Native semver and dependabot

[vim-zz]

✨ PR Description

Purpose: Add native semver version comparison and dependabot version extraction functions to replace existing plugin implementations.
Main changes:

• Added native filter functions checkSemver and checkDependabot to improve performance
• Updated documentation to reflect native implementation availability and usage
• Modified example code to use new native functions instead of plugins
• Fixed minor issues in extractSnykVersionBump implementation

Generated by LinearB AI and added by gitStream.
_{AI-generated content may contain inaccuracies. Please verify before using. We'd love your feedback! 🚀}

[orca-security-us]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0   0   0   0	View in Orca
Passed	SAST	0   0   0   0	View in Orca
Passed	Secrets	0   0   0   0	View in Orca
Passed	Vulnerabilities	0   0   0   0	View in Orca

[Copilot]

Pull Request Overview

This PR migrates from plugin-based filters to native implementations for version bump detection and semantic version comparison. The change introduces checkDependabot and checkSemver as native filter functions to replace the extractDependabotVersionBump and compareSemver plugins.

• Updates all references from compareSemver to checkSemver across documentation and examples
• Removes the entire extractDependabotVersionBump plugin implementation
• Adds comprehensive documentation for the new native filter functions

Reviewed Changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
plugins/filters/extractSnykVersionBump/*	Updates example usage to use checkSemver instead of compareSemver
plugins/filters/extractDependabotVersionBump/*	Complete removal of plugin files (index.js, tests, docs, etc.)
plugins/filters/compareSemver/reference.md	Fixes example to show correct version order for comparison
docs/filter-functions.md	Adds documentation for new checkDependabot and checkSemver native functions
docs/filter-function-plugins.md	Adds migration notes directing users to native implementations
docs/execution-model.md	Updates examples to use native functions and removes plugin warning
docs/downloads/automation-library/*	Updates automation examples to use new native functions
docs/automations/integrations/dependabot/*	Removes plugin requirements from documentation

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The example shows using compareSemver but the documentation indicates this has been replaced by checkSemver. The example should be updated to use the new native function name.

Suggested change

	{{ ["1.2.3", "1.2.1"] | compareSemver == "patch" }}
	{{ ["1.2.3", "1.2.1"] | checkSemver == "patch" }}

[claude]

Code Review Feedback 📋

Thank you for this PR that migrates from plugin-based implementations to native filter functions! Here's my comprehensive review:

✅ Positive Aspects

1. Performance Improvement

• Excellent decision to replace JavaScript plugins with native implementations
• Native functions (checkSemver, checkDependabot) should provide better performance than external plugins
• Eliminates plugin installation overhead for common use cases

2. Documentation Quality

• Comprehensive documentation updates in docs/filter-functions.md with clear examples
• Good migration notes in docs/filter-function-plugins.md explaining the transition
• Proper deprecation notices rather than breaking changes

3. Code Consistency

• Consistent API design: both functions return predictable data structures
• Clear parameter documentation with usage examples
• Maintains backward compatibility through deprecation notices

⚠️ Areas for Improvement

1. Test Coverage Concerns

• CRITICAL: The removal of plugins/filters/extractDependabotVersionBump/test.js eliminates important test cases
• The deleted test file contained valuable edge cases (HTML escaped content, complex Dependabot descriptions)
• No evidence of native function tests to replace the plugin tests
• Recommendation: Create comprehensive tests for the new native functions before merging

2. Migration Path

• Consider providing a migration script or clearer upgrade instructions
• The deprecation notices are good, but actual migration steps would be helpful
• Timeline for plugin removal should be clearly communicated

3. Documentation Consistency

• Some examples still mix old and new function names in comments
• The compareSemver reference documentation shows incorrect example (line should show checkSemver)

🔧 Minor Issues

1. Code Quality

• docs/execution-model.md:505: Extra blank line should be removed for consistency
• plugins/filters/extractSnykVersionBump/index.js:12: Trailing space on line 12

2. Example Accuracy

• plugins/filters/compareSemver/reference.md:25: Example shows compareSemver instead of checkSemver

🔒 Security & Performance

Security: ✅ No security concerns identified

• Native functions should be more secure than external plugins
• No exposed credentials or unsafe operations

Performance: ✅ Expected improvement

• Native implementation should be faster than JavaScript plugins
• Reduced external dependencies

📋 Recommendations

1. HIGH PRIORITY: Add comprehensive tests for checkSemver and checkDependabot native functions
2. MEDIUM: Create migration documentation with specific steps
3. LOW: Fix documentation inconsistencies and formatting issues

💡 Overall Assessment

This is a valuable improvement that modernizes the codebase by replacing plugins with native functions. The implementation appears sound, but the lack of test coverage is a significant concern that should be addressed before merging.

Recommendation: Request tests for the native functions before approval.

---

🤖 Generated with Claude Code

[gitstream-cm]

✨ PR Review

LGTM

Generated by LinearB AI and added by gitStream.
_{AI-generated content may contain inaccuracies. Please verify before using. We'd love your feedback! 🚀}

Review dismissed

[claude]

PR Review: Native semver and dependabot

✅ Overall Assessment: Strong Implementation

This PR successfully migrates from plugin-based to native filter functions for semantic versioning and Dependabot integration. The implementation follows good practices and provides a clear upgrade path.

Code Quality & Best Practices

✅ Strengths:

• Comprehensive documentation: Excellent documentation in docs/filter-functions.md with clear parameter descriptions, examples, and usage patterns
• Backwards compatibility: Smart migration strategy with deprecation notices instead of breaking changes
• Consistent naming: checkDependabot and checkSemver follow clear naming conventions
• Example-driven approach: Multiple practical examples showing real-world usage patterns

⚠️ Areas for improvement:

1. Missing CM file update (plugins/filters/compareSemver/compare_semver.cm:26):

   # Current (uses old plugin)
   bump: {{ ["1.2.3", "1.2.1"] | compareSemver }}
   
   # Should be updated to
   bump: {{ ["1.2.3", "1.2.1"] | checkSemver }}

2. Inconsistent parameter documentation: The checkSemver function shows optional parameters (lexicographical, zeroExtend) in the docs but doesn't clearly indicate how to use them in the examples.

Potential Bugs & Issues

✅ Low risk overall, but consider:

1. Array bounds checking: The new checkSemver function should validate input array length (docs suggest [to, from] format but should handle edge cases)

2. Null handling consistency: Documentation shows checkDependabot returns null on failure, but usage examples don't show defensive programming patterns

Performance Considerations

✅ Excellent improvement:

• Native functions will have better performance than JavaScript plugins
• Reduced plugin loading overhead
• Better memory usage without external plugin dependencies

Security Concerns

✅ No significant security issues identified:

• Functions parse version strings, which is low-risk
• No external API calls or file system operations
• Input validation appears appropriate for the use case

Test Coverage

⚠️ Major gap:

• Missing tests: No unit tests found for the new native checkDependabot and checkSemver functions
• The old extractDependabotVersionBump plugin had comprehensive tests (test.js) that were removed
• Recommendation: Add native function tests to ensure regex patterns work correctly with various Dependabot PR formats

Migration & Compatibility

✅ Well executed:

• Clear deprecation notices in docs/filter-function-plugins.md
• Updated all example files and documentation
• Maintains API compatibility (same input/output format)

Recommendations

1. Fix remaining CM file: Update plugins/filters/compareSemver/compare_semver.cm to use checkSemver
2. Add comprehensive tests: Port test cases from the old plugin or create new ones
3. Add parameter usage examples: Show how to use optional parameters in checkSemver
4. Consider error handling examples: Document what happens when functions receive invalid input

Security & Best Practices Score: 8.5/10

This is a solid implementation that improves performance while maintaining functionality. The main areas for improvement are test coverage and completing the migration consistently across all files.

[gitstream-cm]

✨ PR Review

The PR successfully migrates from plugin-based functions to native implementations for version comparison and dependency parsing, with comprehensive documentation updates. However, there's a potentially problematic change in the extractSnykVersionBump function.

1 issues detected:

🐞 Bug - The restoration of previously removed conditional logic without clear justification could introduce regressions.

Details: The condition check for validating the description parameter was previously removed and is now being added back. This change could reintroduce a bug if the condition was removed for a valid reason, or it could fix a bug if the condition was needed but incorrectly removed.
File: plugins/filters/extractSnykVersionBump/index.js (13-13)

Generated by LinearB AI and added by gitStream.
_{AI-generated content may contain inaccuracies. Please verify before using. We'd love your feedback! 🚀}

[gitstream-cm]

🐞 Bug - Conditional Logic Restored: Verify the original reason for removing this condition and ensure that adding it back doesn't break existing functionality or introduce edge cases where valid descriptions are incorrectly filtered out.

Suggested change

	if (desc && desc !== '""' && desc !== "''" ) {
	if (desc && typeof desc === 'string' && desc.trim() !== '') {

[MishaKav]

👑