dependabot-bundler 0.121.1 → 0.124.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b9702d2fb4d55854395b475a6cf258c881222f6052aa2866c9afa3e7ccf380af
-  data.tar.gz: 31e57d6a1b51ca27333521e539ab891599a6339ca39b9bce2dc5a5213a64657c
+  metadata.gz: 1edaccffd72ca0c5fc2377068bf44ecaa1c259d53b94109609e9581868f8db72
+  data.tar.gz: 022ee19b12c75c443beb6c248cc2c0d058b63d7b33d28f9328eab9e23a8bf1ac
 SHA512:
-  metadata.gz: d287fdf1b96b8ef28491c6325f83cab75a8ef5f571e0b45e2462fc2ddbc81969a4628932564f48780e3563fd0ecff3409c9a185f96ba02a8da6f20fea9cad6ac
-  data.tar.gz: 385581b53698e6dfbbbdce6e9d76f8c47a2e207b6e2dc8fabcd0942012304ef9952a59939648849dd7a01717f5908ba3ddcfdd7461444e51691a227f7a2b48dc
+  metadata.gz: 7383f465ab884f9c26a391506edb759b1b58d33173b2d20dc65667748677de20fe86a3f0e3d333b837e8defd4ff6ba78d43c5bfea3f9f29c73d318a84b73b676
+  data.tar.gz: df53175fc3d9af18602b323e22810c2d07eb9a54e6f60288aa8381a1ec22e4c04a340d7c3962c625a540611e7b71e1067eadafe21f1ce8fc059c9bb277cadde9

data/lib/dependabot/bundler/file_fetcher.rb

@@ -192,6 +192,7 @@ module Dependabot
           fetch_child_gemfiles(file: gemfile, previously_fetched_files: [])
       end
 
+      # TODO: Stop sanitizing the lockfile once we have bundler 2 installed
       def sanitized_lockfile_content
         regex = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
         lockfile.content.gsub(regex, "")

data/lib/dependabot/bundler/file_parser.rb

@@ -4,6 +4,7 @@ require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
 require "dependabot/bundler/file_updater/lockfile_updater"
+require "dependabot/bundler/native_helpers"
 require "dependabot/bundler/version"
 require "dependabot/shared_helpers"
 require "dependabot/errors"
@@ -25,19 +26,6 @@ module Dependabot
 
       private
 
-      # Can't be a constant because some of these don't exist in bundler
-      # 1.15, which Heroku uses, which causes an exception on boot.
-      def sources
-        [
-          NilClass,
-          ::Bundler::Source::Rubygems,
-          ::Bundler::Source::Git,
-          ::Bundler::Source::Path,
-          ::Bundler::Source::Gemspec,
-          ::Bundler::Source::Metadata
-        ]
-      end
-
       def gemfile_dependencies
         dependencies = DependencySet.new
 
@@ -51,12 +39,12 @@ module Dependabot
 
             dependencies <<
               Dependency.new(
-                name: dep.name,
-                version: dependency_version(dep.name)&.to_s,
+                name: dep.fetch("name"),
+                version: dependency_version(dep.fetch("name"))&.to_s,
                 requirements: [{
                   requirement: gemfile_declaration_finder.enhanced_req_string,
-                  groups: dep.groups,
-                  source: source_for(dep),
+                  groups: dep.fetch("groups").map(&:to_sym),
+                  source: dep.fetch("source")&.transform_keys(&:to_sym),
                   file: file.name
                 }],
                 package_manager: "bundler"
@@ -71,15 +59,19 @@ module Dependabot
         dependencies = DependencySet.new
 
         gemspecs.each do |gemspec|
-          parsed_gemspec(gemspec).dependencies.each do |dependency|
+          parsed_gemspec(gemspec).each do |dependency|
             dependencies <<
               Dependency.new(
-                name: dependency.name,
-                version: dependency_version(dependency.name)&.to_s,
+                name: dependency.fetch("name"),
+                version: dependency_version(dependency.fetch("name"))&.to_s,
                 requirements: [{
-                  requirement: dependency.requirement.to_s,
-                  groups: dependency.runtime? ? ["runtime"] : ["development"],
-                  source: source_for(dependency),
+                  requirement: dependency.fetch("requirement").to_s,
+                  groups: if dependency.fetch("type") == "runtime"
+                            ["runtime"]
+                          else
+                            ["development"]
+                          end,
+                  source: dependency.fetch("source")&.transform_keys(&:to_sym),
                   file: gemspec.name
                 }],
                 package_manager: "bundler"
@@ -122,28 +114,25 @@ module Dependabot
                                                       repo_contents_path) do
             write_temporary_dependency_files
 
-            SharedHelpers.in_a_forked_process do
-              ::Bundler.instance_variable_set(:@root, Pathname.new(Dir.pwd))
-
-              ::Bundler::Definition.build(gemfile.name, nil, {}).
-                dependencies.
-                select(&:current_platform?).
-                # We can't dump gemspec sources, and we wouldn't bump them
-                # anyway, so we filter them out.
-                reject { |dep| dep.source.is_a?(::Bundler::Source::Gemspec) }
-            end
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "parsed_gemfile",
+              args: {
+                gemfile_name: gemfile.name,
+                lockfile_name: lockfile&.name,
+                dir: Dir.pwd
+              }
+            )
           end
-      rescue SharedHelpers::ChildProcessFailed, ArgumentError => e
-        handle_marshall_error(e) if e.is_a?(ArgumentError)
+      rescue SharedHelpers::HelperSubprocessFailed => e
+        handle_eval_error(e) if e.error_class == "JSON::ParserError"
 
         msg = e.error_class + " with message: " +
-              e.error_message.force_encoding("UTF-8").encode
+              e.message.force_encoding("UTF-8").encode
         raise Dependabot::DependencyFileNotEvaluatable, msg
       end
 
-      def handle_marshall_error(err)
-        raise err unless err.message == "marshal data too short"
-
+      def handle_eval_error(err)
         msg = "Error evaluating your dependency files: #{err.message}"
         raise Dependabot::DependencyFileNotEvaluatable, msg
       end
@@ -153,19 +142,20 @@ module Dependabot
         @parsed_gemspecs[file.name] ||=
           SharedHelpers.in_a_temporary_repo_directory(base_directory,
                                                       repo_contents_path) do
-            [file, *imported_ruby_files].each do |f|
-              path = f.name
-              FileUtils.mkdir_p(Pathname.new(path).dirname)
-              File.write(path, f.content)
-            end
-
-            SharedHelpers.in_a_forked_process do
-              ::Bundler.instance_variable_set(:@root, Pathname.new(Dir.pwd))
-              ::Bundler.load_gemspec_uncached(file.name)
-            end
+            write_temporary_dependency_files
+
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "parsed_gemspec",
+              args: {
+                gemspec_name: file.name,
+                lockfile_name: lockfile&.name,
+                dir: Dir.pwd
+              }
+            )
           end
-      rescue SharedHelpers::ChildProcessFailed => e
-        msg = e.error_class + " with message: " + e.error_message
+      rescue SharedHelpers::HelperSubprocessFailed => e
+        msg = e.error_class + " with message: " + e.message
         raise Dependabot::DependencyFileNotEvaluatable, msg
       end
 
@@ -185,6 +175,8 @@ module Dependabot
           FileUtils.mkdir_p(Pathname.new(path).dirname)
           File.write(path, file.content)
         end
+
+        File.write(lockfile.name, sanitized_lockfile_content) if lockfile
       end
 
       def check_required_files
@@ -199,42 +191,6 @@ module Dependabot
         raise "A gemspec or Gemfile must be provided!"
       end
 
-      def source_for(dependency)
-        source = dependency.source
-        if lockfile && default_rubygems?(source)
-          # If there's a lockfile and the Gemfile doesn't have anything
-          # interesting to say about the source, check that.
-          source = source_from_lockfile(dependency.name)
-        end
-        raise "Bad source: #{source}" unless sources.include?(source.class)
-
-        return nil if default_rubygems?(source)
-
-        details = { type: source.class.name.split("::").last.downcase }
-        if source.is_a?(::Bundler::Source::Git)
-          details.merge!(git_source_details(source))
-        end
-        if source.is_a?(::Bundler::Source::Rubygems)
-          details[:url] = source.remotes.first.to_s
-        end
-        details
-      end
-
-      def git_source_details(source)
-        {
-          url: source.uri,
-          branch: source.branch || "master",
-          ref: source.ref
-        }
-      end
-
-      def default_rubygems?(source)
-        return true if source.nil?
-        return false unless source.is_a?(::Bundler::Source::Rubygems)
-
-        source.remotes.any? { |r| r.to_s.include?("rubygems.org") }
-      end
-
       def dependency_version(dependency_name)
         return unless lockfile
 
@@ -255,10 +211,6 @@ module Dependabot
         spec.version
       end
 
-      def source_from_lockfile(dependency_name)
-        parsed_lockfile.specs.find { |s| s.name == dependency_name }&.source
-      end
-
       def gemfile
         @gemfile ||= get_original_file("Gemfile") ||
                      get_original_file("gems.rb")
@@ -315,6 +267,7 @@ module Dependabot
         groups.any? { |g| g.include?("prod") }
       end
 
+      # TODO: Stop sanitizing the lockfile once we have bundler 2 installed
       def sanitized_lockfile_content
         regex = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
         lockfile.content.gsub(regex, "")

data/lib/dependabot/bundler/file_parser/gemfile_declaration_finder.rb

@@ -20,7 +20,7 @@ module Dependabot
         def enhanced_req_string
           return unless gemfile_includes_dependency?
 
-          fallback_string = dependency.requirement.to_s
+          fallback_string = dependency.fetch("requirement")
           req_nodes = declaration_node.children[3..-1]
           req_nodes = req_nodes.reject { |child| child.type == :hash }
 
@@ -28,7 +28,9 @@ module Dependabot
           return fallback_string unless req_nodes.all? { |n| n.type == :str }
 
           original_req_string = req_nodes.map { |n| n.children.last }
-          if dependency.requirement == Gem::Requirement.new(original_req_string)
+          fallback_requirement =
+            Gem::Requirement.new(fallback_string.split(", "))
+          if fallback_requirement == Gem::Requirement.new(original_req_string)
             original_req_string.join(", ")
           else
             fallback_string
@@ -65,7 +67,7 @@ module Dependabot
           return false unless node.is_a?(Parser::AST::Node)
           return false unless node.children[1] == :gem
 
-          node.children[2].children.first == dependency.name
+          node.children[2].children.first == dependency.fetch("name")
         end
       end
     end

data/lib/dependabot/bundler/file_updater.rb

@@ -2,6 +2,7 @@
 
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
+require "dependabot/bundler/native_helpers"
 require "dependabot/file_updaters/vendor_updater"
 
 module Dependabot
@@ -74,11 +75,13 @@ module Dependabot
         return @vendor_cache_dir if defined?(@vendor_cache_dir)
 
         @vendor_cache_dir =
-          SharedHelpers.in_a_forked_process do
-            # Set the path for path gemspec correctly
-            ::Bundler.instance_variable_set(:@root, repo_contents_path)
-            ::Bundler.app_cache
-          end
+          SharedHelpers.run_helper_subprocess(
+            command: NativeHelpers.helper_path,
+            function: "vendor_cache_dir",
+            args: {
+              dir: repo_contents_path
+            }
+          )
       end
 
       def vendor_updater

data/lib/dependabot/bundler/file_updater/lockfile_updater.rb

@@ -2,18 +2,14 @@
 
 require "bundler"
 
-require "dependabot/monkey_patches/bundler/definition_ruby_version_patch"
-require "dependabot/monkey_patches/bundler/definition_bundler_version_patch"
-require "dependabot/monkey_patches/bundler/git_source_patch"
-
 require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/bundler/file_updater"
-require "dependabot/git_commit_checker"
+require "dependabot/bundler/native_helpers"
+
 module Dependabot
   module Bundler
     class FileUpdater
-      # rubocop:disable Metrics/ClassLength
       class LockfileUpdater
         require_relative "gemfile_updater"
         require_relative "gemspec_updater"
@@ -25,13 +21,6 @@ module Dependabot
           /(?<ending>\s*(?:RUBY VERSION|BUNDLED WITH).*)/m.freeze
         GIT_DEPENDENCIES_SECTION = /GIT\n.*?\n\n(?!GIT)/m.freeze
         GIT_DEPENDENCY_DETAILS = /GIT\n.*?\n\n/m.freeze
-        GEM_NOT_FOUND_ERROR_REGEX =
-          /
-            locked\sto\s(?<name>[^\s]+)\s\(|
-            not\sfind\s(?<name>[^\s]+)-\d|
-            has\s(?<name>[^\s]+)\slocked\sat
-          /x.freeze
-        RETRYABLE_ERRORS = [::Bundler::HTTPError].freeze
 
         # Can't be a constant because some of these don't exist in bundler
         # 1.15, which Heroku uses, which causes an exception on boot.
@@ -77,22 +66,21 @@ module Dependabot
             ) do |tmp_dir|
               write_temporary_dependency_files
 
-              SharedHelpers.in_a_forked_process do
-                # Set the path for path gemspec correctly
-                ::Bundler.instance_variable_set(:@root, tmp_dir)
-
-                # Remove installed gems from the default Rubygems index
-                ::Gem::Specification.all =
-                  ::Gem::Specification.send(:default_stubs, "*.gemspec")
-
-                # Set flags and credentials
-                set_bundler_flags_and_credentials
-
-                generate_lockfile
-              end
+              SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                function: "update_lockfile",
+                args: {
+                  gemfile_name: gemfile.name,
+                  lockfile_name: lockfile.name,
+                  using_bundler_2: using_bundler_2?,
+                  dir: tmp_dir,
+                  credentials: relevant_credentials,
+                  dependencies: dependencies.map(&:to_h)
+                }
+              )
             end
           post_process_lockfile(lockfile_body)
-        rescue SharedHelpers::ChildProcessFailed => e
+        rescue SharedHelpers::HelperSubprocessFailed => e
           raise unless ruby_lock_error?(e)
 
           @dont_lock_ruby_version = true
@@ -129,195 +117,6 @@ module Dependabot
           end
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
-        def generate_lockfile
-          dependencies_to_unlock = dependencies.map(&:name)
-
-          begin
-            definition = build_definition(dependencies_to_unlock)
-
-            old_reqs = lock_deps_being_updated_to_exact_versions(definition)
-
-            definition.resolve_remotely!
-
-            old_reqs.each do |dep_name, old_req|
-              d_dep = definition.dependencies.find { |d| d.name == dep_name }
-              if old_req == :none then definition.dependencies.delete(d_dep)
-              else d_dep.instance_variable_set(:@requirement, old_req)
-              end
-            end
-
-            cache_vendored_gems(definition) if ::Bundler.app_cache.exist?
-
-            definition.to_lock
-          rescue ::Bundler::GemNotFound => e
-            unlock_yanked_gem(dependencies_to_unlock, e) && retry
-          rescue ::Bundler::VersionConflict => e
-            unlock_blocking_subdeps(dependencies_to_unlock, e) && retry
-          rescue *RETRYABLE_ERRORS
-            raise if @retrying
-
-            @retrying = true
-            sleep(rand(1.0..5.0))
-            retry
-          end
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        def cache_vendored_gems(definition)
-          # Dependencies that have been unlocked for the update (including
-          # sub-dependencies)
-          unlocked_gems = definition.instance_variable_get(:@unlock).
-                          fetch(:gems).reject { |gem| __keep_on_prune?(gem) }
-          bundler_opts = {
-            cache_all: true,
-            cache_all_platforms: true,
-            no_prune: true
-          }
-
-          ::Bundler.settings.temporary(**bundler_opts) do
-            # Fetch and cache gems on all platforms without pruning
-            ::Bundler::Runtime.new(nil, definition).cache
-
-            # Only prune unlocked gems (the original implementation is in
-            # Bundler::Runtime)
-            cache_path = ::Bundler.app_cache
-            resolve = definition.resolve
-            prune_gem_cache(resolve, cache_path, unlocked_gems)
-            prune_git_and_path_cache(resolve, cache_path)
-          end
-        end
-
-        # This is not officially supported and may be removed without notice.
-        def __keep_on_prune?(spec_name)
-          unless (specs = ::Bundler.settings[:persistent_gems_after_clean])
-            return false
-          end
-
-          specs.include?(spec_name)
-        end
-
-        # Copied from Bundler::Runtime: Modified to only prune gems that have
-        # been unlocked
-        def prune_gem_cache(resolve, cache_path, unlocked_gems)
-          cached_gems = Dir["#{cache_path}/*.gem"]
-
-          outdated_gems = cached_gems.reject do |path|
-            spec = ::Bundler.rubygems.spec_from_gem path
-
-            !unlocked_gems.include?(spec.name) || resolve.any? do |s|
-              s.name == spec.name && s.version == spec.version &&
-                !s.source.is_a?(::Bundler::Source::Git)
-            end
-          end
-
-          return unless outdated_gems.any?
-
-          outdated_gems.each do |path|
-            File.delete(path)
-          end
-        end
-
-        # Copied from Bundler::Runtime
-        def prune_git_and_path_cache(resolve, cache_path)
-          cached_git_and_path = Dir["#{cache_path}/*/.bundlecache"]
-
-          outdated_git_and_path = cached_git_and_path.reject do |path|
-            name = File.basename(File.dirname(path))
-
-            resolve.any? do |s|
-              s.source.respond_to?(:app_cache_dirname) &&
-                s.source.app_cache_dirname == name
-            end
-          end
-
-          return unless outdated_git_and_path.any?
-
-          outdated_git_and_path.each do |path|
-            path = File.dirname(path)
-            FileUtils.rm_rf(path)
-          end
-        end
-
-        def unlock_yanked_gem(dependencies_to_unlock, error)
-          raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
-
-          gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
-                     named_captures["name"]
-          raise if dependencies_to_unlock.include?(gem_name)
-
-          dependencies_to_unlock << gem_name
-        end
-
-        # rubocop:disable Metrics/PerceivedComplexity
-        def unlock_blocking_subdeps(dependencies_to_unlock, error)
-          all_deps =  ::Bundler::LockfileParser.new(sanitized_lockfile_body).
-                      specs.map(&:name).map(&:to_s)
-          top_level = build_definition([]).dependencies.
-                      map(&:name).map(&:to_s)
-          allowed_new_unlocks = all_deps - top_level - dependencies_to_unlock
-
-          raise if allowed_new_unlocks.none?
-
-          # Unlock any sub-dependencies that Bundler reports caused the
-          # conflict
-          potentials_deps =
-            error.cause.conflicts.values.
-            flat_map(&:requirement_trees).
-            map do |tree|
-              tree.find { |req| allowed_new_unlocks.include?(req.name) }
-            end.compact.map(&:name)
-
-          # If there are specific dependencies we can unlock, unlock them
-          if potentials_deps.any?
-            return dependencies_to_unlock.append(*potentials_deps)
-          end
-
-          # Fall back to unlocking *all* sub-dependencies. This is required
-          # because Bundler's VersionConflict objects don't include enough
-          # information to chart the full path through all conflicts unwound
-          dependencies_to_unlock.append(*allowed_new_unlocks)
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        def build_definition(dependencies_to_unlock)
-          defn = ::Bundler::Definition.build(
-            gemfile.name,
-            lockfile.name,
-            gems: dependencies_to_unlock
-          )
-
-          # Bundler unlocks the sub-dependencies of gems it is passed even
-          # if those sub-deps are top-level dependencies. We only want true
-          # subdeps unlocked, like they were in the UpdateChecker, so we
-          # mutate the unlocked gems array.
-          unlocked = defn.instance_variable_get(:@unlock).fetch(:gems)
-          must_not_unlock = defn.dependencies.map(&:name).map(&:to_s) -
-                            dependencies_to_unlock
-          unlocked.reject! { |n| must_not_unlock.include?(n) }
-
-          defn
-        end
-
-        def lock_deps_being_updated_to_exact_versions(definition)
-          dependencies.each_with_object({}) do |dep, old_reqs|
-            defn_dep = definition.dependencies.find { |d| d.name == dep.name }
-
-            if defn_dep.nil?
-              definition.dependencies <<
-                ::Bundler::Dependency.new(dep.name, dep.version)
-              old_reqs[dep.name] = :none
-            elsif git_dependency?(dep) &&
-                  defn_dep.source.is_a?(::Bundler::Source::Git)
-              defn_dep.source.unlock!
-            elsif Gem::Version.correct?(dep.version)
-              new_req = Gem::Requirement.create("= #{dep.version}")
-              old_reqs[dep.name] = defn_dep.requirement
-              defn_dep.instance_variable_set(:@requirement, new_req)
-            end
-          end
-        end
-
         def write_ruby_version_file
           return unless ruby_version_file
 
@@ -488,6 +287,7 @@ module Dependabot
             dependency_files.find { |f| f.name == "gems.locked" }
         end
 
+        # TODO: Stop sanitizing the lockfile once we have bundler 2 installed
         def sanitized_lockfile_body
           lockfile.content.gsub(LOCKFILE_ENDING, "")
         end
@@ -509,41 +309,12 @@ module Dependabot
           dependency_files.select { |f| f.name.end_with?(".specification") }
         end
 
-        def set_bundler_flags_and_credentials
-          # Set auth details
-          relevant_credentials.each do |cred|
-            token = cred["token"] ||
-                    "#{cred['username']}:#{cred['password']}"
-
-            ::Bundler.settings.set_command_option(
-              cred.fetch("host"),
-              token.gsub("@", "%40F").gsub("?", "%3F")
-            )
-          end
-
-          # Use HTTPS for GitHub if lockfile was generated by Bundler 2
-          set_bundler_2_flags if using_bundler_2?
-        end
-
-        def set_bundler_2_flags
-          ::Bundler.settings.set_command_option("forget_cli_options", "true")
-          ::Bundler.settings.set_command_option("github.https", "true")
-        end
-
-        def git_dependency?(dep)
-          GitCommitChecker.new(
-            dependency: dep,
-            credentials: credentials
-          ).git_dependency?
-        end
-
         def using_bundler_2?
           return unless lockfile
 
           lockfile.content.match?(/BUNDLED WITH\s+2/m)
         end
       end
-      # rubocop:enable Metrics/ClassLength
     end
   end
 end