From 2b8b7b2fd16d3feabec308e679291f4f71d5e1cb Mon Sep 17 00:00:00 2001 From: Aaron Powell Date: Fri, 10 Jul 2026 10:15:44 +1000 Subject: [PATCH] Narrow risk scan version matching (#2251) Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --- eng/pr-risk-scan.mjs | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/eng/pr-risk-scan.mjs b/eng/pr-risk-scan.mjs index a6a12a28..ac31b9d9 100644 --- a/eng/pr-risk-scan.mjs +++ b/eng/pr-risk-scan.mjs @@ -57,9 +57,18 @@ function hasUnpinnedVersionIndicator(line) { return true; } - // pyproject/requirements style entries with broad lower-bound only specs. + // Python package install commands with broad lower-bound only specs. if ( - /\b[A-Za-z0-9_.-]+\s*(>=|>|~=)\s*\d+(?:\.\d+){0,2}\b(?!\s*,\s*<)/.test( + /\b(?:pip|pip3|uv|uvx|poetry|pdm)\s+install\b[^\n#]*\b[a-z0-9][a-z0-9_.-]*(?:\[[A-Za-z0-9_,.-]+\])?\s*(>=|>|~=)\s*\d+(?:\.\d+){0,2}\b(?!\s*,\s*<)/i.test( + trimmed + ) + ) { + return true; + } + + // requirements/constraints style entries that contain only a dependency spec. + if ( + /^\s*(?:-\s*)?(?:["'])?[a-z0-9][a-z0-9_.-]*(?:\[[A-Za-z0-9_,.-]+\])?(?:["'])?\s*(>=|>|~=)\s*\d+(?:\.\d+){0,2}\b(?!\s*,\s*<)(?:\s*(?:#.*)?)?$/.test( trimmed ) ) {