dependabot-bundler 0.121.1 → 0.124.0

data/lib/dependabot/bundler/update_checker/version_resolver.rb

@@ -1,9 +1,5 @@
 # frozen_string_literal: true
 
-require "dependabot/monkey_patches/bundler/definition_ruby_version_patch"
-require "dependabot/monkey_patches/bundler/definition_bundler_version_patch"
-require "dependabot/monkey_patches/bundler/git_source_patch"
-
 require "excon"
 
 require "dependabot/bundler/update_checker"
@@ -21,8 +17,6 @@ module Dependabot
         require_relative "shared_bundler_helpers"
         include SharedBundlerHelpers
 
-        GEM_NOT_FOUND_ERROR_REGEX = /locked to (?<name>[^\s]+) \(/.freeze
-
         def initialize(dependency:, unprepared_dependency_files:,
                        repo_contents_path: nil, credentials:, ignored_versions:,
                        raise_on_ignored: false,
@@ -77,42 +71,47 @@ module Dependabot
           return latest_version_details unless gemfile
 
           SharedHelpers.with_git_configured(credentials: credentials) do
-            in_a_temporary_bundler_context do
-              dep = dependency_from_definition
-
-              # If the dependency wasn't found in the definition, but *is*
-              # included in a gemspec, it's because the Gemfile didn't import
-              # the gemspec. This is unusual, but the correct behaviour if/when
-              # it happens is to behave as if the repo was gemspec-only.
-              if dep.nil? && dependency.requirements.any?
-                next latest_version_details
-              end
-
-              # Otherwise, if the dependency wasn't found it's because it is a
-              # subdependency that was removed when attempting to update it.
-              next nil if dep.nil?
-
-              # If the dependency is Bundler itself then we can't trust the
-              # version that has been returned (it's the version Dependabot is
-              # running on, rather than the true latest resolvable version).
-              next nil if dep.name == "bundler"
-
-              # If the old Gemfile index was used then it won't have checked
-              # Ruby compatibility. Fix that by doing the check manually (and
-              # saying no update is possible if the Ruby version is a mismatch)
-              next nil if ruby_version_incompatible?(dep)
-
-              details = { version: dep.version }
-              if dep.source.instance_of?(::Bundler::Source::Git)
-                details[:commit_sha] = dep.source.revision
+            # We do not want the helper to handle errors for us as there are
+            # some errors we want to handle specifically ourselves, including
+            # potentially retrying in the case of the Ruby version being locked
+            in_a_native_bundler_context(error_handling: false) do |tmp_dir|
+              details =  SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                function: "resolve_version",
+                args: {
+                  dependency_name: dependency.name,
+                  dependency_requirements: dependency.requirements,
+                  gemfile_name: gemfile.name,
+                  lockfile_name: lockfile&.name,
+                  using_bundler_2: using_bundler_2?,
+                  dir: tmp_dir,
+                  credentials: credentials
+                }
+              )
+
+              return latest_version_details if details == "latest"
+
+              if details
+                details.transform_keys!(&:to_sym)
+
+                # If the old Gemfile index was used then it won't have checked
+                # Ruby compatibility. Fix that by doing the check manually and
+                # saying no update is possible if the Ruby version is a
+                # mismatch
+                return nil if ruby_version_incompatible?(details)
+
+                details[:version] = Gem::Version.new(details[:version])
               end
               details
             end
           end
-        rescue Dependabot::DependencyFileNotResolvable => e
+        rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
           return if error_due_to_restrictive_upper_bound?(e)
           return if circular_dependency_at_new_version?(e)
-          raise unless ruby_lock_error?(e)
+
+          # If we are unable to handle the error ourselves, pass it on to the
+          # general bundler error handling.
+          handle_bundler_errors(e) unless ruby_lock_error?(e)
 
           @gemspec_ruby_unlocked = true
           regenerate_dependency_files_without_ruby_lock && retry
@@ -120,7 +119,9 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
 
         def circular_dependency_at_new_version?(error)
-          return false unless error.message.include?("CyclicDependencyError")
+          unless error.error_class.include?("CyclicDependencyError")
+            return false
+          end
 
           error.message.include?("'#{dependency.name}'")
         end
@@ -155,71 +156,30 @@ module Dependabot
             ).prepared_dependency_files
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
-        def dependency_from_definition(unlock_subdependencies: true)
-          dependencies_to_unlock = [dependency.name]
-          dependencies_to_unlock += subdependencies if unlock_subdependencies
-          begin
-            definition = build_definition(dependencies_to_unlock)
-            definition.resolve_remotely!
-          rescue ::Bundler::GemNotFound => e
-            unlock_yanked_gem(dependencies_to_unlock, e) && retry
-          rescue ::Bundler::HTTPError => e
-            # Retry network errors
-            attempt ||= 1
-            attempt += 1
-            raise if attempt > 3 || !e.message.include?("Network error")
-
-            retry
-          end
-
-          dep = definition.resolve.find { |d| d.name == dependency.name }
-          return dep if dep
-          return if dependency.requirements.any? || !unlock_subdependencies
-
-          # If no definition was found and we're updating a sub-dependency,
-          # try again but without unlocking any other sub-dependencies
-          dependency_from_definition(unlock_subdependencies: false)
-        end
-
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        def unlock_yanked_gem(dependencies_to_unlock, error)
-          raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
-
-          gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
-                     named_captures["name"]
-          raise if dependencies_to_unlock.include?(gem_name)
-
-          dependencies_to_unlock << gem_name
-        end
-
-        def subdependencies
-          # If there's no lockfile we don't need to worry about
-          # subdependencies
-          return [] unless lockfile
-
-          all_deps =  ::Bundler::LockfileParser.new(sanitized_lockfile_body).
-                      specs.map(&:name).map(&:to_s).uniq
-          top_level = build_definition([]).dependencies.
-                      map(&:name).map(&:to_s)
-
-          all_deps - top_level
+        def latest_version_details
+          @latest_version_details ||=
+            LatestVersionFinder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              repo_contents_path: repo_contents_path,
+              credentials: credentials,
+              ignored_versions: ignored_versions,
+              raise_on_ignored: @raise_on_ignored,
+              security_advisories: []
+            ).latest_version_details
         end
 
-        def ruby_version_incompatible?(dep)
-          return false unless dep.source.is_a?(::Bundler::Source::Rubygems)
-
-          fetcher = dep.source.fetchers.first.fetchers.first
-
+        def ruby_version_incompatible?(details)
           # It's only the old index we have a problem with
-          return false unless fetcher.is_a?(::Bundler::Fetcher::Dependency)
+          unless details[:fetcher] == "Bundler::Fetcher::Dependency"
+            return false
+          end
 
           # If no Ruby version is specified, we don't have a problem
-          return false unless ruby_version
+          return false unless details[:ruby_version]
 
           versions = Excon.get(
-            "#{fetcher.fetch_uri}api/v1/versions/#{dependency.name}.json",
+            "https://rubygems.org/api/v1/versions/#{dependency.name}.json",
             idempotent: true,
             **SharedHelpers.excon_defaults
           )
@@ -230,53 +190,23 @@ module Dependabot
 
           ruby_requirement =
             JSON.parse(versions.body).
-            find { |details| details["number"] == dep.version.to_s }&.
+            find { |version| version["number"] == details[:version] }&.
             fetch("ruby_version", nil)
 
           # Give the benefit of the doubt if we can't find the version's
           # required Ruby version.
           return false unless ruby_requirement
 
-          ruby_requirement = Requirement.new(ruby_requirement)
+          ruby_requirement = Gem::Requirement.new(ruby_requirement)
+          current_ruby_version = Gem::Version.new(details[:ruby_version])
 
-          !ruby_requirement.satisfied_by?(ruby_version)
+          !ruby_requirement.satisfied_by?(current_ruby_version)
         rescue JSON::ParserError, Excon::Error::Socket, Excon::Error::Timeout
           # Give the benefit of the doubt if something goes wrong fetching
           # version details (could be that it's a private index, etc.)
           false
         end
 
-        def build_definition(dependencies_to_unlock)
-          # Note: we lock shared dependencies to avoid any top-level
-          # dependencies getting unlocked (which would happen if they were
-          # also subdependencies of the dependency being unlocked)
-          ::Bundler::Definition.build(
-            gemfile.name,
-            lockfile&.name,
-            gems: dependencies_to_unlock,
-            lock_shared_dependencies: true
-          )
-        end
-
-        def ruby_version
-          return nil unless gemfile
-
-          @ruby_version ||= build_definition([]).ruby_version&.gem_version
-        end
-
-        def latest_version_details
-          @latest_version_details ||=
-            LatestVersionFinder.new(
-              dependency: dependency,
-              dependency_files: dependency_files,
-              repo_contents_path: repo_contents_path,
-              credentials: credentials,
-              ignored_versions: ignored_versions,
-              raise_on_ignored: @raise_on_ignored,
-              security_advisories: []
-            ).latest_version_details
-        end
-
         def gemfile
           dependency_files.find { |f| f.name == "Gemfile" } ||
             dependency_files.find { |f| f.name == "gems.rb" }
@@ -287,9 +217,10 @@ module Dependabot
             dependency_files.find { |f| f.name == "gems.locked" }
         end
 
-        def sanitized_lockfile_body
-          re = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
-          lockfile.content.gsub(re, "")
+        def using_bundler_2?
+          return unless lockfile
+
+          lockfile.content.match?(/BUNDLED WITH\s+2/m)
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.121.1
+  version: 0.124.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-07 00:00:00.000000000 Z
+date: 2020-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.121.1
+        version: 0.124.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.121.1
+        version: 0.124.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.92.0
+        version: 0.93.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.92.0
+        version: 0.93.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.19.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.19.0
+- !ruby/object:Gem::Dependency
+  name: simplecov-console
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.2
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
@@ -163,6 +191,7 @@ files:
 - lib/dependabot/bundler/file_updater/requirement_replacer.rb
 - lib/dependabot/bundler/file_updater/ruby_requirement_setter.rb
 - lib/dependabot/bundler/metadata_finder.rb
+- lib/dependabot/bundler/native_helpers.rb
 - lib/dependabot/bundler/requirement.rb
 - lib/dependabot/bundler/update_checker.rb
 - lib/dependabot/bundler/update_checker/file_preparer.rb
@@ -173,9 +202,6 @@ files:
 - lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb
 - lib/dependabot/bundler/update_checker/version_resolver.rb
 - lib/dependabot/bundler/version.rb
-- lib/dependabot/monkey_patches/bundler/definition_bundler_version_patch.rb
-- lib/dependabot/monkey_patches/bundler/definition_ruby_version_patch.rb
-- lib/dependabot/monkey_patches/bundler/git_source_patch.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard

data/lib/dependabot/monkey_patches/bundler/definition_bundler_version_patch.rb

@@ -1,15 +0,0 @@
-# frozen_string_literal: true
-
-require "bundler/definition"
-
-# Ignore the Bundler version specified in the Gemfile (since the only Bundler
-# version available to us is the one we're using).
-module Bundler
-  class Definition
-    def expanded_dependencies
-      @expanded_dependencies ||=
-        expand_dependencies(dependencies + metadata_dependencies, @remote).
-        reject { |d| d.name == "bundler" }
-    end
-  end
-end

data/lib/dependabot/monkey_patches/bundler/definition_ruby_version_patch.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-module BundlerDefinitionRubyVersionPatch
-  def index
-    @index ||= super.tap do
-      if ruby_version
-        requested_version = ruby_version.to_gem_version_with_patchlevel
-        sources.metadata_source.specs <<
-          Gem::Specification.new("ruby\0", requested_version)
-      end
-
-      sources.metadata_source.specs <<
-        Gem::Specification.new("ruby\0", "2.5.3p105")
-    end
-  end
-end
-Bundler::Definition.prepend(BundlerDefinitionRubyVersionPatch)

data/lib/dependabot/monkey_patches/bundler/git_source_patch.rb

@@ -1,61 +0,0 @@
-# frozen_string_literal: true
-
-module Bundler
-  class Source
-    class Git
-      class GitProxy
-        private
-
-        # Bundler allows ssh authentication when talking to GitHub but there's
-        # no way for Dependabot to do so (it doesn't have any ssh keys).
-        # Instead, we convert all `git@github.com:` URLs to use HTTPS.
-        def configured_uri_for(uri)
-          uri = uri.gsub(%r{git@(.*?):/?}, 'https://\1/')
-          if uri.match?(/https?:/)
-            remote = URI(uri)
-            config_auth =
-              Bundler.settings[remote.to_s] || Bundler.settings[remote.host]
-            remote.userinfo ||= config_auth
-            remote.to_s
-          else
-            uri
-          end
-        end
-      end
-    end
-  end
-end
-
-module Bundler
-  class Source
-    class Git < Path
-      private
-
-      def serialize_gemspecs_in(destination)
-        original_load_paths = $LOAD_PATH.dup
-        reduced_load_paths = original_load_paths.
-                             reject { |p| p.include?("/gems/") }
-
-        $LOAD_PATH.shift until $LOAD_PATH.empty?
-        reduced_load_paths.each { |p| $LOAD_PATH << p }
-
-        if destination.relative?
-          destination = destination.expand_path(Bundler.root)
-        end
-        Dir["#{destination}/#{@glob}"].each do |spec_path|
-          # Evaluate gemspecs and cache the result. Gemspecs
-          # in git might require git or other dependencies.
-          # The gemspecs we cache should already be evaluated.
-          spec = Bundler.load_gemspec(spec_path)
-          next unless spec
-
-          Bundler.rubygems.set_installed_by_version(spec)
-          Bundler.rubygems.validate(spec)
-          File.open(spec_path, "wb") { |file| file.write(spec.to_ruby) }
-        end
-        $LOAD_PATH.shift until $LOAD_PATH.empty?
-        original_load_paths.each { |p| $LOAD_PATH << p }
-      end
-    end
-  end
-end