dependabot-bundler 0.120.1 → 0.121.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6bc52373798c13a207c93c926fa89fc1ba7f072c950895b0457e9303cce433ac
|
|
4
|
+
data.tar.gz: 0645a89f44241cd6a91eb4b887d7c38abf9a9801112b8c410abbfb8980e3dd82
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d8f9b85f728adcfef047bcbcbd28ed85280db7c8e03f62e573713940bda2cdeb4061bf20466846f956ad71332469faffa4c6d9b44c28254fb2f17e91590ad0dc
|
|
7
|
+
data.tar.gz: 56970fff452967df6a30678eabd61fea04013381fb380b98b2e2bfa929ce69e0ca0c68e0517daf53155bc12e77ad91b195e6938bca45a848907ad3800903079b
|
|
@@ -131,9 +131,8 @@ module Dependabot
|
|
|
131
131
|
response =
|
|
132
132
|
Excon.get(
|
|
133
133
|
gemspec_uri,
|
|
134
|
-
headers: registry_auth_headers,
|
|
135
134
|
idempotent: true,
|
|
136
|
-
**SharedHelpers.excon_defaults
|
|
135
|
+
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
|
137
136
|
)
|
|
138
137
|
|
|
139
138
|
if response.status >= 400
|
|
@@ -152,9 +151,8 @@ module Dependabot
|
|
|
152
151
|
response =
|
|
153
152
|
Excon.get(
|
|
154
153
|
"#{registry_url}api/v1/gems/#{dependency.name}.json",
|
|
155
|
-
headers: registry_auth_headers,
|
|
156
154
|
idempotent: true,
|
|
157
|
-
**SharedHelpers.excon_defaults
|
|
155
|
+
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
|
158
156
|
)
|
|
159
157
|
return @rubygems_api_response = {} if response.status >= 400
|
|
160
158
|
|
|
@@ -10,14 +10,13 @@ require "dependabot/bundler/update_checker"
|
|
|
10
10
|
require "dependabot/bundler/requirement"
|
|
11
11
|
require "dependabot/shared_helpers"
|
|
12
12
|
require "dependabot/errors"
|
|
13
|
+
require "dependabot/bundler/update_checker/latest_version_finder/" \
|
|
14
|
+
"dependency_source"
|
|
13
15
|
|
|
14
16
|
module Dependabot
|
|
15
17
|
module Bundler
|
|
16
18
|
class UpdateChecker
|
|
17
19
|
class LatestVersionFinder
|
|
18
|
-
require_relative "shared_bundler_helpers"
|
|
19
|
-
include SharedBundlerHelpers
|
|
20
|
-
|
|
21
20
|
def initialize(dependency:, dependency_files:, repo_contents_path: nil,
|
|
22
21
|
credentials:, ignored_versions:, raise_on_ignored: false,
|
|
23
22
|
security_advisories:)
|
|
@@ -44,11 +43,11 @@ module Dependabot
|
|
|
44
43
|
:credentials, :ignored_versions, :security_advisories
|
|
45
44
|
|
|
46
45
|
def fetch_latest_version_details
|
|
47
|
-
if dependency_source.
|
|
48
|
-
return latest_git_version_details
|
|
46
|
+
if dependency_source.git?
|
|
47
|
+
return dependency_source.latest_git_version_details
|
|
49
48
|
end
|
|
50
49
|
|
|
51
|
-
relevant_versions =
|
|
50
|
+
relevant_versions = dependency_source.versions
|
|
52
51
|
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
53
52
|
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
54
53
|
|
|
@@ -56,9 +55,9 @@ module Dependabot
|
|
|
56
55
|
end
|
|
57
56
|
|
|
58
57
|
def fetch_lowest_security_fix_version
|
|
59
|
-
return if dependency_source.
|
|
58
|
+
return if dependency_source.git?
|
|
60
59
|
|
|
61
|
-
relevant_versions =
|
|
60
|
+
relevant_versions = dependency_source.versions
|
|
62
61
|
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
63
62
|
relevant_versions = filter_vulnerable_versions(relevant_versions)
|
|
64
63
|
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
@@ -93,71 +92,6 @@ module Dependabot
|
|
|
93
92
|
select { |version| version > Gem::Version.new(dependency.version) }
|
|
94
93
|
end
|
|
95
94
|
|
|
96
|
-
def registry_versions
|
|
97
|
-
return rubygems_versions if dependency.name == "bundler"
|
|
98
|
-
return rubygems_versions unless dependency_source
|
|
99
|
-
return [] unless dependency_source.is_a?(::Bundler::Source::Rubygems)
|
|
100
|
-
|
|
101
|
-
remote = dependency_source.remotes.first
|
|
102
|
-
return rubygems_versions if remote.nil?
|
|
103
|
-
return rubygems_versions if remote.to_s == "https://rubygems.org/"
|
|
104
|
-
|
|
105
|
-
private_registry_versions
|
|
106
|
-
end
|
|
107
|
-
|
|
108
|
-
def rubygems_versions
|
|
109
|
-
@rubygems_versions ||=
|
|
110
|
-
begin
|
|
111
|
-
response = Excon.get(
|
|
112
|
-
"https://rubygems.org/api/v1/versions/#{dependency.name}.json",
|
|
113
|
-
idempotent: true,
|
|
114
|
-
**SharedHelpers.excon_defaults
|
|
115
|
-
)
|
|
116
|
-
|
|
117
|
-
JSON.parse(response.body).
|
|
118
|
-
map { |d| Gem::Version.new(d["number"]) }
|
|
119
|
-
end
|
|
120
|
-
rescue JSON::ParserError, Excon::Error::Timeout
|
|
121
|
-
@rubygems_versions = []
|
|
122
|
-
end
|
|
123
|
-
|
|
124
|
-
def private_registry_versions
|
|
125
|
-
@private_registry_versions ||=
|
|
126
|
-
in_a_temporary_bundler_context do
|
|
127
|
-
dependency_source.
|
|
128
|
-
fetchers.flat_map do |fetcher|
|
|
129
|
-
fetcher.
|
|
130
|
-
specs_with_retry([dependency.name], dependency_source).
|
|
131
|
-
search_all(dependency.name)
|
|
132
|
-
end.
|
|
133
|
-
map(&:version)
|
|
134
|
-
end
|
|
135
|
-
end
|
|
136
|
-
|
|
137
|
-
def latest_git_version_details
|
|
138
|
-
dependency_source_details =
|
|
139
|
-
dependency.requirements.map { |r| r.fetch(:source) }.
|
|
140
|
-
uniq.compact.first
|
|
141
|
-
|
|
142
|
-
in_a_temporary_bundler_context do
|
|
143
|
-
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
144
|
-
# Note: we don't set `ref`, as we want to unpin the dependency
|
|
145
|
-
source = ::Bundler::Source::Git.new(
|
|
146
|
-
"uri" => dependency_source_details[:url],
|
|
147
|
-
"branch" => dependency_source_details[:branch],
|
|
148
|
-
"name" => dependency.name,
|
|
149
|
-
"submodules" => true
|
|
150
|
-
)
|
|
151
|
-
|
|
152
|
-
# Tell Bundler we're fine with fetching the source remotely
|
|
153
|
-
source.instance_variable_set(:@allow_remote, true)
|
|
154
|
-
|
|
155
|
-
spec = source.specs.first
|
|
156
|
-
{ version: spec.version, commit_sha: spec.source.revision }
|
|
157
|
-
end
|
|
158
|
-
end
|
|
159
|
-
end
|
|
160
|
-
|
|
161
95
|
def wants_prerelease?
|
|
162
96
|
@wants_prerelease ||=
|
|
163
97
|
begin
|
|
@@ -174,18 +108,11 @@ module Dependabot
|
|
|
174
108
|
end
|
|
175
109
|
|
|
176
110
|
def dependency_source
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
specified_source =
|
|
184
|
-
definition.dependencies.
|
|
185
|
-
find { |dep| dep.name == dependency.name }&.source
|
|
186
|
-
|
|
187
|
-
specified_source || definition.send(:sources).default_source
|
|
188
|
-
end
|
|
111
|
+
@dependency_source ||= DependencySource.new(
|
|
112
|
+
dependency: dependency,
|
|
113
|
+
dependency_files: dependency_files,
|
|
114
|
+
credentials: credentials
|
|
115
|
+
)
|
|
189
116
|
end
|
|
190
117
|
|
|
191
118
|
def ignore_reqs
|
|
@@ -0,0 +1,151 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Dependabot
|
|
4
|
+
module Bundler
|
|
5
|
+
class UpdateChecker
|
|
6
|
+
class LatestVersionFinder
|
|
7
|
+
class DependencySource
|
|
8
|
+
require_relative "../shared_bundler_helpers"
|
|
9
|
+
include SharedBundlerHelpers
|
|
10
|
+
|
|
11
|
+
RUBYGEMS = "rubygems"
|
|
12
|
+
PRIVATE_REGISTRY = "private"
|
|
13
|
+
GIT = "git"
|
|
14
|
+
OTHER = "other"
|
|
15
|
+
|
|
16
|
+
attr_reader :dependency, :dependency_files, :repo_contents_path,
|
|
17
|
+
:credentials
|
|
18
|
+
|
|
19
|
+
def initialize(dependency:,
|
|
20
|
+
dependency_files:,
|
|
21
|
+
credentials:)
|
|
22
|
+
@dependency = dependency
|
|
23
|
+
@dependency_files = dependency_files
|
|
24
|
+
@credentials = credentials
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
# The latest version details for the dependency from a registry
|
|
28
|
+
#
|
|
29
|
+
# @return [Array<Gem::Version>]
|
|
30
|
+
def versions
|
|
31
|
+
return rubygems_versions if dependency.name == "bundler"
|
|
32
|
+
return rubygems_versions unless gemfile
|
|
33
|
+
|
|
34
|
+
case source_type
|
|
35
|
+
when OTHER, GIT
|
|
36
|
+
[]
|
|
37
|
+
when PRIVATE_REGISTRY
|
|
38
|
+
private_registry_versions
|
|
39
|
+
else
|
|
40
|
+
rubygems_versions
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
# The latest version details for the dependency from a git repo
|
|
45
|
+
#
|
|
46
|
+
# @return [Hash{Symbol => String}, nil]
|
|
47
|
+
def latest_git_version_details
|
|
48
|
+
return unless git?
|
|
49
|
+
|
|
50
|
+
dependency_source_details =
|
|
51
|
+
dependency.requirements.map { |r| r.fetch(:source) }.
|
|
52
|
+
uniq.compact.first
|
|
53
|
+
|
|
54
|
+
in_a_temporary_bundler_context do
|
|
55
|
+
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
56
|
+
# Note: we don't set `ref`, as we want to unpin the dependency
|
|
57
|
+
source = ::Bundler::Source::Git.new(
|
|
58
|
+
"uri" => dependency_source_details[:url],
|
|
59
|
+
"branch" => dependency_source_details[:branch],
|
|
60
|
+
"name" => dependency.name,
|
|
61
|
+
"submodules" => true
|
|
62
|
+
)
|
|
63
|
+
|
|
64
|
+
# Tell Bundler we're fine with fetching the source remotely
|
|
65
|
+
source.instance_variable_set(:@allow_remote, true)
|
|
66
|
+
|
|
67
|
+
spec = source.specs.first
|
|
68
|
+
{ version: spec.version, commit_sha: spec.source.revision }
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def git?
|
|
74
|
+
source_type == GIT
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
private
|
|
78
|
+
|
|
79
|
+
def rubygems_versions
|
|
80
|
+
@rubygems_versions ||=
|
|
81
|
+
begin
|
|
82
|
+
response = Excon.get(
|
|
83
|
+
dependency_rubygems_uri,
|
|
84
|
+
idempotent: true,
|
|
85
|
+
**SharedHelpers.excon_defaults
|
|
86
|
+
)
|
|
87
|
+
|
|
88
|
+
JSON.parse(response.body).
|
|
89
|
+
map { |d| Gem::Version.new(d["number"]) }
|
|
90
|
+
end
|
|
91
|
+
rescue JSON::ParserError, Excon::Error::Timeout
|
|
92
|
+
@rubygems_versions = []
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
def dependency_rubygems_uri
|
|
96
|
+
"https://rubygems.org/api/v1/versions/#{dependency.name}.json"
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
def private_registry_versions
|
|
100
|
+
@private_registry_versions ||=
|
|
101
|
+
in_a_temporary_bundler_context do
|
|
102
|
+
bundler_source.
|
|
103
|
+
fetchers.flat_map do |fetcher|
|
|
104
|
+
fetcher.
|
|
105
|
+
specs_with_retry([dependency.name], bundler_source).
|
|
106
|
+
search_all(dependency.name)
|
|
107
|
+
end.
|
|
108
|
+
map(&:version)
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
def bundler_source
|
|
113
|
+
return nil unless gemfile
|
|
114
|
+
|
|
115
|
+
@bundler_source ||=
|
|
116
|
+
in_a_temporary_bundler_context do
|
|
117
|
+
definition = ::Bundler::Definition.build(gemfile.name, nil, {})
|
|
118
|
+
|
|
119
|
+
specified_source =
|
|
120
|
+
definition.dependencies.
|
|
121
|
+
find { |dep| dep.name == dependency.name }&.source
|
|
122
|
+
|
|
123
|
+
specified_source || definition.send(:sources).default_source
|
|
124
|
+
end
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
def source_type
|
|
128
|
+
@source_type ||= case bundler_source
|
|
129
|
+
when ::Bundler::Source::Rubygems
|
|
130
|
+
remote = bundler_source.remotes.first
|
|
131
|
+
if remote.nil? || remote.to_s == "https://rubygems.org/"
|
|
132
|
+
RUBYGEMS
|
|
133
|
+
else
|
|
134
|
+
PRIVATE_REGISTRY
|
|
135
|
+
end
|
|
136
|
+
when ::Bundler::Source::Git
|
|
137
|
+
GIT
|
|
138
|
+
else
|
|
139
|
+
OTHER
|
|
140
|
+
end
|
|
141
|
+
end
|
|
142
|
+
|
|
143
|
+
def gemfile
|
|
144
|
+
dependency_files.find { |f| f.name == "Gemfile" } ||
|
|
145
|
+
dependency_files.find { |f| f.name == "gems.rb" }
|
|
146
|
+
end
|
|
147
|
+
end
|
|
148
|
+
end
|
|
149
|
+
end
|
|
150
|
+
end
|
|
151
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-bundler
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.121.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-10-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.121.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.121.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -100,14 +100,14 @@ dependencies:
|
|
|
100
100
|
requirements:
|
|
101
101
|
- - "~>"
|
|
102
102
|
- !ruby/object:Gem::Version
|
|
103
|
-
version: 0.
|
|
103
|
+
version: 0.92.0
|
|
104
104
|
type: :development
|
|
105
105
|
prerelease: false
|
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
107
107
|
requirements:
|
|
108
108
|
- - "~>"
|
|
109
109
|
- !ruby/object:Gem::Version
|
|
110
|
-
version: 0.
|
|
110
|
+
version: 0.92.0
|
|
111
111
|
- !ruby/object:Gem::Dependency
|
|
112
112
|
name: vcr
|
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -168,6 +168,7 @@ files:
|
|
|
168
168
|
- lib/dependabot/bundler/update_checker/file_preparer.rb
|
|
169
169
|
- lib/dependabot/bundler/update_checker/force_updater.rb
|
|
170
170
|
- lib/dependabot/bundler/update_checker/latest_version_finder.rb
|
|
171
|
+
- lib/dependabot/bundler/update_checker/latest_version_finder/dependency_source.rb
|
|
171
172
|
- lib/dependabot/bundler/update_checker/requirements_updater.rb
|
|
172
173
|
- lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb
|
|
173
174
|
- lib/dependabot/bundler/update_checker/version_resolver.rb
|