dependabot-bundler 0.138.1 → 0.138.6

data/helpers/v2/lib/functions/file_parser.rb

@@ -0,0 +1,106 @@
+module Functions
+  class FileParser
+    def initialize(lockfile_name:)
+      @lockfile_name = lockfile_name
+    end
+
+    attr_reader :lockfile_name
+
+    def parsed_gemfile(gemfile_name:)
+      Bundler::Definition.build(gemfile_name, nil, {}).
+        dependencies.select(&:current_platform?).
+        reject { |dep| dep.source.is_a?(Bundler::Source::Gemspec) }.
+        map(&method(:serialize_bundler_dependency))
+    end
+
+    def parsed_gemspec(gemspec_name:)
+      Bundler.load_gemspec_uncached(gemspec_name).
+        dependencies.
+        map(&method(:serialize_bundler_dependency))
+    end
+
+    private
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name && File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def parsed_lockfile
+      return unless lockfile
+
+      @parsed_lockfile ||= Bundler::LockfileParser.new(lockfile)
+    end
+
+    def source_from_lockfile(dependency_name)
+      parsed_lockfile&.specs.find { |s| s.name == dependency_name }&.source
+    end
+
+    def source_for(dependency)
+      source = dependency.source
+      if lockfile && default_rubygems?(source)
+        # If there's a lockfile and the Gemfile doesn't have anything
+        # interesting to say about the source, check that.
+        source = source_from_lockfile(dependency.name)
+      end
+      raise "Bad source: #{source}" unless sources.include?(source.class)
+
+      return nil if default_rubygems?(source)
+
+      details = { type: source.class.name.split("::").last.downcase }
+      if source.is_a?(Bundler::Source::Git)
+        details.merge!(git_source_details(source))
+      end
+      if source.is_a?(Bundler::Source::Rubygems)
+        details[:url] = source.remotes.first.to_s
+      end
+      details
+    end
+
+    # TODO: Remove default `master` branch
+    def git_source_details(source)
+      {
+        url: source.uri,
+        branch: source.branch || "master",
+        ref: source.ref || "master"
+      }
+    end
+
+    def default_rubygems?(source)
+      return true if source.nil?
+      return false unless source.is_a?(Bundler::Source::Rubygems)
+
+      source.remotes.any? { |r| r.to_s.include?("rubygems.org") }
+    end
+
+    def serialize_bundler_dependency(dependency)
+      {
+        name: dependency.name,
+        requirement: dependency.requirement,
+        groups: dependency.groups,
+        source: source_for(dependency),
+        type: dependency.type
+      }
+    end
+
+    # Can't be a constant because some of these don't exist in bundler
+    # 1.15, which used to cause issues on Heroku (causing exception on boot).
+    # TODO: Check if this will be an issue with multiple bundler versions
+    def sources
+      [
+        NilClass,
+        Bundler::Source::Rubygems,
+        Bundler::Source::Git,
+        Bundler::Source::Path,
+        Bundler::Source::Gemspec,
+        Bundler::Source::Metadata
+      ]
+    end
+  end
+end

data/helpers/v2/lib/functions/force_updater.rb

@@ -0,0 +1,167 @@
+module Functions
+  class ForceUpdater
+    class TransitiveDependencyError < StandardError; end
+
+    def initialize(dependency_name:, target_version:, gemfile_name:,
+                   lockfile_name:, update_multiple_dependencies:)
+      @dependency_name = dependency_name
+      @target_version = target_version
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+      @update_multiple_dependencies = update_multiple_dependencies
+    end
+
+    def run
+      # Only allow upgrades. Otherwise it's unlikely that this
+      # resolution will be found by the FileUpdater
+      Bundler.settings.set_command_option(
+        "only_update_to_newer_versions",
+        true
+      )
+
+      dependencies_to_unlock = []
+
+      begin
+        definition = build_definition(dependencies_to_unlock: dependencies_to_unlock)
+        definition.resolve_remotely!
+        specs = definition.resolve
+        updates = [{ name: dependency_name }] +
+                  dependencies_to_unlock.map { |dep| { name: dep.name } }
+        specs = specs.map do |dep|
+          {
+            name: dep.name,
+            version: dep.version
+          }
+        end
+        [updates, specs]
+      rescue Bundler::VersionConflict => e
+        raise unless update_multiple_dependencies?
+
+        # TODO: Not sure this won't unlock way too many things...
+        new_dependencies_to_unlock =
+          new_dependencies_to_unlock_from(
+            error: e,
+            already_unlocked: dependencies_to_unlock
+          )
+
+        raise if new_dependencies_to_unlock.none?
+
+        dependencies_to_unlock += new_dependencies_to_unlock
+        retry
+      end
+    end
+
+    private
+
+    attr_reader :dependency_name, :target_version, :gemfile_name,
+                :lockfile_name, :credentials,
+                :update_multiple_dependencies
+    alias update_multiple_dependencies? update_multiple_dependencies
+
+    def new_dependencies_to_unlock_from(error:, already_unlocked:)
+      potentials_deps =
+        relevant_conflicts(error, already_unlocked).
+        flat_map(&:requirement_trees).
+        reject do |tree|
+          # If the final requirement wasn't specific, it can't be binding
+          next true if tree.last.requirement == Gem::Requirement.new(">= 0")
+
+          # If the conflict wasn't for the dependency we're updating then
+          # we don't have enough info to reject it
+          next false unless tree.last.name == dependency_name
+
+          # If the final requirement *was* for the dependency we're updating
+          # then we can ignore the tree if it permits the target version
+          tree.last.requirement.satisfied_by?(
+            Gem::Version.new(target_version)
+          )
+        end.map(&:first)
+
+      potentials_deps.
+        reject { |dep| already_unlocked.map(&:name).include?(dep.name) }.
+        reject { |dep| [dependency_name, "ruby\0"].include?(dep.name) }.
+        uniq
+    end
+
+    def relevant_conflicts(error, dependencies_being_unlocked)
+      names = [*dependencies_being_unlocked.map(&:name), dependency_name]
+
+      # For a conflict to be relevant to the updates we're making it must be
+      # 1) caused by a new requirement introduced by our unlocking, or
+      # 2) caused by an old requirement that prohibits the update.
+      # Hence, we look at the beginning and end of the requirement trees
+      error.cause.conflicts.values.
+        select do |conflict|
+          conflict.requirement_trees.any? do |t|
+            names.include?(t.last.name) || names.include?(t.first.name)
+          end
+        end
+    end
+
+    def build_definition(dependencies_to_unlock:)
+      gems_to_unlock = dependencies_to_unlock.map(&:name) + [dependency_name]
+      definition = Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: gems_to_unlock + subdependencies,
+        lock_shared_dependencies: true
+      )
+
+      # Remove the Gemfile / gemspec requirements on the gems we're
+      # unlocking (i.e., completely unlock them)
+      gems_to_unlock.each do |gem_name|
+        unlock_gem(definition: definition, gem_name: gem_name)
+      end
+
+      dep = definition.dependencies.
+            find { |d| d.name == dependency_name }
+
+      # If the dependency is not found in the Gemfile it means this is a
+      # transitive dependency that we can't force update.
+      raise TransitiveDependencyError unless dep
+
+      # Set the requirement for the gem we're forcing an update of
+      new_req = Gem::Requirement.create("= #{target_version}")
+      dep.instance_variable_set(:@requirement, new_req)
+      dep.source = nil if dep.source.is_a?(Bundler::Source::Git)
+
+      definition
+    end
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name && File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def subdependencies
+      # If there's no lockfile we don't need to worry about
+      # subdependencies
+      return [] unless lockfile
+
+      all_deps =  Bundler::LockfileParser.new(lockfile).
+                  specs.map(&:name).map(&:to_s)
+      top_level = Bundler::Definition.
+                  build(gemfile_name, lockfile_name, {}).
+                  dependencies.map(&:name).map(&:to_s)
+
+      all_deps - top_level
+    end
+
+    def unlock_gem(definition:, gem_name:)
+      dep = definition.dependencies.find { |d| d.name == gem_name }
+      version = definition.locked_gems.specs.
+                find { |d| d.name == gem_name }.version
+
+      dep&.instance_variable_set(
+        :@requirement,
+        Gem::Requirement.create(">= #{version}")
+      )
+    end
+  end
+end

data/helpers/v2/lib/functions/lockfile_updater.rb

@@ -0,0 +1,224 @@
+# frozen_string_literal: true
+
+module Functions
+  class LockfileUpdater
+    RETRYABLE_ERRORS = [Bundler::HTTPError].freeze
+    GEM_NOT_FOUND_ERROR_REGEX =
+      /
+        locked\sto\s(?<name>[^\s]+)\s\(|
+        not\sfind\s(?<name>[^\s]+)-\d|
+        has\s(?<name>[^\s]+)\slocked\sat
+      /x.freeze
+
+    def initialize(gemfile_name:, lockfile_name:, dependencies:)
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+      @dependencies = dependencies
+    end
+
+    def run
+      generate_lockfile
+    end
+
+    private
+
+    attr_reader :gemfile_name, :lockfile_name, :dependencies
+
+    def generate_lockfile
+      dependencies_to_unlock = dependencies.map { |d| d.fetch("name") }
+
+      begin
+        definition = build_definition(dependencies_to_unlock)
+
+        old_reqs = lock_deps_being_updated_to_exact_versions(definition)
+
+        definition.resolve_remotely!
+
+        old_reqs.each do |dep_name, old_req|
+          d_dep = definition.dependencies.find { |d| d.name == dep_name }
+          if old_req == :none then definition.dependencies.delete(d_dep)
+          else
+            d_dep.instance_variable_set(:@requirement, old_req)
+          end
+        end
+
+        cache_vendored_gems(definition) if Bundler.app_cache.exist?
+
+        definition.to_lock
+      rescue Bundler::GemNotFound => e
+        unlock_yanked_gem(dependencies_to_unlock, e) && retry
+      rescue Bundler::VersionConflict => e
+        unlock_blocking_subdeps(dependencies_to_unlock, e) && retry
+      rescue *RETRYABLE_ERRORS
+        raise if @retrying
+
+        @retrying = true
+        sleep(rand(1.0..5.0))
+        retry
+      end
+    end
+
+    def cache_vendored_gems(definition)
+      # Dependencies that have been unlocked for the update (including
+      # sub-dependencies)
+      unlocked_gems = definition.instance_variable_get(:@unlock).
+                      fetch(:gems).reject { |gem| __keep_on_prune?(gem) }
+      bundler_opts = {
+        cache_all: true,
+        cache_all_platforms: true,
+        no_prune: true
+      }
+
+      Bundler.settings.temporary(**bundler_opts) do
+        # Fetch and cache gems on all platforms without pruning
+        Bundler::Runtime.new(nil, definition).cache
+
+        # Only prune unlocked gems (the original implementation is in
+        # Bundler::Runtime)
+        cache_path = Bundler.app_cache
+        resolve = definition.resolve
+        prune_gem_cache(resolve, cache_path, unlocked_gems)
+        prune_git_and_path_cache(resolve, cache_path)
+      end
+    end
+
+    # This is not officially supported and may be removed without notice.
+    def __keep_on_prune?(spec_name)
+      unless (specs = Bundler.settings[:persistent_gems_after_clean])
+        return false
+      end
+
+      specs.include?(spec_name)
+    end
+
+    # Copied from Bundler::Runtime: Modified to only prune gems that have
+    # been unlocked
+    def prune_gem_cache(resolve, cache_path, unlocked_gems)
+      cached_gems = Dir["#{cache_path}/*.gem"]
+
+      outdated_gems = cached_gems.reject do |path|
+        spec = Bundler.rubygems.spec_from_gem path
+
+        !unlocked_gems.include?(spec.name) || resolve.any? do |s|
+          s.name == spec.name && s.version == spec.version &&
+            !s.source.is_a?(Bundler::Source::Git)
+        end
+      end
+
+      return unless outdated_gems.any?
+
+      outdated_gems.each do |path|
+        File.delete(path)
+      end
+    end
+
+    # Copied from Bundler::Runtime
+    def prune_git_and_path_cache(resolve, cache_path)
+      cached_git_and_path = Dir["#{cache_path}/*/.bundlecache"]
+
+      outdated_git_and_path = cached_git_and_path.reject do |path|
+        name = File.basename(File.dirname(path))
+
+        resolve.any? do |s|
+          s.source.respond_to?(:app_cache_dirname) &&
+            s.source.app_cache_dirname == name
+        end
+      end
+
+      return unless outdated_git_and_path.any?
+
+      outdated_git_and_path.each do |path|
+        path = File.dirname(path)
+        FileUtils.rm_rf(path)
+      end
+    end
+
+    def unlock_yanked_gem(dependencies_to_unlock, error)
+      raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
+
+      gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
+                 named_captures["name"]
+      raise if dependencies_to_unlock.include?(gem_name)
+
+      dependencies_to_unlock << gem_name
+    end
+
+    # rubocop:disable Metrics/PerceivedComplexity
+    def unlock_blocking_subdeps(dependencies_to_unlock, error)
+      all_deps =  Bundler::LockfileParser.new(lockfile).
+                  specs.map(&:name).map(&:to_s)
+      top_level = build_definition([]).dependencies.
+                  map(&:name).map(&:to_s)
+      allowed_new_unlocks = all_deps - top_level - dependencies_to_unlock
+
+      raise if allowed_new_unlocks.none?
+
+      # Unlock any sub-dependencies that Bundler reports caused the
+      # conflict
+      potentials_deps =
+        error.cause.conflicts.values.
+        flat_map(&:requirement_trees).
+        map do |tree|
+          tree.find { |req| allowed_new_unlocks.include?(req.name) }
+        end.compact.map(&:name)
+
+      # If there are specific dependencies we can unlock, unlock them
+      return dependencies_to_unlock.append(*potentials_deps) if potentials_deps.any?
+
+      # Fall back to unlocking *all* sub-dependencies. This is required
+      # because Bundler's VersionConflict objects don't include enough
+      # information to chart the full path through all conflicts unwound
+      dependencies_to_unlock.append(*allowed_new_unlocks)
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    def build_definition(dependencies_to_unlock)
+      defn = Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: dependencies_to_unlock
+      )
+
+      # Bundler unlocks the sub-dependencies of gems it is passed even
+      # if those sub-deps are top-level dependencies. We only want true
+      # subdeps unlocked, like they were in the UpdateChecker, so we
+      # mutate the unlocked gems array.
+      unlocked = defn.instance_variable_get(:@unlock).fetch(:gems)
+      must_not_unlock = defn.dependencies.map(&:name).map(&:to_s) -
+                        dependencies_to_unlock
+      unlocked.reject! { |n| must_not_unlock.include?(n) }
+
+      defn
+    end
+
+    def lock_deps_being_updated_to_exact_versions(definition)
+      dependencies.each_with_object({}) do |dep, old_reqs|
+        defn_dep = definition.dependencies.find do |d|
+          d.name == dep.fetch("name")
+        end
+
+        if defn_dep.nil?
+          definition.dependencies <<
+            Bundler::Dependency.new(dep.fetch("name"), dep.fetch("version"))
+          old_reqs[dep.fetch("name")] = :none
+        elsif git_dependency?(dep) &&
+              defn_dep.source.is_a?(Bundler::Source::Git)
+          defn_dep.source.unlock!
+        elsif Gem::Version.correct?(dep.fetch("version"))
+          new_req = Gem::Requirement.create("= #{dep.fetch('version')}")
+          old_reqs[dep.fetch("name")] = defn_dep.requirement
+          defn_dep.instance_variable_set(:@requirement, new_req)
+        end
+      end
+    end
+
+    def git_dependency?(dep)
+      sources = dep.fetch("requirements").map { |r| r.fetch("source") }
+      sources.all? { |s| s&.fetch("type", nil) == "git" }
+    end
+
+    def lockfile
+      @lockfile ||= File.read(lockfile_name)
+    end
+  end
+end