dependabot-bundler 0.137.1 → 0.138.3

data/helpers/v2/monkey_patches/git_source_patch.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "bundler/source"
+
+module Bundler
+  class Source
+    class Git
+      class GitProxy
+        private
+
+        # Bundler allows ssh authentication when talking to GitHub but there's
+        # no way for Dependabot to do so (it doesn't have any ssh keys).
+        # Instead, we convert all `git@github.com:` URLs to use HTTPS.
+        def configured_uri_for(uri)
+          uri = uri.gsub(%r{git@(.*?):/?}, 'https://\1/')
+          if /https?:/ =~ uri
+            remote = Bundler::URI(uri)
+            config_auth = Bundler.settings[remote.to_s] || Bundler.settings[remote.host]
+            remote.userinfo ||= config_auth
+            remote.to_s
+          else
+            uri
+          end
+        end
+      end
+    end
+  end
+end
+
+module Bundler
+  class Source
+    class Git < Path
+      private
+
+      def serialize_gemspecs_in(destination)
+        original_load_paths = $LOAD_PATH.dup
+        reduced_load_paths = original_load_paths.
+                             reject { |p| p.include?("/gems/") }
+
+        $LOAD_PATH.shift until $LOAD_PATH.empty?
+        reduced_load_paths.each { |p| $LOAD_PATH << p }
+
+        if destination.relative?
+          destination = destination.expand_path(Bundler.root)
+        end
+        Dir["#{destination}/#{@glob}"].each do |spec_path|
+          # Evaluate gemspecs and cache the result. Gemspecs
+          # in git might require git or other dependencies.
+          # The gemspecs we cache should already be evaluated.
+          spec = Bundler.load_gemspec(spec_path)
+          next unless spec
+
+          Bundler.rubygems.set_installed_by_version(spec)
+          Bundler.rubygems.validate(spec)
+          File.open(spec_path, "wb") { |file| file.write(spec.to_ruby) }
+        end
+        $LOAD_PATH.shift until $LOAD_PATH.empty?
+        original_load_paths.each { |p| $LOAD_PATH << p }
+      end
+    end
+  end
+end

data/helpers/v2/run.rb

@@ -0,0 +1,44 @@
+require "bundler"
+require "json"
+
+$LOAD_PATH.unshift(File.expand_path("./lib", __dir__))
+$LOAD_PATH.unshift(File.expand_path("../v1/monkey_patches", __dir__))
+
+# Bundler monkey patches
+require "definition_ruby_version_patch"
+require "definition_bundler_version_patch"
+require "git_source_patch"
+
+require "functions"
+
+MIN_BUNDLER_VERSION = "2.0.0"
+
+def validate_bundler_version!
+  return true if correct_bundler_version?
+
+  raise StandardError, "Called with Bundler '#{Bundler::VERSION}', expected >= '#{MIN_BUNDLER_VERSION}'"
+end
+
+def correct_bundler_version?
+  Gem::Version.new(Bundler::VERSION) >= Gem::Version.new(MIN_BUNDLER_VERSION)
+end
+
+def output(obj)
+  print JSON.dump(obj)
+end
+
+begin
+  validate_bundler_version!
+
+  request = JSON.parse($stdin.read)
+
+  function = request["function"]
+  args = request["args"].transform_keys(&:to_sym)
+
+  output({ result: Functions.send(function, **args) })
+rescue => error
+  output(
+    { error: error.message, error_class: error.class, trace: error.backtrace }
+  )
+  exit(1)
+end

data/helpers/v2/spec/functions/conflicting_dependency_resolver_spec.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::ConflictingDependencyResolver do
+  include_context "in a temporary bundler directory"
+
+  let(:conflicting_dependency_resolver) do
+    described_class.new(
+      dependency_name: dependency_name,
+      target_version: target_version,
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:dependency_name) { "dummy-pkg-a" }
+  let(:target_version) { "2.0.0" }
+
+  let(:project_name) { "blocked_by_subdep" }
+
+  describe "#conflicting_dependencies" do
+    subject(:conflicting_dependencies) do
+      in_tmp_folder { conflicting_dependency_resolver.conflicting_dependencies }
+    end
+
+    it "returns a list of dependencies that block the update" do
+      expect(conflicting_dependencies).to eq(
+        [{
+          "explanation" => "dummy-pkg-b (1.0.0) requires dummy-pkg-a (< 2.0.0)",
+          "name" => "dummy-pkg-b",
+          "version" => "1.0.0",
+          "requirement" => "< 2.0.0"
+        }]
+      )
+    end
+
+    context "for nested transitive dependencies" do
+      let(:project_name) { "transitive_blocking" }
+      let(:dependency_name) { "activesupport" }
+      let(:target_version) { "6.0.0" }
+
+      it "returns a list of dependencies that block the update" do
+        expect(conflicting_dependencies).to match_array(
+          [
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0)",
+              "name" => "rails",
+              "requirement" => "= 5.2.0",
+              "version" => "5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionpack (5.2.0)",
+              "name" => "actionpack",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionview (5.2.0)",
+              "name" => "actionview",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activejob (5.2.0)",
+              "name" => "activejob",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activemodel (5.2.0)",
+              "name" => "activemodel",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activerecord (5.2.0)",
+              "name" => "activerecord",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via railties (5.2.0)",
+              "name" => "railties",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            }
+          ]
+        )
+      end
+    end
+
+    context "with multiple blocking dependencies" do
+      let(:dependency_name) { "activesupport" }
+      let(:current_version) { "5.0.0" }
+      let(:target_version) { "6.0.0" }
+      let(:project_name) { "multiple_blocking" }
+
+      it "returns all of the blocking dependencies" do
+        expect(conflicting_dependencies).to match_array(
+          [
+            {
+              "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via actionpack (5.0.0)",
+              "name" => "actionpack",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            },
+            {
+              "explanation" => "actionview (5.0.0) requires activesupport (= 5.0.0)",
+              "name" => "actionview",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            },
+            {
+              "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via activejob (5.0.0)",
+              "name" => "activejob",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            }
+          ]
+        )
+      end
+    end
+
+    context "without any blocking dependencies" do
+      let(:target_version) { "1.0.0" }
+
+      it "returns an empty list" do
+        expect(conflicting_dependencies).to eq([])
+      end
+    end
+  end
+end

data/helpers/v2/spec/functions/file_parser_spec.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::FileParser do
+  include_context "in a temporary bundler directory"
+
+  let(:dependency_source) do
+    described_class.new(
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:project_name) { "gemfile" }
+
+  describe "#parsed_gemfile" do
+    subject(:parsed_gemfile) do
+      in_tmp_folder do
+        dependency_source.parsed_gemfile(gemfile_name: "Gemfile")
+      end
+    end
+
+    it "parses gemfile" do
+      parsed_gemfile = [
+        {
+          groups: [:default],
+          name: "business",
+          requirement: Gem::Requirement.new("~> 1.4.0"),
+          source: nil,
+          type: :runtime
+        },
+        {
+          groups: [:default],
+          name: "statesman",
+          requirement: Gem::Requirement.new("~> 1.2.0"),
+          source: nil,
+          type: :runtime
+        }
+      ]
+      is_expected.to eq(parsed_gemfile)
+    end
+
+    context "with a git source" do
+      let(:project_name) { "git_source" }
+
+      it "parses gemfile" do
+        parsed_gemfile = [
+          {
+            groups: [:default],
+            name: "business",
+            requirement: Gem::Requirement.new("~> 1.6.0"),
+            source: {
+              branch: "master",
+              ref: "a1b78a9",
+              type: "git",
+              url: "git@github.com:gocardless/business"
+            },
+            type: :runtime
+          },
+          {
+            groups: [:default],
+            name: "statesman",
+            requirement: Gem::Requirement.new("~> 1.2.0"),
+            source: nil,
+            type: :runtime
+          },
+          {
+            groups: [:default],
+            name: "prius",
+            requirement:  Gem::Requirement.new(">= 0"),
+            source: {
+              branch: "master",
+              ref: "master",
+              type: "git",
+              url: "https://github.com/gocardless/prius"
+            },
+            type: :runtime
+          },
+          {
+            groups: [:default],
+            name: "que",
+            requirement:  Gem::Requirement.new(">= 0"),
+            source: {
+              branch: "master",
+              ref: "v0.11.6",
+              type: "git",
+              url: "git@github.com:chanks/que"
+            },
+            type: :runtime
+          },
+          {
+            groups: [:default],
+            name: "uk_phone_numbers",
+            requirement:  Gem::Requirement.new(">= 0"),
+            source: {
+              branch: "master",
+              ref: "master",
+              type: "git",
+              url: "http://github.com/gocardless/uk_phone_numbers"
+            },
+            type: :runtime
+          }
+        ]
+        is_expected.to eq(parsed_gemfile)
+      end
+    end
+  end
+
+  describe "#parsed_gemspec" do
+    let!(:gemspec_fixture) do
+      fixture("ruby", "gemspecs", "exact")
+    end
+
+    subject(:parsed_gemspec) do
+      in_tmp_folder do |tmp_path|
+        File.write(File.join(tmp_path, "test.gemspec"), gemspec_fixture)
+        dependency_source.parsed_gemspec(gemspec_name: "test.gemspec")
+      end
+    end
+
+    it "parses gemspec" do
+      parsed_gemspec = [
+        {
+          groups: nil,
+          name: "business",
+          requirement: Gem::Requirement.new("= 1.0.0"),
+          source: nil,
+          type: :runtime
+        },
+        {
+          groups: nil,
+          name: "statesman",
+          requirement: Gem::Requirement.new("= 1.0.0"),
+          source: nil,
+          type: :runtime
+        }
+      ]
+      is_expected.to eq(parsed_gemspec)
+    end
+  end
+end

data/helpers/v2/spec/functions_spec.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+
+RSpec.describe Functions do
+  # Verify v1 method signatures are exist, but raise as NYI
+  {
+    vendor_cache_dir: [ :dir ],
+    update_lockfile: [ :dir, :gemfile_name, :lockfile_name, :using_bundler2, :credentials, :dependencies ],
+    force_update: [ :dir, :dependency_name, :target_version, :gemfile_name, :lockfile_name, :using_bundler2,
+                    :credentials, :update_multiple_dependencies ],
+    dependency_source_type: [ :gemfile_name, :dependency_name, :dir, :credentials ],
+    depencency_source_latest_git_version: [ :gemfile_name, :dependency_name, :dir, :credentials, :dependency_source_url,
+                                            :dependency_source_branch  ],
+    private_registry_versions: [:gemfile_name, :dependency_name, :dir, :credentials ],
+    resolve_version: [:dependency_name, :dependency_requirements, :gemfile_name, :lockfile_name, :using_bundler2,
+                      :dir, :credentials],
+    jfrog_source: [:dir, :gemfile_name, :credentials, :using_bundler2],
+    git_specs: [:dir, :gemfile_name, :credentials, :using_bundler2],
+  }.each do |function, kwargs|
+    describe "::#{function}" do
+      let(:args) do
+        kwargs.inject({}) do |args, keyword|
+          args.merge({ keyword => anything })
+        end
+      end
+
+      it "raises a NYI" do
+        expect { Functions.send(function, **args) }.to raise_error(Functions::NotImplementedError)
+      end
+    end
+  end
+end

data/helpers/v2/spec/native_spec_helper.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "rspec/its"
+require "webmock/rspec"
+require "byebug"
+
+$LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
+$LOAD_PATH.unshift(File.expand_path("../monkey_patches", __dir__))
+
+# Bundler monkey patches
+require "definition_ruby_version_patch"
+require "definition_bundler_version_patch"
+require "git_source_patch"
+
+require "functions"
+
+RSpec.configure do |config|
+  config.color = true
+  config.order = :rand
+  config.mock_with(:rspec) { |mocks| mocks.verify_partial_doubles = true }
+  config.raise_errors_for_deprecations!
+end
+
+# Duplicated in lib/dependabot/bundler/file_updater/lockfile_updater.rb
+# TODO: Stop sanitizing the lockfile once we have bundler 2 installed
+LOCKFILE_ENDING = /(?<ending>\s*(?:RUBY VERSION|BUNDLED WITH).*)/m.freeze
+
+def project_dependency_files(project)
+  project_path = File.expand_path(File.join("../../spec/fixtures/projects/bundler1", project))
+  Dir.chdir(project_path) do
+    # NOTE: Include dotfiles (e.g. .npmrc)
+    files = Dir.glob("**/*", File::FNM_DOTMATCH)
+    files = files.select { |f| File.file?(f) }
+    files.map do |filename|
+      content = File.read(filename)
+      if filename == "Gemfile.lock"
+        content = content.gsub(LOCKFILE_ENDING, "")
+      end
+      {
+        name: filename,
+        content: content
+      }
+    end
+  end
+end
+
+def fixture(*name)
+  File.read(File.join("../../spec/fixtures", File.join(*name)))
+end