dependabot-bundler 0.138.2 → 0.138.7

data/helpers/v2/spec/functions/dependency_source_spec.rb

@@ -0,0 +1,185 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::DependencySource do
+  include_context "in a temporary bundler directory"
+
+  let(:dependency_source) do
+    described_class.new(
+      gemfile_name: "Gemfile",
+      dependency_name: dependency_name
+    )
+  end
+
+  let(:dependency_name) { "business" }
+
+  let(:project_name) { "specified_source_no_lockfile" }
+  let(:registry_url) { "https://repo.fury.io/greysteil/" }
+  let(:gemfury_business_url) do
+    "https://repo.fury.io/greysteil/api/v1/dependencies?gems=business"
+  end
+
+  before do
+    stub_request(:get, registry_url + "versions").
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 404)
+    stub_request(:get, registry_url + "api/v1/dependencies").
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 200)
+    stub_request(:get, gemfury_business_url).
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+  end
+
+  describe "#private_registry_versions" do
+    subject(:private_registry_versions) do
+      in_tmp_folder { dependency_source.private_registry_versions }
+    end
+
+    it "returns all versions from the private source" do
+      is_expected.to eq([
+                          Gem::Version.new("1.5.0"),
+                          Gem::Version.new("1.9.0"),
+                          Gem::Version.new("1.10.0.beta")
+                        ])
+    end
+
+    context "specified as the default source" do
+      let(:project_name) { "specified_default_source_no_lockfile" }
+
+      it "returns all versions from the private source" do
+        is_expected.to eq([
+                            Gem::Version.new("1.5.0"),
+                            Gem::Version.new("1.9.0"),
+                            Gem::Version.new("1.10.0.beta")
+                          ])
+      end
+    end
+
+    context "that we don't have authentication details for" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+      end
+
+      it "blows up with a useful error" do
+        error_class = Bundler::Fetcher::BadAuthenticationError
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(error_class)
+            expect(error.message).to include("Bad username or password for")
+          end
+      end
+    end
+
+    context "that we have bad authentication details for" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+      end
+
+      it "blows up with a useful error" do
+        error_class = Bundler::Fetcher::BadAuthenticationError
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(error_class)
+            expect(error.message).to include("Bad username or password for")
+          end
+      end
+    end
+
+    context "that bad-requested, but was a private repo" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+      end
+
+      it "blows up with a useful error" do
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(Bundler::HTTPError)
+            expect(error.message).
+              to include("Could not fetch specs from")
+          end
+      end
+    end
+
+    context "that doesn't have details of the gem" do
+      before do
+        stub_request(:get, gemfury_business_url).
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 404)
+
+        # Stub indexes to return details of other gems (but not this one)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_response")
+          )
+        stub_request(:get, registry_url + "prerelease_specs.4.8.gz").
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_prerelease_response")
+          )
+      end
+
+      it { is_expected.to be_empty }
+    end
+
+    context "that only implements the old Bundler index format..." do
+      let(:project_name) { "sidekiq_pro" }
+      let(:dependency_name) { "sidekiq-pro" }
+      let(:registry_url) { "https://gems.contribsys.com/" }
+
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: %w(username password)).
+          to_return(status: 404)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: %w(username password)).
+          to_return(status: 404)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: %w(username password)).
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_response")
+          )
+        stub_request(:get, registry_url + "prerelease_specs.4.8.gz").
+          with(basic_auth: %w(username password)).
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_prerelease_response")
+          )
+      end
+
+      it "returns all versions from the private source" do
+        expect(private_registry_versions.length).to eql(70)
+        expect(private_registry_versions.min).to eql(Gem::Version.new("1.0.0"))
+        expect(private_registry_versions.max).to eql(Gem::Version.new("3.5.2"))
+      end
+    end
+  end
+end

data/helpers/v2/spec/functions/version_resolver_spec.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::VersionResolver do
+  include_context "in a temporary bundler directory"
+  include_context "stub rubygems compact index"
+
+  let(:version_resolver) do
+    described_class.new(
+      dependency_name: dependency_name,
+      dependency_requirements: dependency_requirements,
+      gemfile_name: "Gemfile",
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:dependency_name) { "business" }
+  let(:dependency_requirements) do
+    [{
+      file: "Gemfile",
+      requirement: requirement_string,
+      groups: [],
+      source: source
+    }]
+  end
+  let(:source) { nil }
+
+  let(:rubygems_url) { "https://index.rubygems.org/api/v1/" }
+  let(:old_index_url) { rubygems_url + "dependencies" }
+
+  describe "#version_details" do
+    subject do
+      in_tmp_folder { version_resolver.version_details }
+    end
+
+    let(:project_name) { "gemfile" }
+    let(:requirement_string) { " >= 0" }
+
+    its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
+    its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::CompactIndex") }
+
+    context "with a private gemserver source" do
+      include_context "stub rubygems compact index"
+
+      let(:project_name) { "specified_source" }
+      let(:requirement_string) { ">= 0" }
+
+      before do
+        gemfury_url = "https://repo.fury.io/greysteil/"
+        gemfury_deps_url = gemfury_url + "api/v1/dependencies"
+
+        stub_request(:get, gemfury_url + "versions").
+          to_return(status: 200, body: fixture("ruby", "gemfury-index"))
+        stub_request(:get, gemfury_url + "info/business").to_return(status: 404)
+        stub_request(:get, gemfury_deps_url).to_return(status: 200)
+        stub_request(:get, gemfury_deps_url + "?gems=business,statesman").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+        stub_request(:get, gemfury_deps_url + "?gems=business").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+        stub_request(:get, gemfury_deps_url + "?gems=statesman").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+      end
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.9.0")) }
+      its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") }
+    end
+
+    context "with a git source" do
+      let(:project_name) { "git_source" }
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.6.0")) }
+      its([:fetcher]) { is_expected.to be_nil }
+    end
+
+    context "when Bundler's compact index is down" do
+      before do
+        stub_request(:get, "https://index.rubygems.org/versions").
+          to_return(status: 500, body: "We'll be back soon")
+        stub_request(:get, "https://index.rubygems.org/info/public_suffix").
+          to_return(status: 500, body: "We'll be back soon")
+        stub_request(:get, old_index_url).to_return(status: 200)
+        stub_request(:get, old_index_url + "?gems=business,statesman").
+          to_return(
+            status: 200,
+            body: fixture("ruby",
+                          "rubygems_responses",
+                          "dependencies-default-gemfile")
+          )
+      end
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
+      its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") }
+    end
+  end
+end

data/helpers/v2/spec/functions_spec.rb

@@ -1,33 +1,24 @@
 # frozen_string_literal: true
 
 require "native_spec_helper"
+require "shared_contexts"
 
 RSpec.describe Functions do
-  # Verify v1 method signatures are exist, but raise as NYI
-  {
-    vendor_cache_dir: [ :dir ],
-    update_lockfile: [ :dir, :gemfile_name, :lockfile_name, :using_bundler2, :credentials, :dependencies ],
-    force_update: [ :dir, :dependency_name, :target_version, :gemfile_name, :lockfile_name, :using_bundler2,
-                    :credentials, :update_multiple_dependencies ],
-    dependency_source_type: [ :gemfile_name, :dependency_name, :dir, :credentials ],
-    depencency_source_latest_git_version: [ :gemfile_name, :dependency_name, :dir, :credentials, :dependency_source_url,
-                                            :dependency_source_branch  ],
-    private_registry_versions: [:gemfile_name, :dependency_name, :dir, :credentials ],
-    resolve_version: [:dependency_name, :dependency_requirements, :gemfile_name, :lockfile_name, :using_bundler2,
-                      :dir, :credentials],
-    jfrog_source: [:dir, :gemfile_name, :credentials, :using_bundler2],
-    git_specs: [:dir, :gemfile_name, :credentials, :using_bundler2],
-    conflicting_dependencies: [:dir, :dependency_name, :target_version, :lockfile_name, :using_bundler2, :credentials]
-  }.each do |function, kwargs|
-    describe "::#{function}" do
-      let(:args) do
-        kwargs.inject({}) do |args, keyword|
-          args.merge({ keyword => anything })
-        end
-      end
+  include_context "in a temporary bundler directory"
+
+  describe "#jfrog_source" do
+    let(:project_name) { "jfrog_source" }
+
+    it "returns the jfrog source" do
+      in_tmp_folder do
+        jfrog_source = Functions.jfrog_source(
+          dir: tmp_path,
+          gemfile_name: "Gemfile",
+          credentials: {},
+          using_bundler2: true
+        )
 
-      it "raises a NYI" do
-        expect { Functions.send(function, **args) }.to raise_error(Functions::NotImplementedError)
+        expect(jfrog_source).to eq("test.jfrog.io")
       end
     end
   end

data/helpers/v2/spec/native_spec_helper.rb

@@ -26,7 +26,11 @@ end
 LOCKFILE_ENDING = /(?<ending>\s*(?:RUBY VERSION|BUNDLED WITH).*)/m.freeze
 
 def project_dependency_files(project)
+  # TODO: Retrieve files from bundler2 folder once it is fully up to date
   project_path = File.expand_path(File.join("../../spec/fixtures/projects/bundler1", project))
+
+  raise "Fixture does not exist for project: '#{project}'" unless Dir.exist?(project_path)
+
   Dir.chdir(project_path) do
     # NOTE: Include dotfiles (e.g. .npmrc)
     files = Dir.glob("**/*", File::FNM_DOTMATCH)

data/lib/dependabot/bundler/file_updater/requirement_replacer.rb

@@ -167,6 +167,8 @@ module Dependabot
             req_string.include?(" ")
           end
 
+          EQUALITY_OPERATOR = /(?<![<>!])=/.freeze
+
           def use_equality_operator?(requirement_nodes)
             return true if requirement_nodes.none?
 
@@ -178,7 +180,7 @@ module Dependabot
                 requirement_nodes.first.children.first.loc.expression.source
               end
 
-            req_string.match?(/(?<![<>])=/)
+            req_string.match?(EQUALITY_OPERATOR)
           end
 
           def new_requirement_string(quote_characters:,
@@ -203,7 +205,7 @@ module Dependabot
             # Gem::Requirement serializes exact matches as a string starting
             # with `=`. We may need to remove that equality operator if it
             # wasn't used originally.
-            tmp_req = tmp_req.gsub(/(?<![<>])=/, "") unless use_equality_operator
+            tmp_req = tmp_req.gsub(EQUALITY_OPERATOR, "") unless use_equality_operator
 
             tmp_req.strip
           end

data/lib/dependabot/bundler/update_checker.rb

@@ -359,20 +359,18 @@ module Dependabot
         @version_resolver ||= {}
         @version_resolver[remove_git_source] ||= {}
         @version_resolver[remove_git_source][unlock_requirement] ||=
-          begin
-            VersionResolver.new(
-              dependency: dependency,
-              unprepared_dependency_files: dependency_files,
-              repo_contents_path: repo_contents_path,
-              credentials: credentials,
-              ignored_versions: ignored_versions,
-              raise_on_ignored: raise_on_ignored,
-              remove_git_source: remove_git_source,
-              unlock_requirement: unlock_requirement,
-              latest_allowable_version: latest_version,
-              options: options
-            )
-          end
+          VersionResolver.new(
+            dependency: dependency,
+            unprepared_dependency_files: dependency_files,
+            repo_contents_path: repo_contents_path,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            raise_on_ignored: raise_on_ignored,
+            remove_git_source: remove_git_source,
+            unlock_requirement: unlock_requirement,
+            latest_allowable_version: latest_version,
+            options: options
+          )
       end
 
       def latest_version_finder(remove_git_source:)

data/lib/dependabot/bundler/update_checker/requirements_updater.rb

@@ -188,7 +188,7 @@ module Dependabot
               req
             end
           when "<", "<=" then [update_greatest_version(req, latest_version)]
-          when "~>" then convert_twidle_to_range(req, latest_version)
+          when "~>" then convert_twiddle_to_range(req, latest_version)
           when "!=" then []
           when ">", ">=" then raise UnfixableRequirement
           else raise "Unexpected operation for requirement: #{op}"
@@ -214,7 +214,7 @@ module Dependabot
           end
         end
 
-        def convert_twidle_to_range(requirement, version_to_be_permitted)
+        def convert_twiddle_to_range(requirement, version_to_be_permitted)
           version = requirement.requirements.first.last
           version = version.release if version.prerelease?
 

data/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb

@@ -187,7 +187,9 @@ module Dependabot
         end
 
         def jfrog_source
-          in_a_native_bundler_context(error_handling: false) do |dir|
+          return @jfrog_source unless defined?(@jfrog_source)
+
+          @jfrog_source = in_a_native_bundler_context(error_handling: false) do |dir|
             NativeHelpers.run_bundler_subprocess(
               bundler_version: bundler_version,
               function: "jfrog_source",

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.138.2
+  version: 0.138.7
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-23 00:00:00.000000000 Z
+date: 2021-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.138.2
+        version: 0.138.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.138.2
+        version: 0.138.7
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.11.0
+        version: 1.12.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.11.0
+        version: 1.12.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -210,12 +210,20 @@ files:
 - helpers/v2/Gemfile
 - helpers/v2/build
 - helpers/v2/lib/functions.rb
+- helpers/v2/lib/functions/conflicting_dependency_resolver.rb
+- helpers/v2/lib/functions/dependency_source.rb
 - helpers/v2/lib/functions/file_parser.rb
+- helpers/v2/lib/functions/force_updater.rb
+- helpers/v2/lib/functions/lockfile_updater.rb
+- helpers/v2/lib/functions/version_resolver.rb
 - helpers/v2/monkey_patches/definition_bundler_version_patch.rb
 - helpers/v2/monkey_patches/definition_ruby_version_patch.rb
 - helpers/v2/monkey_patches/git_source_patch.rb
 - helpers/v2/run.rb
+- helpers/v2/spec/functions/conflicting_dependency_resolver_spec.rb
+- helpers/v2/spec/functions/dependency_source_spec.rb
 - helpers/v2/spec/functions/file_parser_spec.rb
+- helpers/v2/spec/functions/version_resolver_spec.rb
 - helpers/v2/spec/functions_spec.rb
 - helpers/v2/spec/native_spec_helper.rb
 - helpers/v2/spec/shared_contexts.rb