dependabot-bundler 0.138.2 → 0.138.7

data/helpers/v2/lib/functions/lockfile_updater.rb

@@ -0,0 +1,224 @@
+# frozen_string_literal: true
+
+module Functions
+  class LockfileUpdater
+    RETRYABLE_ERRORS = [Bundler::HTTPError].freeze
+    GEM_NOT_FOUND_ERROR_REGEX =
+      /
+        locked\sto\s(?<name>[^\s]+)\s\(|
+        not\sfind\s(?<name>[^\s]+)-\d|
+        has\s(?<name>[^\s]+)\slocked\sat
+      /x.freeze
+
+    def initialize(gemfile_name:, lockfile_name:, dependencies:)
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+      @dependencies = dependencies
+    end
+
+    def run
+      generate_lockfile
+    end
+
+    private
+
+    attr_reader :gemfile_name, :lockfile_name, :dependencies
+
+    def generate_lockfile
+      dependencies_to_unlock = dependencies.map { |d| d.fetch("name") }
+
+      begin
+        definition = build_definition(dependencies_to_unlock)
+
+        old_reqs = lock_deps_being_updated_to_exact_versions(definition)
+
+        definition.resolve_remotely!
+
+        old_reqs.each do |dep_name, old_req|
+          d_dep = definition.dependencies.find { |d| d.name == dep_name }
+          if old_req == :none then definition.dependencies.delete(d_dep)
+          else
+            d_dep.instance_variable_set(:@requirement, old_req)
+          end
+        end
+
+        cache_vendored_gems(definition) if Bundler.app_cache.exist?
+
+        definition.to_lock
+      rescue Bundler::GemNotFound => e
+        unlock_yanked_gem(dependencies_to_unlock, e) && retry
+      rescue Bundler::VersionConflict => e
+        unlock_blocking_subdeps(dependencies_to_unlock, e) && retry
+      rescue *RETRYABLE_ERRORS
+        raise if @retrying
+
+        @retrying = true
+        sleep(rand(1.0..5.0))
+        retry
+      end
+    end
+
+    def cache_vendored_gems(definition)
+      # Dependencies that have been unlocked for the update (including
+      # sub-dependencies)
+      unlocked_gems = definition.instance_variable_get(:@unlock).
+                      fetch(:gems).reject { |gem| __keep_on_prune?(gem) }
+      bundler_opts = {
+        cache_all: true,
+        cache_all_platforms: true,
+        no_prune: true
+      }
+
+      Bundler.settings.temporary(**bundler_opts) do
+        # Fetch and cache gems on all platforms without pruning
+        Bundler::Runtime.new(nil, definition).cache
+
+        # Only prune unlocked gems (the original implementation is in
+        # Bundler::Runtime)
+        cache_path = Bundler.app_cache
+        resolve = definition.resolve
+        prune_gem_cache(resolve, cache_path, unlocked_gems)
+        prune_git_and_path_cache(resolve, cache_path)
+      end
+    end
+
+    # This is not officially supported and may be removed without notice.
+    def __keep_on_prune?(spec_name)
+      unless (specs = Bundler.settings[:persistent_gems_after_clean])
+        return false
+      end
+
+      specs.include?(spec_name)
+    end
+
+    # Copied from Bundler::Runtime: Modified to only prune gems that have
+    # been unlocked
+    def prune_gem_cache(resolve, cache_path, unlocked_gems)
+      cached_gems = Dir["#{cache_path}/*.gem"]
+
+      outdated_gems = cached_gems.reject do |path|
+        spec = Bundler.rubygems.spec_from_gem path
+
+        !unlocked_gems.include?(spec.name) || resolve.any? do |s|
+          s.name == spec.name && s.version == spec.version &&
+            !s.source.is_a?(Bundler::Source::Git)
+        end
+      end
+
+      return unless outdated_gems.any?
+
+      outdated_gems.each do |path|
+        File.delete(path)
+      end
+    end
+
+    # Copied from Bundler::Runtime
+    def prune_git_and_path_cache(resolve, cache_path)
+      cached_git_and_path = Dir["#{cache_path}/*/.bundlecache"]
+
+      outdated_git_and_path = cached_git_and_path.reject do |path|
+        name = File.basename(File.dirname(path))
+
+        resolve.any? do |s|
+          s.source.respond_to?(:app_cache_dirname) &&
+            s.source.app_cache_dirname == name
+        end
+      end
+
+      return unless outdated_git_and_path.any?
+
+      outdated_git_and_path.each do |path|
+        path = File.dirname(path)
+        FileUtils.rm_rf(path)
+      end
+    end
+
+    def unlock_yanked_gem(dependencies_to_unlock, error)
+      raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
+
+      gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
+                 named_captures["name"]
+      raise if dependencies_to_unlock.include?(gem_name)
+
+      dependencies_to_unlock << gem_name
+    end
+
+    # rubocop:disable Metrics/PerceivedComplexity
+    def unlock_blocking_subdeps(dependencies_to_unlock, error)
+      all_deps =  Bundler::LockfileParser.new(lockfile).
+                  specs.map(&:name).map(&:to_s)
+      top_level = build_definition([]).dependencies.
+                  map(&:name).map(&:to_s)
+      allowed_new_unlocks = all_deps - top_level - dependencies_to_unlock
+
+      raise if allowed_new_unlocks.none?
+
+      # Unlock any sub-dependencies that Bundler reports caused the
+      # conflict
+      potentials_deps =
+        error.cause.conflicts.values.
+        flat_map(&:requirement_trees).
+        map do |tree|
+          tree.find { |req| allowed_new_unlocks.include?(req.name) }
+        end.compact.map(&:name)
+
+      # If there are specific dependencies we can unlock, unlock them
+      return dependencies_to_unlock.append(*potentials_deps) if potentials_deps.any?
+
+      # Fall back to unlocking *all* sub-dependencies. This is required
+      # because Bundler's VersionConflict objects don't include enough
+      # information to chart the full path through all conflicts unwound
+      dependencies_to_unlock.append(*allowed_new_unlocks)
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    def build_definition(dependencies_to_unlock)
+      defn = Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: dependencies_to_unlock
+      )
+
+      # Bundler unlocks the sub-dependencies of gems it is passed even
+      # if those sub-deps are top-level dependencies. We only want true
+      # subdeps unlocked, like they were in the UpdateChecker, so we
+      # mutate the unlocked gems array.
+      unlocked = defn.instance_variable_get(:@unlock).fetch(:gems)
+      must_not_unlock = defn.dependencies.map(&:name).map(&:to_s) -
+                        dependencies_to_unlock
+      unlocked.reject! { |n| must_not_unlock.include?(n) }
+
+      defn
+    end
+
+    def lock_deps_being_updated_to_exact_versions(definition)
+      dependencies.each_with_object({}) do |dep, old_reqs|
+        defn_dep = definition.dependencies.find do |d|
+          d.name == dep.fetch("name")
+        end
+
+        if defn_dep.nil?
+          definition.dependencies <<
+            Bundler::Dependency.new(dep.fetch("name"), dep.fetch("version"))
+          old_reqs[dep.fetch("name")] = :none
+        elsif git_dependency?(dep) &&
+              defn_dep.source.is_a?(Bundler::Source::Git)
+          defn_dep.source.unlock!
+        elsif Gem::Version.correct?(dep.fetch("version"))
+          new_req = Gem::Requirement.create("= #{dep.fetch('version')}")
+          old_reqs[dep.fetch("name")] = defn_dep.requirement
+          defn_dep.instance_variable_set(:@requirement, new_req)
+        end
+      end
+    end
+
+    def git_dependency?(dep)
+      sources = dep.fetch("requirements").map { |r| r.fetch("source") }
+      sources.all? { |s| s&.fetch("type", nil) == "git" }
+    end
+
+    def lockfile
+      @lockfile ||= File.read(lockfile_name)
+    end
+  end
+end

data/helpers/v2/lib/functions/version_resolver.rb

@@ -0,0 +1,140 @@
+module Functions
+  class VersionResolver
+    GEM_NOT_FOUND_ERROR_REGEX = /locked to (?<name>[^\s]+) \(/.freeze
+
+    attr_reader :dependency_name, :dependency_requirements,
+                :gemfile_name, :lockfile_name
+
+    def initialize(dependency_name:, dependency_requirements:,
+                   gemfile_name:, lockfile_name:)
+      @dependency_name = dependency_name
+      @dependency_requirements = dependency_requirements
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+    end
+
+    def version_details
+      dep = dependency_from_definition
+
+      # If the dependency wasn't found in the definition, but *is*
+      # included in a gemspec, it's because the Gemfile didn't import
+      # the gemspec. This is unusual, but the correct behaviour if/when
+      # it happens is to behave as if the repo was gemspec-only.
+      if dep.nil? && dependency_requirements.any?
+        return "latest"
+      end
+
+      # Otherwise, if the dependency wasn't found it's because it is a
+      # subdependency that was removed when attempting to update it.
+      return nil if dep.nil?
+
+      # If the dependency is Bundler itself then we can't trust the
+      # version that has been returned (it's the version Dependabot is
+      # running on, rather than the true latest resolvable version).
+      return nil if dep.name == "bundler"
+
+      details = {
+        version: dep.version,
+        ruby_version: ruby_version,
+        fetcher: fetcher_class(dep)
+      }
+      if dep.source.instance_of?(::Bundler::Source::Git)
+        details[:commit_sha] = dep.source.revision
+      end
+      details
+    end
+
+    private
+
+    # rubocop:disable Metrics/PerceivedComplexity
+    def dependency_from_definition(unlock_subdependencies: true)
+      dependencies_to_unlock = [dependency_name]
+      dependencies_to_unlock += subdependencies if unlock_subdependencies
+      begin
+        definition = build_definition(dependencies_to_unlock)
+        definition.resolve_remotely!
+      rescue ::Bundler::GemNotFound => e
+        unlock_yanked_gem(dependencies_to_unlock, e) && retry
+      rescue ::Bundler::HTTPError => e
+        # Retry network errors
+        # Note: in_a_native_bundler_context will also retry `Bundler::HTTPError` errors
+        # up to three times meaning we'll end up retrying this error up to six times
+        # TODO: Could we get rid of this retry logic and only rely on
+        # SharedBundlerHelpers.in_a_native_bundler_context
+        attempt ||= 1
+        attempt += 1
+        raise if attempt > 3 || !e.message.include?("Network error")
+
+        retry
+      end
+
+      dep = definition.resolve.find { |d| d.name == dependency_name }
+      return dep if dep
+      return if dependency_requirements.any? || !unlock_subdependencies
+
+      # If no definition was found and we're updating a sub-dependency,
+      # try again but without unlocking any other sub-dependencies
+      dependency_from_definition(unlock_subdependencies: false)
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    def subdependencies
+      # If there's no lockfile we don't need to worry about
+      # subdependencies
+      return [] unless lockfile
+
+      all_deps =  ::Bundler::LockfileParser.new(lockfile).
+                  specs.map(&:name).map(&:to_s).uniq
+      top_level = build_definition([]).dependencies.
+                  map(&:name).map(&:to_s)
+
+      all_deps - top_level
+    end
+
+    def build_definition(dependencies_to_unlock)
+      # Note: we lock shared dependencies to avoid any top-level
+      # dependencies getting unlocked (which would happen if they were
+      # also subdependencies of the dependency being unlocked)
+      ::Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: dependencies_to_unlock,
+        lock_shared_dependencies: true
+      )
+    end
+
+    def unlock_yanked_gem(dependencies_to_unlock, error)
+      raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
+
+      gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
+                 named_captures["name"]
+      raise if dependencies_to_unlock.include?(gem_name)
+
+      dependencies_to_unlock << gem_name
+    end
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name
+          return unless File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def fetcher_class(dep)
+      return unless dep.source.is_a?(::Bundler::Source::Rubygems)
+
+      dep.source.fetchers.first.fetchers.first.class.to_s
+    end
+
+    def ruby_version
+      return nil unless gemfile_name
+
+      @ruby_version ||= build_definition([]).ruby_version&.gem_version
+    end
+  end
+end

data/helpers/v2/monkey_patches/definition_ruby_version_patch.rb

@@ -8,11 +8,11 @@ module BundlerDefinitionRubyVersionPatch
       if ruby_version
         requested_version = ruby_version.to_gem_version_with_patchlevel
         sources.metadata_source.specs <<
-          Gem::Specification.new("ruby\0", requested_version)
+          Gem::Specification.new("Ruby\0", requested_version)
       end
 
       sources.metadata_source.specs <<
-        Gem::Specification.new("ruby\0", "2.5.3p105")
+        Gem::Specification.new("Ruby\0", "2.5.3p105")
     end
   end
 end

data/helpers/v2/run.rb

@@ -2,7 +2,7 @@ require "bundler"
 require "json"
 
 $LOAD_PATH.unshift(File.expand_path("./lib", __dir__))
-$LOAD_PATH.unshift(File.expand_path("../v1/monkey_patches", __dir__))
+$LOAD_PATH.unshift(File.expand_path("./monkey_patches", __dir__))
 
 # Bundler monkey patches
 require "definition_ruby_version_patch"
@@ -11,11 +11,25 @@ require "git_source_patch"
 
 require "functions"
 
+MIN_BUNDLER_VERSION = "2.0.0"
+
+def validate_bundler_version!
+  return true if correct_bundler_version?
+
+  raise StandardError, "Called with Bundler '#{Bundler::VERSION}', expected >= '#{MIN_BUNDLER_VERSION}'"
+end
+
+def correct_bundler_version?
+  Gem::Version.new(Bundler::VERSION) >= Gem::Version.new(MIN_BUNDLER_VERSION)
+end
+
 def output(obj)
   print JSON.dump(obj)
 end
 
 begin
+  validate_bundler_version!
+
   request = JSON.parse($stdin.read)
 
   function = request["function"]

data/helpers/v2/spec/functions/conflicting_dependency_resolver_spec.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::ConflictingDependencyResolver do
+  include_context "in a temporary bundler directory"
+
+  let(:conflicting_dependency_resolver) do
+    described_class.new(
+      dependency_name: dependency_name,
+      target_version: target_version,
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:dependency_name) { "dummy-pkg-a" }
+  let(:target_version) { "2.0.0" }
+
+  let(:project_name) { "blocked_by_subdep" }
+
+  describe "#conflicting_dependencies" do
+    subject(:conflicting_dependencies) do
+      in_tmp_folder { conflicting_dependency_resolver.conflicting_dependencies }
+    end
+
+    it "returns a list of dependencies that block the update" do
+      expect(conflicting_dependencies).to eq(
+        [{
+          "explanation" => "dummy-pkg-b (1.0.0) requires dummy-pkg-a (< 2.0.0)",
+          "name" => "dummy-pkg-b",
+          "version" => "1.0.0",
+          "requirement" => "< 2.0.0"
+        }]
+      )
+    end
+
+    context "for nested transitive dependencies" do
+      let(:project_name) { "transitive_blocking" }
+      let(:dependency_name) { "activesupport" }
+      let(:target_version) { "6.0.0" }
+
+      it "returns a list of dependencies that block the update" do
+        expect(conflicting_dependencies).to match_array(
+          [
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0)",
+              "name" => "rails",
+              "requirement" => "= 5.2.0",
+              "version" => "5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionpack (5.2.0)",
+              "name" => "actionpack",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionview (5.2.0)",
+              "name" => "actionview",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activejob (5.2.0)",
+              "name" => "activejob",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activemodel (5.2.0)",
+              "name" => "activemodel",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activerecord (5.2.0)",
+              "name" => "activerecord",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            },
+            {
+              "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via railties (5.2.0)",
+              "name" => "railties",
+              "version" => "5.2.0",
+              "requirement" => "= 5.2.0"
+            }
+          ]
+        )
+      end
+    end
+
+    context "with multiple blocking dependencies" do
+      let(:dependency_name) { "activesupport" }
+      let(:current_version) { "5.0.0" }
+      let(:target_version) { "6.0.0" }
+      let(:project_name) { "multiple_blocking" }
+
+      it "returns all of the blocking dependencies" do
+        expect(conflicting_dependencies).to match_array(
+          [
+            {
+              "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via actionpack (5.0.0)",
+              "name" => "actionpack",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            },
+            {
+              "explanation" => "actionview (5.0.0) requires activesupport (= 5.0.0)",
+              "name" => "actionview",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            },
+            {
+              "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via activejob (5.0.0)",
+              "name" => "activejob",
+              "version" => "5.0.0",
+              "requirement" => "= 5.0.0"
+            }
+          ]
+        )
+      end
+    end
+
+    context "without any blocking dependencies" do
+      let(:target_version) { "1.0.0" }
+
+      it "returns an empty list" do
+        expect(conflicting_dependencies).to eq([])
+      end
+    end
+  end
+end