dependabot-bundler 0.280.0 → 0.282.0

data/helpers/v1/monkey_patches/definition_bundler_version_patch.rb

@@ -1,16 +0,0 @@
-# typed: false
-# frozen_string_literal: true
-
-require "bundler/definition"
-
-# Ignore the Bundler version specified in the Gemfile (since the only Bundler
-# version available to us is the one we're using).
-module BundlerDefinitionBundlerVersionPatch
-  def expanded_dependencies
-    @expanded_dependencies ||=
-      expand_dependencies(dependencies + metadata_dependencies, @remote)
-      .reject { |d| d.name == "bundler" }
-  end
-end
-
-Bundler::Definition.prepend(BundlerDefinitionBundlerVersionPatch)

data/helpers/v1/monkey_patches/definition_ruby_version_patch.rb

@@ -1,22 +0,0 @@
-# typed: false
-# frozen_string_literal: true
-
-require "bundler/definition"
-
-module BundlerDefinitionRubyVersionPatch
-  def index
-    @index ||= super.tap do
-      if ruby_version
-        requested_version = ruby_version.to_gem_version_with_patchlevel
-        sources.metadata_source.specs <<
-          Gem::Specification.new("ruby\0", requested_version)
-      end
-
-      %w(2.5.3p105 2.6.10p210 2.7.6p219 3.0.7p220 3.1.5p252 3.2.4p170).each do |version|
-        sources.metadata_source.specs << Gem::Specification.new("ruby\0", version)
-      end
-    end
-  end
-end
-
-Bundler::Definition.prepend(BundlerDefinitionRubyVersionPatch)

data/helpers/v1/monkey_patches/fileutils_keyword_splat_patch.rb

@@ -1,20 +0,0 @@
-# typed: false
-# frozen_string_literal: true
-
-require "bundler/vendor/fileutils/lib/fileutils"
-
-# Port
-# https://github.com/ruby/fileutils/commit/a5eca84a4240e29bb7886c3ef7085d464a972dd0
-# to fix keyword argument errors on Ruby 3.1
-
-module BundlerFileUtilsKeywordSplatPatch
-  def entries
-    opts = {}
-    opts[:encoding] = ::Encoding::UTF_8 if fu_windows?
-    Dir.entries(path, **opts)
-       .reject { |n| n == "." || n == ".." }
-       .map { |n| self.class.new(prefix, join(rel, n.untaint)) }
-  end
-end
-
-Bundler::FileUtils::Entry_.prepend(BundlerFileUtilsKeywordSplatPatch)

data/helpers/v1/monkey_patches/git_source_patch.rb

@@ -1,62 +0,0 @@
-# typed: true
-# frozen_string_literal: true
-
-require "bundler/source"
-
-module Bundler
-  class Source
-    class Git
-      class GitProxy
-        private
-
-        # Bundler allows ssh authentication when talking to GitHub but there's
-        # no way for Dependabot to do so (it doesn't have any ssh keys).
-        # Instead, we convert all `git@github.com:` URLs to use HTTPS.
-        def configured_uri_for(uri)
-          uri = uri.gsub(%r{git@(.*?):/?}, 'https://\1/')
-          if uri.match?(/https?:/)
-            remote = ::URI.parse(uri)
-            config_auth =
-              Bundler.settings[remote.to_s] || Bundler.settings[remote.host]
-            remote.userinfo ||= config_auth
-            remote.to_s
-          else
-            uri
-          end
-        end
-      end
-    end
-  end
-end
-
-module Bundler
-  class Source
-    class Git < Path
-      private
-
-      def serialize_gemspecs_in(destination)
-        original_load_paths = $LOAD_PATH.dup
-        reduced_load_paths = original_load_paths
-                             .reject { |p| p.include?("/gems/") }
-
-        $LOAD_PATH.shift until $LOAD_PATH.empty?
-        reduced_load_paths.each { |p| $LOAD_PATH << p }
-
-        destination = destination.expand_path(Bundler.root) if destination.relative?
-        Dir["#{destination}/#{@glob}"].each do |spec_path|
-          # Evaluate gemspecs and cache the result. Gemspecs
-          # in git might require git or other dependencies.
-          # The gemspecs we cache should already be evaluated.
-          spec = Bundler.load_gemspec(spec_path)
-          next unless spec
-
-          Bundler.rubygems.set_installed_by_version(spec)
-          Bundler.rubygems.validate(spec)
-          File.binwrite(spec_path, spec.to_ruby)
-        end
-        $LOAD_PATH.shift until $LOAD_PATH.empty?
-        original_load_paths.each { |p| $LOAD_PATH << p }
-      end
-    end
-  end
-end

data/helpers/v1/monkey_patches/object_untaint_patch.rb

@@ -1,17 +0,0 @@
-# typed: false
-# frozen_string_literal: true
-
-# Bundler v1 uses the `untaint` method on objects in `Bundler::SharedHelpers`.
-# This method has been deprecated for a long time, and is actually a no-op in
-# ruby versions 2.7+. In Ruby 3.3 it was finally removed, and it's now causing
-# bundler v1 to error.
-#
-# In order to keep the old behavior, we're monkey patching `Object` to add a
-# no-op implementation of untaint.
-module ObjectUntaintPatch
-  def untaint
-    self
-  end
-end
-
-Object.prepend(ObjectUntaintPatch)

data/helpers/v1/monkey_patches/resolver_spec_group_sane_eql.rb

@@ -1,18 +0,0 @@
-# typed: false
-# frozen_string_literal: true
-
-require "bundler/resolver/spec_group"
-
-# Port
-# https://github.com/rubygems/bundler/commit/30a690edbdf5ee64ea54afc7d0c91d910ff2b80e
-# to fix flaky failures on Bundler 1
-
-module BundlerResolverSpecGroupSaneEql
-  def eql?(other)
-    return false unless other.is_a?(self.class)
-
-    super
-  end
-end
-
-Bundler::Resolver::SpecGroup.prepend(BundlerResolverSpecGroupSaneEql)

data/helpers/v1/patched_bundler

@@ -1,34 +0,0 @@
-#!/usr/local/bin/ruby
-#
-# This file was generated by RubyGems.
-# It was then patched by Dependabot to add `Object#untaint` back
-# in order to run bundler 1.17.3 using Ruby 3.3+.
-#
-# The application 'bundler' is installed as part of a gem, and
-# this file is here to facilitate running it.
-#
-
-$LOAD_PATH.unshift(File.expand_path("./monkey_patches", __dir__))
-require "object_untaint_patch"
-
-require 'rubygems'
-
-version = ">= 0.a"
-
-str = ARGV.first
-if str
-  str = str.b[/\A_(.*)_\z/, 1]
-  if str and Gem::Version.correct?(str)
-    version = str
-    ENV['BUNDLER_VERSION'] = str
-
-    ARGV.shift
-  end
-end
-
-if Gem.respond_to?(:activate_bin_path)
-load Gem.activate_bin_path('bundler', 'bundle', version)
-else
-gem "bundler", version
-load Gem.bin_path("bundler", "bundle", version)
-end

data/helpers/v1/run.rb

@@ -1,38 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-gem "bundler", "~> 1.17"
-require "bundler"
-require "json"
-
-$LOAD_PATH.unshift(File.expand_path("./lib", __dir__))
-$LOAD_PATH.unshift(File.expand_path("./monkey_patches", __dir__))
-
-trap "HUP" do
-  puts JSON.generate(error: "timeout", error_class: "Timeout::Error", trace: [])
-  exit 2
-end
-
-# Bundler monkey patches
-require "definition_ruby_version_patch"
-require "definition_bundler_version_patch"
-require "fileutils_keyword_splat_patch"
-require "git_source_patch"
-require "resolver_spec_group_sane_eql"
-require "object_untaint_patch"
-
-require "functions"
-
-begin
-  request = JSON.parse($stdin.read)
-
-  function = request["function"]
-  args = request["args"].transform_keys(&:to_sym)
-
-  print JSON.dump({ result: Functions.send(function, **args) })
-rescue StandardError => e
-  print JSON.dump(
-    { error: e.message, error_class: e.class, trace: e.backtrace }
-  )
-  exit(1)
-end

data/helpers/v1/spec/functions/conflicting_dependency_resolver_spec.rb

@@ -1,118 +0,0 @@
-# typed: false
-# frozen_string_literal: true
-
-require "native_spec_helper"
-require "shared_contexts"
-
-RSpec.describe Functions::ConflictingDependencyResolver do
-  include_context "when in a temporary bundler directory"
-
-  let(:conflicting_dependency_resolver) do
-    described_class.new(
-      dependency_name: dependency_name,
-      target_version: target_version,
-      lockfile_name: "Gemfile.lock"
-    )
-  end
-
-  let(:dependency_name) { "dummy-pkg-a" }
-  let(:target_version) { "2.0.0" }
-
-  let(:project_name) { "blocked_by_subdep" }
-
-  describe "#conflicting_dependencies" do
-    subject(:conflicting_dependencies) do
-      in_tmp_folder { conflicting_dependency_resolver.conflicting_dependencies }
-    end
-
-    it "returns a list of dependencies that block the update" do
-      expect(conflicting_dependencies).to eq(
-        [{
-          "explanation" => "dummy-pkg-b (1.0.0) requires dummy-pkg-a (< 2.0.0)",
-          "name" => "dummy-pkg-b",
-          "version" => "1.0.0",
-          "requirement" => "< 2.0.0"
-        }]
-      )
-    end
-
-    context "when dealing with nested transitive dependencies" do
-      let(:project_name) { "transitive_blocking" }
-      let(:dependency_name) { "activesupport" }
-      let(:target_version) { "6.0.0" }
-
-      it "returns a list of dependencies that block the update" do
-        expect(conflicting_dependencies).to contain_exactly({
-          "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0)",
-          "name" => "rails",
-          "requirement" => "= 5.2.0",
-          "version" => "5.2.0"
-        }, {
-          "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionpack (5.2.0)",
-          "name" => "actionpack",
-          "version" => "5.2.0",
-          "requirement" => "= 5.2.0"
-        }, {
-          "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via actionview (5.2.0)",
-          "name" => "actionview",
-          "version" => "5.2.0",
-          "requirement" => "= 5.2.0"
-        }, {
-          "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activejob (5.2.0)",
-          "name" => "activejob",
-          "version" => "5.2.0",
-          "requirement" => "= 5.2.0"
-        }, {
-          "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activemodel (5.2.0)",
-          "name" => "activemodel",
-          "version" => "5.2.0",
-          "requirement" => "= 5.2.0"
-        }, {
-          "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via activerecord (5.2.0)",
-          "name" => "activerecord",
-          "version" => "5.2.0",
-          "requirement" => "= 5.2.0"
-        }, {
-          "explanation" => "rails (5.2.0) requires activesupport (= 5.2.0) via railties (5.2.0)",
-          "name" => "railties",
-          "version" => "5.2.0",
-          "requirement" => "= 5.2.0"
-        })
-      end
-    end
-
-    context "with multiple blocking dependencies" do
-      let(:dependency_name) { "activesupport" }
-      let(:current_version) { "5.0.0" }
-      let(:target_version) { "6.0.0" }
-      let(:project_name) { "multiple_blocking" }
-
-      it "returns all of the blocking dependencies" do
-        expect(conflicting_dependencies).to contain_exactly({
-          "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via actionpack (5.0.0)",
-          "name" => "actionpack",
-          "version" => "5.0.0",
-          "requirement" => "= 5.0.0"
-        }, {
-          "explanation" => "actionview (5.0.0) requires activesupport (= 5.0.0)",
-          "name" => "actionview",
-          "version" => "5.0.0",
-          "requirement" => "= 5.0.0"
-        }, {
-          "explanation" => "actionmailer (5.0.0) requires activesupport (= 5.0.0) via activejob (5.0.0)",
-          "name" => "activejob",
-          "version" => "5.0.0",
-          "requirement" => "= 5.0.0"
-        })
-      end
-    end
-
-    context "without any blocking dependencies" do
-      let(:target_version) { "1.0.0" }
-
-      it "returns an empty list" do
-        expect(conflicting_dependencies).to eq([])
-      end
-    end
-  end
-end

data/helpers/v1/spec/functions/dependency_source_spec.rb

@@ -1,188 +0,0 @@
-# typed: false
-# frozen_string_literal: true
-
-require "native_spec_helper"
-require "shared_contexts"
-
-RSpec.describe Functions::DependencySource do
-  include_context "when in a temporary bundler directory"
-
-  let(:dependency_source) do
-    described_class.new(
-      gemfile_name: "Gemfile",
-      dependency_name: dependency_name
-    )
-  end
-
-  let(:dependency_name) { "business" }
-
-  let(:project_name) { "specified_source_no_lockfile" }
-  let(:registry_url) { "https://repo.fury.io/greysteil/" }
-  let(:gemfury_business_url) do
-    "https://repo.fury.io/greysteil/api/v1/dependencies?gems=business"
-  end
-
-  before do
-    stub_request(:get, registry_url + "versions")
-      .with(basic_auth: ["SECRET_CODES", ""])
-      .to_return(status: 404)
-    stub_request(:get, registry_url + "api/v1/dependencies")
-      .with(basic_auth: ["SECRET_CODES", ""])
-      .to_return(status: 200)
-    stub_request(:get, gemfury_business_url)
-      .with(basic_auth: ["SECRET_CODES", ""])
-      .to_return(status: 200, body: fixture("ruby", "gemfury_response"))
-  end
-
-  describe "#private_registry_versions" do
-    subject(:private_registry_versions) do
-      in_tmp_folder { dependency_source.private_registry_versions }
-    end
-
-    it "returns all versions from the private source" do
-      expect(private_registry_versions).to eq([
-        Gem::Version.new("1.5.0"),
-        Gem::Version.new("1.9.0"),
-        Gem::Version.new("1.10.0.beta")
-      ])
-    end
-
-    context "when specified as the default source" do
-      let(:project_name) { "specified_default_source_no_lockfile" }
-
-      it "returns all versions from the private source" do
-        expect(private_registry_versions).to eq([
-          Gem::Version.new("1.5.0"),
-          Gem::Version.new("1.9.0"),
-          Gem::Version.new("1.10.0.beta")
-        ])
-      end
-    end
-
-    context "when we don't have authentication details for" do
-      before do
-        stub_request(:get, registry_url + "versions")
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 401)
-        stub_request(:get, registry_url + "api/v1/dependencies")
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 401)
-        stub_request(:get, registry_url + "specs.4.8.gz")
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 401)
-      end
-
-      it "blows up with a useful error" do
-        error_class = Bundler::Fetcher::AuthenticationRequiredError
-        error_message = "Authentication is required for repo.fury.io"
-        expect { private_registry_versions }
-          .to raise_error do |error|
-            expect(error).to be_a(error_class)
-            expect(error.message).to include(error_message)
-          end
-      end
-    end
-
-    context "when we have bad authentication details" do
-      before do
-        stub_request(:get, registry_url + "versions")
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 403)
-        stub_request(:get, registry_url + "api/v1/dependencies")
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 403)
-        stub_request(:get, registry_url + "specs.4.8.gz")
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 403)
-      end
-
-      it "blows up with a useful error" do
-        error_class = Bundler::Fetcher::BadAuthenticationError
-        expect { private_registry_versions }
-          .to raise_error do |error|
-            expect(error).to be_a(error_class)
-            expect(error.message)
-              .to include("Bad username or password for")
-          end
-      end
-    end
-
-    context "when bad-requested, but is a private repo" do
-      before do
-        stub_request(:get, registry_url + "versions")
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 400)
-        stub_request(:get, registry_url + "api/v1/dependencies")
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 400)
-        stub_request(:get, registry_url + "specs.4.8.gz")
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 400)
-      end
-
-      it "blows up with a useful error" do
-        expect { private_registry_versions }
-          .to raise_error do |error|
-            expect(error).to be_a(Bundler::HTTPError)
-            expect(error.message)
-              .to include("Could not fetch specs from")
-          end
-      end
-    end
-
-    context "when it doesn't have details of the gem" do
-      before do
-        stub_request(:get, gemfury_business_url)
-          .with(basic_auth: ["SECRET_CODES", ""])
-          .to_return(status: 404)
-
-        # Stub indexes to return details of other gems (but not this one)
-        stub_request(:get, registry_url + "specs.4.8.gz")
-          .to_return(
-            status: 200,
-            body: fixture("ruby", "contribsys_old_index_response")
-          )
-        stub_request(:get, registry_url + "prerelease_specs.4.8.gz")
-          .to_return(
-            status: 200,
-            body: fixture("ruby", "contribsys_old_index_prerelease_response")
-          )
-      end
-
-      it { is_expected.to be_empty }
-    end
-
-    context "when it only implements the old Bundler index format" do
-      let(:project_name) { "sidekiq_pro" }
-      let(:dependency_name) { "sidekiq-pro" }
-      let(:registry_url) { "https://gems.contribsys.com/" }
-
-      before do
-        stub_request(:get, registry_url + "versions")
-          .with(basic_auth: %w(username password))
-          .to_return(status: 404)
-        stub_request(:get, registry_url + "api/v1/dependencies")
-          .with(basic_auth: %w(username password))
-          .to_return(status: 404)
-        stub_request(:get, registry_url + "specs.4.8.gz")
-          .with(basic_auth: %w(username password))
-          .to_return(
-            status: 200,
-            body: fixture("ruby", "contribsys_old_index_response")
-          )
-        stub_request(:get, registry_url + "prerelease_specs.4.8.gz")
-          .with(basic_auth: %w(username password))
-          .to_return(
-            status: 200,
-            body: fixture("ruby", "contribsys_old_index_prerelease_response")
-          )
-      end
-
-      it "returns all versions from the private source" do
-        expect(private_registry_versions.length).to be(70)
-        expect(private_registry_versions.min).to eql(Gem::Version.new("1.0.0"))
-        expect(private_registry_versions.max).to eql(Gem::Version.new("3.5.2"))
-      end
-    end
-  end
-end

data/helpers/v1/spec/functions/file_parser_spec.rb

@@ -1,75 +0,0 @@
-# typed: false
-# frozen_string_literal: true
-
-require "native_spec_helper"
-require "shared_contexts"
-
-RSpec.describe Functions::FileParser do
-  include_context "when in a temporary bundler directory"
-
-  let(:dependency_source) do
-    described_class.new(
-      lockfile_name: "Gemfile.lock"
-    )
-  end
-
-  describe "#parsed_gemfile" do
-    subject(:parsed_gemfile) do
-      in_tmp_folder do
-        dependency_source.parsed_gemfile(gemfile_name: "Gemfile")
-      end
-    end
-
-    let(:project_name) { "gemfile" }
-
-    it "parses gemfile" do
-      parsed_gemfile = [
-        {
-          groups: [:default],
-          name: "business",
-          requirement: Gem::Requirement.new("~> 1.4.0"),
-          source: nil,
-          type: :runtime
-        },
-        {
-          groups: [:default],
-          name: "statesman",
-          requirement: Gem::Requirement.new("~> 1.2.0"),
-          source: nil,
-          type: :runtime
-        }
-      ]
-      expect(parsed_gemfile).not_to be_nil # to get past IdenticalEqualityAssertion
-    end
-  end
-
-  describe "#parsed_gemspec" do
-    subject(:parsed_gemspec) do
-      in_tmp_folder do |_tmp_path|
-        dependency_source.parsed_gemspec(gemspec_name: "example.gemspec")
-      end
-    end
-
-    let(:project_name) { "gemfile_exact" }
-
-    it "parses gemspec" do
-      parsed_gemspec = [
-        {
-          groups: nil,
-          name: "business",
-          requirement: Gem::Requirement.new("= 1.0.0"),
-          source: nil,
-          type: :runtime
-        },
-        {
-          groups: nil,
-          name: "statesman",
-          requirement: Gem::Requirement.new("= 1.0.0"),
-          source: nil,
-          type: :runtime
-        }
-      ]
-      expect(parsed_gemspec).not_to be_nil # to get past IdenticalEqualityAssertion
-    end
-  end
-end

data/helpers/v1/spec/functions/force_updater_spec.rb

@@ -1,59 +0,0 @@
-# typed: false
-# frozen_string_literal: true
-
-require "native_spec_helper"
-require "shared_contexts"
-
-RSpec.describe Functions::ForceUpdater do
-  include_context "when in a temporary bundler directory"
-  include_context "when stubbing rubygems compact index"
-
-  let(:force_updater) do
-    described_class.new(
-      dependency_name: dependency_name,
-      target_version: target_version,
-      gemfile_name: gemfile_name,
-      lockfile_name: lockfile_name,
-      update_multiple_dependencies: update_multiple_dependencies
-    )
-  end
-  let(:gemfile_name) { "Gemfile" }
-  let(:lockfile_name) { "Gemfile.lock" }
-  let(:update_multiple_dependencies) { true }
-
-  describe "#run" do
-    subject(:force_update) do
-      in_tmp_folder { force_updater.run }
-    end
-
-    context "with a version conflict" do
-      let(:target_version) { "3.6.0" }
-      let(:dependency_name) { "rspec-support" }
-      let(:project_name) { "version_conflict" }
-
-      it "updates the conflicting dependencies" do
-        updated_deps, _specs = force_update
-        expect(updated_deps).to eq([{ name: "rspec-support" }, { name: "rspec-mocks" }])
-      end
-
-      context "when updating a single dependency" do
-        let(:update_multiple_dependencies) { false }
-
-        it { expect { force_update }.to raise_error(Bundler::VersionConflict) }
-      end
-    end
-
-    context "with a version conflict in gems rb" do
-      let(:target_version) { "3.6.0" }
-      let(:dependency_name) { "rspec-support" }
-      let(:project_name) { "version_conflict_gems_rb" }
-      let(:gemfile_name) { "gems.rb" }
-      let(:lockfile_name) { "gems.locked" }
-
-      it "updates the conflicting dependencies" do
-        updated_deps, _specs = force_update
-        expect(updated_deps).to eq([{ name: "rspec-support" }, { name: "rspec-mocks" }])
-      end
-    end
-  end
-end