dependabot-bundler 0.137.2 → 0.138.4

data/helpers/v2/lib/functions/version_resolver.rb

@@ -0,0 +1,140 @@
+module Functions
+  class VersionResolver
+    GEM_NOT_FOUND_ERROR_REGEX = /locked to (?<name>[^\s]+) \(/.freeze
+
+    attr_reader :dependency_name, :dependency_requirements,
+                :gemfile_name, :lockfile_name
+
+    def initialize(dependency_name:, dependency_requirements:,
+                   gemfile_name:, lockfile_name:)
+      @dependency_name = dependency_name
+      @dependency_requirements = dependency_requirements
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+    end
+
+    def version_details
+      dep = dependency_from_definition
+
+      # If the dependency wasn't found in the definition, but *is*
+      # included in a gemspec, it's because the Gemfile didn't import
+      # the gemspec. This is unusual, but the correct behaviour if/when
+      # it happens is to behave as if the repo was gemspec-only.
+      if dep.nil? && dependency_requirements.any?
+        return "latest"
+      end
+
+      # Otherwise, if the dependency wasn't found it's because it is a
+      # subdependency that was removed when attempting to update it.
+      return nil if dep.nil?
+
+      # If the dependency is Bundler itself then we can't trust the
+      # version that has been returned (it's the version Dependabot is
+      # running on, rather than the true latest resolvable version).
+      return nil if dep.name == "bundler"
+
+      details = {
+        version: dep.version,
+        ruby_version: ruby_version,
+        fetcher: fetcher_class(dep)
+      }
+      if dep.source.instance_of?(::Bundler::Source::Git)
+        details[:commit_sha] = dep.source.revision
+      end
+      details
+    end
+
+    private
+
+    # rubocop:disable Metrics/PerceivedComplexity
+    def dependency_from_definition(unlock_subdependencies: true)
+      dependencies_to_unlock = [dependency_name]
+      dependencies_to_unlock += subdependencies if unlock_subdependencies
+      begin
+        definition = build_definition(dependencies_to_unlock)
+        definition.resolve_remotely!
+      rescue ::Bundler::GemNotFound => e
+        unlock_yanked_gem(dependencies_to_unlock, e) && retry
+      rescue ::Bundler::HTTPError => e
+        # Retry network errors
+        # Note: in_a_native_bundler_context will also retry `Bundler::HTTPError` errors
+        # up to three times meaning we'll end up retrying this error up to six times
+        # TODO: Could we get rid of this retry logic and only rely on
+        # SharedBundlerHelpers.in_a_native_bundler_context
+        attempt ||= 1
+        attempt += 1
+        raise if attempt > 3 || !e.message.include?("Network error")
+
+        retry
+      end
+
+      dep = definition.resolve.find { |d| d.name == dependency_name }
+      return dep if dep
+      return if dependency_requirements.any? || !unlock_subdependencies
+
+      # If no definition was found and we're updating a sub-dependency,
+      # try again but without unlocking any other sub-dependencies
+      dependency_from_definition(unlock_subdependencies: false)
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    def subdependencies
+      # If there's no lockfile we don't need to worry about
+      # subdependencies
+      return [] unless lockfile
+
+      all_deps =  ::Bundler::LockfileParser.new(lockfile).
+                  specs.map(&:name).map(&:to_s).uniq
+      top_level = build_definition([]).dependencies.
+                  map(&:name).map(&:to_s)
+
+      all_deps - top_level
+    end
+
+    def build_definition(dependencies_to_unlock)
+      # Note: we lock shared dependencies to avoid any top-level
+      # dependencies getting unlocked (which would happen if they were
+      # also subdependencies of the dependency being unlocked)
+      ::Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: dependencies_to_unlock,
+        lock_shared_dependencies: true
+      )
+    end
+
+    def unlock_yanked_gem(dependencies_to_unlock, error)
+      raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
+
+      gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
+                 named_captures["name"]
+      raise if dependencies_to_unlock.include?(gem_name)
+
+      dependencies_to_unlock << gem_name
+    end
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name
+          return unless File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def fetcher_class(dep)
+      return unless dep.source.is_a?(::Bundler::Source::Rubygems)
+
+      dep.source.fetchers.first.fetchers.first.class.to_s
+    end
+
+    def ruby_version
+      return nil unless gemfile_name
+
+      @ruby_version ||= build_definition([]).ruby_version&.gem_version
+    end
+  end
+end

data/helpers/v2/monkey_patches/definition_bundler_version_patch.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "bundler/definition"
+
+# Ignore the Bundler version specified in the Gemfile (since the only Bundler
+# version available to us is the one we're using).
+module BundlerDefinitionBundlerVersionPatch
+  def expanded_dependencies
+    @expanded_dependencies ||=
+      expand_dependencies(dependencies + metadata_dependencies, @remote).
+      reject { |d| d.name == "bundler" }
+  end
+end
+
+Bundler::Definition.prepend(BundlerDefinitionBundlerVersionPatch)

data/helpers/v2/monkey_patches/definition_ruby_version_patch.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "bundler/definition"
+
+module BundlerDefinitionRubyVersionPatch
+  def index
+    @index ||= super.tap do
+      if ruby_version
+        requested_version = ruby_version.to_gem_version_with_patchlevel
+        sources.metadata_source.specs <<
+          Gem::Specification.new("Ruby\0", requested_version)
+      end
+
+      sources.metadata_source.specs <<
+        Gem::Specification.new("Ruby\0", "2.5.3p105")
+    end
+  end
+end
+
+Bundler::Definition.prepend(BundlerDefinitionRubyVersionPatch)

data/helpers/v2/monkey_patches/git_source_patch.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "bundler/source"
+
+module Bundler
+  class Source
+    class Git
+      class GitProxy
+        private
+
+        # Bundler allows ssh authentication when talking to GitHub but there's
+        # no way for Dependabot to do so (it doesn't have any ssh keys).
+        # Instead, we convert all `git@github.com:` URLs to use HTTPS.
+        def configured_uri_for(uri)
+          uri = uri.gsub(%r{git@(.*?):/?}, 'https://\1/')
+          if /https?:/ =~ uri
+            remote = Bundler::URI(uri)
+            config_auth = Bundler.settings[remote.to_s] || Bundler.settings[remote.host]
+            remote.userinfo ||= config_auth
+            remote.to_s
+          else
+            uri
+          end
+        end
+      end
+    end
+  end
+end
+
+module Bundler
+  class Source
+    class Git < Path
+      private
+
+      def serialize_gemspecs_in(destination)
+        original_load_paths = $LOAD_PATH.dup
+        reduced_load_paths = original_load_paths.
+                             reject { |p| p.include?("/gems/") }
+
+        $LOAD_PATH.shift until $LOAD_PATH.empty?
+        reduced_load_paths.each { |p| $LOAD_PATH << p }
+
+        if destination.relative?
+          destination = destination.expand_path(Bundler.root)
+        end
+        Dir["#{destination}/#{@glob}"].each do |spec_path|
+          # Evaluate gemspecs and cache the result. Gemspecs
+          # in git might require git or other dependencies.
+          # The gemspecs we cache should already be evaluated.
+          spec = Bundler.load_gemspec(spec_path)
+          next unless spec
+
+          Bundler.rubygems.set_installed_by_version(spec)
+          Bundler.rubygems.validate(spec)
+          File.open(spec_path, "wb") { |file| file.write(spec.to_ruby) }
+        end
+        $LOAD_PATH.shift until $LOAD_PATH.empty?
+        original_load_paths.each { |p| $LOAD_PATH << p }
+      end
+    end
+  end
+end

data/helpers/v2/run.rb

@@ -0,0 +1,44 @@
+require "bundler"
+require "json"
+
+$LOAD_PATH.unshift(File.expand_path("./lib", __dir__))
+$LOAD_PATH.unshift(File.expand_path("./monkey_patches", __dir__))
+
+# Bundler monkey patches
+require "definition_ruby_version_patch"
+require "definition_bundler_version_patch"
+require "git_source_patch"
+
+require "functions"
+
+MIN_BUNDLER_VERSION = "2.0.0"
+
+def validate_bundler_version!
+  return true if correct_bundler_version?
+
+  raise StandardError, "Called with Bundler '#{Bundler::VERSION}', expected >= '#{MIN_BUNDLER_VERSION}'"
+end
+
+def correct_bundler_version?
+  Gem::Version.new(Bundler::VERSION) >= Gem::Version.new(MIN_BUNDLER_VERSION)
+end
+
+def output(obj)
+  print JSON.dump(obj)
+end
+
+begin
+  validate_bundler_version!
+
+  request = JSON.parse($stdin.read)
+
+  function = request["function"]
+  args = request["args"].transform_keys(&:to_sym)
+
+  output({ result: Functions.send(function, **args) })
+rescue => error
+  output(
+    { error: error.message, error_class: error.class, trace: error.backtrace }
+  )
+  exit(1)
+end

data/helpers/v2/spec/functions/conflicting_dependency_resolver_spec.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::ConflictingDependencyResolver do
+  include_context "in a temporary bundler directory"
+
+  let(:conflicting_dependency_resolver) do
+    described_class.new(
+      dependency_name: dependency_name,
+      target_version: target_version,
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:dependency_name) { "dummy-pkg-a" }
+  let(:target_version) { "2.0.0" }
+
+  let(:project_name) { "blocked_by_subdep" }
+
+  describe "#conflicting_dependencies" do
+    subject(:conflicting_dependencies) do
+      in_tmp_folder { conflicting_dependency_resolver.conflicting_dependencies }
+    end
+
+    it "returns a list of dependencies that block the update" do
+      expect(conflicting_dependencies).to eq(
+        [{
+          "explanation" => "dummy-pkg-b (1.0.0) requires dummy-pkg-a (< 2.0.0)",
+          "name" => "dummy-pkg-b",
+          "version" => "1.0.0",
+          "requirement" => "< 2.0.0"
+        }]
+      )
+    end
+
+    context "for nested transitive dependencies" do
+      let(:project_name) { "transitive_blocking" }
+      let(:dependency_name) { "activesupport" }
+      let(:target_version) { "6.0.0" }
+
+      it "returns a list of dependencies that block the update" do
+        expect(conflicting_dependencies).to match_array(
+          [
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0)",
+              "name" => "rails",
+              "requirement" => "= 5.2.0",
+              "version" => "5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionpack (5.2.0)",
+              "name" => "actionpack",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionview (5.2.0)",
+              "name" => "actionview",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activejob (5.2.0)",
+              "name" => "activejob",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activemodel (5.2.0)",
+              "name" => "activemodel",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activerecord (5.2.0)",
+              "name" => "activerecord",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via railties (5.2.0)",
+              "name" => "railties",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            }
+          ]
+        )
+      end
+    end
+
+    context "with multiple blocking dependencies" do
+      let(:dependency_name) { "activesupport" }
+      let(:current_version) { "5.0.0" }
+      let(:target_version) { "6.0.0" }
+      let(:project_name) { "multiple_blocking" }
+
+      it "returns all of the blocking dependencies" do
+        expect(conflicting_dependencies).to match_array(
+          [
+            {
+              "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via actionpack (5.0.0)",
+              "name" => "actionpack",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            },
+            {
+              "explanation" => "actionview (5.0.0) requires activesupport (= 5.0.0)",
+              "name" => "actionview",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            },
+            {
+              "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via activejob (5.0.0)",
+              "name" => "activejob",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            }
+          ]
+        )
+      end
+    end
+
+    context "without any blocking dependencies" do
+      let(:target_version) { "1.0.0" }
+
+      it "returns an empty list" do
+        expect(conflicting_dependencies).to eq([])
+      end
+    end
+  end
+end

data/helpers/v2/spec/functions/dependency_source_spec.rb

@@ -0,0 +1,185 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::DependencySource do
+  include_context "in a temporary bundler directory"
+
+  let(:dependency_source) do
+    described_class.new(
+      gemfile_name: "Gemfile",
+      dependency_name: dependency_name
+    )
+  end
+
+  let(:dependency_name) { "business" }
+
+  let(:project_name) { "specified_source_no_lockfile" }
+  let(:registry_url) { "https://repo.fury.io/greysteil/" }
+  let(:gemfury_business_url) do
+    "https://repo.fury.io/greysteil/api/v1/dependencies?gems=business"
+  end
+
+  before do
+    stub_request(:get, registry_url + "versions").
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 404)
+    stub_request(:get, registry_url + "api/v1/dependencies").
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 200)
+    stub_request(:get, gemfury_business_url).
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+  end
+
+  describe "#private_registry_versions" do
+    subject(:private_registry_versions) do
+      in_tmp_folder { dependency_source.private_registry_versions }
+    end
+
+    it "returns all versions from the private source" do
+      is_expected.to eq([
+                          Gem::Version.new("1.5.0"),
+                          Gem::Version.new("1.9.0"),
+                          Gem::Version.new("1.10.0.beta")
+                        ])
+    end
+
+    context "specified as the default source" do
+      let(:project_name) { "specified_default_source_no_lockfile" }
+
+      it "returns all versions from the private source" do
+        is_expected.to eq([
+                            Gem::Version.new("1.5.0"),
+                            Gem::Version.new("1.9.0"),
+                            Gem::Version.new("1.10.0.beta")
+                          ])
+      end
+    end
+
+    context "that we don't have authentication details for" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+      end
+
+      it "blows up with a useful error" do
+        error_class = Bundler::Fetcher::BadAuthenticationError
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(error_class)
+            expect(error.message).to include("Bad username or password for")
+          end
+      end
+    end
+
+    context "that we have bad authentication details for" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+      end
+
+      it "blows up with a useful error" do
+        error_class = Bundler::Fetcher::BadAuthenticationError
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(error_class)
+            expect(error.message).to include("Bad username or password for")
+          end
+      end
+    end
+
+    context "that bad-requested, but was a private repo" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+      end
+
+      it "blows up with a useful error" do
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(Bundler::HTTPError)
+            expect(error.message).
+              to include("Could not fetch specs from")
+          end
+      end
+    end
+
+    context "that doesn't have details of the gem" do
+      before do
+        stub_request(:get, gemfury_business_url).
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 404)
+
+        # Stub indexes to return details of other gems (but not this one)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_response")
+          )
+        stub_request(:get, registry_url + "prerelease_specs.4.8.gz").
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_prerelease_response")
+          )
+      end
+
+      it { is_expected.to be_empty }
+    end
+
+    context "that only implements the old Bundler index format..." do
+      let(:project_name) { "sidekiq_pro" }
+      let(:dependency_name) { "sidekiq-pro" }
+      let(:registry_url) { "https://gems.contribsys.com/" }
+
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: %w(username password)).
+          to_return(status: 404)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: %w(username password)).
+          to_return(status: 404)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: %w(username password)).
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_response")
+          )
+        stub_request(:get, registry_url + "prerelease_specs.4.8.gz").
+          with(basic_auth: %w(username password)).
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_prerelease_response")
+          )
+      end
+
+      it "returns all versions from the private source" do
+        expect(private_registry_versions.length).to eql(70)
+        expect(private_registry_versions.min).to eql(Gem::Version.new("1.0.0"))
+        expect(private_registry_versions.max).to eql(Gem::Version.new("3.5.2"))
+      end
+    end
+  end
+end