dependabot-bundler 0.137.1 → 0.138.3

data/helpers/v2/spec/shared_contexts.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require "tmpdir"
+require "bundler/compact_index_client"
+require "bundler/compact_index_client/updater"
+
+TMP_DIR_PATH = File.expand_path("../tmp", __dir__)
+
+RSpec.shared_context "in a temporary bundler directory" do
+  let(:project_name) { "gemfile" }
+
+  let(:tmp_path) do
+    Dir.mkdir(TMP_DIR_PATH) unless Dir.exist?(TMP_DIR_PATH)
+    dir = Dir.mktmpdir("native_helper_spec_", TMP_DIR_PATH)
+    Pathname.new(dir).expand_path
+  end
+
+  before do
+    project_dependency_files(project_name).each do |file|
+      File.write(File.join(tmp_path, file[:name]), file[:content])
+    end
+  end
+
+  def in_tmp_folder(&block)
+    Dir.chdir(tmp_path, &block)
+  end
+end
+
+RSpec.shared_context "without caching rubygems" do
+  before do
+    # Stub Bundler to stop it using a cached versions of Rubygems
+    allow_any_instance_of(Bundler::CompactIndexClient::Updater).
+      to receive(:etag_for).and_return("")
+  end
+end
+
+RSpec.shared_context "stub rubygems compact index" do
+  include_context "without caching rubygems"
+
+  before do
+    # Stub the Rubygems index
+    stub_request(:get, "https://index.rubygems.org/versions").
+      to_return(
+        status: 200,
+        body: fixture("ruby", "rubygems_responses", "index")
+      )
+
+    # Stub the Rubygems response for each dependency we have a fixture for
+    fixtures =
+      Dir[File.join("../../spec", "fixtures", "ruby", "rubygems_responses", "info-*")]
+    fixtures.each do |path|
+      dep_name = path.split("/").last.gsub("info-", "")
+      stub_request(:get, "https://index.rubygems.org/info/#{dep_name}").
+        to_return(
+          status: 200,
+          body: fixture("ruby", "rubygems_responses", "info-#{dep_name}")
+        )
+    end
+  end
+end

data/lib/dependabot/bundler/file_parser.rb

@@ -23,6 +23,7 @@ module Dependabot
         dependency_set += gemspec_dependencies
         dependency_set += lockfile_dependencies
         check_external_code(dependency_set.dependencies)
+        instrument_package_manager_version
         dependency_set.dependencies
       end
 
@@ -42,6 +43,17 @@ module Dependabot
         end
       end
 
+      def instrument_package_manager_version
+        version = Helpers.detected_bundler_version(lockfile)
+        Dependabot.instrument(
+          Notifications::FILE_PARSER_PACKAGE_MANAGER_VERSION_PARSED,
+          ecosystem: "bundler",
+          package_managers: {
+            "bundler" => version
+          }
+        )
+      end
+
       def gemfile_dependencies
         dependencies = DependencySet.new
 
@@ -301,7 +313,7 @@ module Dependabot
       end
 
       def bundler_version
-        @bundler_version ||= Helpers.bundler_version(lockfile)
+        @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
       end
     end
   end

data/lib/dependabot/bundler/file_updater.rb

@@ -151,7 +151,8 @@ module Dependabot
             dependencies: dependencies,
             dependency_files: dependency_files,
             repo_contents_path: repo_contents_path,
-            credentials: credentials
+            credentials: credentials,
+            options: options
           ).updated_lockfile_content
       end
 
@@ -162,7 +163,7 @@ module Dependabot
       end
 
       def bundler_version
-        @bundler_version ||= Helpers.bundler_version(lockfile)
+        @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
       end
     end
   end

data/lib/dependabot/bundler/file_updater/lockfile_updater.rb

@@ -33,11 +33,12 @@ module Dependabot
         end
 
         def initialize(dependencies:, dependency_files:,
-                       repo_contents_path: nil, credentials:)
+                       repo_contents_path: nil, credentials:, options:)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @repo_contents_path = repo_contents_path
           @credentials = credentials
+          @options = options
         end
 
         def updated_lockfile_content
@@ -54,7 +55,7 @@ module Dependabot
         private
 
         attr_reader :dependencies, :dependency_files, :repo_contents_path,
-                    :credentials
+                    :credentials, :options
 
         def build_updated_lockfile
           base_dir = dependency_files.first.directory
@@ -304,7 +305,7 @@ module Dependabot
         end
 
         def bundler_version
-          @bundler_version ||= Helpers.bundler_version(lockfile)
+          @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
         end
       end
     end

data/lib/dependabot/bundler/helpers.rb

@@ -6,9 +6,21 @@ module Dependabot
       V1 = "1"
       V2 = "2"
 
-      # TODO: Add support for bundler v2
-      # return "v2" if lockfile.content.match?(/BUNDLED WITH\s+2/m)
-      def self.bundler_version(_lockfile)
+      # NOTE: options is a manditory argument to ensure we pass it from all calling classes
+      def self.bundler_version(_lockfile, options:)
+        # For now, force V2 if bundler_2_available
+        return V2 if options[:bundler_2_available]
+
+        # TODO: Add support for bundler v2 based on lockfile
+        # return V2 if lockfile.content.match?(/BUNDLED WITH\s+2/m)
+
+        V1
+      end
+
+      def self.detected_bundler_version(lockfile)
+        return "unknown" unless lockfile
+        return V2 if lockfile.content.match?(/BUNDLED WITH\s+2/m)
+
         V1
       end
     end

data/lib/dependabot/bundler/native_helpers.rb

@@ -17,9 +17,16 @@ module Dependabot
               # Bundler will pick the matching installed major version
               "BUNDLER_VERSION" => bundler_version,
               "BUNDLE_GEMFILE" => File.join(versioned_helper_path(bundler_version: bundler_version), "Gemfile"),
-              "BUNDLE_PATH" => File.join(versioned_helper_path(bundler_version: bundler_version), ".bundle")
+              "BUNDLE_PATH" => File.join(versioned_helper_path(bundler_version: bundler_version), ".bundle"),
+              # Prevent the GEM_HOME from being set to a folder owned by root
+              "GEM_HOME" => File.join(versioned_helper_path(bundler_version: bundler_version), ".bundle")
             }
           )
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          # TODO: Remove once we stop stubbing out the V2 native helper
+          raise Dependabot::NotImplemented, e.message if e.error_class == "Functions::NotImplementedError"
+
+          raise
         end
       end
 

data/lib/dependabot/bundler/update_checker.rb

@@ -110,7 +110,8 @@ module Dependabot
         ConflictingDependencyResolver.new(
           dependency_files: dependency_files,
           repo_contents_path: repo_contents_path,
-          credentials: credentials
+          credentials: credentials,
+          options: options
         ).conflicting_dependencies(
           dependency: dependency,
           target_version: lowest_security_fix_version
@@ -162,7 +163,8 @@ module Dependabot
               credentials: credentials,
               target_version: version,
               requirements_update_strategy: requirements_update_strategy,
-              update_multiple_dependencies: false
+              update_multiple_dependencies: false,
+              options: options
             ).updated_dependencies
             true
           rescue Dependabot::DependencyFileNotResolvable
@@ -183,7 +185,8 @@ module Dependabot
               credentials: credentials,
               ignored_versions: ignored_versions,
               raise_on_ignored: raise_on_ignored,
-              replacement_git_pin: tag
+              replacement_git_pin: tag,
+              options: options
             ).latest_resolvable_version_details
             true
           rescue Dependabot::DependencyFileNotResolvable
@@ -339,7 +342,8 @@ module Dependabot
             repo_contents_path: repo_contents_path,
             credentials: credentials,
             target_version: latest_version,
-            requirements_update_strategy: requirements_update_strategy
+            requirements_update_strategy: requirements_update_strategy,
+            options: options
           )
       end
 
@@ -365,7 +369,8 @@ module Dependabot
               raise_on_ignored: raise_on_ignored,
               remove_git_source: remove_git_source,
               unlock_requirement: unlock_requirement,
-              latest_allowable_version: latest_version
+              latest_allowable_version: latest_version,
+              options: options
             )
           end
       end
@@ -386,7 +391,8 @@ module Dependabot
               credentials: credentials,
               ignored_versions: ignored_versions,
               raise_on_ignored: raise_on_ignored,
-              security_advisories: security_advisories
+              security_advisories: security_advisories,
+              options: options
             )
           end
       end

data/lib/dependabot/bundler/update_checker/conflicting_dependency_resolver.rb

@@ -12,10 +12,13 @@ module Dependabot
         require_relative "shared_bundler_helpers"
         include SharedBundlerHelpers
 
-        def initialize(dependency_files:, repo_contents_path:, credentials:)
+        attr_reader :options
+
+        def initialize(dependency_files:, repo_contents_path:, credentials:, options:)
           @dependency_files = dependency_files
           @repo_contents_path = repo_contents_path
           @credentials = credentials
+          @options = options
         end
 
         # Finds any dependencies in the lockfile that have a subdependency on
@@ -47,7 +50,7 @@ module Dependabot
         private
 
         def bundler_version
-          @bundler_version ||= Helpers.bundler_version(lockfile)
+          @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
         end
       end
     end

data/lib/dependabot/bundler/update_checker/force_updater.rb

@@ -19,7 +19,8 @@ module Dependabot
         def initialize(dependency:, dependency_files:, repo_contents_path: nil,
                        credentials:, target_version:,
                        requirements_update_strategy:,
-                       update_multiple_dependencies: true)
+                       update_multiple_dependencies: true,
+                       options:)
           @dependency                   = dependency
           @dependency_files             = dependency_files
           @repo_contents_path           = repo_contents_path
@@ -27,6 +28,7 @@ module Dependabot
           @target_version               = target_version
           @requirements_update_strategy = requirements_update_strategy
           @update_multiple_dependencies = update_multiple_dependencies
+          @options                      = options
         end
 
         def updated_dependencies
@@ -36,7 +38,8 @@ module Dependabot
         private
 
         attr_reader :dependency, :dependency_files, :repo_contents_path,
-                    :credentials, :target_version, :requirements_update_strategy
+                    :credentials, :target_version, :requirements_update_strategy,
+                    :options
 
         def update_multiple_dependencies?
           @update_multiple_dependencies
@@ -149,7 +152,7 @@ module Dependabot
         end
 
         def bundler_version
-          @bundler_version ||= Helpers.bundler_version(lockfile)
+          @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
         end
       end
     end

data/lib/dependabot/bundler/update_checker/latest_version_finder.rb

@@ -15,7 +15,7 @@ module Dependabot
       class LatestVersionFinder
         def initialize(dependency:, dependency_files:, repo_contents_path: nil,
                        credentials:, ignored_versions:, raise_on_ignored: false,
-                       security_advisories:)
+                       security_advisories:, options:)
           @dependency          = dependency
           @dependency_files    = dependency_files
           @repo_contents_path  = repo_contents_path
@@ -23,6 +23,7 @@ module Dependabot
           @ignored_versions    = ignored_versions
           @raise_on_ignored    = raise_on_ignored
           @security_advisories = security_advisories
+          @options             = options
         end
 
         def latest_version_details
@@ -36,7 +37,8 @@ module Dependabot
         private
 
         attr_reader :dependency, :dependency_files, :repo_contents_path,
-                    :credentials, :ignored_versions, :security_advisories
+                    :credentials, :ignored_versions, :security_advisories,
+                    :options
 
         def fetch_latest_version_details
           return dependency_source.latest_git_version_details if dependency_source.git?
@@ -103,7 +105,8 @@ module Dependabot
           @dependency_source ||= DependencySource.new(
             dependency: dependency,
             dependency_files: dependency_files,
-            credentials: credentials
+            credentials: credentials,
+            options: options
           )
         end
 

data/lib/dependabot/bundler/update_checker/latest_version_finder/dependency_source.rb

@@ -17,14 +17,16 @@ module Dependabot
           OTHER = "other"
 
           attr_reader :dependency, :dependency_files, :repo_contents_path,
-                      :credentials
+                      :credentials, :options
 
           def initialize(dependency:,
                          dependency_files:,
-                         credentials:)
+                         credentials:,
+                         options:)
             @dependency          = dependency
             @dependency_files    = dependency_files
             @credentials         = credentials
+            @options             = options
           end
 
           # The latest version details for the dependency from a registry
@@ -145,7 +147,7 @@ module Dependabot
           end
 
           def bundler_version
-            @bundler_version ||= Helpers.bundler_version(lockfile)
+            @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
           end
         end
       end

data/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb

@@ -237,10 +237,6 @@ module Dependabot
 
           lockfile.content.match?(/BUNDLED WITH\s+2/m)
         end
-
-        def bundler_version
-          @bundler_version ||= Helpers.bundler_version(lockfile)
-        end
       end
     end
   end

data/lib/dependabot/bundler/update_checker/version_resolver.rb

@@ -23,7 +23,8 @@ module Dependabot
                        raise_on_ignored: false,
                        replacement_git_pin: nil, remove_git_source: false,
                        unlock_requirement: true,
-                       latest_allowable_version: nil)
+                       latest_allowable_version: nil,
+                       options:)
           @dependency                  = dependency
           @unprepared_dependency_files = unprepared_dependency_files
           @credentials                 = credentials
@@ -34,6 +35,7 @@ module Dependabot
           @remove_git_source           = remove_git_source
           @unlock_requirement          = unlock_requirement
           @latest_allowable_version    = latest_allowable_version
+          @options                     = options
         end
 
         def latest_resolvable_version_details
@@ -45,7 +47,8 @@ module Dependabot
 
         attr_reader :dependency, :unprepared_dependency_files,
                     :repo_contents_path, :credentials, :ignored_versions,
-                    :replacement_git_pin, :latest_allowable_version
+                    :replacement_git_pin, :latest_allowable_version,
+                    :options
 
         def remove_git_source?
           @remove_git_source
@@ -164,7 +167,8 @@ module Dependabot
               credentials: credentials,
               ignored_versions: ignored_versions,
               raise_on_ignored: @raise_on_ignored,
-              security_advisories: []
+              security_advisories: [],
+              options: options
             ).latest_version_details
         end
 
@@ -221,7 +225,7 @@ module Dependabot
         end
 
         def bundler_version
-          @bundler_version ||= Helpers.bundler_version(lockfile)
+          @bundler_version ||= Helpers.bundler_version(lockfile, options: options)
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.137.1
+  version: 0.138.3
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-15 00:00:00.000000000 Z
+date: 2021-03-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.137.1
+        version: 0.138.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.137.1
+        version: 0.138.3
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -206,6 +206,21 @@ files:
 - helpers/v1/spec/functions/version_resolver_spec.rb
 - helpers/v1/spec/native_spec_helper.rb
 - helpers/v1/spec/shared_contexts.rb
+- helpers/v2/.gitignore
+- helpers/v2/Gemfile
+- helpers/v2/build
+- helpers/v2/lib/functions.rb
+- helpers/v2/lib/functions/conflicting_dependency_resolver.rb
+- helpers/v2/lib/functions/file_parser.rb
+- helpers/v2/monkey_patches/definition_bundler_version_patch.rb
+- helpers/v2/monkey_patches/definition_ruby_version_patch.rb
+- helpers/v2/monkey_patches/git_source_patch.rb
+- helpers/v2/run.rb
+- helpers/v2/spec/functions/conflicting_dependency_resolver_spec.rb
+- helpers/v2/spec/functions/file_parser_spec.rb
+- helpers/v2/spec/functions_spec.rb
+- helpers/v2/spec/native_spec_helper.rb
+- helpers/v2/spec/shared_contexts.rb
 - lib/dependabot/bundler.rb
 - lib/dependabot/bundler/file_fetcher.rb
 - lib/dependabot/bundler/file_fetcher/child_gemfile_finder.rb