dependabot-bundler 0.138.0 → 0.138.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 84aea554fac0f0cc19cce07782f3b587fd66f05927cec2f07a9b606dff33b041
-  data.tar.gz: 0cf54804f99668071287e08e212641d49a267a94ed19d5d8d65c5aff081c263d
+  metadata.gz: a9808afb0b3a963f82ac68b0668b0bf8df45111751f6aab0c7b1e1011e50a496
+  data.tar.gz: 8537cad525a3f8e95faa2977bebac06e5bcf1ca5a8e49b0813bee266fbe078df
 SHA512:
-  metadata.gz: 208fd556fed167b644db2fe337ba6ecb6ce2d0392f85b06f78100656253d60594d9bfeae8b7fdaa8cd0556ee1c24ab8f7c9797fdf437879358fc7e740148db9a
-  data.tar.gz: 3884bca4a97c32b25dd796423dd95dfbf0adf3f318900aff052a6af78c710360411e532eada5cab7b07c59a71d99e2cff81c9b376955d4bc0d6fe56f155a0189
+  metadata.gz: 8e6581d20513493201c9694a2f04e1c00a4f0002d97dfcab4877095a92fd61d4da0c0e7f19f38ea60df415b418e1589fe555adb298e989a2519ea11ce3c61d38
+  data.tar.gz: 1507fe54b6b138493cb9904d894e70989df8ef1cadf3fe69003bd9eb46b1bd2e4bcf56b7cd146bcb0944fec6d1a75de11b5e884cd9997c2e3c30a62d0059fcbe

data/helpers/v1/build

@@ -21,4 +21,5 @@ cd "$install_dir"
 
 # NOTE: Sets `BUNDLED WITH` to match the installed v1 version in Gemfile.lock
 # forcing native helpers to run with the same version
-BUNDLER_VERSION=1 bundle install --without test
+BUNDLER_VERSION=1 bundle config set --local without "test"
+BUNDLER_VERSION=1 bundle install

data/helpers/v1/run.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "bundler"
 require "json"
 
@@ -11,11 +13,25 @@ require "git_source_patch"
 
 require "functions"
 
+MAX_BUNDLER_VERSION="2.0.0"
+
+def validate_bundler_version!
+  return true if correct_bundler_version?
+
+  raise StandardError, "Called with Bundler '#{Bundler::VERSION}', expected < '#{MAX_BUNDLER_VERSION}'"
+end
+
+def correct_bundler_version?
+  Gem::Version.new(Bundler::VERSION) < Gem::Version.new(MAX_BUNDLER_VERSION)
+end
+
 def output(obj)
   print JSON.dump(obj)
 end
 
 begin
+  validate_bundler_version!
+
   request = JSON.parse($stdin.read)
 
   function = request["function"]

data/helpers/v2/.gitignore

@@ -0,0 +1,8 @@
+/.bundle
+/.env
+/tmp
+/dependabot-*.gem
+Gemfile.lock
+spec/fixtures/projects/*/.bundle/
+!spec/fixtures/projects/**/Gemfile.lock
+!spec/fixtures/projects/**/vendor

data/helpers/v2/Gemfile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# NOTE: Used to run native helper specs
+group :test do
+  gem "byebug", "11.1.3"
+  gem "rspec", "3.10.0"
+  gem "rspec-its", "1.3.0"
+  gem "vcr", "6.0.0"
+  gem "webmock", "3.12.1"
+end

data/helpers/v2/build

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+install_dir=$1
+if [ -z "$install_dir" ]; then
+  echo "usage: $0 INSTALL_DIR"
+  exit 1
+fi
+
+helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
+cp -r \
+  "$helpers_dir/lib" \
+  "$helpers_dir/monkey_patches" \
+  "$helpers_dir/run.rb" \
+  "$helpers_dir/Gemfile" \
+  "$install_dir"
+
+cd "$install_dir"
+
+# NOTE: Sets `BUNDLED WITH` to match the installed v1 version in Gemfile.lock
+# forcing specs and native helpers to run with the same version
+BUNDLER_VERSION=2 bundle config set --local path ".bundle"
+BUNDLER_VERSION=2 bundle config set --local without "test"
+BUNDLER_VERSION=2 bundle install

data/helpers/v2/lib/functions.rb

@@ -0,0 +1,195 @@
+# frozen_string_literal: true
+
+require "functions/conflicting_dependency_resolver"
+require "functions/dependency_source"
+require "functions/file_parser"
+require "functions/force_updater"
+require "functions/lockfile_updater"
+require "functions/version_resolver"
+
+module Functions
+  class NotImplementedError < StandardError; end
+
+  def self.parsed_gemfile(lockfile_name:, gemfile_name:, dir:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: [],
+                                      using_bundler2: false)
+    FileParser.new(lockfile_name: lockfile_name).
+      parsed_gemfile(gemfile_name: gemfile_name)
+  end
+
+  def self.parsed_gemspec(lockfile_name:, gemspec_name:, dir:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: [],
+                                      using_bundler2: false)
+    FileParser.new(lockfile_name: lockfile_name).
+      parsed_gemspec(gemspec_name: gemspec_name)
+  end
+
+  def self.vendor_cache_dir(dir:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: [],
+                                      using_bundler2: false)
+    Bundler.app_cache
+  end
+
+  def self.update_lockfile(dir:, gemfile_name:, lockfile_name:, using_bundler2:,
+                           credentials:, dependencies:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: using_bundler2)
+    LockfileUpdater.new(
+      gemfile_name: gemfile_name,
+      lockfile_name: lockfile_name,
+      dependencies: dependencies
+    ).run
+  end
+
+  def self.force_update(dir:, dependency_name:, target_version:, gemfile_name:,
+                        lockfile_name:, using_bundler2:, credentials:,
+                        update_multiple_dependencies:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: using_bundler2)
+    ForceUpdater.new(
+      dependency_name: dependency_name,
+      target_version: target_version,
+      gemfile_name: gemfile_name,
+      lockfile_name: lockfile_name,
+      update_multiple_dependencies: update_multiple_dependencies
+    ).run
+  end
+
+  def self.dependency_source_type(gemfile_name:, dependency_name:, dir:,
+                                  credentials:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: false)
+
+    DependencySource.new(
+      gemfile_name: gemfile_name,
+      dependency_name: dependency_name
+    ).type
+  end
+
+  def self.depencency_source_latest_git_version(gemfile_name:, dependency_name:,
+                                                dir:, credentials:,
+                                                dependency_source_url:,
+                                                dependency_source_branch:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: false)
+    DependencySource.new(
+      gemfile_name: gemfile_name,
+      dependency_name: dependency_name
+    ).latest_git_version(
+      dependency_source_url: dependency_source_url,
+      dependency_source_branch: dependency_source_branch
+    )
+  end
+
+  def self.private_registry_versions(gemfile_name:, dependency_name:, dir:,
+                                     credentials:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: false)
+
+    DependencySource.new(
+      gemfile_name: gemfile_name,
+      dependency_name: dependency_name
+    ).private_registry_versions
+  end
+
+  def self.resolve_version(dependency_name:, dependency_requirements:,
+                           gemfile_name:, lockfile_name:, using_bundler2:,
+                           dir:, credentials:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials, using_bundler2: using_bundler2)
+    VersionResolver.new(
+      dependency_name: dependency_name,
+      dependency_requirements: dependency_requirements,
+      gemfile_name: gemfile_name,
+      lockfile_name: lockfile_name
+    ).version_details
+  end
+
+  def self.jfrog_source(dir:, gemfile_name:, credentials:, using_bundler2:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials, using_bundler2: using_bundler2)
+
+    Bundler::Definition.build(gemfile_name, nil, {}).
+      send(:sources).
+      rubygems_remotes.
+      find { |uri| uri.host.include?("jfrog") }&.
+      host
+  end
+
+  def self.git_specs(dir:, gemfile_name:, credentials:, using_bundler2:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: using_bundler2)
+
+    git_specs = Bundler::Definition.build(gemfile_name, nil, {}).dependencies.
+                select do |spec|
+      spec.source.is_a?(Bundler::Source::Git)
+    end
+    git_specs.map do |spec|
+      # Piggy-back off some private Bundler methods to configure the
+      # URI with auth details in the same way Bundler does.
+      git_proxy = spec.source.send(:git_proxy)
+      auth_uri = spec.source.uri.gsub("git://", "https://")
+      auth_uri = git_proxy.send(:configured_uri_for, auth_uri)
+      auth_uri += ".git" unless auth_uri.end_with?(".git")
+      auth_uri += "/info/refs?service=git-upload-pack"
+      {
+        uri: spec.source.uri,
+        auth_uri: auth_uri
+      }
+    end
+  end
+
+  def self.set_bundler_flags_and_credentials(dir:, credentials:,
+                                             using_bundler2:)
+    dir = dir ? Pathname.new(dir) : dir
+    Bundler.instance_variable_set(:@root, dir)
+
+    # Remove installed gems from the default Rubygems index
+    Gem::Specification.all =
+      Gem::Specification.send(:default_stubs, "*.gemspec")
+
+    # Set auth details
+    relevant_credentials(credentials).each do |cred|
+      token = cred["token"] ||
+              "#{cred['username']}:#{cred['password']}"
+
+      Bundler.settings.set_command_option(
+        cred.fetch("host"),
+        token.gsub("@", "%40F").gsub("?", "%3F")
+      )
+    end
+
+    # NOTE: Prevent bundler from printing resolution information
+    Bundler.ui = Bundler::UI::Silent.new
+
+    # Use HTTPS for GitHub if lockfile
+    Bundler.settings.set_command_option("forget_cli_options", "true")
+    Bundler.settings.set_command_option("github.https", "true")
+  end
+
+  def self.relevant_credentials(credentials)
+    [
+      *git_source_credentials(credentials),
+      *private_registry_credentials(credentials)
+    ].select { |cred| cred["password"] || cred["token"] }
+  end
+
+  def self.private_registry_credentials(credentials)
+    credentials.
+      select { |cred| cred["type"] == "rubygems_server" }
+  end
+
+  def self.git_source_credentials(credentials)
+    credentials.
+      select { |cred| cred["type"] == "git_source" }
+  end
+
+  def self.conflicting_dependencies(dir:, dependency_name:, target_version:,
+                                    lockfile_name:, using_bundler2:, credentials:)
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: using_bundler2)
+    ConflictingDependencyResolver.new(
+      dependency_name: dependency_name,
+      target_version: target_version,
+      lockfile_name: lockfile_name
+    ).conflicting_dependencies
+  end
+end

data/helpers/v2/lib/functions/conflicting_dependency_resolver.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+module Functions
+  class ConflictingDependencyResolver
+    def initialize(dependency_name:, target_version:, lockfile_name:)
+      @dependency_name = dependency_name
+      @target_version = target_version
+      @lockfile_name = lockfile_name
+    end
+
+    # Finds any dependencies in the lockfile that have a subdependency on the
+    # given dependency that does not satisfly the target_version.
+    # @return [Array<Hash{String => String}]
+    #   * explanation [String] a sentence explaining the conflict
+    #   * name [String] the blocking dependencies name
+    #   * version [String] the version of the blocking dependency
+    #   * requirement [String] the requirement on the target_dependency
+    def conflicting_dependencies
+      Bundler.settings.set_command_option("only_update_to_newer_versions", true)
+
+      parent_specs.flat_map do |parent_spec|
+        top_level_specs_for(parent_spec).map do |top_level|
+          dependency = parent_spec.dependencies.find { |bd| bd.name == dependency_name }
+          {
+            "explanation" => explanation(parent_spec, dependency, top_level),
+            "name" => parent_spec.name,
+            "version" => parent_spec.version.to_s,
+            "requirement" => dependency.requirement.to_s
+          }
+        end
+      end
+    end
+
+    private
+
+    attr_reader :dependency_name, :target_version, :lockfile_name
+
+    def parent_specs
+      version = Gem::Version.new(target_version)
+      parsed_lockfile.specs.filter do |spec|
+        spec.dependencies.any? do |dep|
+          dep.name == dependency_name &&
+            !dep.requirement.satisfied_by?(version)
+        end
+      end
+    end
+
+    def top_level_specs_for(parent_spec)
+      return [parent_spec] if top_level?(parent_spec)
+
+      parsed_lockfile.specs.filter do |spec|
+        spec.dependencies.any? do |dep|
+          dep.name == parent_spec.name && top_level?(spec)
+        end
+      end
+    end
+
+    def top_level?(spec)
+      parsed_lockfile.dependencies.key?(spec.name)
+    end
+
+    def explanation(spec, dependency, top_level)
+      if spec.name == top_level.name
+        "#{spec.name} (#{spec.version}) requires #{dependency_name} (#{dependency.requirement})"
+      else
+        "#{top_level.name} (#{top_level.version}) requires #{dependency_name} "\
+          "(#{dependency.requirement}) via #{spec.name} (#{spec.version})"
+      end
+    end
+
+    def parsed_lockfile
+      @parsed_lockfile ||= Bundler::LockfileParser.new(lockfile)
+    end
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name && File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+  end
+end

data/helpers/v2/lib/functions/dependency_source.rb

@@ -0,0 +1,86 @@
+module Functions
+  class DependencySource
+    attr_reader :gemfile_name, :dependency_name
+
+    RUBYGEMS = "rubygems"
+    PRIVATE_REGISTRY = "private"
+    GIT = "git"
+    OTHER = "other"
+
+    def initialize(gemfile_name:, dependency_name:)
+      @gemfile_name = gemfile_name
+      @dependency_name = dependency_name
+    end
+
+    def type
+      bundler_source = specified_source || default_source
+      type_of(bundler_source)
+    end
+
+    def latest_git_version(dependency_source_url:, dependency_source_branch:)
+      source = Bundler::Source::Git.new(
+        "uri" => dependency_source_url,
+        "branch" => dependency_source_branch,
+        "name" => dependency_name,
+        "submodules" => true
+      )
+
+      # Tell Bundler we're fine with fetching the source remotely
+      source.instance_variable_set(:@allow_remote, true)
+
+      spec = source.specs.first
+      { version: spec.version, commit_sha: spec.source.revision }
+    end
+
+    def private_registry_versions
+      bundler_source = specified_source || default_source
+
+      bundler_source.
+        fetchers.flat_map do |fetcher|
+          fetcher.
+            specs_with_retry([dependency_name], bundler_source).
+            search_all(dependency_name)
+        end.
+        map(&:version)
+    end
+
+    private
+
+    def type_of(bundler_source)
+      case bundler_source
+      when Bundler::Source::Rubygems
+        remote = bundler_source.remotes.first
+        if remote.nil? || remote.to_s == "https://rubygems.org/"
+          RUBYGEMS
+        else
+          PRIVATE_REGISTRY
+        end
+      when Bundler::Source::Git
+        GIT
+      else
+        OTHER
+      end
+    end
+
+    def specified_source
+      return @specified_source if defined? @specified_source
+
+      @specified_source = definition.dependencies.
+        find { |dep| dep.name == dependency_name }&.source
+    end
+
+    def default_source
+      definition.send(:sources).default_source
+    end
+
+    def definition
+      @definition ||= Bundler::Definition.build(gemfile_name, nil, {})
+    end
+
+    def serialize_bundler_source(source)
+      {
+        type: source.class.to_s
+      }
+    end
+  end
+end