potiuk opened a new pull request, #366:
URL: https://github.com/apache/airflow-steward/pull/366
## Summary
A freshly-allocated Vulnogram CVE record (RESERVED state, title-only)
carries an empty `affected[]` array. The first `vulnogram-api-record-update`
push that populates the array was previously misclassified as a product
*change* by `_diff_affected_products` and refused unless the caller passed
`--allow-product-change` — a flag intended for genuine `packageName` /
`product` renames, not for the normal first push.
This caused real friction during the 2026-05 bulk regeneration: 7 of 17
trackers' first push refused with a `MergeModeRefused: product changed` error
and had to be retried with `--allow-product-change`, even though no product was
actually being changed.
The fix: surface the empty-`current` case as a non-diff so the guard does
not trip on first-time population.
```python
    if current_sigs == new_sigs:
        return []
    if not current_sigs:  # first-time population is not a change
        return []
```
The genuine rename case is unaffected: a non-empty `current` with a
different signature than `new` still raises `MergeModeRefused` and still requires
`--allow-product-change`.
## Test plan
- [x] New unit test: `_diff_affected_products(current=[], new=[...])`
returns `[]`.
- [x] New unit test: `apply_merge_mode_guards` end-to-end succeeds for
empty→populated without `--allow-product-change`.
- [x] Existing 23 tests pass (rename refusal, `--allow-product-change`
override, order-insensitive set comparison, etc.).
- [x] `uv run pytest tools/vulnogram/oauth-api/tests/test_merge_mode.py` —
25 passed.
##### Was generative AI tooling used to co-author this PR?
- [x] Yes — Claude Opus 4.7 (1M context)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
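The guard behaviour the PR describes, as an added stand-alone example (not airflow-steward's own code): a model of `_diff_affected_products` and `apply_merge_mode_guards` covering first-time population, a genuine rename, re-ordering, and the case where a populated `affected[]` is emptied. The representation of an affected entry, the three-field product signature, the helper names `_product_signature`, `demo` and `refused`, and all sample records are assumptions for this example, not taken from the project.

```python
"""Added example, not airflow-steward's own code: a minimal model of the
affected[] product-change guard described in the PR.

Assumptions (not from the page): each affected[] entry is a dict carrying
the CVE 5 JSON fields `vendor`, `product` and `packageName`, and a product
"signature" is the tuple of those three values. Function names mirror the
PR text; their exact parameter lists are guesses.
"""
from __future__ import annotations


class MergeModeRefused(Exception):
    """Raised when a merge-mode push would silently rewrite product identity."""


def _product_signature(entry: dict) -> tuple[str, str, str]:
    # Assumed identity fields of a CVE 5 affected[] entry.
    return (entry.get("vendor", ""), entry.get("product", ""), entry.get("packageName", ""))


def _diff_affected_products(current: list[dict], new: list[dict]) -> list[tuple]:
    """Return the product signatures that differ between `current` and `new`.

    Order-insensitive: the same signatures in a different order compare equal.
    An empty `current` (freshly RESERVED, title-only record) is first-time
    population, not a change, so it yields no diff.
    """
    current_sigs = {_product_signature(e) for e in current}
    new_sigs = {_product_signature(e) for e in new}
    if current_sigs == new_sigs:
        return []
    if not current_sigs:  # first-time population is not a change
        return []
    # Symmetric difference: anything added or dropped counts as a change.
    return sorted(current_sigs ^ new_sigs)


def apply_merge_mode_guards(current: list[dict], new: list[dict],
                            allow_product_change: bool = False) -> list[dict]:
    """Refuse a push that changes product identity unless explicitly allowed."""
    changed = _diff_affected_products(current, new)
    if changed and not allow_product_change:
        raise MergeModeRefused(f"product changed: {changed}; rerun with --allow-product-change")
    return new


# Constructed sample records; not taken from any real CVE.
RESERVED_RECORD: list[dict] = []  # title-only record, affected[] still empty
FIRST_PUSH = [{"vendor": "example-vendor", "product": "example-product",
               "packageName": "example-package"}]
RENAMED = [{"vendor": "example-vendor", "product": "example-product",
            "packageName": "example-package-core"}]
TWO_PACKAGES = FIRST_PUSH + [{"vendor": "example-vendor", "product": "example-product",
                              "packageName": "example-plugin"}]


def refused(current: list[dict], new: list[dict]) -> bool:
    """True if a push without --allow-product-change would be refused."""
    try:
        apply_merge_mode_guards(current, new)
    except MergeModeRefused:
        return True
    return False


def demo() -> dict[str, object]:
    """Walk the cases the PR discusses and return the outcome of each."""
    return {
        # The bug the PR fixes: empty -> populated must not be a product change.
        "first_push_diff": _diff_affected_products(RESERVED_RECORD, FIRST_PUSH),
        "first_push_refused": refused(RESERVED_RECORD, FIRST_PUSH),
        # Genuine packageName rename: still refused without the flag.
        "rename_refused": refused(FIRST_PUSH, RENAMED),
        "rename_with_flag_ok": apply_merge_mode_guards(FIRST_PUSH, RENAMED,
                                                       allow_product_change=True) is RENAMED,
        # Same signatures, different order: no diff.
        "reorder_is_noop": _diff_affected_products(list(reversed(TWO_PACKAGES)), TWO_PACKAGES),
        # Emptying a populated array is still a change; the carve-out is one-directional.
        "drop_all_refused": refused(FIRST_PUSH, RESERVED_RECORD),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The carve-out is deliberately asymmetric: only an empty `current` is treated as a non-diff, so a push that wipes a populated `affected[]` still trips the guard and still needs the explicit override.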