dependabot-bundler 0.124.7 → 0.125.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f4d15ee063593d04b7f298c043ca8a710cdb8573b8a7fb7daf88c959eda7c3aa
-  data.tar.gz: fc3ae6855cb63559940cc54cdb1a71242cb56d13b0209edb907c4d90bf037bbb
+  metadata.gz: 83152b291442fad26ff65f29c1357211aa955fc95b204155f86b963e99e489e1
+  data.tar.gz: 00dddfab3bd6c04bc970a4bceb44cdaa7ae9fb16a9b333568800acb05da093cc
 SHA512:
-  metadata.gz: 547c622f6f08fd277eb951134b94b64c0b7e550330eb466382baa0bbfd20148fedd1d303faab81a8ed3b75d67c1ddaa54253bc336b3111cad089a83af032ba18
-  data.tar.gz: 5c45aacff60e26b8ae224ab03bd8c0eceaa2622ba159279d106f260e99a2c4fb3a7b1cb621bf9cbdb168134968b90a3a11442ea12cc84024fc4994bb32332f80
+  metadata.gz: b8f217c42f75084d95dfe83426476cb28f0b415e92ff3f45a72b453dedf523bed7c2b4bd2e4ca2aab81800c4669da9c53c1bfbed5aee07b72ed25916cac57c27
+  data.tar.gz: c86d612ffd4eed616dab8538f9f984155e0c3ce9e826d6a6fe6e2d06f89bd8108de41d2e7f898e4a83bbaa71d8e5b13fc04459cd43b25e0cf49bdda362c23257

data/lib/dependabot/bundler/file_fetcher.rb

@@ -14,9 +14,7 @@ module Dependabot
       require "dependabot/bundler/file_fetcher/require_relative_finder"
 
       def self.required_files_in?(filenames)
-        if filenames.any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
-          return true
-        end
+        return true if filenames.any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
 
         filenames.include?("Gemfile") || filenames.include?("gems.rb")
       end
@@ -133,9 +131,7 @@ module Dependabot
           unfetchable_gems << path.basename.to_s
         end
 
-        if unfetchable_gems.any?
-          raise Dependabot::PathDependenciesNotReachable, unfetchable_gems
-        end
+        raise Dependabot::PathDependenciesNotReachable, unfetchable_gems if unfetchable_gems.any?
 
         gemspec_files.tap { |ar| ar.each { |f| f.support_file = true } }
       end

data/lib/dependabot/bundler/file_parser.rb

@@ -204,9 +204,7 @@ module Dependabot
 
         # If the source is Git we're better off knowing the SHA-1 than the
         # version.
-        if spec.source.instance_of?(::Bundler::Source::Git)
-          return spec.source.revision
-        end
+        return spec.source.revision if spec.source.instance_of?(::Bundler::Source::Git)
 
         spec.version
       end

data/lib/dependabot/bundler/file_updater.rb

@@ -94,9 +94,7 @@ module Dependabot
       def check_required_files
         file_names = dependency_files.map(&:name)
 
-        if lockfile && !gemfile
-          raise "A Gemfile must be provided if a lockfile is!"
-        end
+        raise "A Gemfile must be provided if a lockfile is!" if lockfile && !gemfile
 
         return if file_names.any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
         return if gemfile

data/lib/dependabot/bundler/file_updater/gemfile_updater.rb

@@ -25,13 +25,9 @@ module Dependabot
               content
             )
 
-            if remove_git_source?(dependency)
-              content = remove_gemfile_git_source(dependency, content)
-            end
+            content = remove_gemfile_git_source(dependency, content) if remove_git_source?(dependency)
 
-            if update_git_pin?(dependency)
-              content = update_gemfile_git_pin(dependency, gemfile, content)
-            end
+            content = update_gemfile_git_pin(dependency, gemfile, content) if update_git_pin?(dependency)
           end
 
           content

data/lib/dependabot/bundler/file_updater/gemspec_sanitizer.rb

@@ -100,9 +100,7 @@ module Dependabot
           def replace_version_assignments(node)
             return unless node.is_a?(Parser::AST::Node)
 
-            if node_assigns_to_version_constant?(node)
-              return replace_constant(node)
-            end
+            return replace_constant(node) if node_assigns_to_version_constant?(node)
 
             node.children.each { |child| replace_version_assignments(child) }
           end
@@ -110,9 +108,7 @@ module Dependabot
           def replace_version_constant_references(node)
             return unless node.is_a?(Parser::AST::Node)
 
-            if node_is_version_constant?(node)
-              return replace(node.loc.expression, %("#{replacement_version}"))
-            end
+            return replace(node.loc.expression, %("#{replacement_version}")) if node_is_version_constant?(node)
 
             node.children.each do |child|
               replace_version_constant_references(child)
@@ -122,9 +118,7 @@ module Dependabot
           def replace_file_assignments(node)
             return unless node.is_a?(Parser::AST::Node)
 
-            if node_assigns_files_to_var?(node)
-              return replace_file_assignment(node)
-            end
+            return replace_file_assignment(node) if node_assigns_files_to_var?(node)
 
             node.children.each { |child| replace_file_assignments(child) }
           end
@@ -132,9 +126,7 @@ module Dependabot
           def replace_require_paths_assignments(node)
             return unless node.is_a?(Parser::AST::Node)
 
-            if node_assigns_require_paths?(node)
-              return replace_require_paths_assignment(node)
-            end
+            return replace_require_paths_assignment(node) if node_assigns_require_paths?(node)
 
             node.children.each do |child|
               replace_require_paths_assignments(child)

data/lib/dependabot/bundler/file_updater/lockfile_updater.rb

@@ -44,9 +44,7 @@ module Dependabot
             begin
               updated_content = build_updated_lockfile
 
-              if lockfile.content == updated_content
-                raise "Expected content to change!"
-              end
+              raise "Expected content to change!" if lockfile.content == updated_content
 
               updated_content
             end

data/lib/dependabot/bundler/file_updater/requirement_replacer.rb

@@ -64,9 +64,7 @@ module Dependabot
         end
 
         def length_change
-          unless previous_requirement.start_with?("=")
-            return updated_requirement.length - previous_requirement.length
-          end
+          return updated_requirement.length - previous_requirement.length unless previous_requirement.start_with?("=")
 
           updated_requirement.length -
             previous_requirement.gsub(/^=/, "").strip.length
@@ -205,9 +203,7 @@ module Dependabot
             # Gem::Requirement serializes exact matches as a string starting
             # with `=`. We may need to remove that equality operator if it
             # wasn't used originally.
-            unless use_equality_operator
-              tmp_req = tmp_req.gsub(/(?<![<>])=/, "")
-            end
+            tmp_req = tmp_req.gsub(/(?<![<>])=/, "") unless use_equality_operator
 
             tmp_req.strip
           end

data/lib/dependabot/bundler/metadata_finder.rb

@@ -120,9 +120,7 @@ module Dependabot
       # Note: This response MUST NOT be unmarshalled
       # (as calling Marshal.load is unsafe)
       def rubygems_marshalled_gemspec_response
-        if defined?(@rubygems_marshalled_gemspec_response)
-          return @rubygems_marshalled_gemspec_response
-        end
+        return @rubygems_marshalled_gemspec_response if defined?(@rubygems_marshalled_gemspec_response)
 
         gemspec_uri =
           "#{registry_url}quick/Marshal.4.8/"\
@@ -135,9 +133,7 @@ module Dependabot
             **SharedHelpers.excon_defaults(headers: registry_auth_headers)
           )
 
-        if response.status >= 400
-          return @rubygems_marshalled_gemspec_response = nil
-        end
+        return @rubygems_marshalled_gemspec_response = nil if response.status >= 400
 
         @rubygems_marshalled_gemspec_response =
           Zlib::Inflate.inflate(response.body)

data/lib/dependabot/bundler/update_checker.rb

@@ -13,6 +13,7 @@ module Dependabot
       require_relative "update_checker/requirements_updater"
       require_relative "update_checker/version_resolver"
       require_relative "update_checker/latest_version_finder"
+      require_relative "update_checker/conflicting_dependency_resolver"
 
       def latest_version
         return latest_version_for_git_dependency if git_dependency?
@@ -99,14 +100,23 @@ module Dependabot
 
       def requirements_update_strategy
         # If passed in as an option (in the base class) honour that option
-        if @requirements_update_strategy
-          return @requirements_update_strategy.to_sym
-        end
+        return @requirements_update_strategy.to_sym if @requirements_update_strategy
 
         # Otherwise, widen ranges for libraries and bump versions for apps
         dependency.version.nil? ? :bump_versions_if_necessary : :bump_versions
       end
 
+      def conflicting_dependencies
+        ConflictingDependencyResolver.new(
+          dependency_files: dependency_files,
+          repo_contents_path: repo_contents_path,
+          credentials: credentials
+        ).conflicting_dependencies(
+          dependency: dependency,
+          target_version: lowest_security_fix_version
+        )
+      end
+
       private
 
       def latest_version_resolvable_with_full_unlock?
@@ -130,9 +140,7 @@ module Dependabot
       end
 
       def preferred_resolvable_version_details
-        if vulnerable?
-          return { version: lowest_resolvable_security_fix_version }
-        end
+        return { version: lowest_resolvable_security_fix_version } if vulnerable?
 
         latest_resolvable_version_details
       end
@@ -208,9 +216,7 @@ module Dependabot
 
         # Otherwise, if the gem isn't pinned, the latest version is just the
         # latest commit for the specified branch.
-        unless git_commit_checker.pinned?
-          return git_commit_checker.head_commit_for_current_branch
-        end
+        return git_commit_checker.head_commit_for_current_branch unless git_commit_checker.pinned?
 
         # If the dependency is pinned to a tag that looks like a version then
         # we want to update that tag. The latest version will then be the SHA
@@ -234,9 +240,7 @@ module Dependabot
 
         # Otherwise, if the gem isn't pinned, the latest version is just the
         # latest commit for the specified branch.
-        unless git_commit_checker.pinned?
-          return latest_resolvable_commit_with_unchanged_git_source
-        end
+        return latest_resolvable_commit_with_unchanged_git_source unless git_commit_checker.pinned?
 
         # If the dependency is pinned to a tag that looks like a version then
         # we want to update that tag. The latest version will then be the SHA

data/lib/dependabot/bundler/update_checker/conflicting_dependency_resolver.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "dependabot/bundler/update_checker"
+require "dependabot/bundler/native_helpers"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Bundler
+    class UpdateChecker < UpdateCheckers::Base
+      class ConflictingDependencyResolver
+        require_relative "shared_bundler_helpers"
+        include SharedBundlerHelpers
+
+        def initialize(dependency_files:, repo_contents_path:, credentials:)
+          @dependency_files = dependency_files
+          @repo_contents_path = repo_contents_path
+          @credentials = credentials
+        end
+
+        # Finds any dependencies in the lockfile that have a subdependency on
+        # the given dependency that does not satisfly the target_version.
+        #
+        # @param dependency [Dependabot::Dependency] the dependency to check
+        # @param target_version [String] the version to check
+        # @return [Array<Hash{String => String}]
+        #   * name [String] the blocking dependencies name
+        #   * version [String] the version of the blocking dependency
+        #   * requirement [String] the requirement on the target_dependency
+        def conflicting_dependencies(dependency:, target_version:)
+          in_a_native_bundler_context(error_handling: false) do |tmp_dir|
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "conflicting_dependencies",
+              args: {
+                dir: tmp_dir,
+                dependency_name: dependency.name,
+                target_version: target_version,
+                credentials: relevant_credentials,
+                lockfile_name: lockfile.name,
+                using_bundler_2: using_bundler_2?
+              }
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/update_checker/file_preparer.rb

@@ -207,9 +207,7 @@ module Dependabot
           lower_bound_req = updated_version_req_lower_bound(filename)
 
           return lower_bound_req if latest_allowable_version.nil?
-          unless Gem::Version.correct?(latest_allowable_version)
-            return lower_bound_req
-          end
+          return lower_bound_req unless Gem::Version.correct?(latest_allowable_version)
 
           lower_bound_req + ", <= #{latest_allowable_version}"
         end

data/lib/dependabot/bundler/update_checker/latest_version_finder.rb

@@ -39,9 +39,7 @@ module Dependabot
                     :credentials, :ignored_versions, :security_advisories
 
         def fetch_latest_version_details
-          if dependency_source.git?
-            return dependency_source.latest_git_version_details
-          end
+          return dependency_source.latest_git_version_details if dependency_source.git?
 
           relevant_versions = dependency_source.versions
           relevant_versions = filter_prerelease_versions(relevant_versions)
@@ -71,9 +69,7 @@ module Dependabot
         def filter_ignored_versions(versions_array)
           filtered = versions_array.
                      reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
-          if @raise_on_ignored && filtered.empty? && versions_array.any?
-            raise AllVersionsIgnored
-          end
+          raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
 
           filtered
         end

data/lib/dependabot/bundler/update_checker/requirements_updater.rb

@@ -228,9 +228,7 @@ module Dependabot
           lb_segments = version.segments
           lb_segments.pop while lb_segments.any? && lb_segments.last.zero?
 
-          if lb_segments.none?
-            return [Gem::Requirement.new("< #{ub_segments.join('.')}")]
-          end
+          return [Gem::Requirement.new("< #{ub_segments.join('.')}")] if lb_segments.none?
 
           # Ensure versions have the same length as each other (cosmetic)
           length = [lb_segments.count, ub_segments.count].max
@@ -253,9 +251,7 @@ module Dependabot
         # Updates the version in a "<" or "<=" constraint to allow the given
         # version
         def update_greatest_version(requirement, version_to_be_permitted)
-          if version_to_be_permitted.is_a?(String)
-            version_to_be_permitted = Gem::Version.new(version_to_be_permitted)
-          end
+          version_to_be_permitted = Gem::Version.new(version_to_be_permitted) if version_to_be_permitted.is_a?(String)
           op, version = requirement.requirements.first
           version = version.release if version.prerelease?
 

data/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb

@@ -55,9 +55,7 @@ module Dependabot
         rescue SharedHelpers::HelperSubprocessFailed => e
           retry_count ||= 0
           retry_count += 1
-          if retryable_error?(e) && retry_count <= 2
-            sleep(rand(1.0..5.0)) && retry
-          end
+          sleep(rand(1.0..5.0)) && retry if retryable_error?(e) && retry_count <= 2
 
           error_handling ? handle_bundler_errors(e) : raise
         end
@@ -70,9 +68,7 @@ module Dependabot
           return true if error.error_class == "JSON::ParserError"
           return true if RETRYABLE_ERRORS.include?(error.error_class)
 
-          unless RETRYABLE_PRIVATE_REGISTRY_ERRORS.include?(error.error_class)
-            return false
-          end
+          return false unless RETRYABLE_PRIVATE_REGISTRY_ERRORS.include?(error.error_class)
 
           private_registry_credentials.any?
         end

data/lib/dependabot/bundler/update_checker/version_resolver.rb

@@ -119,9 +119,7 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
 
         def circular_dependency_at_new_version?(error)
-          unless error.error_class.include?("CyclicDependencyError")
-            return false
-          end
+          return false unless error.error_class.include?("CyclicDependencyError")
 
           error.message.include?("'#{dependency.name}'")
         end
@@ -171,9 +169,7 @@ module Dependabot
 
         def ruby_version_incompatible?(details)
           # It's only the old index we have a problem with
-          unless details[:fetcher] == "Bundler::Fetcher::Dependency"
-            return false
-          end
+          return false unless details[:fetcher] == "Bundler::Fetcher::Dependency"
 
           # If no Ruby version is specified, we don't have a problem
           return false unless details[:ruby_version]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.124.7
+  version: 0.125.3
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-03 00:00:00.000000000 Z
+date: 2020-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.124.7
+        version: 0.125.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.124.7
+        version: 0.125.3
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.2
+        version: 0.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.2
+        version: 0.8.0
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
@@ -194,6 +194,7 @@ files:
 - lib/dependabot/bundler/native_helpers.rb
 - lib/dependabot/bundler/requirement.rb
 - lib/dependabot/bundler/update_checker.rb
+- lib/dependabot/bundler/update_checker/conflicting_dependency_resolver.rb
 - lib/dependabot/bundler/update_checker/file_preparer.rb
 - lib/dependabot/bundler/update_checker/force_updater.rb
 - lib/dependabot/bundler/update_checker/latest_version_finder.rb