dependabot-bundler 0.136.0 → 0.138.1

data/helpers/v1/spec/native_spec_helper.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "rspec/its"
+require "webmock/rspec"
+require "byebug"
+
+$LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
+$LOAD_PATH.unshift(File.expand_path("../monkey_patches", __dir__))
+
+# Bundler monkey patches
+require "definition_ruby_version_patch"
+require "definition_bundler_version_patch"
+require "git_source_patch"
+
+require "functions"
+
+RSpec.configure do |config|
+  config.color = true
+  config.order = :rand
+  config.mock_with(:rspec) { |mocks| mocks.verify_partial_doubles = true }
+  config.raise_errors_for_deprecations!
+end
+
+# Duplicated in lib/dependabot/bundler/file_updater/lockfile_updater.rb
+# TODO: Stop sanitizing the lockfile once we have bundler 2 installed
+LOCKFILE_ENDING = /(?<ending>\s*(?:RUBY VERSION|BUNDLED WITH).*)/m.freeze
+
+def project_dependency_files(project)
+  project_path = File.expand_path(File.join("../../spec/fixtures/projects/bundler1", project))
+  Dir.chdir(project_path) do
+    # NOTE: Include dotfiles (e.g. .npmrc)
+    files = Dir.glob("**/*", File::FNM_DOTMATCH)
+    files = files.select { |f| File.file?(f) }
+    files.map do |filename|
+      content = File.read(filename)
+      if filename == "Gemfile.lock"
+        content = content.gsub(LOCKFILE_ENDING, "")
+      end
+      {
+        name: filename,
+        content: content
+      }
+    end
+  end
+end
+
+def fixture(*name)
+  File.read(File.join("../../spec/fixtures", File.join(*name)))
+end

data/helpers/v1/spec/shared_contexts.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "bundler/compact_index_client"
+require "bundler/compact_index_client/updater"
+
+TMP_DIR_PATH = File.expand_path("../tmp", __dir__)
+
+RSpec.shared_context "in a temporary bundler directory" do
+  let(:project_name) { "gemfile" }
+
+  let(:tmp_path) do
+    Dir.mkdir(TMP_DIR_PATH) unless Dir.exist?(TMP_DIR_PATH)
+    dir = Dir.mktmpdir("native_helper_spec_", TMP_DIR_PATH)
+    Pathname.new(dir).expand_path
+  end
+
+  before do
+    project_dependency_files(project_name).each do |file|
+      File.write(File.join(tmp_path, file[:name]), file[:content])
+    end
+  end
+
+  def in_tmp_folder(&block)
+    Dir.chdir(tmp_path, &block)
+  end
+end
+
+RSpec.shared_context "without caching rubygems" do
+  before do
+    # Stub Bundler to stop it using a cached versions of Rubygems
+    allow_any_instance_of(Bundler::CompactIndexClient::Updater).
+      to receive(:etag_for).and_return("")
+  end
+end
+
+RSpec.shared_context "stub rubygems compact index" do
+  include_context "without caching rubygems"
+
+  before do
+    # Stub the Rubygems index
+    stub_request(:get, "https://index.rubygems.org/versions").
+      to_return(
+        status: 200,
+        body: fixture("ruby", "rubygems_responses", "index")
+      )
+
+    # Stub the Rubygems response for each dependency we have a fixture for
+    fixtures =
+      Dir[File.join("../../spec", "fixtures", "ruby", "rubygems_responses", "info-*")]
+    fixtures.each do |path|
+      dep_name = path.split("/").last.gsub("info-", "")
+      stub_request(:get, "https://index.rubygems.org/info/#{dep_name}").
+        to_return(
+          status: 200,
+          body: fixture("ruby", "rubygems_responses", "info-#{dep_name}")
+        )
+    end
+  end
+end

data/helpers/v2/.bundle/config

@@ -0,0 +1,2 @@
+---
+BUNDLE_PATH: ".bundle"

data/helpers/v2/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/*
+!/.bundle/config
+/.env
+/tmp
+/dependabot-*.gem
+Gemfile.lock
+spec/fixtures/projects/*/.bundle/
+!spec/fixtures/projects/**/Gemfile.lock
+!spec/fixtures/projects/**/vendor

data/helpers/v2/Gemfile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# NOTE: Used to run native helper specs
+group :test do
+  gem "byebug", "11.1.3"
+  gem "rspec", "3.10.0"
+  gem "rspec-its", "1.3.0"
+  gem "vcr", "6.0.0"
+  gem "webmock", "3.12.1"
+end

data/helpers/v2/build

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+install_dir=$1
+if [ -z "$install_dir" ]; then
+  echo "usage: $0 INSTALL_DIR"
+  exit 1
+fi
+
+helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
+cp -r \
+  "$helpers_dir/.bundle" \
+  "$helpers_dir/lib" \
+  "$helpers_dir/run.rb" \
+  "$helpers_dir/Gemfile" \
+  "$install_dir"
+
+cd "$install_dir"
+
+# NOTE: Sets `BUNDLED WITH` to match the installed v1 version in Gemfile.lock
+# forcing specs and native helpers to run with the same version
+BUNDLER_VERSION=2 bundle install

data/helpers/v2/lib/functions.rb

@@ -0,0 +1,67 @@
+module Functions
+  class NotImplementedError < StandardError; end
+
+  def self.parsed_gemfile(lockfile_name:, gemfile_name:, dir:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.parsed_gemspec(lockfile_name:, gemspec_name:, dir:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.vendor_cache_dir(dir:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.update_lockfile(dir:, gemfile_name:, lockfile_name:, using_bundler2:,
+                           credentials:, dependencies:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.force_update(dir:, dependency_name:, target_version:, gemfile_name:,
+                        lockfile_name:, using_bundler2:, credentials:,
+                        update_multiple_dependencies:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.dependency_source_type(gemfile_name:, dependency_name:, dir:,
+                                  credentials:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.depencency_source_latest_git_version(gemfile_name:, dependency_name:,
+                                                dir:, credentials:,
+                                                dependency_source_url:,
+                                                dependency_source_branch:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.private_registry_versions(gemfile_name:, dependency_name:, dir:,
+                                     credentials:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.resolve_version(dependency_name:, dependency_requirements:,
+                           gemfile_name:, lockfile_name:, using_bundler2:,
+                           dir:, credentials:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.jfrog_source(dir:, gemfile_name:, credentials:, using_bundler2:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.git_specs(dir:, gemfile_name:, credentials:, using_bundler2:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.set_bundler_flags_and_credentials(dir:, credentials:,
+                                             using_bundler2:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+
+  def self.conflicting_dependencies(dir:, dependency_name:, target_version:,
+                                    lockfile_name:, using_bundler2:, credentials:)
+    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+  end
+end

data/helpers/v2/run.rb

@@ -0,0 +1,30 @@
+require "bundler"
+require "json"
+
+$LOAD_PATH.unshift(File.expand_path("./lib", __dir__))
+$LOAD_PATH.unshift(File.expand_path("../v1/monkey_patches", __dir__))
+
+# Bundler monkey patches
+require "definition_ruby_version_patch"
+require "definition_bundler_version_patch"
+require "git_source_patch"
+
+require "functions"
+
+def output(obj)
+  print JSON.dump(obj)
+end
+
+begin
+  request = JSON.parse($stdin.read)
+
+  function = request["function"]
+  args = request["args"].transform_keys(&:to_sym)
+
+  output({ result: Functions.send(function, **args) })
+rescue => error
+  output(
+    { error: error.message, error_class: error.class, trace: error.backtrace }
+  )
+  exit(1)
+end

data/helpers/v2/spec/functions_spec.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+
+RSpec.describe Functions do
+  # Verify v1 method signatures are exist, but raise as NYI
+  {
+    parsed_gemfile: [ :lockfile_name, :gemfile_name, :dir ],
+    parsed_gemspec: [ :lockfile_name, :gemspec_name, :dir ],
+    vendor_cache_dir: [ :dir ],
+    update_lockfile: [ :dir, :gemfile_name, :lockfile_name, :using_bundler2, :credentials, :dependencies ],
+    force_update: [ :dir, :dependency_name, :target_version, :gemfile_name, :lockfile_name, :using_bundler2,
+                    :credentials, :update_multiple_dependencies ],
+    dependency_source_type: [ :gemfile_name, :dependency_name, :dir, :credentials ],
+    depencency_source_latest_git_version: [ :gemfile_name, :dependency_name, :dir, :credentials, :dependency_source_url,
+                                            :dependency_source_branch  ],
+    private_registry_versions: [:gemfile_name, :dependency_name, :dir, :credentials ],
+    resolve_version: [:dependency_name, :dependency_requirements, :gemfile_name, :lockfile_name, :using_bundler2,
+                      :dir, :credentials],
+    jfrog_source: [:dir, :gemfile_name, :credentials, :using_bundler2],
+    git_specs: [:dir, :gemfile_name, :credentials, :using_bundler2],
+    set_bundler_flags_and_credentials: [:dir, :credentials, :using_bundler2],
+    conflicting_dependencies: [:dir, :dependency_name, :target_version, :lockfile_name, :using_bundler2, :credentials]
+  }.each do |function, kwargs|
+    describe "::#{function}" do
+      let(:args) do
+        kwargs.inject({}) do |args, keyword|
+          args.merge({ keyword => anything })
+        end
+      end
+
+      it "raises a NYI" do
+        expect { Functions.send(function, **args) }.to raise_error(Functions::NotImplementedError)
+      end
+    end
+  end
+end

data/helpers/v2/spec/native_spec_helper.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "rspec/its"
+require "webmock/rspec"
+require "byebug"
+
+$LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
+# TODO: Fork `v1/monkey_patches` into `v2/monkey_patches` ?
+$LOAD_PATH.unshift(File.expand_path("../../v1/monkey_patches", __dir__))
+
+# Bundler monkey patches
+require "definition_ruby_version_patch"
+require "definition_bundler_version_patch"
+require "git_source_patch"
+
+require "functions"
+
+RSpec.configure do |config|
+  config.color = true
+  config.order = :rand
+  config.mock_with(:rspec) { |mocks| mocks.verify_partial_doubles = true }
+  config.raise_errors_for_deprecations!
+end
+
+# Duplicated in lib/dependabot/bundler/file_updater/lockfile_updater.rb
+# TODO: Stop sanitizing the lockfile once we have bundler 2 installed
+LOCKFILE_ENDING = /(?<ending>\s*(?:RUBY VERSION|BUNDLED WITH).*)/m.freeze
+
+def project_dependency_files(project)
+  project_path = File.expand_path(File.join("../../spec/fixtures/projects/bundler1", project))
+  Dir.chdir(project_path) do
+    # NOTE: Include dotfiles (e.g. .npmrc)
+    files = Dir.glob("**/*", File::FNM_DOTMATCH)
+    files = files.select { |f| File.file?(f) }
+    files.map do |filename|
+      content = File.read(filename)
+      if filename == "Gemfile.lock"
+        content = content.gsub(LOCKFILE_ENDING, "")
+      end
+      {
+        name: filename,
+        content: content
+      }
+    end
+  end
+end
+
+def fixture(*name)
+  File.read(File.join("../../spec/fixtures", File.join(*name)))
+end

data/lib/dependabot/bundler/file_parser.rb

@@ -23,6 +23,7 @@ module Dependabot
         dependency_set += gemspec_dependencies
         dependency_set += lockfile_dependencies
         check_external_code(dependency_set.dependencies)
+        instrument_package_manager_version
         dependency_set.dependencies
       end
 
@@ -42,6 +43,17 @@ module Dependabot
         end
       end
 
+      def instrument_package_manager_version
+        version = Helpers.detected_bundler_version(lockfile)
+        Dependabot.instrument(
+          Notifications::FILE_PARSER_PACKAGE_MANAGER_VERSION_PARSED,
+          ecosystem: "bundler",
+          package_managers: {
+            "bundler" => version
+          }
+        )
+      end
+
       def gemfile_dependencies
         dependencies = DependencySet.new
 
@@ -301,7 +313,7 @@ module Dependabot
       end
 
       def bundler_version
-        @bundler_version ||= Helpers.bundler_version(lockfile)
+        @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
       end
     end
   end

data/lib/dependabot/bundler/file_updater.rb

@@ -151,7 +151,8 @@ module Dependabot
             dependencies: dependencies,
             dependency_files: dependency_files,
             repo_contents_path: repo_contents_path,
-            credentials: credentials
+            credentials: credentials,
+            options: options
           ).updated_lockfile_content
       end
 
@@ -162,7 +163,7 @@ module Dependabot
       end
 
       def bundler_version
-        @bundler_version ||= Helpers.bundler_version(lockfile)
+        @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
       end
     end
   end

data/lib/dependabot/bundler/file_updater/lockfile_updater.rb

@@ -33,11 +33,12 @@ module Dependabot
         end
 
         def initialize(dependencies:, dependency_files:,
-                       repo_contents_path: nil, credentials:)
+                       repo_contents_path: nil, credentials:, options:)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @repo_contents_path = repo_contents_path
           @credentials = credentials
+          @options = options
         end
 
         def updated_lockfile_content
@@ -54,7 +55,7 @@ module Dependabot
         private
 
         attr_reader :dependencies, :dependency_files, :repo_contents_path,
-                    :credentials
+                    :credentials, :options
 
         def build_updated_lockfile
           base_dir = dependency_files.first.directory
@@ -304,7 +305,7 @@ module Dependabot
         end
 
         def bundler_version
-          @bundler_version ||= Helpers.bundler_version(lockfile)
+          @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
         end
       end
     end

data/lib/dependabot/bundler/helpers.rb

@@ -6,9 +6,21 @@ module Dependabot
       V1 = "1"
       V2 = "2"
 
-      # TODO: Add support for bundler v2
-      # return "v2" if lockfile.content.match?(/BUNDLED WITH\s+2/m)
-      def self.bundler_version(_lockfile)
+      # NOTE: options is a manditory argument to ensure we pass it from all calling classes
+      def self.bundler_version(_lockfile, options:)
+        # For now, force V2 if bundler_2_available
+        return V2 if options[:bundler_2_available]
+
+        # TODO: Add support for bundler v2 based on lockfile
+        # return V2 if lockfile.content.match?(/BUNDLED WITH\s+2/m)
+
+        V1
+      end
+
+      def self.detected_bundler_version(lockfile)
+        return "unknown" unless lockfile
+        return V2 if lockfile.content.match?(/BUNDLED WITH\s+2/m)
+
         V1
       end
     end