing the review-level points from the Codacy overview:
CI type-check failure (build-and-test): fixed. The generated API client (src/api/client/) and api-v3/api-swagger.yaml are gitignored and regenerated in CI via npm run update-api, which fetches the spec from the URL in package.json. That URL was still pointing at spec 55.12.1, which has no dependencyChains — so CI generated a client without the field and the type-check failed. Bumped the spec to 56.1.1 (the version that introduces dependencyChains) in d0c8341. Verified locally by running the exact CI flow (npm run update-api → npx tsc --noEmit).
Scope expansion (/ship-it): intentional for this PR — the maintainer opted to include the /ship-it command update here. Point taken that command/tooling changes are generally cleaner as a separate PR.
Untested bash in ship-it.md:ship-it.md is a Claude Code command (prompt/instructions), not executable code shipped in the package, so it's outside the repo's automated test scope. The polling logic was exercised end-to-end by using it to open and watch this very PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
Summary
findings(list) andfinding(detail) now render the vulnerable dependency's import chain from the new SCAdependencyChainsfield.Update <pkg> to <fixedVersion>) or Transitive (<pkg> → … → <pkg> (Fixed in <fixedVersion>)); chains with 4+ packages collapse their middle to<first> → ... N more ... → <last>. The list shows the first chain +... and X more; the detail lists every chain aligned under one label. When chains are present, the redundant version segment is dropped from the status line.dependencyChainsis also included in--output json.src/utils/formatting.ts(formatDependencyChain,formatDependencyChainsLine,formatDependencyChainsBlock). No API-client regeneration needed — the field was already in the generatedSrmItemmodel./ship-itcommand to wait for the AI reviewers and auto-run/pr-fixupafter opening a PR.Test plan
npm test(17 new tests, 390 total — unit tests for the helpers plus list/detail command tests)npm run build(strict-mode type-check)npx ts-node src/index.ts findings gh <org> <repo> --scan-types SCAandnpx ts-node src/index.ts finding gh <org> <findingId>against an SCA finding with transitive deps; confirm the Direct/Transitive line, the... and X moresuffix, and middle collapse. Add--output jsonto confirmdependencyChainsis present.🤖 Generated with Claude Code