dependabot-bundler 0.236.0 → 0.238.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4fd34dd5e86ac6b391a703c276d062a73f797c3f936658aebc25680ee886edc6
4
- data.tar.gz: f06e52b4ddfaba21629b65ccc739eede69faccc75eb542cb2da726f3a1611cba
3
+ metadata.gz: 15ed934b702f4aa5f9486243fa05fb5ff8f25b228a94b28087f496adad2094df
4
+ data.tar.gz: e608d86d64de0763edaa50de472dc8769b7edc796c119b1272674d789c428e77
5
5
  SHA512:
6
- metadata.gz: 6e6ec483cbd9483321846361ade36c24bf9fca1c355e43bbffcfc7a3d25c7c8ec08f3e88137913d3538928fdde6b00bb3f82edb912fccff856ade082a5b00ba6
7
- data.tar.gz: 1581d435a66c7753929a5adece2b9b9387477fad411de498afb85f9972ba99a1f6df9482597acbab5bacaf0b8cbda2a6f42e6de080b41572da9ac2255e3a9694
6
+ metadata.gz: 772fb2392a262c2c9db7bdbe3ecd6a8e817cc863796e015141497ed9ae43ac4d4cd0e98eb7c245000422eb07c11b3d92a76ca34630f3216190b79dc2d669d524
7
+ data.tar.gz: 2cc4dc6fb2ff3a3c464a438ab0e4088e3660acdde352e5821d7609446d6f2ad539b1c4149bd98c683e669e5b0e8f8b6e7d2ff453bf5febfbc3ed415819cbe3e1
@@ -148,6 +148,9 @@ module Functions
148
148
 
149
149
  # Use HTTPS for GitHub if lockfile
150
150
  Bundler.settings.set_command_option("github.https", "true")
151
+
152
+ # Native helpers rely on dependency unlocking, so Bundler should never be frozen
153
+ Bundler.settings.set_command_option("frozen", "false")
151
154
  end
152
155
 
153
156
  def self.relevant_credentials(credentials)
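Review bot: The new `frozen` override at new line 153 says what it does but not what it is defending against: the helper presumably runs with the checked-out repository as its working directory, and that repository can ship a `.bundle/config` with `BUNDLE_FROZEN` or `BUNDLE_DEPLOYMENT` set. `set_command_option` is Bundler's highest-precedence settings layer, so an explicit `false` here should win over a `frozen` from any config file, but whether it also neutralises `deployment=true` depends on how Bundler's `frozen_bundle?` combines the two and is worth pinning in a spec rather than assuming. I would extend the comment to `# Native helpers rely on dependency unlocking; force frozen=false so a repo's own .bundle/config (BUNDLE_FROZEN/BUNDLE_DEPLOYMENT) cannot make the helper refuse lockfile changes`. The enclosing setup method begins before this hunk.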
@@ -42,9 +42,8 @@ module Functions
42
42
  .fetchers.flat_map do |fetcher|
43
43
  fetcher
44
44
  .specs([dependency_name], bundler_source)
45
- .search_all(dependency_name)
45
+ .search_all(dependency_name).map(&:version)
46
46
  end
47
- .map(&:version)
48
47
  end
49
48
 
50
49
  private
@@ -127,7 +127,7 @@ module Functions
127
127
  def fetcher_class(dep)
128
128
  return unless dep.source.is_a?(::Bundler::Source::Rubygems)
129
129
 
130
- dep.source.fetchers.first.fetchers.first.class.to_s
130
+ dep.source.fetchers.first.send(:fetchers).first.class.to_s
131
131
  end
132
132
 
133
133
  def ruby_version
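Review bot: `send(:fetchers)` on new line 130 deliberately bypasses method visibility on a Bundler internal, presumably because `Bundler::Fetcher#fetchers` is no longer public, and that coupling should be stated where it lives, e.g. `# Bundler::Fetcher#fetchers is private; reached via send on purpose, revisit on Bundler upgrades`. Both `.first` calls also return `nil` on an empty list, which would surface as a `NoMethodError` from `send`/`class` instead of the `nil` this method returns for non-Rubygems sources; `dep.source.fetchers.first&.send(:fetchers)&.first&.class&.to_s` would give the two failure modes the same shape, if callers already tolerate `nil`.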
@@ -152,6 +152,9 @@ module Functions
152
152
  Bundler.ui = Bundler::UI::Silent.new
153
153
 
154
154
  Bundler.settings.set_command_option("forget_cli_options", "true")
155
+
156
+ # Native helpers rely on dependency unlocking, so Bundler should never be frozen
157
+ Bundler.settings.set_command_option("frozen", "false")
155
158
  end
156
159
 
157
160
  def self.relevant_credentials(credentials)
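Review bot: The ordering of the two `set_command_option` calls at new lines 154 and 157 matters and the new comment does not say so: in Bundler 2.x `set_command_option` only keeps a value in memory when `forget_cli_options` is enabled, otherwise it persists it as a local setting, i.e. into the repository's `.bundle/config`. Here `forget_cli_options` is set first, so `frozen=false` should stay in-process and not be written back into the checked-out repo, but someone reordering or removing the line above would change that silently. I would make the dependency explicit: `# forget_cli_options must be set before any other option so the settings below stay in memory and are not written to the repo's .bundle/config`. The enclosing setup method begins before this hunk.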
@@ -96,11 +96,11 @@ RSpec.describe Functions::DependencySource do
96
96
  end
97
97
 
98
98
  it "blows up with a useful error" do
99
- error_class = Bundler::Fetcher::BadAuthenticationError
99
+ error_class = Bundler::Fetcher::AuthenticationForbiddenError
100
100
  expect { private_registry_versions }
101
101
  .to raise_error do |error|
102
102
  expect(error).to be_a(error_class)
103
- expect(error.message).to include("Bad username or password for")
103
+ expect(error.message).to include("Access token could not be authenticated for")
104
104
  end
105
105
  end
106
106
  end
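Review bot: Replacing the `BadAuthenticationError` example with the `AuthenticationForbiddenError` one leaves the `BadAuthenticationError` branch, which the error handler still keeps (see the `when "Bundler::Fetcher::BadAuthenticationError"` context line later on this page), with no spec exercising its message regex. If both errors remain reachable depending on the Bundler version the helper runs under, keep the old example alongside the new one rather than swapping it, one `it` per error class with its message fragment, so a wording change in either path is caught. The enclosing `context`/`describe` begins before this hunk.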
@@ -126,7 +126,7 @@ RSpec.describe Functions::DependencySource do
126
126
  .to raise_error do |error|
127
127
  expect(error).to be_a(Bundler::HTTPError)
128
128
  expect(error.message)
129
- .to include("Could not fetch specs from")
129
+ .to include("Could not fetch specs from #{registry_url} due to underlying error")
130
130
  end
131
131
  end
132
132
  end
@@ -1,6 +1,7 @@
1
1
  # typed: false
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
4
5
  require "dependabot/file_fetchers"
5
6
  require "dependabot/file_fetchers/base"
6
7
  require "dependabot/bundler/file_updater/lockfile_updater"
@@ -9,6 +10,9 @@ require "dependabot/errors"
9
10
  module Dependabot
10
11
  module Bundler
11
12
  class FileFetcher < Dependabot::FileFetchers::Base
13
+ extend T::Sig
14
+ extend T::Helpers
15
+
12
16
  require "dependabot/bundler/file_fetcher/gemspec_finder"
13
17
  require "dependabot/bundler/file_fetcher/path_gemspec_finder"
14
18
  require "dependabot/bundler/file_fetcher/child_gemfile_finder"
@@ -32,8 +36,7 @@ module Dependabot
32
36
  }
33
37
  end
34
38
 
35
- private
36
-
39
+ sig { override.returns(T::Array[DependencyFile]) }
37
40
  def fetch_files
38
41
  fetched_files = []
39
42
  fetched_files << gemfile if gemfile
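Review bot: The new `sig { override.returns(T::Array[DependencyFile]) }` on `fetch_files` is runtime-checked only, because the file stays at `# typed: false` (first hunk of this file): Sorbet's static checker will not verify the override or the return type, so the sig records intent without enforcing it at analysis time. The native_helpers file on this page was raised to `# typed: strict` in the same release; consider at least `# typed: true` here, or a comment explaining why this file is left unchecked. Dropping the `private` above `fetch_files` also makes the method public, which matches `override` of a public base method and is presumably intentional, but deserves a mention in the commit description. The class body continues past this hunk.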
@@ -55,6 +58,8 @@ module Dependabot
55
58
  fetched_files
56
59
  end
57
60
 
61
+ private
62
+
58
63
  def uniq_files(fetched_files)
59
64
  uniq_files = fetched_files.reject(&:support_file?).uniq
60
65
  uniq_files += fetched_files
@@ -1,32 +1,43 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "bundler"
5
+ require "sorbet-runtime"
5
6
  require "dependabot/shared_helpers"
6
7
 
7
8
  module Dependabot
8
9
  module Bundler
9
10
  module NativeHelpers
11
+ extend T::Sig
12
+ extend T::Generic
13
+
10
14
  class BundleCommand
15
+ extend T::Sig
16
+
11
17
  MAX_SECONDS = 1800
12
18
  MIN_SECONDS = 60
13
19
 
20
+ sig { params(timeout_seconds: T.nilable(Integer)).void }
14
21
  def initialize(timeout_seconds)
15
- @timeout_seconds = clamp(timeout_seconds)
22
+ @timeout_seconds = T.let(clamp(timeout_seconds), Integer)
16
23
  end
17
24
 
25
+ sig { params(script: String).returns(String) }
18
26
  def build(script)
19
27
  [timeout_command, :ruby, script].compact.join(" ")
20
28
  end
21
29
 
22
30
  private
23
31
 
32
+ sig { returns(Integer) }
24
33
  attr_reader :timeout_seconds
25
34
 
35
+ sig { returns(T.nilable(String)) }
26
36
  def timeout_command
27
37
  "timeout -s HUP #{timeout_seconds}" unless timeout_seconds.zero?
28
38
  end
29
39
 
40
+ sig { params(seconds: T.nilable(Integer)).returns(Integer) }
30
41
  def clamp(seconds)
31
42
  return 0 unless seconds
32
43
 
@@ -34,6 +45,15 @@ module Dependabot
34
45
  end
35
46
  end
36
47
 
48
+ sig do
49
+ params(
50
+ function: String,
51
+ args: T::Hash[Symbol, String],
52
+ bundler_version: String,
53
+ options: T::Hash[Symbol, T.untyped]
54
+ )
55
+ .returns(T.untyped)
56
+ end
37
57
  def self.run_bundler_subprocess(function:, args:, bundler_version:, options: {})
38
58
  # Run helper suprocess with all bundler-related ENV variables removed
39
59
  helpers_path = versioned_helper_path(bundler_version)
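Review bot: `args: T::Hash[Symbol, String]` is a runtime-checked contract now that the file is `# typed: strict`, so any caller passing a non-String value (credential hashes in an array, booleans, nested options) will fail with a `TypeError` before the helper is spawned instead of being serialised as before. The callers are not on this page; if any of them pass anything but strings, widen to `T::Hash[Symbol, T.untyped]` as was done for `options`, otherwise add a spec that pins the narrower type so the contract is deliberate rather than accidental. The method body continues past the hunk.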
@@ -60,10 +80,12 @@ module Dependabot
60
80
  end
61
81
  end
62
82
 
83
+ sig { params(bundler_major_version: String).returns(String) }
63
84
  def self.versioned_helper_path(bundler_major_version)
64
85
  File.join(native_helpers_root, "v#{bundler_major_version}")
65
86
  end
66
87
 
88
+ sig { returns(String) }
67
89
  def self.native_helpers_root
68
90
  helpers_root = ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil)
69
91
  return File.join(helpers_root, "bundler") unless helpers_root.nil?
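Review bot: `versioned_helper_path` now types its parameter as `String` but nothing constrains it to a bare major version, and the value goes straight into a filesystem path (`"v#{bundler_major_version}"`) under `native_helpers_root`. If the version ever originates from repository content (a lockfile's `BUNDLED WITH`, say), a value like `../..` would resolve outside the helpers directory; a guard such as `raise ArgumentError, "unexpected bundler version" unless bundler_major_version.match?(/\A\d+\z/)`, or a comment stating where the value is validated upstream, would make the precondition explicit. `native_helpers_root` continues past the hunk.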
@@ -24,8 +24,9 @@ module Dependabot
24
24
  MISSING_AUTH_REGEX = /bundle config (?:set --global )?(?<source>.*) username:password/
25
25
 
26
26
  BAD_AUTH_REGEX = /Bad username or password for (?<source>.*)\.$/
27
+ FORBIDDEN_AUTH_REGEX = /Access token could not be authenticated for (?<source>.*)\.$/
27
28
  BAD_CERT_REGEX = /verify the SSL certificate for (?<source>.*)\.$/
28
- HTTP_ERR_REGEX = /Could not fetch specs from (?<source>.*)$/
29
+ HTTP_ERR_REGEX = /Could not fetch specs from (?<source>\S+)/
29
30
  end
30
31
 
31
32
  RETRYABLE_ERRORS = %w(
@@ -133,6 +134,10 @@ module Dependabot
133
134
  regex = BundlerErrorPatterns::MISSING_AUTH_REGEX
134
135
  source = error.message.match(regex)[:source]
135
136
  raise Dependabot::PrivateSourceAuthenticationFailure, source
137
+ when "Bundler::Fetcher::AuthenticationForbiddenError"
138
+ regex = BundlerErrorPatterns::FORBIDDEN_AUTH_REGEX
139
+ source = error.message.match(regex)[:source]
140
+ raise Dependabot::PrivateSourceAuthenticationFailure, source
136
141
  when "Bundler::Fetcher::BadAuthenticationError"
137
142
  regex = BundlerErrorPatterns::BAD_AUTH_REGEX
138
143
  source = error.message.match(regex)[:source]
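Review bot: The new `AuthenticationForbiddenError` branch does `error.message.match(regex)[:source]`, which raises `NoMethodError` on `nil` the moment Bundler's wording drifts from `FORBIDDEN_AUTH_REGEX`, turning an actionable authentication failure into an opaque crash. Prefer a nil-safe extraction that re-raises the original error when the pattern does not match: `match = error.message.match(BundlerErrorPatterns::FORBIDDEN_AUTH_REGEX)` / `raise error unless match` / `raise Dependabot::PrivateSourceAuthenticationFailure, match[:source]`. The sibling branches share the fragile pattern, but this one is new. The enclosing `case` begins before and ends after the hunk.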
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-bundler
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.236.0
4
+ version: 0.238.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-10-26 00:00:00.000000000 Z
11
+ date: 2023-12-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.236.0
19
+ version: 0.238.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.236.0
26
+ version: 0.238.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -94,20 +94,34 @@ dependencies:
94
94
  - - "~>"
95
95
  - !ruby/object:Gem::Version
96
96
  version: '1.3'
97
+ - !ruby/object:Gem::Dependency
98
+ name: rspec-sorbet
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - "~>"
102
+ - !ruby/object:Gem::Version
103
+ version: 1.9.2
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - "~>"
109
+ - !ruby/object:Gem::Version
110
+ version: 1.9.2
97
111
  - !ruby/object:Gem::Dependency
98
112
  name: rubocop
99
113
  requirement: !ruby/object:Gem::Requirement
100
114
  requirements:
101
115
  - - "~>"
102
116
  - !ruby/object:Gem::Version
103
- version: 1.56.0
117
+ version: 1.57.2
104
118
  type: :development
105
119
  prerelease: false
106
120
  version_requirements: !ruby/object:Gem::Requirement
107
121
  requirements:
108
122
  - - "~>"
109
123
  - !ruby/object:Gem::Version
110
- version: 1.56.0
124
+ version: 1.57.2
111
125
  - !ruby/object:Gem::Dependency
112
126
  name: rubocop-performance
113
127
  requirement: !ruby/object:Gem::Requirement
@@ -282,7 +296,7 @@ licenses:
282
296
  - Nonstandard
283
297
  metadata:
284
298
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
285
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.236.0
299
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.238.0
286
300
  post_install_message:
287
301
  rdoc_options: []
288
302
  require_paths: