dependabot-bundler 0.134.2 → 0.137.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2bcdbe551e6ff3f077707ac6d98f1ac1790ecc7cd9d1b2b022fece85020c518e
-  data.tar.gz: 7ca334b4843d2aabe419e39c688bd28d12f9af009a2741fc9fce3feffb98be45
+  metadata.gz: c9cc00087eb45c279ce7a3a14c6a0cf396ae9d5db7ee214fe84b2314b70f24d3
+  data.tar.gz: b154b98688fdf142897fde05073d54f75b0a79f104708c19d6cff676fb165dbb
 SHA512:
-  metadata.gz: d5c0a9ca7e54167e4fcadbf3b1a71fab53ce2eca2278fd51d02b6fba4d4c9251106f3a0ae50c6e7857b08779c7e304df95e31bef3afb6469a4f1da5e7968796e
-  data.tar.gz: 1cc1bc4e2877a324e2b5993dc2b4e4af17380fdf1112b464a73467377335a5de1e329142bef92e7b61cd8de7743c49513d0d3e9e5114eb7888b931a164b9e9b3
+  metadata.gz: 59481320584df892ecf01fce822b4eb40d87b3a30f1ee6845cf82ac18d90f2958ddcdd9edd4e80ab69d7a001a4cdfa1993eaf43875c90d129db56a722df5ef94
+  data.tar.gz: f48ddfad24172a7233fcf02a98cd488a1a2620006942c9662d2cb553de7519a31a4dc2e9d6ab0c376420dc5001d738ebee78ece40a76b5654cfb616a2bb2d618

data/helpers/v1/.bundle/config

@@ -0,0 +1,2 @@
+---
+BUNDLE_PATH: ".bundle"

data/helpers/v1/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/*
+!/.bundle/config
+/.env
+/tmp
+/dependabot-*.gem
+Gemfile.lock
+spec/fixtures/projects/*/.bundle/
+!spec/fixtures/projects/**/Gemfile.lock
+!spec/fixtures/projects/**/vendor

data/helpers/v1/Gemfile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# NOTE: Used to run native helper specs
+group :test do
+  gem "byebug", "11.1.3"
+  gem "rspec", "3.10.0"
+  gem "rspec-its", "1.3.0"
+  gem "vcr", "6.0.0"
+  gem "webmock", "3.12.1"
+end

data/helpers/{build → v1/build}

@@ -10,9 +10,15 @@ fi
 
 helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
 cp -r \
+  "$helpers_dir/.bundle" \
   "$helpers_dir/lib" \
   "$helpers_dir/monkey_patches" \
   "$helpers_dir/run.rb" \
+  "$helpers_dir/Gemfile" \
   "$install_dir"
 
 cd "$install_dir"
+
+# NOTE: Sets `BUNDLED WITH` to match the installed v1 version in Gemfile.lock
+# forcing native helpers to run with the same version
+BUNDLER_VERSION=1 bundle install --without test

data/helpers/v1/spec/functions/conflicting_dependency_resolver_spec.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::ConflictingDependencyResolver do
+  include_context "in a temporary bundler directory"
+
+  let(:conflicting_dependency_resolver) do
+    described_class.new(
+      dependency_name: dependency_name,
+      target_version: target_version,
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:dependency_name) { "dummy-pkg-a" }
+  let(:target_version) { "2.0.0" }
+
+  let(:project_name) { "blocked_by_subdep" }
+
+  describe "#conflicting_dependencies" do
+    subject(:conflicting_dependencies) do
+      in_tmp_folder { conflicting_dependency_resolver.conflicting_dependencies }
+    end
+
+    it "returns a list of dependencies that block the update" do
+      expect(conflicting_dependencies).to eq(
+        [{
+          "explanation" => "dummy-pkg-b (1.0.0) requires dummy-pkg-a (< 2.0.0)",
+          "name" => "dummy-pkg-b",
+          "version" => "1.0.0",
+          "requirement" => "< 2.0.0"
+        }]
+      )
+    end
+
+    context "for nested transitive dependencies" do
+      let(:project_name) { "transitive_blocking" }
+      let(:dependency_name) { "activesupport" }
+      let(:target_version) { "6.0.0" }
+
+      it "returns a list of dependencies that block the update" do
+        expect(conflicting_dependencies).to match_array(
+          [
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0)",
+              "name" => "rails",
+              "requirement" => "= 5.2.0",
+              "version" => "5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionpack (5.2.0)",
+              "name" => "actionpack",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionview (5.2.0)",
+              "name" => "actionview",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activejob (5.2.0)",
+              "name" => "activejob",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activemodel (5.2.0)",
+              "name" => "activemodel",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activerecord (5.2.0)",
+              "name" => "activerecord",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via railties (5.2.0)",
+              "name" => "railties",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            }
+          ]
+        )
+      end
+    end
+
+    context "with multiple blocking dependencies" do
+      let(:dependency_name) { "activesupport" }
+      let(:current_version) { "5.0.0" }
+      let(:target_version) { "6.0.0" }
+      let(:project_name) { "multiple_blocking" }
+
+      it "returns all of the blocking dependencies" do
+        expect(conflicting_dependencies).to match_array(
+          [
+            {
+              "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via actionpack (5.0.0)",
+              "name" => "actionpack",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            },
+            {
+              "explanation" => "actionview (5.0.0) requires activesupport (= 5.0.0)",
+              "name" => "actionview",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            },
+            {
+              "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via activejob (5.0.0)",
+              "name" => "activejob",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            }
+          ]
+        )
+      end
+    end
+
+    context "without any blocking dependencies" do
+      let(:target_version) { "1.0.0" }
+
+      it "returns an empty list" do
+        expect(conflicting_dependencies).to eq([])
+      end
+    end
+  end
+end

data/helpers/v1/spec/functions/dependency_source_spec.rb

@@ -0,0 +1,187 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::DependencySource do
+  include_context "in a temporary bundler directory"
+
+  let(:dependency_source) do
+    described_class.new(
+      gemfile_name: "Gemfile",
+      dependency_name: dependency_name
+    )
+  end
+
+  let(:dependency_name) { "business" }
+
+  let(:project_name) { "specified_source_no_lockfile" }
+  let(:registry_url) { "https://repo.fury.io/greysteil/" }
+  let(:gemfury_business_url) do
+    "https://repo.fury.io/greysteil/api/v1/dependencies?gems=business"
+  end
+
+  before do
+    stub_request(:get, registry_url + "versions").
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 404)
+    stub_request(:get, registry_url + "api/v1/dependencies").
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 200)
+    stub_request(:get, gemfury_business_url).
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+  end
+
+  describe "#private_registry_versions" do
+    subject(:private_registry_versions) do
+      in_tmp_folder { dependency_source.private_registry_versions }
+    end
+
+    it "returns all versions from the private source" do
+      is_expected.to eq([
+                          Gem::Version.new("1.5.0"),
+                          Gem::Version.new("1.9.0"),
+                          Gem::Version.new("1.10.0.beta")
+                        ])
+    end
+
+    context "specified as the default source" do
+      let(:project_name) { "specified_default_source_no_lockfile" }
+
+      it "returns all versions from the private source" do
+        is_expected.to eq([
+                            Gem::Version.new("1.5.0"),
+                            Gem::Version.new("1.9.0"),
+                            Gem::Version.new("1.10.0.beta")
+                          ])
+      end
+    end
+
+    context "that we don't have authentication details for" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+      end
+
+      it "blows up with a useful error" do
+        error_class = Bundler::Fetcher::AuthenticationRequiredError
+        error_message = "Authentication is required for repo.fury.io"
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(error_class)
+            expect(error.message).to include(error_message)
+          end
+      end
+    end
+
+    context "that we have bad authentication details for" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+      end
+
+      it "blows up with a useful error" do
+        error_class = Bundler::Fetcher::BadAuthenticationError
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(error_class)
+            expect(error.message).
+              to include("Bad username or password for")
+          end
+      end
+    end
+
+    context "that bad-requested, but was a private repo" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+      end
+
+      it "blows up with a useful error" do
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(Bundler::HTTPError)
+            expect(error.message).
+              to include("Could not fetch specs from")
+          end
+      end
+    end
+
+    context "that doesn't have details of the gem" do
+      before do
+        stub_request(:get, gemfury_business_url).
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 404)
+
+        # Stub indexes to return details of other gems (but not this one)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_response")
+          )
+        stub_request(:get, registry_url + "prerelease_specs.4.8.gz").
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_prerelease_response")
+          )
+      end
+
+      it { is_expected.to be_empty }
+    end
+
+    context "that only implements the old Bundler index format..." do
+      let(:project_name) { "sidekiq_pro" }
+      let(:dependency_name) { "sidekiq-pro" }
+      let(:registry_url) { "https://gems.contribsys.com/" }
+
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: %w(username password)).
+          to_return(status: 404)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: %w(username password)).
+          to_return(status: 404)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: %w(username password)).
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_response")
+          )
+        stub_request(:get, registry_url + "prerelease_specs.4.8.gz").
+          with(basic_auth: %w(username password)).
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_prerelease_response")
+          )
+      end
+
+      it "returns all versions from the private source" do
+        expect(private_registry_versions.length).to eql(70)
+        expect(private_registry_versions.min).to eql(Gem::Version.new("1.0.0"))
+        expect(private_registry_versions.max).to eql(Gem::Version.new("3.5.2"))
+      end
+    end
+  end
+end

data/helpers/v1/spec/functions/file_parser_spec.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::FileParser do
+  include_context "in a temporary bundler directory"
+
+  let(:dependency_source) do
+    described_class.new(
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:project_name) { "gemfile" }
+
+  describe "#parsed_gemfile" do
+    subject(:parsed_gemfile) do
+      in_tmp_folder do
+        dependency_source.parsed_gemfile(gemfile_name: "Gemfile")
+      end
+    end
+
+    it "parses gemfile" do
+      parsed_gemfile = [
+        {
+          groups: [:default],
+          name: "business",
+          requirement: Gem::Requirement.new("~> 1.4.0"),
+          source: nil,
+          type: :runtime
+        },
+        {
+          groups: [:default],
+          name: "statesman",
+          requirement: Gem::Requirement.new("~> 1.2.0"),
+          source: nil,
+          type: :runtime
+        }
+      ]
+      is_expected.to eq(parsed_gemfile)
+    end
+  end
+
+  describe "#parsed_gemspec" do
+    let!(:gemspec_fixture) do
+      fixture("ruby", "gemspecs", "exact")
+    end
+
+    subject(:parsed_gemspec) do
+      in_tmp_folder do |tmp_path|
+        File.write(File.join(tmp_path, "test.gemspec"), gemspec_fixture)
+        dependency_source.parsed_gemspec(gemspec_name: "test.gemspec")
+      end
+    end
+
+    it "parses gemspec" do
+      parsed_gemspec = [
+        {
+          groups: nil,
+          name: "business",
+          requirement: Gem::Requirement.new("= 1.0.0"),
+          source: nil,
+          type: :runtime
+        },
+        {
+          groups: nil,
+          name: "statesman",
+          requirement: Gem::Requirement.new("= 1.0.0"),
+          source: nil,
+          type: :runtime
+        }
+      ]
+      is_expected.to eq(parsed_gemspec)
+    end
+  end
+end

data/helpers/v1/spec/functions/version_resolver_spec.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::VersionResolver do
+  include_context "in a temporary bundler directory"
+  include_context "stub rubygems compact index"
+
+  let(:version_resolver) do
+    described_class.new(
+      dependency_name: dependency_name,
+      dependency_requirements: dependency_requirements,
+      gemfile_name: "Gemfile",
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:dependency_name) { "business" }
+  let(:dependency_requirements) do
+    [{
+      file: "Gemfile",
+      requirement: requirement_string,
+      groups: [],
+      source: source
+    }]
+  end
+  let(:source) { nil }
+
+  let(:rubygems_url) { "https://index.rubygems.org/api/v1/" }
+  let(:old_index_url) { rubygems_url + "dependencies" }
+
+  describe "#version_details" do
+    subject do
+      in_tmp_folder { version_resolver.version_details }
+    end
+
+    let(:project_name) { "gemfile" }
+    let(:requirement_string) { " >= 0" }
+
+    its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
+    its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::CompactIndex") }
+
+    context "with a private gemserver source" do
+      include_context "stub rubygems compact index"
+
+      let(:project_name) { "specified_source" }
+      let(:requirement_string) { ">= 0" }
+
+      before do
+        gemfury_url = "https://repo.fury.io/greysteil/"
+        gemfury_deps_url = gemfury_url + "api/v1/dependencies"
+
+        stub_request(:get, gemfury_url + "versions").
+          to_return(status: 200, body: fixture("ruby", "gemfury-index"))
+        stub_request(:get, gemfury_url + "info/business").to_return(status: 404)
+        stub_request(:get, gemfury_deps_url).to_return(status: 200)
+        stub_request(:get, gemfury_deps_url + "?gems=business,statesman").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+        stub_request(:get, gemfury_deps_url + "?gems=business").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+        stub_request(:get, gemfury_deps_url + "?gems=statesman").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+      end
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.9.0")) }
+      its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") }
+    end
+
+    context "with a git source" do
+      let(:project_name) { "git_source" }
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.6.0")) }
+      its([:fetcher]) { is_expected.to be_nil }
+    end
+
+    context "when Bundler's compact index is down" do
+      before do
+        stub_request(:get, "https://index.rubygems.org/versions").
+          to_return(status: 500, body: "We'll be back soon")
+        stub_request(:get, "https://index.rubygems.org/info/public_suffix").
+          to_return(status: 500, body: "We'll be back soon")
+        stub_request(:get, old_index_url).to_return(status: 200)
+        stub_request(:get, old_index_url + "?gems=business,statesman").
+          to_return(
+            status: 200,
+            body: fixture("ruby",
+                          "rubygems_responses",
+                          "dependencies-default-gemfile")
+          )
+      end
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
+      its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") }
+    end
+  end
+end

data/helpers/v1/spec/native_spec_helper.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "rspec/its"
+require "webmock/rspec"
+require "byebug"
+
+$LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
+$LOAD_PATH.unshift(File.expand_path("../monkey_patches", __dir__))
+
+# Bundler monkey patches
+require "definition_ruby_version_patch"
+require "definition_bundler_version_patch"
+require "git_source_patch"
+
+require "functions"
+
+RSpec.configure do |config|
+  config.color = true
+  config.order = :rand
+  config.mock_with(:rspec) { |mocks| mocks.verify_partial_doubles = true }
+  config.raise_errors_for_deprecations!
+end
+
+# Duplicated in lib/dependabot/bundler/file_updater/lockfile_updater.rb
+# TODO: Stop sanitizing the lockfile once we have bundler 2 installed
+LOCKFILE_ENDING = /(?<ending>\s*(?:RUBY VERSION|BUNDLED WITH).*)/m.freeze
+
+def project_dependency_files(project)
+  project_path = File.expand_path(File.join("../../spec/fixtures/projects/bundler1", project))
+  Dir.chdir(project_path) do
+    # NOTE: Include dotfiles (e.g. .npmrc)
+    files = Dir.glob("**/*", File::FNM_DOTMATCH)
+    files = files.select { |f| File.file?(f) }
+    files.map do |filename|
+      content = File.read(filename)
+      if filename == "Gemfile.lock"
+        content = content.gsub(LOCKFILE_ENDING, "")
+      end
+      {
+        name: filename,
+        content: content
+      }
+    end
+  end
+end
+
+def fixture(*name)
+  File.read(File.join("../../spec/fixtures", File.join(*name)))
+end

data/helpers/v1/spec/shared_contexts.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "bundler/compact_index_client"
+require "bundler/compact_index_client/updater"
+
+TMP_DIR_PATH = File.expand_path("../tmp", __dir__)
+
+RSpec.shared_context "in a temporary bundler directory" do
+  let(:project_name) { "gemfile" }
+
+  let(:tmp_path) do
+    Dir.mkdir(TMP_DIR_PATH) unless Dir.exist?(TMP_DIR_PATH)
+    dir = Dir.mktmpdir("native_helper_spec_", TMP_DIR_PATH)
+    Pathname.new(dir).expand_path
+  end
+
+  before do
+    project_dependency_files(project_name).each do |file|
+      File.write(File.join(tmp_path, file[:name]), file[:content])
+    end
+  end
+
+  def in_tmp_folder(&block)
+    Dir.chdir(tmp_path, &block)
+  end
+end
+
+RSpec.shared_context "without caching rubygems" do
+  before do
+    # Stub Bundler to stop it using a cached versions of Rubygems
+    allow_any_instance_of(Bundler::CompactIndexClient::Updater).
+      to receive(:etag_for).and_return("")
+  end
+end
+
+RSpec.shared_context "stub rubygems compact index" do
+  include_context "without caching rubygems"
+
+  before do
+    # Stub the Rubygems index
+    stub_request(:get, "https://index.rubygems.org/versions").
+      to_return(
+        status: 200,
+        body: fixture("ruby", "rubygems_responses", "index")
+      )
+
+    # Stub the Rubygems response for each dependency we have a fixture for
+    fixtures =
+      Dir[File.join("../../spec", "fixtures", "ruby", "rubygems_responses", "info-*")]
+    fixtures.each do |path|
+      dep_name = path.split("/").last.gsub("info-", "")
+      stub_request(:get, "https://index.rubygems.org/info/#{dep_name}").
+        to_return(
+          status: 200,
+          body: fixture("ruby", "rubygems_responses", "info-#{dep_name}")
+        )
+    end
+  end
+end

data/lib/dependabot/bundler/file_parser.rb

@@ -5,6 +5,7 @@ require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
 require "dependabot/bundler/file_updater/lockfile_updater"
 require "dependabot/bundler/native_helpers"
+require "dependabot/bundler/helpers"
 require "dependabot/bundler/version"
 require "dependabot/shared_helpers"
 require "dependabot/errors"
@@ -129,8 +130,8 @@ module Dependabot
                                                       repo_contents_path) do
             write_temporary_dependency_files
 
-            SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
+            NativeHelpers.run_bundler_subprocess(
+              bundler_version: bundler_version,
               function: "parsed_gemfile",
               args: {
                 gemfile_name: gemfile.name,
@@ -159,8 +160,8 @@ module Dependabot
                                                       repo_contents_path) do
             write_temporary_dependency_files
 
-            SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
+            NativeHelpers.run_bundler_subprocess(
+              bundler_version: bundler_version,
               function: "parsed_gemspec",
               args: {
                 gemspec_name: file.name,
@@ -298,6 +299,10 @@ module Dependabot
           select { |f| f.name.end_with?(".rb") }.
           reject { |f| f.name == "gems.rb" }
       end
+
+      def bundler_version
+        @bundler_version ||= Helpers.bundler_version(lockfile)
+      end
     end
   end
 end

data/lib/dependabot/bundler/file_updater.rb

@@ -3,6 +3,7 @@
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/bundler/native_helpers"
+require "dependabot/bundler/helpers"
 require "dependabot/file_updaters/vendor_updater"
 
 module Dependabot
@@ -75,8 +76,8 @@ module Dependabot
         return @vendor_cache_dir if defined?(@vendor_cache_dir)
 
         @vendor_cache_dir =
-          SharedHelpers.run_helper_subprocess(
-            command: NativeHelpers.helper_path,
+          NativeHelpers.run_bundler_subprocess(
+            bundler_version: bundler_version,
             function: "vendor_cache_dir",
             args: {
               dir: repo_contents_path
@@ -159,6 +160,10 @@ module Dependabot
           select { |file| file.name.end_with?(".gemspec") }.
           reject(&:support_file?)
       end
+
+      def bundler_version
+        @bundler_version ||= Helpers.bundler_version(lockfile)
+      end
     end
   end
 end

data/lib/dependabot/bundler/file_updater/gemspec_sanitizer.rb

@@ -234,11 +234,8 @@ module Dependabot
           def remove_unnecessary_assignments(node)
             return unless node.is_a?(Parser::AST::Node)
 
-            if unnecessary_assignment?(node) &&
-               node.children.last&.location.respond_to?(:heredoc_end)
-              range_to_remove = node.loc.expression.join(
-                node.children.last.location.heredoc_end
-              )
+            if unnecessary_assignment?(node) && node_includes_heredoc?(node)
+              range_to_remove = node.loc.expression.join(find_heredoc_end_range(node))
               return replace(range_to_remove, '"sanitized"')
             elsif unnecessary_assignment?(node)
               return replace(node.loc.expression, '"sanitized"')
@@ -249,6 +246,30 @@ module Dependabot
             end
           end
 
+          def node_includes_heredoc?(node)
+            find_heredoc_end_range(node)
+          end
+
+          # Performs a depth-first search for the first heredoc in the given
+          # Parser::AST::Node.
+          #
+          # Returns a Parser::Source::Range identifying the location of the end
+          #   of the heredoc, or nil if no heredoc was found.
+          def find_heredoc_end_range(node)
+            return unless node.is_a?(Parser::AST::Node)
+
+            node.children.each do |child|
+              next unless child.is_a?(Parser::AST::Node)
+
+              return child.location.heredoc_end if child.location.respond_to?(:heredoc_end)
+
+              range = find_heredoc_end_range(child)
+              return range if range
+            end
+
+            nil
+          end
+
           def unnecessary_assignment?(node)
             return false unless node.is_a?(Parser::AST::Node)
             return false unless node.children.first.is_a?(Parser::AST::Node)

data/lib/dependabot/bundler/file_updater/lockfile_updater.rb

@@ -6,6 +6,7 @@ require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/bundler/file_updater"
 require "dependabot/bundler/native_helpers"
+require "dependabot/bundler/helpers"
 
 module Dependabot
   module Bundler
@@ -64,8 +65,8 @@ module Dependabot
             ) do |tmp_dir|
               write_temporary_dependency_files
 
-              SharedHelpers.run_helper_subprocess(
-                command: NativeHelpers.helper_path,
+              NativeHelpers.run_bundler_subprocess(
+                bundler_version: bundler_version,
                 function: "update_lockfile",
                 args: {
                   gemfile_name: gemfile.name,
@@ -301,6 +302,10 @@ module Dependabot
 
           lockfile.content.match?(/BUNDLED WITH\s+2/m)
         end
+
+        def bundler_version
+          @bundler_version ||= Helpers.bundler_version(lockfile)
+        end
       end
     end
   end

data/lib/dependabot/bundler/helpers.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module Bundler
+    module Helpers
+      V1 = "1"
+      V2 = "2"
+
+      # TODO: Add support for bundler v2
+      # return "v2" if lockfile.content.match?(/BUNDLED WITH\s+2/m)
+      def self.bundler_version(_lockfile)
+        V1
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/native_helpers.rb

@@ -1,10 +1,37 @@
 # frozen_string_literal: true
 
+require "bundler"
+require "dependabot/shared_helpers"
+
 module Dependabot
   module Bundler
     module NativeHelpers
-      def self.helper_path
-        "bundle exec ruby #{File.join(native_helpers_root, 'run.rb')}"
+      def self.run_bundler_subprocess(function:, args:, bundler_version:)
+        # Run helper suprocess with all bundler-related ENV variables removed
+        ::Bundler.with_original_env do
+          SharedHelpers.run_helper_subprocess(
+            command: helper_path(bundler_version: bundler_version),
+            function: function,
+            args: args,
+            env: {
+              # Bundler will pick the matching installed major version
+              "BUNDLER_VERSION" => bundler_version,
+              "BUNDLE_GEMFILE" => File.join(versioned_helper_path(bundler_version: bundler_version), "Gemfile"),
+              "BUNDLE_PATH" => File.join(versioned_helper_path(bundler_version: bundler_version), ".bundle"),
+              # Prevent the GEM_HOME from being set to a folder owned by root
+              "GEM_HOME" => File.join(versioned_helper_path(bundler_version: bundler_version), ".bundle")
+            }
+          )
+        end
+      end
+
+      def self.versioned_helper_path(bundler_version:)
+        native_helper_version = "v#{bundler_version}"
+        File.join(native_helpers_root, native_helper_version)
+      end
+
+      def self.helper_path(bundler_version:)
+        "ruby #{File.join(versioned_helper_path(bundler_version: bundler_version), 'run.rb')}"
       end
 
       def self.native_helpers_root

data/lib/dependabot/bundler/update_checker/conflicting_dependency_resolver.rb

@@ -2,6 +2,7 @@
 
 require "dependabot/bundler/update_checker"
 require "dependabot/bundler/native_helpers"
+require "dependabot/bundler/helpers"
 require "dependabot/shared_helpers"
 
 module Dependabot
@@ -28,8 +29,8 @@ module Dependabot
         #   * requirement [String] the requirement on the target_dependency
         def conflicting_dependencies(dependency:, target_version:)
           in_a_native_bundler_context(error_handling: false) do |tmp_dir|
-            SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
+            NativeHelpers.run_bundler_subprocess(
+              bundler_version: bundler_version,
               function: "conflicting_dependencies",
               args: {
                 dir: tmp_dir,
@@ -42,6 +43,12 @@ module Dependabot
             )
           end
         end
+
+        private
+
+        def bundler_version
+          @bundler_version ||= Helpers.bundler_version(lockfile)
+        end
       end
     end
   end

data/lib/dependabot/bundler/update_checker/force_updater.rb

@@ -3,6 +3,7 @@
 require "dependabot/bundler/file_parser"
 require "dependabot/bundler/file_updater/lockfile_updater"
 require "dependabot/bundler/native_helpers"
+require "dependabot/bundler/helpers"
 require "dependabot/bundler/update_checker"
 require "dependabot/bundler/update_checker/requirements_updater"
 require "dependabot/errors"
@@ -43,8 +44,8 @@ module Dependabot
 
         def force_update
           in_a_native_bundler_context(error_handling: false) do |tmp_dir|
-            updated_deps, specs = SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
+            updated_deps, specs = NativeHelpers.run_bundler_subprocess(
+              bundler_version: bundler_version,
               function: "force_update",
               args: {
                 dir: tmp_dir,
@@ -146,6 +147,10 @@ module Dependabot
 
           lockfile.content.match?(/BUNDLED WITH\s+2/m)
         end
+
+        def bundler_version
+          @bundler_version ||= Helpers.bundler_version(lockfile)
+        end
       end
     end
   end

data/lib/dependabot/bundler/update_checker/latest_version_finder/dependency_source.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "dependabot/bundler/native_helpers"
+require "dependabot/bundler/helpers"
+
 module Dependabot
   module Bundler
     class UpdateChecker
@@ -53,8 +56,8 @@ module Dependabot
 
             SharedHelpers.with_git_configured(credentials: credentials) do
               in_a_native_bundler_context do |tmp_dir|
-                SharedHelpers.run_helper_subprocess(
-                  command: NativeHelpers.helper_path,
+                NativeHelpers.run_bundler_subprocess(
+                  bundler_version: bundler_version,
                   function: "depencency_source_latest_git_version",
                   args: {
                     dir: tmp_dir,
@@ -98,8 +101,8 @@ module Dependabot
           def private_registry_versions
             @private_registry_versions ||=
               in_a_native_bundler_context do |tmp_dir|
-                SharedHelpers.run_helper_subprocess(
-                  command: NativeHelpers.helper_path,
+                NativeHelpers.run_bundler_subprocess(
+                  bundler_version: bundler_version,
                   function: "private_registry_versions",
                   args: {
                     dir: tmp_dir,
@@ -118,8 +121,8 @@ module Dependabot
             return @source_type = RUBYGEMS unless gemfile
 
             @source_type = in_a_native_bundler_context do |tmp_dir|
-              SharedHelpers.run_helper_subprocess(
-                command: NativeHelpers.helper_path,
+              NativeHelpers.run_bundler_subprocess(
+                bundler_version: bundler_version,
                 function: "dependency_source_type",
                 args: {
                   dir: tmp_dir,
@@ -135,6 +138,15 @@ module Dependabot
             dependency_files.find { |f| f.name == "Gemfile" } ||
               dependency_files.find { |f| f.name == "gems.rb" }
           end
+
+          def lockfile
+            dependency_files.find { |f| f.name == "Gemfile.lock" } ||
+              dependency_files.find { |f| f.name == "gems.locked" }
+          end
+
+          def bundler_version
+            @bundler_version ||= Helpers.bundler_version(lockfile)
+          end
         end
       end
     end

data/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb

@@ -4,6 +4,7 @@ require "excon"
 
 require "dependabot/bundler/update_checker"
 require "dependabot/bundler/native_helpers"
+require "dependabot/bundler/helpers"
 require "dependabot/shared_helpers"
 require "dependabot/errors"
 
@@ -163,8 +164,8 @@ module Dependabot
 
         def inaccessible_git_dependencies
           in_a_native_bundler_context(error_handling: false) do |tmp_dir|
-            git_specs = SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
+            git_specs = NativeHelpers.run_bundler_subprocess(
+              bundler_version: bundler_version,
               function: "git_specs",
               args: {
                 dir: tmp_dir,
@@ -187,8 +188,8 @@ module Dependabot
 
         def jfrog_source
           in_a_native_bundler_context(error_handling: false) do |dir|
-            SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
+            NativeHelpers.run_bundler_subprocess(
+              bundler_version: bundler_version,
               function: "jfrog_source",
               args: {
                 dir: dir,
@@ -236,6 +237,10 @@ module Dependabot
 
           lockfile.content.match?(/BUNDLED WITH\s+2/m)
         end
+
+        def bundler_version
+          @bundler_version ||= Helpers.bundler_version(lockfile)
+        end
       end
     end
   end

data/lib/dependabot/bundler/update_checker/version_resolver.rb

@@ -2,6 +2,7 @@
 
 require "excon"
 
+require "dependabot/bundler/helpers"
 require "dependabot/bundler/update_checker"
 require "dependabot/bundler/file_updater/lockfile_updater"
 require "dependabot/bundler/requirement"
@@ -75,8 +76,8 @@ module Dependabot
             # some errors we want to handle specifically ourselves, including
             # potentially retrying in the case of the Ruby version being locked
             in_a_native_bundler_context(error_handling: false) do |tmp_dir|
-              details =  SharedHelpers.run_helper_subprocess(
-                command: NativeHelpers.helper_path,
+              details = NativeHelpers.run_bundler_subprocess(
+                bundler_version: bundler_version,
                 function: "resolve_version",
                 args: {
                   dependency_name: dependency.name,
@@ -218,6 +219,10 @@ module Dependabot
 
           lockfile.content.match?(/BUNDLED WITH\s+2/m)
         end
+
+        def bundler_version
+          @bundler_version ||= Helpers.bundler_version(lockfile)
+        end
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.134.2
+  version: 0.137.2
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-03 00:00:00.000000000 Z
+date: 2021-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.134.2
+        version: 0.137.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.134.2
+        version: 0.137.2
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -185,18 +185,27 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- helpers/build
-- helpers/lib/functions.rb
-- helpers/lib/functions/conflicting_dependency_resolver.rb
-- helpers/lib/functions/dependency_source.rb
-- helpers/lib/functions/file_parser.rb
-- helpers/lib/functions/force_updater.rb
-- helpers/lib/functions/lockfile_updater.rb
-- helpers/lib/functions/version_resolver.rb
-- helpers/monkey_patches/definition_bundler_version_patch.rb
-- helpers/monkey_patches/definition_ruby_version_patch.rb
-- helpers/monkey_patches/git_source_patch.rb
-- helpers/run.rb
+- helpers/v1/.bundle/config
+- helpers/v1/.gitignore
+- helpers/v1/Gemfile
+- helpers/v1/build
+- helpers/v1/lib/functions.rb
+- helpers/v1/lib/functions/conflicting_dependency_resolver.rb
+- helpers/v1/lib/functions/dependency_source.rb
+- helpers/v1/lib/functions/file_parser.rb
+- helpers/v1/lib/functions/force_updater.rb
+- helpers/v1/lib/functions/lockfile_updater.rb
+- helpers/v1/lib/functions/version_resolver.rb
+- helpers/v1/monkey_patches/definition_bundler_version_patch.rb
+- helpers/v1/monkey_patches/definition_ruby_version_patch.rb
+- helpers/v1/monkey_patches/git_source_patch.rb
+- helpers/v1/run.rb
+- helpers/v1/spec/functions/conflicting_dependency_resolver_spec.rb
+- helpers/v1/spec/functions/dependency_source_spec.rb
+- helpers/v1/spec/functions/file_parser_spec.rb
+- helpers/v1/spec/functions/version_resolver_spec.rb
+- helpers/v1/spec/native_spec_helper.rb
+- helpers/v1/spec/shared_contexts.rb
 - lib/dependabot/bundler.rb
 - lib/dependabot/bundler/file_fetcher.rb
 - lib/dependabot/bundler/file_fetcher/child_gemfile_finder.rb
@@ -216,6 +225,7 @@ files:
 - lib/dependabot/bundler/file_updater/lockfile_updater.rb
 - lib/dependabot/bundler/file_updater/requirement_replacer.rb
 - lib/dependabot/bundler/file_updater/ruby_requirement_setter.rb
+- lib/dependabot/bundler/helpers.rb
 - lib/dependabot/bundler/metadata_finder.rb
 - lib/dependabot/bundler/native_helpers.rb
 - lib/dependabot/bundler/requirement.rb