dependabot-bundler 0.234.0 → 0.236.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/helpers/v2/lib/functions/force_updater.rb +36 -7
  3. data/lib/dependabot/bundler/update_checker/force_updater.rb +6 -18
  4. data/lib/dependabot/bundler/version.rb +1 -1
  5. data/lib/dependabot/bundler.rb +1 -1
  6. metadata +5 -5
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3d26201f1e3f35e54830b46511f495996de7578e79e4c155b37f8d4a276f59f5
4
- data.tar.gz: 6ca680989cdc4422b39b546f6870c611e38b573b8b8a0b8b3773ddebef6a5a5b
3
+ metadata.gz: 4fd34dd5e86ac6b391a703c276d062a73f797c3f936658aebc25680ee886edc6
4
+ data.tar.gz: f06e52b4ddfaba21629b65ccc739eede69faccc75eb542cb2da726f3a1611cba
5
5
  SHA512:
6
- metadata.gz: b868c617d8a9be3524f12223ce297fda451ea708917016889907faabfe25944b3a2b432ed7b08cfcbf577fab3f16d9c63eee709b81e959e99b9f5e816928ffd7
7
- data.tar.gz: a1e6df8ec00521f7cb949551112292c12a008d978e09f9337516958325e82e746139ab21cb92fef6f65db493dbe1980937700c7070ae67e7fe12626da527886a
6
+ metadata.gz: 6e6ec483cbd9483321846361ade36c24bf9fca1c355e43bbffcfc7a3d25c7c8ec08f3e88137913d3538928fdde6b00bb3f82edb912fccff856ade082a5b00ba6
7
+ data.tar.gz: 1581d435a66c7753929a5adece2b9b9387477fad411de498afb85f9972ba99a1f6df9482597acbab5bacaf0b8cbda2a6f42e6de080b41572da9ac2255e3a9694
data/helpers/v2/lib/functions/force_updater.rb CHANGED
@@ -4,6 +4,7 @@
4
4
  module Functions
5
5
  class ForceUpdater
6
6
  class TransitiveDependencyError < StandardError; end
7
+ class TopLevelDependencyDowngradedError < StandardError; end
7
8
 
8
9
  def initialize(dependency_name:, target_version:, gemfile_name:,
9
10
  lockfile_name:, update_multiple_dependencies:)
@@ -21,13 +22,21 @@ module Functions
21
22
  definition = build_definition(dependencies_to_unlock: dependencies_to_unlock)
22
23
  definition.resolve_remotely!
23
24
  specs = definition.resolve
24
- updates = ([dependency_name, *dependencies_to_unlock] - subdependencies).uniq.map { |name| { name: name } }
25
+ updates = ([dependency_name, *dependencies_to_unlock] - subdependencies + extra_top_level_deps(specs)).uniq
26
+
27
+ updates = updates.map do |name|
28
+ {
29
+ name: name
30
+ }
31
+ end
32
+
25
33
  specs = specs.map do |dep|
26
34
  {
27
35
  name: dep.name,
28
36
  version: dep.version
29
37
  }
30
38
  end
39
+
31
40
  [updates, specs]
32
41
  rescue Bundler::SolveFailure => e
33
42
  raise unless update_multiple_dependencies?
@@ -53,6 +62,24 @@ module Functions
53
62
  :update_multiple_dependencies
54
63
  alias update_multiple_dependencies? update_multiple_dependencies
55
64
 
65
+ def extra_top_level_deps(specs)
66
+ top_level_dep_names.reject do |name|
67
+ original_version = original_specs.find { |s| s.name == name }&.version
68
+ new_version = specs[name].first&.version
69
+
70
+ if original_version == new_version
71
+ true
72
+ else
73
+ original_version = Gem::Version.new(original_version)
74
+ new_version = Gem::Version.new(new_version)
75
+
76
+ raise TopLevelDependencyDowngradedError if new_version < original_version
77
+
78
+ false
79
+ end
80
+ end
81
+ end
82
+
56
83
  def new_dependencies_to_unlock_from(error:, already_unlocked:)
57
84
  names = [*already_unlocked, dependency_name]
58
85
  extra_names_to_unlock = []
@@ -118,13 +145,15 @@ module Functions
118
145
  # subdependencies
119
146
  return [] unless lockfile
120
147
 
121
- all_deps = Bundler::LockfileParser.new(lockfile)
122
- .specs.map(&:name)
123
- top_level = Bundler::Definition
124
- .build(gemfile_name, lockfile_name, {})
125
- .dependencies.map(&:name)
148
+ original_specs.map(&:name) - top_level_dep_names
149
+ end
150
+
151
+ def top_level_dep_names
152
+ @top_level_dep_names ||= Bundler::Definition.build(gemfile_name, lockfile_name, {}).dependencies.map(&:name)
153
+ end
126
154
 
127
- all_deps - top_level
155
+ def original_specs
156
+ @original_specs ||= Bundler::LockfileParser.new(lockfile).specs
128
157
  end
129
158
 
130
159
  def unlock_gem(definition:, gem_name:)
data/lib/dependabot/bundler/update_checker/force_updater.rb CHANGED
@@ -78,15 +78,6 @@ module Dependabot
78
78
  ).parse
79
79
  end
80
80
 
81
- def top_level_dependencies
82
- @top_level_dependencies ||=
83
- FileParser.new(
84
- dependency_files: dependency_files.reject { |file| file.name == lockfile.name },
85
- credentials: credentials,
86
- source: nil
87
- ).parse
88
- end
89
-
90
81
  def dependencies_from(updated_deps, specs)
91
82
  # You might think we'd want to remove dependencies whose version
92
83
  # hadn't changed from this array. We don't. We still need to unlock
@@ -95,17 +86,14 @@ module Dependabot
95
86
  #
96
87
  # This is kind of a bug in Bundler, and we should try to fix it,
97
88
  # but resolving it won't necessarily be easy.
89
+ updated_deps.filter_map do |dep|
90
+ original_dep =
91
+ original_dependencies.find { |d| d.name == dep.fetch("name") }
92
+ spec = specs.find { |d| d.fetch("name") == dep.fetch("name") }
98
93
 
99
- # put the lead dependency first
100
- index = specs.index { |dep| dep["name"] == updated_deps.first["name"] }
101
- specs.unshift(specs.delete_at(index))
102
- specs.filter_map do |dep|
103
- next unless top_level_dependencies.find { |d| d.name == dep.fetch("name") }
104
-
105
- original_dep = original_dependencies.find { |d| d.name == dep.fetch("name") }
106
- next if dep.fetch("version") == original_dep.version
94
+ next if spec.fetch("version") == original_dep.version
107
95
 
108
- build_dependency(original_dep, dep)
96
+ build_dependency(original_dep, spec)
109
97
  end
110
98
  end
111
99
 
data/lib/dependabot/bundler/version.rb CHANGED
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "dependabot/version"
data/lib/dependabot/bundler.rb CHANGED
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  # These all need to be required so the various classes can be registered in a
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-bundler
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.234.0
4
+ version: 0.236.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-10-12 00:00:00.000000000 Z
11
+ date: 2023-10-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.234.0
19
+ version: 0.236.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.234.0
26
+ version: 0.236.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -282,7 +282,7 @@ licenses:
282
282
  - Nonstandard
283
283
  metadata:
284
284
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
285
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.234.0
285
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.236.0
286
286
  post_install_message:
287
287
  rdoc_options: []
288
288
  require_paths: