dependabot-bundler 0.215.0 → 0.216.1

Files changed (31)
  1. checksums.yaml +4 -4
  2. data/helpers/v1/build +15 -9
  3. data/helpers/v1/lib/functions/file_parser.rb +9 -3
  4. data/helpers/v1/run.rb +1 -1
  5. data/helpers/v2/build +0 -9
  6. data/helpers/v2/lib/functions/conflicting_dependency_resolver.rb +0 -2
  7. data/helpers/v2/lib/functions/file_parser.rb +9 -3
  8. data/helpers/v2/lib/functions/force_updater.rb +19 -48
  9. data/helpers/v2/lib/functions/lockfile_updater.rb +15 -11
  10. data/helpers/v2/monkey_patches/definition_ruby_version_patch.rb +1 -1
  11. data/helpers/v2/monkey_patches/git_source_patch.rb +6 -0
  12. data/helpers/v2/run.rb +1 -1
  13. data/helpers/v2/spec/functions/force_updater_spec.rb +1 -1
  14. data/lib/dependabot/bundler/file_fetcher.rb +10 -1
  15. data/lib/dependabot/bundler/file_parser/file_preparer.rb +2 -2
  16. data/lib/dependabot/bundler/file_parser/gemfile_declaration_finder.rb +2 -2
  17. data/lib/dependabot/bundler/file_parser/gemspec_declaration_finder.rb +2 -1
  18. data/lib/dependabot/bundler/file_parser.rb +1 -14
  19. data/lib/dependabot/bundler/file_updater/lockfile_updater.rb +11 -17
  20. data/lib/dependabot/bundler/file_updater/ruby_requirement_setter.rb +1 -1
  21. data/lib/dependabot/bundler/file_updater.rb +1 -2
  22. data/lib/dependabot/bundler/metadata_finder.rb +3 -1
  23. data/lib/dependabot/bundler/native_helpers.rb +0 -1
  24. data/lib/dependabot/bundler/update_checker/file_preparer.rb +1 -2
  25. data/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb +2 -1
  26. data/lib/dependabot/bundler/update_checker/version_resolver.rb +9 -2
  27. data/lib/dependabot/bundler/update_checker.rb +2 -29
  28. data/lib/dependabot/bundler/version.rb +2 -1
  29. metadata +35 -34
  30. data/helpers/v1/Gemfile +0 -11
  31. data/helpers/v2/Gemfile +0 -12
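--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 0b2a5932ecc497e8d807922680efc95126f022b55860e3e270f3ff905bafb958
- data.tar.gz: f54e71c5c027e3ca7455ec0265a1b9d160a019709b9d7739d4582b0f5202168e
+ metadata.gz: 0131aa08a04131b4b53141d847592072a75f02ad7aa2e8561f1cebba421a518b
+ data.tar.gz: 27685ff6d09394763cd4d11e13e165e30aeb67749a25764888f4421da70516de
  SHA512:
- metadata.gz: 8f42c1615b336fdae9490acfce61098228d29a7016ff3d2c0d236239750b207522cdcc47193eefa5b3b680215992e4f7630d73c9572d162d0fc4257bf1ec9e73
- data.tar.gz: 37c4ee937da2a029f96e916ba8e3040cf8e1d32354dec01c7d4c7dd9c196a6bf7f8240ec36ef292872347b3f83fd40b1dd7b549d0b3ccfa139740ea97c12aa94
+ metadata.gz: c38423ddc8dae44e4d5c2c0886fc8add448d1d43ab17d3c0e399f8144b4d0732e89c49983d4d7a9d29badb68d4c26afc7056d2821f62bbc29e3010153deacabc
+ data.tar.gz: 903621e164f0362d34894926abf09c67549de9caefa86587c59b388d612a646e782912bf9507aa4908ad37109ebca6957afbc74d9bdf2960914b068e8426a0fb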
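--- a/data/helpers/v1/build
+++ b/data/helpers/v1/build
@@ -14,7 +14,6 @@ else
  "$helpers_dir/lib" \
  "$helpers_dir/monkey_patches" \
  "$helpers_dir/run.rb" \
- "$helpers_dir/Gemfile" \
  "$install_dir"
  fi
 
@@ -24,12 +23,19 @@ export GEM_HOME=$install_dir/.bundle
 
  gem install bundler -v 1.17.3 --no-document
 
- BUNDLER_VERSION=1.17.3 bundle config --local path.system true
-
- if [ -n "$DEPENDABOT_NATIVE_HELPERS_PATH" ]; then
- BUNDLER_VERSION=1.17.3 bundle config --local without "test"
+ if [ -z "$DEPENDABOT_NATIVE_HELPERS_PATH" ]; then
+ # NOTE: For native helper specs, Bundler 2 happily reuses test gems installed
+ # by the main spec suite, because Bundler automatically searches for Gemfiles
+ # in parent directories, so we don't need any extra install for native helper
+ # specs.
+ #
+ # However, Bundler 1 installs gems to a slightly different folder structure by
+ # default, so we need to make sure to explicit install test gems with Bundler
+ # 1 so that they can be found by Bundler 1. In addition to that, Bundler 1 is
+ # very picky about the `BUNDLED WITH` section in the lockfile, which has been
+ # generated with Bundler 2 for the main spec suite. So we also need to delete
+ # the previously generated lockfile first, so that it has the format Bundler 1
+ # likes.
+ rm -f ../../Gemfile.lock
+ BUNDLER_VERSION=1.17.3 bundle install
  fi
-
- # NOTE: Sets `BUNDLED WITH` to match the installed v1 version in Gemfile.lock
- # forcing native helpers to run with the same version
- BUNDLER_VERSION=1.17.3 bundle install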
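Review bot: `rm -f ../../Gemfile.lock` and the `bundle install` after it resolve against whatever directory the script was started from, and nothing in this hunk pins that; if the build is ever invoked from somewhere other than helpers/v1, the `-f` hides the miss and Bundler 1 then trips over the Bundler 2 lockfile the comment describes. Anchoring on the variable the first hunk already uses, `rm -f "$helpers_dir/../../Gemfile.lock"`, removes the dependency on the caller's cwd (assuming `$helpers_dir` is the v1 helpers directory, as its other uses suggest). Deleting and regenerating the lockfile also means the test gems installed for Bundler 1 are re-resolved rather than taken from the pinned versions of the main suite's lockfile; the NOTE should state that this drift is accepted.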
@@ -13,7 +13,7 @@ module Functions
13
13
  def parsed_gemfile(gemfile_name:)
14
14
  Bundler::Definition.build(gemfile_name, nil, {}).
15
15
  dependencies.select(&:current_platform?).
16
- reject { |dep| dep.source.is_a?(Bundler::Source::Gemspec) }.
16
+ reject { |dep| local_sources.include?(dep.source.class) }.
17
17
  map { |dep| serialize_bundler_dependency(dep) }
18
18
  end
19
19
 
@@ -103,10 +103,16 @@ module Functions
103
103
  NilClass,
104
104
  Bundler::Source::Rubygems,
105
105
  Bundler::Source::Git,
106
- Bundler::Source::Path,
107
- Bundler::Source::Gemspec,
106
+ *local_sources,
108
107
  Bundler::Source::Metadata
109
108
  ]
110
109
  end
110
+
111
+ def local_sources
112
+ [
113
+ Bundler::Source::Path,
114
+ Bundler::Source::Gemspec
115
+ ]
116
+ end
111
117
  end
112
118
  end
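Review bot: `local_sources.include?(dep.source.class)` in `parsed_gemfile` is an exact-class match, whereas the `is_a?` it replaces also matched subclasses, so a dependency whose source is some other subclass of `Bundler::Source::Path` would no longer be rejected; if that is deliberate it deserves a comment on `local_sources`, e.g. `# Sources that resolve to files in the checkout rather than a registry; matched by exact class, so subclasses must be listed explicitly.`. `local_sources` also allocates a fresh array on every call from inside the `reject` block, where a frozen constant (`LOCAL_SOURCES = [...].freeze`) would do. The identical two hunks appear again in the v2 copy of file_parser.rb further down (its @@ -13 and @@ -103 hunks), and the same remarks apply there.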
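--- a/data/helpers/v1/run.rb
+++ b/data/helpers/v1/run.rb
@@ -1,7 +1,7 @@
  # frozen_string_literal: true
 
  gem "bundler", "~> 1.17"
- require "bundler/setup"
+ require "bundler"
  require "json"
 
  $LOAD_PATH.unshift(File.expand_path("./lib", __dir__))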
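--- a/data/helpers/v2/build
+++ b/data/helpers/v2/build
@@ -14,7 +14,6 @@ else
  "$helpers_dir/lib" \
  "$helpers_dir/monkey_patches" \
  "$helpers_dir/run.rb" \
- "$helpers_dir/Gemfile" \
  "$install_dir"
  fi
 
@@ -25,11 +24,3 @@ default_version=$(ruby -rbundler -e'print Bundler::VERSION')
  export GEM_HOME=$install_dir/.bundle
 
  gem install bundler -v "$default_version" --no-document
-
- bundle config --local path.system true
-
- if [ -n "$DEPENDABOT_NATIVE_HELPERS_PATH" ]; then
- bundle config --local without "test"
- fi
-
- bundle install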
@@ -16,8 +16,6 @@ module Functions
16
16
  # * version [String] the version of the blocking dependency
17
17
  # * requirement [String] the requirement on the target_dependency
18
18
  def conflicting_dependencies
19
- Bundler.settings.set_command_option("only_update_to_newer_versions", true)
20
-
21
19
  parent_specs.flat_map do |parent_spec|
22
20
  top_level_specs_for(parent_spec).map do |top_level|
23
21
  dependency = parent_spec.dependencies.find { |bd| bd.name == dependency_name }
@@ -13,7 +13,7 @@ module Functions
13
13
  def parsed_gemfile(gemfile_name:)
14
14
  Bundler::Definition.build(gemfile_name, nil, {}).
15
15
  dependencies.select(&:current_platform?).
16
- reject { |dep| dep.source.is_a?(Bundler::Source::Gemspec) }.
16
+ reject { |dep| local_sources.include?(dep.source.class) }.
17
17
  map { |dep| serialize_bundler_dependency(dep) }
18
18
  end
19
19
 
@@ -103,10 +103,16 @@ module Functions
103
103
  NilClass,
104
104
  Bundler::Source::Rubygems,
105
105
  Bundler::Source::Git,
106
- Bundler::Source::Path,
107
- Bundler::Source::Gemspec,
106
+ *local_sources,
108
107
  Bundler::Source::Metadata
109
108
  ]
110
109
  end
110
+
111
+ def local_sources
112
+ [
113
+ Bundler::Source::Path,
114
+ Bundler::Source::Gemspec
115
+ ]
116
+ end
111
117
  end
112
118
  end
@@ -14,21 +14,13 @@ module Functions
14
14
  end
15
15
 
16
16
  def run
17
- # Only allow upgrades. Otherwise it's unlikely that this
18
- # resolution will be found by the FileUpdater
19
- Bundler.settings.set_command_option(
20
- "only_update_to_newer_versions",
21
- true
22
- )
23
-
24
17
  dependencies_to_unlock = []
25
18
 
26
19
  begin
27
20
  definition = build_definition(dependencies_to_unlock: dependencies_to_unlock)
28
21
  definition.resolve_remotely!
29
22
  specs = definition.resolve
30
- updates = [{ name: dependency_name }] +
31
- dependencies_to_unlock.map { |dep| { name: dep.name } }
23
+ updates = ([dependency_name, *dependencies_to_unlock] - subdependencies).uniq.map { |name| { name: name } }
32
24
  specs = specs.map do |dep|
33
25
  {
34
26
  name: dep.name,
@@ -36,7 +28,7 @@ module Functions
36
28
  }
37
29
  end
38
30
  [updates, specs]
39
- rescue Bundler::VersionConflict => e
31
+ rescue Bundler::SolveFailure => e
40
32
  raise unless update_multiple_dependencies?
41
33
 
42
34
  # TODO: Not sure this won't unlock way too many things...
@@ -48,7 +40,7 @@ module Functions
48
40
 
49
41
  raise if new_dependencies_to_unlock.none?
50
42
 
51
- dependencies_to_unlock += new_dependencies_to_unlock
43
+ dependencies_to_unlock |= new_dependencies_to_unlock
52
44
  retry
53
45
  end
54
46
  end
@@ -61,47 +53,26 @@ module Functions
61
53
  alias update_multiple_dependencies? update_multiple_dependencies
62
54
 
63
55
  def new_dependencies_to_unlock_from(error:, already_unlocked:)
64
- potentials_deps =
65
- relevant_conflicts(error, already_unlocked).
66
- flat_map(&:requirement_trees).
67
- reject do |tree|
68
- # If the final requirement wasn't specific, it can't be binding
69
- next true if tree.last.requirement == Gem::Requirement.new(">= 0")
70
-
71
- # If the conflict wasn't for the dependency we're updating then
72
- # we don't have enough info to reject it
73
- next false unless tree.last.name == dependency_name
74
-
75
- # If the final requirement *was* for the dependency we're updating
76
- # then we can ignore the tree if it permits the target version
77
- tree.last.requirement.satisfied_by?(
78
- Gem::Version.new(target_version)
79
- )
80
- end.map(&:first)
56
+ names = [*already_unlocked, dependency_name]
57
+ extra_names_to_unlock = []
81
58
 
82
- potentials_deps.
83
- reject { |dep| already_unlocked.map(&:name).include?(dep.name) }.
84
- reject { |dep| [dependency_name, "ruby\0"].include?(dep.name) }.
85
- uniq
86
- end
59
+ incompatibility = error.cause.incompatibility
87
60
 
88
- def relevant_conflicts(error, dependencies_being_unlocked)
89
- names = [*dependencies_being_unlocked.map(&:name), dependency_name]
90
-
91
- # For a conflict to be relevant to the updates we're making it must be
92
- # 1) caused by a new requirement introduced by our unlocking, or
93
- # 2) caused by an old requirement that prohibits the update.
94
- # Hence, we look at the beginning and end of the requirement trees
95
- error.cause.conflicts.values.
96
- select do |conflict|
97
- conflict.requirement_trees.any? do |t|
98
- names.include?(t.last.name) || names.include?(t.first.name)
99
- end
61
+ while incompatibility.conflict?
62
+ cause = incompatibility.cause
63
+ incompatibility = cause.incompatibility
64
+
65
+ incompatibility.terms.each do |term|
66
+ name = term.package.name
67
+ extra_names_to_unlock << name unless names.include?(name)
100
68
  end
69
+ end
70
+
71
+ extra_names_to_unlock
101
72
  end
102
73
 
103
74
  def build_definition(dependencies_to_unlock:)
104
- gems_to_unlock = dependencies_to_unlock.map(&:name) + [dependency_name]
75
+ gems_to_unlock = dependencies_to_unlock + [dependency_name]
105
76
  definition = Bundler::Definition.build(
106
77
  gemfile_name,
107
78
  lockfile_name,
@@ -147,10 +118,10 @@ module Functions
147
118
  return [] unless lockfile
148
119
 
149
120
  all_deps = Bundler::LockfileParser.new(lockfile).
150
- specs.map(&:name).map(&:to_s)
121
+ specs.map(&:name)
151
122
  top_level = Bundler::Definition.
152
123
  build(gemfile_name, lockfile_name, {}).
153
- dependencies.map(&:name).map(&:to_s)
124
+ dependencies.map(&:name)
154
125
 
155
126
  all_deps - top_level
156
127
  end
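Review bot: The `while incompatibility.conflict?` loop in `new_dependencies_to_unlock_from` follows only `cause.incompatibility`; if `error.cause` is a PubGrub solve failure, a conflict cause carries two incompatibilities (the other is exposed as `satisfier`, if I recall the PubGrub API correctly), so package names reachable only through that branch are never collected and `run` ends up at `raise if new_dependencies_to_unlock.none?` even though an unlock existed — worth confirming against the PubGrub bundled with the Bundler this targets. The removed code also excluded the Ruby pseudo-package (`"ruby\0"` on the old reject line); nothing in the new loop does, and the definition_ruby_version_patch.rb hunk below shows that package is named `"Ruby\0"`, so a conflict on the required Ruby version can now push that name into `dependencies_to_unlock` and presumably on into the unlock list `build_definition` hands to `Bundler::Definition.build`. A guard such as `next if name == "Ruby\0"` at the top of the `terms.each` block restores the old exclusion. The same one-sided walk is duplicated in `unlock_blocking_subdeps` in the lockfile_updater.rb hunk that follows; a shared helper that yields each term name would keep the two in step.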
@@ -50,7 +50,7 @@ module Functions
50
50
  definition.to_lock
51
51
  rescue Bundler::GemNotFound => e
52
52
  unlock_yanked_gem(dependencies_to_unlock, e) && retry
53
- rescue Bundler::VersionConflict => e
53
+ rescue Bundler::SolveFailure => e
54
54
  unlock_blocking_subdeps(dependencies_to_unlock, e) && retry
55
55
  rescue *RETRYABLE_ERRORS
56
56
  raise if @retrying
@@ -146,7 +146,6 @@ module Functions
146
146
  dependencies_to_unlock << gem_name
147
147
  end
148
148
 
149
- # rubocop:disable Metrics/PerceivedComplexity
150
149
  def unlock_blocking_subdeps(dependencies_to_unlock, error)
151
150
  all_deps = Bundler::LockfileParser.new(lockfile).
152
151
  specs.map(&:name).map(&:to_s)
@@ -158,22 +157,27 @@ module Functions
158
157
 
159
158
  # Unlock any sub-dependencies that Bundler reports caused the
160
159
  # conflict
161
- potentials_deps =
162
- error.cause.conflicts.values.
163
- flat_map(&:requirement_trees).
164
- filter_map do |tree|
165
- tree.find { |req| allowed_new_unlocks.include?(req.name) }
166
- end.map(&:name)
160
+ incompatibility = error.cause.incompatibility
161
+ potential_deps = []
162
+
163
+ while incompatibility.conflict?
164
+ cause = incompatibility.cause
165
+ incompatibility = cause.incompatibility
166
+
167
+ incompatibility.terms.each do |term|
168
+ name = term.package.name
169
+ potential_deps << name if allowed_new_unlocks.include?(name)
170
+ end
171
+ end
167
172
 
168
173
  # If there are specific dependencies we can unlock, unlock them
169
- return dependencies_to_unlock.append(*potentials_deps) if potentials_deps.any?
174
+ return dependencies_to_unlock.append(*potential_deps) if potential_deps.any?
170
175
 
171
176
  # Fall back to unlocking *all* sub-dependencies. This is required
172
- # because Bundler's VersionConflict objects don't include enough
177
+ # because Bundler's SolveFailure objects don't include enough
173
178
  # information to chart the full path through all conflicts unwound
174
179
  dependencies_to_unlock.append(*allowed_new_unlocks)
175
180
  end
176
- # rubocop:enable Metrics/PerceivedComplexity
177
181
 
178
182
  def build_definition(dependencies_to_unlock)
179
183
  defn = Bundler::Definition.build(
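Review bot: `potential_deps << name if allowed_new_unlocks.include?(name)` can push the same name several times and, unless `allowed_new_unlocks` (defined outside the hunk) already subtracts `dependencies_to_unlock`, names that were unlocked on a previous attempt; because the caller does `unlock_blocking_subdeps(dependencies_to_unlock, e) && retry` and `append` is always truthy, an attempt that adds nothing new retries with an unchanged definition. Reducing the set before the `any?` check, `potential_deps = (potential_deps.uniq - dependencies_to_unlock)`, makes each retry either make progress or fall through to the all-subdependencies fallback. The updated fallback comment could also say what "not enough information" means now that the walk only follows `cause.incompatibility`.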
@@ -10,7 +10,7 @@ module BundlerDefinitionRubyVersionPatch
10
10
  Gem::Specification.new("Ruby\0", requested_version)
11
11
  end
12
12
 
13
- %w(2.5.3 2.6.10 2.7.6 3.0.4).each do |version|
13
+ %w(2.5.3 2.6.10 2.7.7 3.0.5 3.2.1).each do |version|
14
14
  sources.metadata_source.specs << Gem::Specification.new("Ruby\0", version)
15
15
  end
16
16
 
@@ -11,6 +11,10 @@ module Bundler
11
11
  # Bundler allows ssh authentication when talking to GitHub but there's
12
12
  # no way for Dependabot to do so (it doesn't have any ssh keys).
13
13
  # Instead, we convert all `git@github.com:` URLs to use HTTPS.
14
+ def configured_uri
15
+ configured_uri_for(uri)
16
+ end
17
+
14
18
  def configured_uri_for(uri)
15
19
  uri = uri.gsub(%r{git@(.*?):/?}, 'https://\1/')
16
20
  if /https?:/.match?(uri)
@@ -18,6 +22,8 @@ module Bundler
18
22
  config_auth = Bundler.settings[remote.to_s] || Bundler.settings[remote.host]
19
23
  remote.userinfo ||= config_auth
20
24
  remote.to_s
25
+ elsif File.exist?(uri)
26
+ "file://#{uri}"
21
27
  else
22
28
  uri
23
29
  end
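Review bot: `"file://#{uri}"` on the new `elsif` branch is only a well-formed file URI when `uri` is absolute; `File.exist?(uri)` also accepts a path relative to the helper's working directory, and for such a path the first segment becomes the URI authority (`file://vendor/foo` names a host `vendor`). Expanding first, `"file://#{File.expand_path(uri)}"`, fixes the form. Since `uri` comes from the repository's Gemfile, any readable path on the host running the helper now passes this check and is handed to Bundler as a git source; if only paths inside the checkout are meant to qualify, the branch should check that the expanded path sits under the working directory, and a comment should say so either way. The new `configured_uri` wrapper also lacks a one-line comment naming the Bundler method it overrides and why both spellings are needed.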
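--- a/data/helpers/v2/run.rb
+++ b/data/helpers/v2/run.rb
@@ -1,7 +1,7 @@
  # frozen_string_literal: true
 
  gem "bundler", "~> 2.3"
- require "bundler/setup"
+ require "bundler"
  require "json"
 
  $LOAD_PATH.unshift(File.expand_path("./lib", __dir__))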
@@ -38,7 +38,7 @@ RSpec.describe Functions::ForceUpdater do
38
38
  context "when updating a single dependency" do
39
39
  let(:update_multiple_dependencies) { false }
40
40
 
41
- it { expect { force_update }.to raise_error(Bundler::VersionConflict) }
41
+ it { expect { force_update }.to raise_error(Bundler::SolveFailure) }
42
42
  end
43
43
  end
44
44
 
@@ -23,6 +23,15 @@ module Dependabot
23
23
  "Repo must contain either a Gemfile, a gemspec, or a gems.rb."
24
24
  end
25
25
 
26
+ def package_manager_version
27
+ {
28
+ ecosystem: "bundler",
29
+ package_managers: {
30
+ "bundler" => Helpers.detected_bundler_version(lockfile)
31
+ }
32
+ }
33
+ end
34
+
26
35
  private
27
36
 
28
37
  def fetch_files
@@ -133,7 +142,7 @@ module Dependabot
133
142
 
134
143
  raise Dependabot::PathDependenciesNotReachable, unfetchable_gems if unfetchable_gems.any?
135
144
 
136
- gemspec_files.tap { |ar| ar.each { |f| f.support_file = true } }
145
+ gemspec_files
137
146
  end
138
147
 
139
148
  def path_gemspec_paths
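Review bot: The new public `package_manager_version` carries no comment on its contract; its hash shape mirrors the payload that the file_parser.rb hunk below removes from `instrument_package_manager_version`, so a note such as `# Replaces the FILE_PARSER_PACKAGE_MANAGER_VERSION_PARSED instrumentation; keep the ecosystem/package_managers shape its consumers expect.` would tie the two together. In the second hunk, dropping `f.support_file = true` on `gemspec_files` changes how those files are classified by every consumer, and several `reject(&:support_file?)` removals elsewhere in this diff appear to compensate; a one-line comment on the returning line saying gemspecs are now ordinary dependency files would make that intent explicit. Whether `lockfile` can be nil when `Helpers.detected_bundler_version(lockfile)` is called is not visible from this hunk.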
@@ -1,12 +1,12 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require "dependabot/dependency_file"
4
- require "dependabot/bundler/file_parser"
4
+ require "dependabot/file_parsers/base"
5
5
  require "dependabot/bundler/file_updater/gemspec_sanitizer"
6
6
 
7
7
  module Dependabot
8
8
  module Bundler
9
- class FileParser
9
+ class FileParser < Dependabot::FileParsers::Base
10
10
  class FilePreparer
11
11
  def initialize(dependency_files:)
12
12
  @dependency_files = dependency_files
@@ -1,11 +1,11 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require "parser/current"
4
- require "dependabot/bundler/file_parser"
4
+ require "dependabot/file_parsers/base"
5
5
 
6
6
  module Dependabot
7
7
  module Bundler
8
- class FileParser
8
+ class FileParser < Dependabot::FileParsers::Base
9
9
  # Checks whether a dependency is declared in a Gemfile
10
10
  class GemfileDeclarationFinder
11
11
  def initialize(gemfile:)
@@ -1,10 +1,11 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require "parser/current"
4
+ require "dependabot/file_parsers/base"
4
5
 
5
6
  module Dependabot
6
7
  module Bundler
7
- class FileParser
8
+ class FileParser < Dependabot::FileParsers::Base
8
9
  # Checks whether a dependency is declared in a gemspec file
9
10
  class GemspecDeclarationFinder
10
11
  def initialize(gemspec:)
@@ -24,7 +24,6 @@ module Dependabot
24
24
  dependency_set += gemspec_dependencies
25
25
  dependency_set += lockfile_dependencies
26
26
  check_external_code(dependency_set.dependencies)
27
- instrument_package_manager_version
28
27
  dependency_set.dependencies
29
28
  end
30
29
 
@@ -44,17 +43,6 @@ module Dependabot
44
43
  end
45
44
  end
46
45
 
47
- def instrument_package_manager_version
48
- version = Helpers.detected_bundler_version(lockfile)
49
- Dependabot.instrument(
50
- Notifications::FILE_PARSER_PACKAGE_MANAGER_VERSION_PARSED,
51
- ecosystem: "bundler",
52
- package_managers: {
53
- "bundler" => version
54
- }
55
- )
56
- end
57
-
58
46
  def gemfile_dependencies
59
47
  dependencies = DependencySet.new
60
48
 
@@ -309,8 +297,7 @@ module Dependabot
309
297
  def gemspecs
310
298
  # Path gemspecs are excluded (they're supporting files)
311
299
  @gemspecs ||= prepared_dependency_files.
312
- select { |file| file.name.end_with?(".gemspec") }.
313
- reject(&:support_file?)
300
+ select { |file| file.name.end_with?(".gemspec") }
314
301
  end
315
302
 
316
303
  def imported_ruby_files
@@ -89,7 +89,7 @@ module Dependabot
89
89
  path = gemspec.name
90
90
  FileUtils.mkdir_p(Pathname.new(path).dirname)
91
91
  updated_content = updated_gemspec_content(gemspec)
92
- File.write(path, sanitized_gemspec_content(updated_content))
92
+ File.write(path, sanitized_gemspec_content(path, updated_content))
93
93
  end
94
94
 
95
95
  write_ruby_version_file
@@ -115,7 +115,7 @@ module Dependabot
115
115
  path_gemspecs.each do |file|
116
116
  path = file.name
117
117
  FileUtils.mkdir_p(Pathname.new(path).dirname)
118
- File.write(path, sanitized_gemspec_content(file.content))
118
+ File.write(path, sanitized_gemspec_content(path, file.content))
119
119
  end
120
120
 
121
121
  specification_files.each do |file|
@@ -146,8 +146,7 @@ module Dependabot
146
146
 
147
147
  def top_level_gemspecs
148
148
  dependency_files.
149
- select { |file| file.name.end_with?(".gemspec") }.
150
- reject(&:support_file?)
149
+ select { |file| file.name.end_with?(".gemspec") && Pathname.new(file.name).dirname.to_s == "." }
151
150
  end
152
151
 
153
152
  def ruby_version_file
@@ -195,32 +194,27 @@ module Dependabot
195
194
  )
196
195
  end
197
196
 
198
- def sanitized_gemspec_content(gemspec_content)
199
- new_version = replacement_version_for_gemspec(gemspec_content)
197
+ def sanitized_gemspec_content(path, gemspec_content)
198
+ new_version = replacement_version_for_gemspec(path, gemspec_content)
200
199
 
201
200
  GemspecSanitizer.
202
201
  new(replacement_version: new_version).
203
202
  rewrite(gemspec_content)
204
203
  end
205
204
 
206
- # rubocop:disable Metrics/PerceivedComplexity
207
- def replacement_version_for_gemspec(gemspec_content)
205
+ def replacement_version_for_gemspec(path, gemspec_content)
208
206
  return "0.0.1" unless lockfile
209
207
 
210
- gemspec_specs =
211
- ::Bundler::LockfileParser.new(sanitized_lockfile_body).specs.
212
- select { |s| gemspec_sources.include?(s.source.class) }
213
-
214
208
  gem_name =
215
209
  GemspecDependencyNameFinder.new(gemspec_content: gemspec_content).
216
- dependency_name
210
+ dependency_name || File.basename(path, ".gemspec")
217
211
 
218
- return gemspec_specs.first&.version || "0.0.1" unless gem_name
212
+ gemspec_specs =
213
+ ::Bundler::LockfileParser.new(sanitized_lockfile_body).specs.
214
+ select { |s| s.name == gem_name && gemspec_sources.include?(s.source.class) }
219
215
 
220
- spec = gemspec_specs.find { |s| s.name == gem_name }
221
- spec&.version || gemspec_specs.first&.version || "0.0.1"
216
+ gemspec_specs.first&.version || "0.0.1"
222
217
  end
223
- # rubocop:enable Metrics/PerceivedComplexity
224
218
 
225
219
  def prepared_gemfile_content(file)
226
220
  content = updated_gemfile_content(file)
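Review bot: `top_level_gemspecs` now means different things within this diff: here it keeps only gemspecs whose `Pathname.new(file.name).dirname.to_s == "."`, while the same-named methods in file_updater.rb and update_checker/file_preparer.rb (the @@ -159 and @@ -143 hunks below) just drop `reject(&:support_file?)` and return every `.gemspec` in `dependency_files`, so a gemspec in a subdirectory is "top level" for them but not here. If the directory test is the intended replacement for the old support-file flag it belongs in all three, otherwise the other two should be renamed. `replacement_version_for_gemspec` also now falls back to `File.basename(path, ".gemspec")` and filters lockfile specs by that name; a comment there, `# a gemspec without an explicit name is assumed to be named after its file`, would record the assumption.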
@@ -11,7 +11,7 @@ module Dependabot
11
11
  class RubyVersionNotFound < StandardError; end
12
12
 
13
13
  RUBY_VERSIONS = %w(
14
- 1.8.7 1.9.3 2.0.0 2.1.10 2.2.10 2.3.8 2.4.10 2.5.9 2.6.7 2.7.3 3.0.1 3.1.1
14
+ 1.8.7 1.9.3 2.0.0 2.1.10 2.2.10 2.3.8 2.4.10 2.5.9 2.6.9 2.7.6 3.0.5 3.1.3 3.2.0
15
15
  ).freeze
16
16
 
17
17
  attr_reader :gemspec
@@ -159,8 +159,7 @@ module Dependabot
159
159
 
160
160
  def top_level_gemspecs
161
161
  dependency_files.
162
- select { |file| file.name.end_with?(".gemspec") }.
163
- reject(&:support_file?)
162
+ select { |file| file.name.end_with?(".gemspec") }
164
163
  end
165
164
 
166
165
  def bundler_version
@@ -215,10 +215,12 @@ module Dependabot
215
215
  def registry_auth_headers
216
216
  return {} unless new_source_type == "rubygems"
217
217
 
218
+ registry_host = URI(registry_url).host
219
+
218
220
  token =
219
221
  credentials.
220
222
  select { |cred| cred["type"] == "rubygems_server" }.
221
- find { |cred| registry_url.include?(cred["host"]) }&.
223
+ find { |cred| registry_host == cred["host"] }&.
222
224
  fetch("token", nil)
223
225
 
224
226
  return {} unless token
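Review bot: `registry_host == cred["host"]` is a case-sensitive comparison, but hostnames are not, so a credential stored with different casing than `URI(registry_url).host` (which keeps the URL's case) silently matches nothing and the token is omitted; `find { |cred| registry_host&.casecmp?(cred["host"]) }&.` covers that and a nil host. `URI(registry_url)` also raises `URI::InvalidURIError` on a malformed registry URL where the old `include?` check would merely fail to match — fine if callers expect it, but worth a comment on the new line. Moving from substring containment to host equality is the right direction: the previous check would have attached the token to any registry whose URL merely contained the credential's host as a substring.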
@@ -45,7 +45,6 @@ module Dependabot
45
45
  function: function,
46
46
  args: args,
47
47
  env: {
48
- "BUNDLE_GEMFILE" => File.join(helpers_path, "Gemfile"),
49
48
  # Prevent the GEM_HOME from being set to a folder owned by root
50
49
  "GEM_HOME" => File.join(helpers_path, ".bundle")
51
50
  }
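Review bot: Dropping `"BUNDLE_GEMFILE"` from the env leaves the helper subprocess with no pinned Gemfile, and the v1/build hunk in this same diff notes that Bundler "automatically searches for Gemfiles in parent directories", so any Bundler call in the helpers that falls back to the default Gemfile lookup will resolve it from the subprocess's working directory — presumably the fetched repository. That looks intended now that the helper Gemfiles are deleted and run.rb requires `bundler` rather than `bundler/setup`, but a comment beside `GEM_HOME`, e.g. `# No BUNDLE_GEMFILE: each function receives its Gemfile path explicitly.`, would make the omission deliberate rather than something a later reader "fixes" back.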
@@ -143,8 +143,7 @@ module Dependabot
143
143
 
144
144
  def top_level_gemspecs
145
145
  dependency_files.
146
- select { |f| f.name.end_with?(".gemspec") }.
147
- reject(&:support_file?)
146
+ select { |f| f.name.end_with?(".gemspec") }
148
147
  end
149
148
 
150
149
  def ruby_version_file
@@ -119,7 +119,8 @@ module Dependabot
119
119
  # We don't have access to one of repos required
120
120
  raise Dependabot::GitDependenciesNotReachable, bad_uris.uniq
121
121
  when "Bundler::GemNotFound", "Gem::InvalidSpecificationException",
122
- "Bundler::VersionConflict", "Bundler::CyclicDependencyError"
122
+ "Bundler::VersionConflict", "Bundler::CyclicDependencyError",
123
+ "Bundler::SolveFailure"
123
124
  # Bundler threw an error during resolution. Any of:
124
125
  # - the gem doesn't exist in any of the specified sources
125
126
  # - the gem wasn't specified properly
@@ -140,13 +140,20 @@ module Dependabot
140
140
  end
141
141
 
142
142
  def ruby_lock_error?(error)
143
- return false unless error.message.include?(" for the Ruby\0 version") || # Bundler 2
144
- error.message.include?(" for gem \"ruby\0\"") # Bundler 1
143
+ return false unless conflict_on_ruby?(error)
145
144
  return false if @gemspec_ruby_unlocked
146
145
 
147
146
  dependency_files.any? { |f| f.name.end_with?(".gemspec") }
148
147
  end
149
148
 
149
+ def conflict_on_ruby?(error)
150
+ if bundler_version == "1"
151
+ error.message.include?(" for gem \"ruby\0\"")
152
+ else
153
+ error.message.include?(" depends on Ruby ") && error.message.include?(" current Ruby version is ")
154
+ end
155
+ end
156
+
150
157
  def regenerate_dependency_files_without_ruby_lock
151
158
  @dependency_files =
152
159
  FilePreparer.new(
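Review bot: `conflict_on_ruby?` decides by substring-matching Bundler's human-readable error text, and its Bundler 2 branch now requires both `" depends on Ruby "` and `" current Ruby version is "`, while the previous `" for the Ruby\0 version"` check is gone; if any Bundler 2 release still in use emits the old wording, those lock errors go undetected and `ruby_lock_error?` returns false. Keeping the old phrase as a third `||` alternative costs nothing. The method also deserves a comment such as `# Matches Bundler's resolver messages verbatim; revisit when a new Bundler changes the wording.` so the coupling is visible.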
@@ -60,19 +60,8 @@ module Dependabot
60
60
  end
61
61
 
62
62
  def updated_requirements
63
- latest_version_for_req_updater =
64
- if switching_source_from_git_to_rubygems?
65
- git_commit_checker.local_tag_for_latest_version.fetch(:version).to_s
66
- else
67
- latest_version_details&.fetch(:version)&.to_s
68
- end
69
-
70
- latest_resolvable_version_for_req_updater =
71
- if switching_source_from_git_to_rubygems?
72
- latest_version_for_req_updater
73
- else
74
- preferred_resolvable_version_details&.fetch(:version)&.to_s
75
- end
63
+ latest_version_for_req_updater = latest_version_details&.fetch(:version)&.to_s
64
+ latest_resolvable_version_for_req_updater = preferred_resolvable_version_details&.fetch(:version)&.to_s
76
65
 
77
66
  RequirementsUpdater.new(
78
67
  requirements: dependency.requirements,
@@ -298,9 +287,6 @@ module Dependabot
298
287
  # Never need to update source, unless a git_dependency
299
288
  return dependency_source_details unless git_dependency?
300
289
 
301
- # Source becomes `nil` if switching to default rubygems
302
- return nil if should_switch_source_from_git_to_rubygems?
303
-
304
290
  # Update the git tag if updating a pinned version
305
291
  if git_commit_checker.pinned_ref_looks_like_version? &&
306
292
  latest_git_tag_is_resolvable?
@@ -321,19 +307,6 @@ module Dependabot
321
307
  sources.first
322
308
  end
323
309
 
324
- def should_switch_source_from_git_to_rubygems?
325
- return false unless git_dependency?
326
- return false if latest_resolvable_version_for_git_dependency.nil?
327
-
328
- Gem::Version.correct?(latest_resolvable_version_for_git_dependency)
329
- end
330
-
331
- def switching_source_from_git_to_rubygems?
332
- return false unless updated_source&.fetch(:ref, nil)
333
-
334
- updated_source.fetch(:ref) != dependency_source_details.fetch(:ref)
335
- end
336
-
337
310
  def force_updater
338
311
  @force_updater ||=
339
312
  ForceUpdater.new(
@@ -1,10 +1,11 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "dependabot/version"
3
4
  require "dependabot/utils"
4
5
 
5
6
  module Dependabot
6
7
  module Bundler
7
- class Version < Gem::Version
8
+ class Version < Dependabot::Version
8
9
  end
9
10
  end
10
11
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-bundler
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.215.0
4
+ version: 0.216.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-12-07 00:00:00.000000000 Z
11
+ date: 2023-04-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.215.0
19
+ version: 0.216.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.215.0
26
+ version: 0.216.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
- - - ">="
31
+ - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: 1.0.0
33
+ version: 1.7.1
34
34
  type: :development
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - ">="
38
+ - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: 1.0.0
40
+ version: 1.7.1
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: gpgme
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
58
58
  requirements:
59
59
  - - "~>"
60
60
  - !ruby/object:Gem::Version
61
- version: 4.0.0
61
+ version: 4.2.0
62
62
  type: :development
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
66
  - - "~>"
67
67
  - !ruby/object:Gem::Version
68
- version: 4.0.0
68
+ version: 4.2.0
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: rake
71
71
  requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
86
86
  requirements:
87
87
  - - "~>"
88
88
  - !ruby/object:Gem::Version
89
- version: '3.8'
89
+ version: '3.12'
90
90
  type: :development
91
91
  prerelease: false
92
92
  version_requirements: !ruby/object:Gem::Requirement
93
93
  requirements:
94
94
  - - "~>"
95
95
  - !ruby/object:Gem::Version
96
- version: '3.8'
96
+ version: '3.12'
97
97
  - !ruby/object:Gem::Dependency
98
98
  name: rspec-its
99
99
  requirement: !ruby/object:Gem::Requirement
100
100
  requirements:
101
101
  - - "~>"
102
102
  - !ruby/object:Gem::Version
103
- version: '1.2'
103
+ version: '1.3'
104
104
  type: :development
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
- version: '1.2'
110
+ version: '1.3'
111
111
  - !ruby/object:Gem::Dependency
112
112
  name: rubocop
113
113
  requirement: !ruby/object:Gem::Requirement
114
114
  requirements:
115
115
  - - "~>"
116
116
  - !ruby/object:Gem::Version
117
- version: 1.39.0
117
+ version: 1.50.0
118
118
  type: :development
119
119
  prerelease: false
120
120
  version_requirements: !ruby/object:Gem::Requirement
121
121
  requirements:
122
122
  - - "~>"
123
123
  - !ruby/object:Gem::Version
124
- version: 1.39.0
124
+ version: 1.50.0
125
125
  - !ruby/object:Gem::Dependency
126
126
  name: rubocop-performance
127
127
  requirement: !ruby/object:Gem::Requirement
128
128
  requirements:
129
129
  - - "~>"
130
130
  - !ruby/object:Gem::Version
131
- version: 1.15.0
131
+ version: 1.17.1
132
132
  type: :development
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - "~>"
137
137
  - !ruby/object:Gem::Version
138
- version: 1.15.0
138
+ version: 1.17.1
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: simplecov
141
141
  requirement: !ruby/object:Gem::Requirement
142
142
  requirements:
143
143
  - - "~>"
144
144
  - !ruby/object:Gem::Version
145
- version: 0.21.0
145
+ version: 0.22.0
146
146
  type: :development
147
147
  prerelease: false
148
148
  version_requirements: !ruby/object:Gem::Requirement
149
149
  requirements:
150
150
  - - "~>"
151
151
  - !ruby/object:Gem::Version
152
- version: 0.21.0
152
+ version: 0.22.0
153
153
  - !ruby/object:Gem::Dependency
154
154
  name: simplecov-console
155
155
  requirement: !ruby/object:Gem::Requirement
@@ -182,39 +182,39 @@ dependencies:
182
182
  name: vcr
183
183
  requirement: !ruby/object:Gem::Requirement
184
184
  requirements:
185
- - - '='
185
+ - - "~>"
186
186
  - !ruby/object:Gem::Version
187
- version: 6.1.0
187
+ version: '6.1'
188
188
  type: :development
189
189
  prerelease: false
190
190
  version_requirements: !ruby/object:Gem::Requirement
191
191
  requirements:
192
- - - '='
192
+ - - "~>"
193
193
  - !ruby/object:Gem::Version
194
- version: 6.1.0
194
+ version: '6.1'
195
195
  - !ruby/object:Gem::Dependency
196
196
  name: webmock
197
197
  requirement: !ruby/object:Gem::Requirement
198
198
  requirements:
199
199
  - - "~>"
200
200
  - !ruby/object:Gem::Version
201
- version: '3.4'
201
+ version: '3.18'
202
202
  type: :development
203
203
  prerelease: false
204
204
  version_requirements: !ruby/object:Gem::Requirement
205
205
  requirements:
206
206
  - - "~>"
207
207
  - !ruby/object:Gem::Version
208
- version: '3.4'
209
- description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
210
- Rust, Java, .NET, Elm and Go
211
- email: support@dependabot.com
208
+ version: '3.18'
209
+ description: Dependabot-Bundler provides support for bumping Ruby (bundler) gems via
210
+ Dependabot. If you want support for multiple package managers, you probably want
211
+ the meta-gem dependabot-omnibus.
212
+ email: opensource@github.com
212
213
  executables: []
213
214
  extensions: []
214
215
  extra_rdoc_files: []
215
216
  files:
216
217
  - helpers/v1/.gitignore
217
- - helpers/v1/Gemfile
218
218
  - helpers/v1/build
219
219
  - helpers/v1/lib/functions.rb
220
220
  - helpers/v1/lib/functions/conflicting_dependency_resolver.rb
@@ -237,7 +237,6 @@ files:
237
237
  - helpers/v1/spec/native_spec_helper.rb
238
238
  - helpers/v1/spec/shared_contexts.rb
239
239
  - helpers/v2/.gitignore
240
- - helpers/v2/Gemfile
241
240
  - helpers/v2/build
242
241
  - helpers/v2/lib/functions.rb
243
242
  - helpers/v2/lib/functions/conflicting_dependency_resolver.rb
@@ -295,7 +294,9 @@ files:
295
294
  homepage: https://github.com/dependabot/dependabot-core
296
295
  licenses:
297
296
  - Nonstandard
298
- metadata: {}
297
+ metadata:
298
+ issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
299
+ changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
299
300
  post_install_message:
300
301
  rdoc_options: []
301
302
  require_paths:
@@ -311,8 +312,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
311
312
  - !ruby/object:Gem::Version
312
313
  version: 3.1.0
313
314
  requirements: []
314
- rubygems_version: 3.3.7
315
+ rubygems_version: 3.3.26
315
316
  signing_key:
316
317
  specification_version: 4
317
- summary: Ruby (bundler) support for dependabot
318
+ summary: Provides Dependabot support for Ruby (bundler)
318
319
  test_files: []
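--- a/data/helpers/v1/Gemfile
+++ /dev/null
@@ -1,11 +0,0 @@
- # frozen_string_literal: true
-
- source "https://rubygems.org"
-
- # NOTE: Used to run native helper specs
- group :test do
- gem "rspec", "~> 3.8"
- gem "rspec-its", "~> 1.2"
- gem "vcr", "6.1.0"
- gem "webmock", "~> 3.4"
- end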
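--- a/data/helpers/v2/Gemfile
+++ /dev/null
@@ -1,12 +0,0 @@
- # frozen_string_literal: true
-
- source "https://rubygems.org"
-
- # NOTE: Used to run native helper specs
- group :test do
- gem "debug", ">= 1.0.0"
- gem "rspec", "~> 3.8"
- gem "rspec-its", "~> 1.2"
- gem "vcr", "6.1.0"
- gem "webmock", "~> 3.4"
- end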