Adding compatibility-score to output

2026-03-12 18:07:12 -04:00 · 2022-02-20 18:43:16 -06:00
parent e79c4e95c1
commit e0099a154d
12 changed files with 2377 additions and 24 deletions
--- a/README.md
+++ b/README.md
@@ -47,6 +47,8 @@ Subsequent actions will have access to the following outputs:
  - The version that this PR updates the dependency from.
 - `steps.dependabot-metadata.outputs.new-version`
  - The version that this PR updates the dependency to.
+- `steps.dependabot-metadata.outputs.compatibility-score`
+  - The compatibility score of this update (if known, 0 otherwise)
 - `steps.dependabot-metadata.outputs.alert-state`
  - If this PR is associated with a security alert, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
 - `steps.dependabot-metadata.outputs.ghsa-id`
--- a/action.yml
+++ b/action.yml
@@ -26,6 +26,8 @@ outputs:
    description: 'The version that this PR updates the dependency from.'
  new-version:
    description: 'The version that this PR updates the dependency to.'
+  compatibility-score:
+    description: 'The compatibility score of this update (if known, 0 otherwise)'
  alert-state:
    description: 'If this PR is associated with a security alert, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
  ghsa-id:
--- a/dist/index.js
+++ b/dist/index.js
--- a/src/dependabot/output.test.ts
+++ b/src/dependabot/output.test.ts
@@ -18,6 +18,7 @@ const baseDependency = {
  targetBranch: '',
  prevVersion: '',
  newVersion: '',
+  compatScore: 0,
  alertState: '',
  ghsaId: '',
  cvss: 0
@@ -34,6 +35,7 @@ test('when given a single dependency it sets its values', async () => {
      targetBranch: 'main',
      prevVersion: '1.0.2',
      newVersion: '1.1.3-beta',
+      compatScore: 43,
      alertState: 'FIXED',
      ghsaId: 'VERY_LONG_ID',
      cvss: 4.6
@@ -56,6 +58,7 @@ test('when given a single dependency it sets its values', async () => {
  expect(core.setOutput).toBeCalledWith('target-branch', 'main')
  expect(core.setOutput).toBeCalledWith('previous-version', '1.0.2')
  expect(core.setOutput).toBeCalledWith('new-version', '1.1.3-beta')
+  expect(core.setOutput).toBeCalledWith('compatibility-score', 43)
  expect(core.setOutput).toBeCalledWith('alert-state', 'FIXED')
  expect(core.setOutput).toBeCalledWith('ghsa-id', 'VERY_LONG_ID')
  expect(core.setOutput).toBeCalledWith('cvss', 4.6)
@@ -101,6 +104,7 @@ test('when given a multiple dependencies, it uses the highest values for types',
  expect(core.setOutput).toBeCalledWith('target-branch', '')
  expect(core.setOutput).toBeCalledWith('previous-version', '')
  expect(core.setOutput).toBeCalledWith('new-version', '')
+  expect(core.setOutput).toBeCalledWith('compatibility-score', 0)
  expect(core.setOutput).toBeCalledWith('alert-state', '')
  expect(core.setOutput).toBeCalledWith('ghsa-id', '')
  expect(core.setOutput).toBeCalledWith('cvss', 0)
@@ -131,6 +135,7 @@ test('when the dependency has no update type', async () => {
  expect(core.setOutput).toBeCalledWith('target-branch', '')
  expect(core.setOutput).toBeCalledWith('previous-version', '')
  expect(core.setOutput).toBeCalledWith('new-version', '')
+  expect(core.setOutput).toBeCalledWith('compatibility-score', 0)
  expect(core.setOutput).toBeCalledWith('alert-state', '')
  expect(core.setOutput).toBeCalledWith('ghsa-id', '')
  expect(core.setOutput).toBeCalledWith('cvss', 0)
@@ -174,6 +179,7 @@ test('when given a multiple dependencies, and some do not have update types', as
  expect(core.setOutput).toBeCalledWith('target-branch', '')
  expect(core.setOutput).toBeCalledWith('previous-version', '')
  expect(core.setOutput).toBeCalledWith('new-version', '')
+  expect(core.setOutput).toBeCalledWith('compatibility-score', 0)
  expect(core.setOutput).toBeCalledWith('alert-state', '')
  expect(core.setOutput).toBeCalledWith('ghsa-id', '')
  expect(core.setOutput).toBeCalledWith('cvss', 0)
--- a/src/dependabot/output.ts
+++ b/src/dependabot/output.ts
@@ -26,6 +26,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
  const target = firstDependency?.targetBranch
  const prevVersion = firstDependency?.prevVersion
  const newVersion = firstDependency?.newVersion
+  const compatScore = firstDependency?.compatScore
  const alertState = firstDependency?.alertState
  const ghsaId = firstDependency?.ghsaId
  const cvss = firstDependency?.cvss
@@ -39,6 +40,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
  core.info(`outputs.target-branch: ${target}`)
  core.info(`outputs.previous-version: ${prevVersion}`)
  core.info(`outputs.new-version: ${newVersion}`)
+  core.info(`outputs.compatibility-score: ${compatScore}`)
  core.info(`outputs.alert-state: ${alertState}`)
  core.info(`outputs.ghsa-id: ${ghsaId}`)
  core.info(`outputs.cvss: ${cvss}`)
@@ -53,6 +55,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
  core.setOutput('target-branch', target)
  core.setOutput('previous-version', prevVersion)
  core.setOutput('new-version', newVersion)
+  core.setOutput('compatibility-score', compatScore)
  core.setOutput('alert-state', alertState)
  core.setOutput('ghsa-id', ghsaId)
  core.setOutput('cvss', cvss)
--- a/src/dependabot/update_metadata.test.ts
+++ b/src/dependabot/update_metadata.test.ts
@@ -2,7 +2,8 @@ import * as updateMetadata from './update_metadata'

 test('it returns an empty array for a blank string', async () => {
  const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
-  expect(updateMetadata.parse('', 'dependabot/nuget/coffee-rails', 'main', getAlert)).resolves.toEqual([])
+  const getScore = async () => Promise.resolve(43)
+  expect(updateMetadata.parse('', 'dependabot/nuget/coffee-rails', 'main', getAlert, getScore)).resolves.toEqual([])
 })

 test('it returns an empty array for commit message with no dependabot yaml fragment', async () => {
@@ -14,7 +15,8 @@ test('it returns an empty array for commit message with no dependabot yaml fragm
  Signed-off-by: dependabot[bot] <support@github.com>`

  const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
-  expect(updateMetadata.parse(commitMessage, 'dependabot/nuget/coffee-rails', 'main', getAlert)).resolves.toEqual([])
+  const getScore = async () => Promise.resolve(43)
+  expect(updateMetadata.parse(commitMessage, 'dependabot/nuget/coffee-rails', 'main', getAlert, getScore)).resolves.toEqual([])
 })

 test('it returns the updated dependency information when there is a yaml fragment', async () => {
@@ -34,7 +36,8 @@ test('it returns the updated dependency information when there is a yaml fragmen
    'Signed-off-by: dependabot[bot] <support@github.com>'

  const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
-  const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/coffee-rails', 'main', getAlert)
+  const getScore = async () => Promise.resolve(43)
+  const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/coffee-rails', 'main', getAlert, getScore)

  expect(updatedDependencies).toHaveLength(1)

@@ -46,6 +49,7 @@ test('it returns the updated dependency information when there is a yaml fragmen
  expect(updatedDependencies[0].targetBranch).toEqual('main')
  expect(updatedDependencies[0].prevVersion).toEqual('4.0.1')
  expect(updatedDependencies[0].newVersion).toEqual('4.2.2')
+  expect(updatedDependencies[0].compatScore).toEqual(43)
  expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
  expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
  expect(updatedDependencies[0].cvss).toEqual(4.6)
@@ -78,7 +82,15 @@ test('it supports multiple dependencies within a single fragment', async () => {
    return Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 })
  }

-  const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/api/main/coffee-rails', 'main', getAlert)
+  const getScore = async (name: string) => {
+    if (name === 'coffee-rails') {
+      return Promise.resolve(34)
+    }
+
+    return Promise.resolve(0)
+  }
+
+  const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/api/main/coffee-rails', 'main', getAlert, getScore)

  expect(updatedDependencies).toHaveLength(2)

@@ -90,6 +102,7 @@ test('it supports multiple dependencies within a single fragment', async () => {
  expect(updatedDependencies[0].targetBranch).toEqual('main')
  expect(updatedDependencies[0].prevVersion).toEqual('4.0.1')
  expect(updatedDependencies[0].newVersion).toEqual('4.2.2')
+  expect(updatedDependencies[0].compatScore).toEqual(34)
  expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
  expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
  expect(updatedDependencies[0].cvss).toEqual(4.6)
@@ -101,7 +114,7 @@ test('it supports multiple dependencies within a single fragment', async () => {
  expect(updatedDependencies[1].packageEcosystem).toEqual('nuget')
  expect(updatedDependencies[1].targetBranch).toEqual('main')
  expect(updatedDependencies[1].prevVersion).toEqual('')
-  expect(updatedDependencies[1].newVersion).toEqual('')
+  expect(updatedDependencies[1].compatScore).toEqual(0)
  expect(updatedDependencies[1].alertState).toEqual('')
  expect(updatedDependencies[1].ghsaId).toEqual('')
  expect(updatedDependencies[1].cvss).toEqual(0)
@@ -130,7 +143,8 @@ test('it only returns information within the first fragment if there are multipl
    'Signed-off-by: dependabot[bot] <support@github.com>'

  const getAlert = async () => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 })
-  const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot|nuget|coffee-rails', 'main', getAlert)
+  const getScore = async () => Promise.resolve(0)
+  const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot|nuget|coffee-rails', 'main', getAlert, getScore)

  expect(updatedDependencies).toHaveLength(1)

@@ -142,6 +156,7 @@ test('it only returns information within the first fragment if there are multipl
  expect(updatedDependencies[0].targetBranch).toEqual('main')
  expect(updatedDependencies[0].prevVersion).toEqual('')
  expect(updatedDependencies[0].newVersion).toEqual('')
+  expect(updatedDependencies[0].compatScore).toEqual(0)
  expect(updatedDependencies[0].alertState).toEqual('')
  expect(updatedDependencies[0].ghsaId).toEqual('')
  expect(updatedDependencies[0].cvss).toEqual(0)
@@ -163,7 +178,8 @@ test('it properly handles dependencies which contain slashes', async () => {
    'Signed-off-by: dependabot[bot] <support@github.com>'

  const getAlert = async () => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 })
-  const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/api/rails/coffee', 'main', getAlert)
+  const getScore = async () => Promise.resolve(0)
+  const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/api/rails/coffee', 'main', getAlert, getScore)

  expect(updatedDependencies).toHaveLength(1)

@@ -175,6 +191,7 @@ test('it properly handles dependencies which contain slashes', async () => {
  expect(updatedDependencies[0].targetBranch).toEqual('main')
  expect(updatedDependencies[0].prevVersion).toEqual('')
  expect(updatedDependencies[0].newVersion).toEqual('')
+  expect(updatedDependencies[0].compatScore).toEqual(0)
  expect(updatedDependencies[0].alertState).toEqual('')
  expect(updatedDependencies[0].ghsaId).toEqual('')
  expect(updatedDependencies[0].cvss).toEqual(0)
--- a/src/dependabot/update_metadata.ts
+++ b/src/dependabot/update_metadata.ts
@@ -14,14 +14,19 @@ export interface updatedDependency extends dependencyAlert {
  packageEcosystem: string,
  targetBranch: string,
  prevVersion: string,
-  newVersion: string
+  newVersion: string,
+  compatScore: number
 }

 export interface alertLookup {
    (dependencyName: string, dependencyVersion: string, directory: string): Promise<dependencyAlert>;
 }

-export async function parse (commitMessage: string, branchName: string, mainBranch: string, lookup: alertLookup): Promise<Array<updatedDependency>> {
+export interface scoreLookup {
+    (dependencyName: string, previousVersion: string, newVersion: string, ecosystem: string): Promise<number>;
+}
+
+export async function parse (commitMessage: string, branchName: string, mainBranch: string, lookup: alertLookup, getScore: scoreLookup): Promise<Array<updatedDependency>> {
  const bumpFragment = commitMessage.match(/^Bumps .* from (?<from>\d[^ ]*) to (?<to>\d[^ ]*)\.$/m)
  const yamlFragment = commitMessage.match(/^-{3}\n(?<dependencies>[\S|\s]*?)\n^\.{3}\n/m)

@@ -37,6 +42,8 @@ export async function parse (commitMessage: string, branchName: string, mainBran
    if (data['updated-dependencies']) {
      return await Promise.all(data['updated-dependencies'].map(async (dependency, index) => {
        const dirname = `/${chunks.slice(2, -1 * (1 + (dependency['dependency-name'].match(/\//g) || []).length)).join(delim) || ''}`
+        const lastVersion = index === 0 ? prev : ''
+        const nextVersion = index === 0 ? next : ''
        return {
          dependencyName: dependency['dependency-name'],
          dependencyType: dependency['dependency-type'],
@@ -44,9 +51,10 @@ export async function parse (commitMessage: string, branchName: string, mainBran
          directory: dirname,
          packageEcosystem: chunks[1],
          targetBranch: mainBranch,
-          prevVersion: index === 0 ? prev : '',
-          newVersion: index === 0 ? next : '',
-          ...await lookup(dependency['dependency-name'], index === 0 ? prev : '', dirname)
+          prevVersion: lastVersion,
+          newVersion: nextVersion,
+          compatScore: await getScore(dependency['dependency-name'], lastVersion, nextVersion, chunks[1]),
+          ...await lookup(dependency['dependency-name'], lastVersion, dirname)
        }
      }))
    }
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -2,7 +2,7 @@ import * as github from '@actions/github'
 import * as core from '@actions/core'
 import nock from 'nock'
 import { Context } from '@actions/github/lib/context'
-import { getAlert, getMessage, trimSlashes } from './verified_commits'
+import { getAlert, getMessage, trimSlashes, getCompatibility } from './verified_commits'

 beforeAll(() => {
  nock.disableNetConnect()
@@ -194,6 +194,48 @@ test('trimSlashes should only trim slashes from both ends', () => {
  expect(trimSlashes('//a//b//c//')).toEqual('a//b//c')
 })

+const svgContents = `<svg width="132.9" height="20" viewBox="0 0 1329 200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" role="img" aria-label="compatibility: 75%">
+  <title>compatibility: 75%</title>
+  <linearGradient id="a" x2="0" y2="100%">
+    <stop offset="0" stop-opacity=".1" stop-color="#EEE"/>
+    <stop offset="1" stop-opacity=".1"/>
+  </linearGradient>
+  <mask id="m"><rect width="1329" height="200" rx="30" fill="#FFF"/></mask>
+  <g mask="url(#m)">
+    <rect width="969" height="200" fill="#555"/>
+    <rect width="360" height="200" fill="#3C1" x="969"/>
+    <rect width="1329" height="200" fill="url(#a)"/>
+  </g>
+  <g aria-hidden="true" fill="#fff" text-anchor="start" font-family="Verdana,DejaVu Sans,sans-serif" font-size="110">
+    <text x="220" y="148" textLength="709" fill="#000" opacity="0.25">compatibility</text>
+    <text x="210" y="138" textLength="709">compatibility</text>
+    <text x="1024" y="148" textLength="260" fill="#000" opacity="0.25">75%</text>
+    <text x="1014" y="138" textLength="260">75%</text>
+  </g>
+  <image x="40" y="35" width="130" height="130" xlink:href="data:image/svg+xml;base64,PHN2ZyBmaWxsPSJub25lIiB2aWV3Qm94PSIwIDAgNTQgNTQiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHBhdGggY2xpcC1ydWxlPSJldmVub2RkIiBkPSJNMzAgMTV2LTNoLTVhMSAxIDAgMDEtMS0xVjRhMSAxIDAgMDExLTFoN2ExIDEgMCAwMTEgMXYxMWgxNWEzIDMgMCAwMTMgM3YxMmgyYTEgMSAwIDAxMSAxdjEwYTEgMSAwIDAxLTEgMWgtMnY2YTMgMyAwIDAxLTMgM0g2YTMgMyAwIDAxLTMtM3YtNkgxYTEgMSAwIDAxLTEtMVYzMWExIDEgMCAwMTEtMWgyVjE4YTMgMyAwIDAxMy0zem02Ljg1NCAyMy42NDNsNi4yOS02LjI4OWExLjIxIDEuMjEgMCAwMDAtMS43MWwtMS4yOS0xLjI5YTEuMjEgMS4yMSAwIDAwLTEuNzEgMEwzNS45OTggMzMuNWwtMS42NDUtMS42NDVhMS4yMSAxLjIxIDAgMDAtMS43MSAwbC0xLjI5IDEuMjlhMS4yMSAxLjIxIDAgMDAwIDEuNzFsMy43OSAzLjc5YTEuMjEgMS4yMSAwIDAwMS43MSAwem0tMTMuNzEtNi4yODlsLTYuMjkgNi4yOWExLjIxIDEuMjEgMCAwMS0xLjcxIDBsLTMuNzktMy43OWExLjIxIDEuMjEgMCAwMTAtMS43MWwxLjI5LTEuMjlhMS4yMSAxLjIxIDAgMDExLjcxIDBMMTYgMzMuNWw0LjE0NC00LjE0NWExLjIxIDEuMjEgMCAwMTEuNzExIDBsMS4yOSAxLjI5YTEuMjEgMS4yMSAwIDAxMCAxLjcxeiIgZmlsbD0iI2ZmZiIgZmlsbC1ydWxlPSJldmVub2RkIi8+PC9zdmc+Cg=="/>
+</svg>`
+
+test('getCompatibility pulls out the score', async () => {
+  nock('https://dependabot-badges.githubapp.com').get('/badges/compatibility_score?dependency-name=coffee-script&package-manager=npm_and_yarn&previous-version=2.1.3&new-version=2.2.0')
+    .reply(200, svgContents)
+
+  expect(await getCompatibility('coffee-script', '2.1.3', '2.2.0', 'npm_and_yarn')).toEqual(75)
+})
+
+test('getCompatibility fails gracefully', async () => {
+  nock('https://dependabot-badges.githubapp.com').get('/badges/compatibility_score?dependency-name=coffee-script&package-manager=npm_and_yarn&previous-version=2.1.3&new-version=2.2.0')
+    .reply(200, '')
+
+  expect(await getCompatibility('coffee-script', '2.1.3', '2.2.0', 'npm_and_yarn')).toEqual(0)
+})
+
+test('getCompatibility handles errors', async () => {
+  nock('https://dependabot-badges.githubapp.com').get('/badges/compatibility_score?dependency-name=coffee-script&package-manager=npm_and_yarn&previous-version=2.1.3&new-version=2.2.0')
+    .reply(500, '')
+
+  expect(await getCompatibility('coffee-script', '2.1.3', '2.2.0', 'npm_and_yarn')).toEqual(0)
+})
+
 const mockGitHubClient = github.getOctokit('mock-token')

 function mockGitHubOtherContext (): Context {
--- a/src/dependabot/verified_commits.ts
+++ b/src/dependabot/verified_commits.ts
@@ -2,6 +2,7 @@ import * as core from '@actions/core'
 import { GitHub } from '@actions/github/lib/utils'
 import { Context } from '@actions/github/lib/context'
 import type { dependencyAlert } from './update_metadata'
+import https from 'https'

 const DEPENDABOT_LOGIN = 'dependabot[bot]'

@@ -100,3 +101,16 @@ export async function getAlert (name: string, version: string, directory: string
 export function trimSlashes (value: string): string {
  return value.replace(/^\/+/, '').replace(/\/+$/, '')
 }
+
+export async function getCompatibility (name: string, oldVersion: string, newVersion: string, ecosystem: string): Promise<number> {
+  const svg = await new Promise<string>((resolve) => {
+    https.get(`https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=${name}&package-manager=${ecosystem}&previous-version=${oldVersion}&new-version=${newVersion}`, res => {
+      let data = ''
+      res.on('data', chunk => { data += chunk.toString('utf8') })
+      res.on('end', () => { resolve(data) })
+    }).on('error', () => { resolve('') })
+  })
+
+  const scoreChunk = svg.match(/<title>compatibility: (?<score>\d+)%<\/title>/m)
+  return scoreChunk?.groups ? parseInt(scoreChunk.groups.score) : 0
+}
--- a/src/dry-run.ts
+++ b/src/dry-run.ts
@@ -5,7 +5,7 @@ import * as dotenv from 'dotenv'
 import { Argv } from 'yargs'
 import { hideBin } from 'yargs/helpers'

-import { getMessage, getAlert } from './dependabot/verified_commits'
+import { getMessage, getAlert, getCompatibility } from './dependabot/verified_commits'
 import { parse } from './dependabot/update_metadata'
 import { getBranchNames, parseNwo } from './dependabot/util'

@@ -52,7 +52,7 @@ async function check (args: any): Promise<void> {
      const branchNames = getBranchNames(newContext)
      const alertLookup = (name, version, directory) => getAlert(name, version, directory, githubClient, actionContext)

-      const updatedDependencies = await parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup)
+      const updatedDependencies = await parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup, getCompatibility)

      if (updatedDependencies.length > 0) {
        console.log('Updated dependencies:')
--- a/src/main.test.ts
+++ b/src/main.test.ts
@@ -86,6 +86,9 @@ test('it sets the updated dependency as an output for subsequent actions', async
  jest.spyOn(dependabotCommits, 'getAlert').mockImplementation(jest.fn(
    () => Promise.resolve(mockAlert)
  ))
+  jest.spyOn(dependabotCommits, 'getCompatibility').mockImplementation(jest.fn(
+    () => Promise.resolve(34)
+  ))
  jest.spyOn(core, 'setOutput').mockImplementation(jest.fn())

  await run()
@@ -106,6 +109,7 @@ test('it sets the updated dependency as an output for subsequent actions', async
        targetBranch: 'main',
        prevVersion: '4.0.1',
        newVersion: '4.2.2',
+        compatScore: 34,
        alertState: 'FIXED',
        ghsaId: 'GSHA',
        cvss: 3.4
@@ -121,6 +125,7 @@ test('it sets the updated dependency as an output for subsequent actions', async
  expect(core.setOutput).toBeCalledWith('target-branch', 'main')
  expect(core.setOutput).toBeCalledWith('previous-version', '4.0.1')
  expect(core.setOutput).toBeCalledWith('new-version', '4.2.2')
+  expect(core.setOutput).toBeCalledWith('compatibility-score', 34)
  expect(core.setOutput).toBeCalledWith('alert-state', 'FIXED')
  expect(core.setOutput).toBeCalledWith('ghsa-id', 'GSHA')
  expect(core.setOutput).toBeCalledWith('cvss', 3.4)
@@ -155,6 +160,9 @@ test('if there are multiple dependencies, it summarizes them', async () => {
  jest.spyOn(dependabotCommits, 'getAlert').mockImplementation(jest.fn(
    () => Promise.resolve(mockAlert)
  ))
+  jest.spyOn(dependabotCommits, 'getCompatibility').mockImplementation(jest.fn(
+    () => Promise.resolve(34)
+  ))
  jest.spyOn(core, 'setOutput').mockImplementation(jest.fn())

  await run()
@@ -175,6 +183,7 @@ test('if there are multiple dependencies, it summarizes them', async () => {
        targetBranch: 'trunk',
        prevVersion: '4.0.1',
        newVersion: '4.2.2',
+        compatScore: 34,
        alertState: '',
        ghsaId: '',
        cvss: 0
@@ -188,6 +197,7 @@ test('if there are multiple dependencies, it summarizes them', async () => {
        targetBranch: 'trunk',
        prevVersion: '',
        newVersion: '',
+        compatScore: 34,
        alertState: '',
        ghsaId: '',
        cvss: 0
@@ -203,6 +213,7 @@ test('if there are multiple dependencies, it summarizes them', async () => {
  expect(core.setOutput).toBeCalledWith('target-branch', 'trunk')
  expect(core.setOutput).toBeCalledWith('previous-version', '4.0.1')
  expect(core.setOutput).toBeCalledWith('new-version', '4.2.2')
+  expect(core.setOutput).toBeCalledWith('compatibility-score', 34)
  expect(core.setOutput).toBeCalledWith('alert-state', '')
  expect(core.setOutput).toBeCalledWith('ghsa-id', '')
  expect(core.setOutput).toBeCalledWith('cvss', 0)
--- a/src/main.ts
+++ b/src/main.ts
@@ -30,7 +30,7 @@ export async function run (): Promise<void> {
      // Parse metadata
      core.info('Parsing Dependabot metadata')

-      const updatedDependencies = await updateMetadata.parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup)
+      const updatedDependencies = await updateMetadata.parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup, verifiedCommits.getCompatibility)

      if (updatedDependencies.length > 0) {
        output.set(updatedDependencies)